34 package fr.paris.lutece.plugins.verifybackurl.utils;
35
36 import fr.paris.lutece.portal.service.util.AppPropertiesService;
37
38 import java.nio.charset.StandardCharsets;
39 import java.util.Base64;
40 import java.util.regex.Matcher;
41 import java.util.regex.Pattern;
42 import javax.servlet.http.HttpServletRequest;
43 import javax.servlet.http.HttpSession;
44 import org.apache.commons.lang3.StringUtils;
45 import org.springframework.util.AntPathMatcher;
46 import org.springframework.util.PathMatcher;
47
48
49
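/**
 * Helper methods used to validate a "back URL" (the URL a user is sent back to after an action) before a
 * redirect is issued, and to keep that URL in the HTTP session.
 *
 * <p>Every rule is read from the application properties on each call (through {@link AppPropertiesService}),
 * so a configuration change is picked up without restarting. All rules are fail-open: a rule whose property
 * is missing or empty is treated as "not configured" and rejects nothing, so a deployment that relies on
 * these checks to prevent redirects to foreign hosts must make sure the properties are actually set.
 */
public class VerifiyBackUrlUtils
{
    /** Ant-style matcher (default {@code /} separator) used to compare a back URL against the authorized patterns. */
    public final static PathMatcher PATH_MATCHER = new AntPathMatcher( );

    /**
     * Checks a back URL against the comma-separated list of Ant-style patterns held by the property
     * {@code VerifyBackUrlConstants.PROPERTY_AUTHORIZED_DOMAINS_BACK_URL}.
     *
     * <p>Entries are trimmed and blank entries are ignored, so {@code "a/**, b/**"} behaves like
     * {@code "a/**,b/**"}. When the property is missing or empty no restriction applies and every URL,
     * including {@code null}, is accepted (see the class documentation).
     *
     * @param strBackUrl the URL to check; {@code null} never matches a pattern once a list is configured
     * @return {@code true} if no list is configured or at least one pattern matches the whole URL
     */
    public static boolean isValidBackUrl( String strBackUrl )
    {
        String strAuthorizedDomains = AppPropertiesService.getProperty( VerifyBackUrlConstants.PROPERTY_AUTHORIZED_DOMAINS_BACK_URL );

        // No allowlist configured: historical fail-open behaviour is kept
        if ( StringUtils.isEmpty( strAuthorizedDomains ) )
        {
            return true;
        }

        // A null URL cannot match any pattern; checking it here avoids handing null to the matcher
        if ( strBackUrl == null )
        {
            return false;
        }

        for ( String strPattern : strAuthorizedDomains.split( VerifyBackUrlConstants.COMMA ) )
        {
            String strTrimmedPattern = strPattern.trim( );

            if ( !strTrimmedPattern.isEmpty( ) && PATH_MATCHER.match( strTrimmedPattern, strBackUrl ) )
            {
                return true;
            }
        }

        return false;
    }

    /**
     * Tells whether the back URL is free of the HTML constructs rejected by the regular expression held by
     * the property {@code VerifyBackUrlConstants.PROPERTY_AUTHORIZED_HTML}. The expression is applied to the
     * whole URL ({@link Matcher#matches()}), exactly like {@link String#matches(String)}.
     *
     * @param strBackUrl the URL to check; {@code null} is treated as an empty string
     * @return {@code true} if the URL does not match the expression, or if no expression is configured
     * @throws java.util.regex.PatternSyntaxException if the configured expression is invalid
     */
    public static boolean containsNoUnauthorizedHTML( String strBackUrl )
    {
        String strPatternUnauthorizedHTML = AppPropertiesService.getProperty( VerifyBackUrlConstants.PROPERTY_AUTHORIZED_HTML );

        return !matchesWholeInput( strPatternUnauthorizedHTML, strBackUrl );
    }

    /**
     * Tells whether the back URL matches the regular expression of unauthorized domain characters held by
     * the property {@code VerifyBackUrlConstants.PROPERTY_UNAUTHORIZED_CHARACTERS_DOMAIN}. The expression is
     * applied to the whole URL ({@link Matcher#matches()}).
     *
     * @param strBackUrl the URL to check; {@code null} is treated as an empty string
     * @return {@code true} if the URL matches the expression; {@code false} if it does not or if no
     *         expression is configured
     * @throws java.util.regex.PatternSyntaxException if the configured expression is invalid
     */
    public static boolean containsUnauthorizedCharactersDomain( String strBackUrl )
    {
        String strPatternUnauthorizedCharactersDomain = AppPropertiesService.getProperty( VerifyBackUrlConstants.PROPERTY_UNAUTHORIZED_CHARACTERS_DOMAIN );

        return matchesWholeInput( strPatternUnauthorizedCharactersDomain, strBackUrl );
    }

    /**
     * Applies a regular expression read from the properties to a value.
     *
     * @param strRegex the expression; a missing or empty expression matches nothing
     * @param strValue the value; {@code null} is treated as an empty string
     * @return {@code true} if the whole value matches the expression
     * @throws java.util.regex.PatternSyntaxException if the expression is invalid
     */
    private static boolean matchesWholeInput( String strRegex, String strValue )
    {
        if ( StringUtils.isEmpty( strRegex ) )
        {
            return false;
        }

        // Equivalent to String.matches( ), without dereferencing a null value
        return Pattern.compile( strRegex ).matcher( strValue == null ? "" : strValue ).matches( );
    }

    /**
     * Compares the base URLs (as extracted by {@link #getBaseUrl(String)}) of two URLs.
     *
     * @param url1 the first URL, may be {@code null}
     * @param url2 the second URL, may be {@code null}
     * @return {@code true} only when both base URLs are equal and non-empty
     */
    public static boolean compareBaseUrl( String url1, String url2 )
    {
        String strBaseUrl1 = getBaseUrl( url1 );

        // An empty base means "not extracted": two URLs that both fail extraction must not be considered equal
        return !StringUtils.isEmpty( strBaseUrl1 ) && strBaseUrl1.equals( getBaseUrl( url2 ) );
    }

    /**
     * Extracts the base URL of a URL using the regular expression held by the property
     * {@code VerifyBackUrlConstants.PROPERTY_REGEXP_BASE_URL}. The configured expression is expected to
     * capture the base URL in its second capturing group; what that group covers is defined by the
     * configuration, not by this method.
     *
     * @param strUrl the URL, may be {@code null}
     * @return the content of the second capturing group of the first match, or an empty string when the URL
     *         is {@code null}, no expression is configured, nothing matches, the expression has fewer than
     *         two groups, or the group did not take part in the match
     * @throws java.util.regex.PatternSyntaxException if the configured expression is invalid
     */
    public static String getBaseUrl( String strUrl )
    {
        String strRegexpBaseUrl = AppPropertiesService.getProperty( VerifyBackUrlConstants.PROPERTY_REGEXP_BASE_URL );

        if ( StringUtils.isEmpty( strRegexpBaseUrl ) || strUrl == null )
        {
            return "";
        }

        Matcher regexMatcher = Pattern.compile( strRegexpBaseUrl ).matcher( strUrl );

        // groupCount( ) guards against a configured expression with fewer than two groups
        if ( regexMatcher.find( ) && regexMatcher.groupCount( ) >= 2 )
        {
            String strBaseUrl = regexMatcher.group( 2 );

            return strBaseUrl == null ? "" : strBaseUrl;
        }

        return "";
    }

    /**
     * Stores the back URL in the HTTP session, creating the session if needed.
     *
     * @param request the current request
     * @param strBackUrl the URL to store; it should already have been validated by the checks of this class
     * @param strSessionAttributeName the session attribute name
     */
    public static void storeBackUrlInSession( HttpServletRequest request, String strBackUrl, String strSessionAttributeName )
    {
        request.getSession( true ).setAttribute( strSessionAttributeName, strBackUrl );
    }

    /**
     * Removes the back URL from the HTTP session. No session is created when none exists: there is nothing
     * to remove in that case.
     *
     * @param request the current request
     * @param strSessionAttributeName the session attribute name
     */
    public static void dropBackUrlInSession( HttpServletRequest request, String strSessionAttributeName )
    {
        HttpSession session = request.getSession( false );

        if ( session != null )
        {
            session.removeAttribute( strSessionAttributeName );
        }
    }

    /**
     * Reads the back URL from the HTTP session. No session is created when none exists: the value cannot be
     * present in that case.
     *
     * @param request the current request
     * @param strSessionAttributeName the session attribute name
     * @return the stored URL, or {@code null} when there is no session, no attribute, or the attribute is not
     *         a {@link String}
     */
    public static String getBackUrlInSession( HttpServletRequest request, String strSessionAttributeName )
    {
        HttpSession session = request.getSession( false );

        if ( session == null )
        {
            return null;
        }

        Object attribute = session.getAttribute( strSessionAttributeName );

        // Same result as the former cast for String values, without a ClassCastException for other types
        return attribute instanceof String ? (String) attribute : null;
    }

    /**
     * Encodes a URL with the URL-safe Base64 alphabet (padding included) from its UTF-8 bytes.
     *
     * @param strUrl the URL to encode
     * @return the encoded URL, or an empty string when {@code strUrl} is {@code null} or empty
     */
    public static String encodeUrl( String strUrl )
    {
        if ( StringUtils.isEmpty( strUrl ) )
        {
            return "";
        }

        // encodeToString produces the same ASCII text as new String( encode( ... ) ) without relying on the
        // platform default charset
        return Base64.getUrlEncoder( ).encodeToString( strUrl.getBytes( StandardCharsets.UTF_8 ) );
    }
}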