fr.paris.lutece.util.http

Class SecurityUtil

java.lang.Object

fr.paris.lutece.util.http.SecurityUtil

public final class SecurityUtil
extends Object

Security utils

Field Summary

Fields

Modifier and Type	Field and Description
static String	PROPERTY_REDIRECT_URL_SAFE_PATTERNS

Method Summary

Modifier and Type	Method and Description
static boolean	containsCleanParameters(javax.servlet.http.HttpServletRequest request) Scan request parameters to see if there no malicious code.
static boolean	containsCleanParameters(javax.servlet.http.HttpServletRequest request, String strXssCharacters) Scan request parameters to see if there no malicious code.
static boolean	containsPathManipulationChars(javax.servlet.http.HttpServletRequest request, String strValue) Check if the value contains characters used for Path Manipulation
static boolean	containsXmlExternalEntityInjectionTerms(String strValue) Check if the value contains terms used for XML External Entity Injection
static boolean	containsXssCharacters(javax.servlet.http.HttpServletRequest request, String strString) Checks if a String contains characters that could be used for a cross-site scripting attack.
static boolean	containsXssCharacters(javax.servlet.http.HttpServletRequest request, String strValue, String strXssCharacters) Checks if a String contains characters that could be used for a cross-site scripting attack.
static String	dumpRequest(javax.servlet.http.HttpServletRequest request) Dump all request info
static String	getRealIp(javax.servlet.http.HttpServletRequest request) Get the IP of the user from a request.
static boolean	isInternalRedirectUrlSafe(String strUrl, javax.servlet.http.HttpServletRequest request) Validate a forward URL to avoid open redirect with url safe patterns found in properties
static boolean	isInternalRedirectUrlSafe(String strUrl, javax.servlet.http.HttpServletRequest request, String strAntPathMatcherPatterns) Validate an internal redirect URL to avoid internal open redirect.
static String	logForgingProtect(String strUserInputData) Identify user data saved in log files to prevent Log Forging attacks

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PROPERTY_REDIRECT_URL_SAFE_PATTERNS

public static final String PROPERTY_REDIRECT_URL_SAFE_PATTERNS

See Also:

Constant Field Values

Method Detail

containsCleanParameters

public static boolean containsCleanParameters(javax.servlet.http.HttpServletRequest request)

Scan request parameters to see if there no malicious code.

Parameters:

request - The HTTP request

Returns:

true if all parameters don't contains any special characters

containsCleanParameters

public static boolean containsCleanParameters(javax.servlet.http.HttpServletRequest request,
                                              String strXssCharacters)

Scan request parameters to see if there no malicious code.

Parameters:

request - The HTTP request

strXssCharacters - a String wich contain a list of Xss characters to check in strValue

Returns:

true if all parameters don't contains any special characters

containsXssCharacters

public static boolean containsXssCharacters(javax.servlet.http.HttpServletRequest request,
                                            String strString)

Checks if a String contains characters that could be used for a cross-site scripting attack.

Parameters:

request - The HTTP request

strString - a character String

Returns:

true if the String contains illegal characters

containsXssCharacters

public static boolean containsXssCharacters(javax.servlet.http.HttpServletRequest request,
                                            String strValue,
                                            String strXssCharacters)

Checks if a String contains characters that could be used for a cross-site scripting attack.

Parameters:

request - The HTTP request

strValue - a character String

strXssCharacters - a String wich contain a list of Xss characters to check in strValue

Returns:

true if the String contains illegal characters

containsXmlExternalEntityInjectionTerms

public static boolean containsXmlExternalEntityInjectionTerms(String strValue)

Check if the value contains terms used for XML External Entity Injection

Parameters:

strValue - The value

Returns:

true if

containsPathManipulationChars

public static boolean containsPathManipulationChars(javax.servlet.http.HttpServletRequest request,
                                                    String strValue)

Check if the value contains characters used for Path Manipulation

Parameters:

request - The Http request

strValue - The value

Returns:

true if

dumpRequest

public static String dumpRequest(javax.servlet.http.HttpServletRequest request)

Dump all request info

Parameters:

request - The HTTP request

Returns:

A report containing all request info

getRealIp

public static String getRealIp(javax.servlet.http.HttpServletRequest request)

Get the IP of the user from a request. If the user is behind an apache server, return the ip of the user instead of the ip of the server.

Parameters:

request - The request

Returns:

The IP of the user that made the request

isInternalRedirectUrlSafe

public static boolean isInternalRedirectUrlSafe(String strUrl,
                                                javax.servlet.http.HttpServletRequest request)

Validate a forward URL to avoid open redirect with url safe patterns found in properties

Parameters:

strUrl -

request -

Returns:

true if valid

See Also:

isInternalRedirectUrlSafe(java.lang.String, javax.servlet.http.HttpServletRequest, java.lang.String)

isInternalRedirectUrlSafe

public static boolean isInternalRedirectUrlSafe(String strUrl,
                                                javax.servlet.http.HttpServletRequest request,
                                                String strAntPathMatcherPatterns)

Validate an internal redirect URL to avoid internal open redirect. (Use this function only if the use of internal url redirect keys is not possible. For external url redirection control, use the plugin plugin-verifybackurl) the url should : - not be blank (null or empty string or spaces) - not start with "http://" or "https://" or "//" OR match the base URL or any URL in the pattern list example with a base url "https://lutece.fr/ : - valid : myapp/jsp/site/Portal.jsp , Another.jsp , https://lutece.fr/myapp/jsp/site/Portal.jsp - invalid : http://anothersite.com , https://anothersite.com , //anothersite.com , file://my.txt , ...

Parameters:

strUrl - the Url to validate

request - the current request (containing the baseUrl)

strAntPathMatcherPatterns - a comma separated list of AntPathMatcher patterns, as "http://**.lutece.com,https://**.lutece.com"

Returns:

true if valid

logForgingProtect

public static String logForgingProtect(String strUserInputData)

Identify user data saved in log files to prevent Log Forging attacks

Parameters:

strUserInputData - User Input Data

Returns:

The User Data to log