/**
 * Returns {@code input} unchanged when it is empty or passes
 * {@link #isValid(String, String[], String[])}; otherwise throws an {@link IdentityValidationException}
 * whose message names both pattern sets.
 *
 * <p>An empty or {@code null} input is returned as-is without consulting any pattern, so callers that
 * must reject empty values have to do that themselves.
 *
 * @param input             value to validate
 * @param whiteListPatterns keys of registered white list regexes (at least one required by {@code isValid})
 * @param blackListPatterns keys of registered black list regexes (at least one required by {@code isValid})
 * @return {@code input} when it is empty or valid
 * @throws IdentityValidationException when a non-empty input is neither white listed nor clear of the
 *                                     black list
 * @throws IllegalArgumentException    propagated from {@code isValid} when either key array is empty or a
 *                                     key has no registered regex
 */
public static String getValidInput(String input, String[] whiteListPatterns, String[] blackListPatterns)
        throws IdentityValidationException {
    if (StringUtils.isEmpty(input)) {
        return input;
    }
    if (isValid(input, whiteListPatterns, blackListPatterns)) {
        return input;
    }
    // Four-part message: header, white list section, separator, black list section.
    String failure = msgSection1
            + String.format(msgSection2, getPatternString(whiteListPatterns))
            + msgSection4
            + String.format(msgSection3, getPatternString(blackListPatterns));
    throw new IdentityValidationException(failure);
}
/**
 * Checks {@code input} against the given white list and black list pattern keys.
 *
 * <p>The white list is consulted first and acts only as an early accept: an input matching any white
 * list regex is valid regardless of the black list. An input that matches no white list regex is still
 * valid as long as it matches none of the black list regexes. The white list therefore never rejects
 * anything by itself; for inputs outside the white list the black list is the only gate, so it has to
 * cover every character class that is unsafe downstream.
 *
 * @param input             value to validate (the delegates treat empty or {@code null} input as valid)
 * @param whiteListPatterns keys of registered white list regexes, at least one
 * @param blackListPatterns keys of registered black list regexes, at least one
 * @return {@code true} when the input is white listed, or when it is not black listed
 * @throws IllegalArgumentException when either key array is empty, or (from the delegates) when a key
 *                                  has no registered regex
 */
public static boolean isValid(String input, String[] whiteListPatterns, String[] blackListPatterns) {
    boolean noWhiteList = ArrayUtils.isEmpty(whiteListPatterns);
    boolean noBlackList = ArrayUtils.isEmpty(blackListPatterns);
    if (noWhiteList || noBlackList) {
        throw new IllegalArgumentException("Should provide at least one white list pattern and black list pattern");
    }
    if (isValidOverWhiteListPatterns(input, whiteListPatterns)) {
        return true;
    }
    return isValidOverBlackListPatterns(input, blackListPatterns);
}
/**
 * Ensures every key in {@code patterns} has a regex registered, failing fast on the first unknown key.
 *
 * @param patterns pattern keys to check; the visible callers reject an empty or {@code null} array
 *                 before calling this, so no null guard is repeated here
 * @throws IllegalArgumentException for the first key without a registered regex
 */
private static void validatePatternKeys(String[] patterns) {
    for (String patternKey : patterns) {
        if (patternExists(patternKey)) {
            continue;
        }
        throw new IllegalArgumentException(String.format(PATTERN_NOT_REGISTERED, patternKey));
    }
}
}
/**
 * Returns {@code input} when it is empty or fully matches at least one of the given white list regexes.
 *
 * @param input             value to validate; empty or {@code null} is returned without any check
 * @param whiteListPatterns keys of registered white list regexes, at least one
 * @return {@code input}
 * @throws IdentityValidationException when a non-empty input matches none of the white list regexes
 * @throws IllegalArgumentException    when no key is given, or a key has no registered regex
 */
public static String getValidInputOverWhiteListPatterns(String input, String... whiteListPatterns)
        throws IdentityValidationException {
    boolean accepted = StringUtils.isEmpty(input)
            || isValidOverWhiteListPatterns(input, whiteListPatterns);
    if (!accepted) {
        String detail = String.format(msgSection2, getPatternString(whiteListPatterns));
        throw new IdentityValidationException(msgSection1 + detail);
    }
    return input;
}
/**
 * Returns {@code input} when it is empty or fully matches none of the given black list regexes.
 *
 * @param input             value to validate; empty or {@code null} is returned without any check
 * @param blackListPatterns keys of registered black list regexes, at least one
 * @return {@code input}
 * @throws IdentityValidationException when a non-empty input matches one of the black list regexes
 * @throws IllegalArgumentException    when no key is given, or a key has no registered regex
 */
public static String getValidInputOverBlackListPatterns(String input, String... blackListPatterns)
        throws IdentityValidationException {
    boolean accepted = StringUtils.isEmpty(input)
            || isValidOverBlackListPatterns(input, blackListPatterns);
    if (!accepted) {
        String detail = String.format(msgSection3, getPatternString(blackListPatterns));
        throw new IdentityValidationException(msgSection1 + detail);
    }
    return input;
}
/**
 * Listener hook run before a user's claim values are stored; validates only {@code profileName}.
 *
 * <p>{@code profileName} goes through {@code IdentityValidationUtil.isValid}, which accepts a value that
 * matches a white list regex OR matches none of the black list regexes. The white list here is thus just
 * a fast path; any profile name not caught by one of the black list regexes is accepted, so the black
 * list must cover every character class that is unsafe when the name is later rendered or stored.
 * NOTE(review): the {@code claims} values are not validated in this hook — presumably covered elsewhere;
 * confirm.
 *
 * @param userName         user whose claims are being set (used only for debug logging)
 * @param claims           claim values about to be stored; not validated here
 * @param profileName      profile the claims belong to; validated
 * @param userStoreManager user store the operation runs against
 * @return {@code true} to let the operation proceed
 * @throws UserStoreException when the profile name fails validation
 */
@Override
public boolean doPreSetUserClaimValues(String userName, Map<String, String> claims, String profileName,
                                       UserStoreManager userStoreManager) throws UserStoreException {
    if (!isEnable()) {
        return true;
    }
    if (log.isDebugEnabled()) {
        String domain = UserCoreUtil.getDomainName(userStoreManager.getRealmConfiguration());
        String tenant = IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId());
        String qualifiedUser = getFullQualifiedUsername(userName,
                StringUtils.isBlank(domain) ? UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME : domain, tenant);
        log.debug("doPreSetUserClaimValues method executed in ProfileMgtEventListener for user: " + qualifiedUser);
    }
    // Keys of regexes registered with IdentityValidationUtil. The black list targets input that could be
    // used for a stored XSS attack; see the precedence note above.
    String[] allowKeys = {ALPHANUMERICS_ONLY, DIGITS_ONLY};
    String[] denyKeys = {WHITESPACE_EXISTS, URI_RESERVED_EXISTS, HTML_META_EXISTS, XML_META_EXISTS,
            REGEX_META_EXISTS, URL};
    boolean safeProfileName = IdentityValidationUtil.isValid(profileName, allowKeys, denyKeys);
    if (!safeProfileName) {
        throw new UserStoreException("profile name contains invalid characters!");
    }
    return true;
}
/**
 * Builds a regex alternation of the given redirect URIs, e.g. {@code (uri1|uri2)}, validating each URI
 * against the {@code URL_WITHOUT_FRAGMENT} white list pattern first.
 *
 * <p>NOTE(review): every URI is appended verbatim, so regex metacharacters that are legal in a URL
 * ({@code .}, {@code ?}, {@code +}, {@code (}) keep their regex meaning in the result — a {@code .} in a
 * host name matches any character when the pattern is later matched. Wrapping each URI in
 * {@code Pattern.quote} would fix that, but only if nothing parses this string back into URIs by
 * splitting on {@code |}; confirm the read path before changing. Also, the validator returns empty input
 * unchanged, so an empty redirect URI in the list yields an empty alternative, which matches the empty
 * string.
 *
 * @param redirectURIs redirect URIs taken from the registration request
 * @return {@code (a|b|...)} over the URIs, or an empty string when the list is empty
 * @throws DCRException for the first URI that fails white list validation
 */
private String createRegexPattern(List<String> redirectURIs) throws DCRException {
    StringBuilder alternation = new StringBuilder();
    for (String uri : redirectURIs) {
        try {
            // Reject anything that is not a URL without a fragment before it is embedded in the regex.
            IdentityValidationUtil.getValidInputOverWhiteListPatterns(uri,
                    new String[]{IdentityValidationUtil.ValidatorPattern.URL_WITHOUT_FRAGMENT.name()});
        } catch (IdentityValidationException e) {
            //TODO: need to add error code
            throw IdentityException.error(DCRException.class, "Redirect URI: " + uri + ", is invalid", e);
        }
        String separator = alternation.length() == 0 ? "(" : "|";
        alternation.append(separator).append(uri);
    }
    if (alternation.length() > 0) {
        alternation.append(")");
    }
    return alternation.toString();
}
/**
 * Reports whether {@code input} matches at least one of the white list regexes named by the given keys.
 *
 * <p>Matching uses {@code matches()}, so a regex must cover the entire input. An empty or {@code null}
 * input is reported valid without consulting any pattern.
 *
 * @param input             value to validate
 * @param whiteListPatterns keys of registered white list regexes, at least one
 * @return {@code true} when the input is empty or fully matched by some white list regex
 * @throws IllegalArgumentException when no key is given, or a key has no registered regex
 */
public static boolean isValidOverWhiteListPatterns(String input, String... whiteListPatterns) {
    if (ArrayUtils.isEmpty(whiteListPatterns)) {
        throw new IllegalArgumentException("Should provide at least one white list pattern");
    }
    if (StringUtils.isEmpty(input)) {
        return true;
    }
    validatePatternKeys(whiteListPatterns);
    for (String patternKey : whiteListPatterns) {
        if (validatorConfig.getPattern(patternKey).matcher(input).matches()) {
            return true;
        }
    }
    return false;
}
/**
 * Returns {@code input} when it is empty or fully matches one of the given white list regexes, else
 * throws.
 *
 * @param input             value to validate; empty or {@code null} is returned without any check
 * @param whiteListPatterns keys of registered white list regexes, at least one
 * @return {@code input}
 * @throws IdentityValidationException when a non-empty input matches none of the white list regexes
 * @throws IllegalArgumentException    when no key is given or a key has no registered regex (the key
 *                                     check throws this, not {@code IdentityValidationException})
 */
public static String getValidInputOverWhiteListPatterns(String input, String... whiteListPatterns)
        throws IdentityValidationException {
    if (StringUtils.isEmpty(input)) {
        return input;
    }
    if (isValidOverWhiteListPatterns(input, whiteListPatterns)) {
        return input;
    }
    throw new IdentityValidationException(
            msgSection1 + String.format(msgSection2, getPatternString(whiteListPatterns)));
}
/**
 * Returns {@code input} when it is empty or fully matches none of the given black list regexes, else
 * throws.
 *
 * @param input             value to validate; empty or {@code null} is returned without any check
 * @param blackListPatterns keys of registered black list regexes, at least one
 * @return {@code input}
 * @throws IdentityValidationException when a non-empty input matches one of the black list regexes
 * @throws IllegalArgumentException    when no key is given or a key has no registered regex (the key
 *                                     check throws this, not {@code IdentityValidationException})
 */
public static String getValidInputOverBlackListPatterns(String input, String... blackListPatterns)
        throws IdentityValidationException {
    if (StringUtils.isEmpty(input)) {
        return input;
    }
    if (isValidOverBlackListPatterns(input, blackListPatterns)) {
        return input;
    }
    throw new IdentityValidationException(
            msgSection1 + String.format(msgSection3, getPatternString(blackListPatterns)));
}
/**
 * Pre-set-claims listener hook. When the listener is enabled it validates {@code profileName} and lets
 * the operation continue; the {@code claims} map itself is not inspected here (presumably validated
 * elsewhere — confirm).
 *
 * <p>Validation is {@code IdentityValidationUtil.isValid}, which passes a name that matches a white list
 * regex or matches none of the black list regexes. Because a non-white-listed name is still accepted
 * unless a black list regex fires, the black list — not the white list — is what blocks markup or URL
 * characters in the profile name.
 *
 * @param userName         user whose claims are being set (debug logging only)
 * @param claims           claim values about to be stored
 * @param profileName      profile the claims belong to
 * @param userStoreManager user store the operation runs against
 * @return {@code true} always, unless validation throws
 * @throws UserStoreException when the profile name fails validation
 */
@Override
public boolean doPreSetUserClaimValues(String userName, Map<String, String> claims, String profileName,
                                       UserStoreManager userStoreManager) throws UserStoreException {
    if (isEnable()) {
        if (log.isDebugEnabled()) {
            String storeDomain = UserCoreUtil.getDomainName(userStoreManager.getRealmConfiguration());
            if (StringUtils.isBlank(storeDomain)) {
                storeDomain = UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME;
            }
            String tenantDomain = IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId());
            log.debug("doPreSetUserClaimValues method executed in ProfileMgtEventListener for user: "
                    + getFullQualifiedUsername(userName, storeDomain, tenantDomain));
        }
        // Black list keys name regexes for input that could be used for a stored XSS attack.
        String[] whiteListKeys = {ALPHANUMERICS_ONLY, DIGITS_ONLY};
        String[] blackListKeys = {WHITESPACE_EXISTS, URI_RESERVED_EXISTS, HTML_META_EXISTS,
                XML_META_EXISTS, REGEX_META_EXISTS, URL};
        if (!IdentityValidationUtil.isValid(profileName, whiteListKeys, blackListKeys)) {
            throw new UserStoreException("profile name contains invalid characters!");
        }
    }
    return true;
}
try { IdentityValidationUtil.getValidInputOverWhiteListPatterns(redirectUri, new String[]{IdentityValidationUtil.ValidatorPattern.URL_WITHOUT_FRAGMENT.name()}); oAuthConsumerApp.setCallbackUrl(redirectUri);
/**
 * Reports whether {@code input} is clear of every black list regex named by the given keys.
 *
 * <p>Matching uses {@code matches()}, so a black list regex only fires when it covers the entire input;
 * the registered regexes are presumably written with that in mind (e.g. {@code .*<.*} rather than
 * {@code <}) — confirm, since a substring-only regex would never reject anything here. An empty or
 * {@code null} input is reported valid without consulting any pattern.
 *
 * @param input             value to validate
 * @param blackListPatterns keys of registered black list regexes, at least one
 * @return {@code true} when the input is empty or matched by no black list regex
 * @throws IllegalArgumentException when no key is given, or a key has no registered regex
 */
public static boolean isValidOverBlackListPatterns(String input, String... blackListPatterns) {
    if (ArrayUtils.isEmpty(blackListPatterns)) {
        throw new IllegalArgumentException("Should provide at least one black list pattern");
    }
    if (StringUtils.isEmpty(input)) {
        return true;
    }
    validatePatternKeys(blackListPatterns);
    for (String patternKey : blackListPatterns) {
        if (validatorConfig.getPattern(patternKey).matcher(input).matches()) {
            return false;
        }
    }
    return true;
}
/**
 * Validates {@code input} against both pattern sets via {@link #isValid(String, String[], String[])} and
 * returns it when it passes; empty or {@code null} input is returned without any check.
 *
 * @param input             value to validate
 * @param whiteListPatterns keys of registered white list regexes, at least one
 * @param blackListPatterns keys of registered black list regexes, at least one
 * @return {@code input}
 * @throws IdentityValidationException when a non-empty input is neither white listed nor clear of the
 *                                     black list; the message lists both pattern sets
 * @throws IllegalArgumentException    from {@code isValid} when either key array is empty or a key has
 *                                     no registered regex
 */
public static String getValidInput(String input, String[] whiteListPatterns, String[] blackListPatterns)
        throws IdentityValidationException {
    boolean accepted = StringUtils.isEmpty(input)
            || isValid(input, whiteListPatterns, blackListPatterns);
    if (accepted) {
        return input;
    }
    String whiteListSection = String.format(msgSection2, getPatternString(whiteListPatterns));
    String blackListSection = String.format(msgSection3, getPatternString(blackListPatterns));
    throw new IdentityValidationException(msgSection1 + whiteListSection + msgSection4 + blackListSection);
}
/**
 * Combined white list / black list check: valid when the input matches some white list regex, or when
 * it matches no black list regex.
 *
 * <p>Precedence goes to the white list, so a value that is both white listed and black listed is valid.
 * Note the consequence for callers: the white list can only admit, never reject — a value outside the
 * white list is still accepted unless a black list regex fires, so the black list is the effective gate.
 *
 * @param input             value to validate (empty or {@code null} is valid by the delegates' rules)
 * @param whiteListPatterns keys of registered white list regexes, at least one
 * @param blackListPatterns keys of registered black list regexes, at least one
 * @return {@code isWhiteListed || isNotBlackListed}
 * @throws IllegalArgumentException when either key array is empty, or (from the delegates) when a key
 *                                  has no registered regex
 */
public static boolean isValid(String input, String[] whiteListPatterns, String[] blackListPatterns) {
    if (ArrayUtils.isEmpty(whiteListPatterns) || ArrayUtils.isEmpty(blackListPatterns)) {
        throw new IllegalArgumentException("Should provide at least one white list pattern and black list pattern");
    }
    boolean whiteListed = isValidOverWhiteListPatterns(input, whiteListPatterns);
    // Only consult the black list when the white list did not already accept the value.
    return whiteListed || isValidOverBlackListPatterns(input, blackListPatterns);
}