owasp-esapi-ruby 0.30.0

data/lib/validator/date_rule.rb

@@ -0,0 +1,92 @@
+require 'date'
+
+# DateTime now has a to_time method injected in
+class DateTime
+  def to_time
+    self.offset == 0 ? ::Time.utc(year, month, day, hour, min, sec) : self
+  end
+end
+
+module Owasp
+  module Esapi
+    module Validator
+
+      # A validator performs syntax and possibly semantic validation of a single
+      # piece of string data from an untrusted source. This class will return
+      # Time objects, as they are more flexible to reformat to for timezones
+      # and calendars
+      # Format variables, from rdoc
+      # %a - The abbreviated weekday name (``Sun'')
+      # %A - The  full  weekday  name (``Sunday'')
+      # %b - The abbreviated month name (``Jan'')
+      # %B - The  full  month  name (``January'')
+      # %c - The preferred local date and time representation
+      # %d - Day of the month (01..31)
+      # %H - Hour of the day, 24-hour clock (00..23)
+      # %I - Hour of the day, 12-hour clock (01..12)
+      # %j - Day of the year (001..366)
+      # %m - Month of the year (01..12)
+      # %M - Minute of the hour (00..59)**
+      # %p - Meridian indicator (``AM''  or  ``PM'')
+      # %S - Second of the minute (00..60)
+      # %U - Week  number  of the current year,
+      #        starting with the first Sunday as the first
+      #        day of the first week (00..53)
+      # %W - Week  number  of the current year,
+      #        starting with the first Monday as the first
+      #        day of the first week (00..53)
+      # %w - Day of the week (Sunday is 0, 0..6)
+      # %x - Preferred representation for the date alone, no time
+      # %X - Preferred representation for the time alone, no date
+      # %y - Year without a century (00..99)
+      # %Y - Year with century
+      # %Z - Time zone name
+      # %% - Literal ``%'' character
+      class DateRule < BaseRule
+        attr :format
+        # Create a validator, if no format is specificed
+        # We assume %b $d, %Y i.e. September 11, 2001
+        def initialize(type, encoder = nil, dateformat = nil)
+          super(type,encoder)
+          @format = dateformat
+          @format = "%B %d, %Y" if dateformat.nil?
+        end
+
+        # Parse the input, raise exceptions if validation fails
+        # Returns a Time object
+        # see BaseRule
+        def valid(context,input)
+          # check for empty
+          if input.nil? or input.empty?
+            if @allow_nil
+              return nil
+            end
+            user = "#{context}: Input date required"
+            log = "Input date required: context=#{context}, input=#{input}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+          # clean the input
+          clean = @encoder.canonicalize(input)
+          begin
+            return DateTime.strptime(clean,@format).to_time
+          rescue ArgumentError => failed
+            user="#{context}: Input date required"
+            log="Input date required: context=#{context}, input=#{input}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+        end
+
+        # Calls valid, with any failures causing it to return a zero Time object
+        def sanitize(context,input)
+          d = Time.new(0)
+          begin
+            d = valid(context,input)
+          rescue ValidationException => e
+          end
+          return d
+        end
+
+      end
+    end
+  end
+end

data/lib/validator/email.rb

@@ -0,0 +1,29 @@
+require 'validator/generic_validator'
+
+module Owasp
+  module Esapi
+    module Validator
+      class Email < GenericValidator
+        
+        EMAIL_REGEX = "^(\\w)+[@](\\w)+[.]\\w{3}$"
+        # In order to make a strong validation for email addresses, it might be a good idea to 
+        # make a check for the domain tld.
+        # This is a very optional and beta feature, so it is turned off by default.
+        attr_reader :validate_tld
+        
+        def initialize(options=nil)
+          validate_tld = false
+          @matcher = EMAIL_REGEX
+          super(@matcher)
+          
+          unless options.nil? 
+            if options.has_key? "validate_tld"
+              validate_tld = options["validate_tld"]
+            end
+          end
+        end
+      
+      end
+    end
+  end
+end

data/lib/validator/float_rule.rb

@@ -0,0 +1,76 @@
+module Owasp
+  module Esapi
+    module Validator
+      class FloatRule < BaseRule
+        attr_accessor :min, :max
+
+        def initialize(type,encoder=nil,min=nil,max=nil)
+          super(type,encoder)
+          @min = min
+          @max = max
+          @min = Float::MIN if min.nil?
+          @max = Float::MAX if max.nil?
+        end
+
+        # Validate the input context as an integer
+        def valid(context,input)
+          if input.nil?
+            if @allow_nil
+              return nil
+            end
+            puts "::#{input}::"
+            user = "#{context}: Input number required"
+            log = "Input number required: context=#{context}, input=#{input}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+          clean = @encoder.canonicalize(input)
+          if @min > @max
+            user = "#{context}: Invalid number input: context"
+            log = "Validation parameter error for number: maxValue ( #{max}) must be greater than minValue ( #{min}) for #{context}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+          begin
+            user = "Invalid number input must be between #{min} and #{max}: context=#{context}"
+            log = "Invalid number input must be between #{min} and #{max}: context=#{context}, input=#{input}"
+            i = Float(clean)
+            #check min
+            if i < @min
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+            # check max
+            if i > @max
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+            # check infinity
+            if i.infinite?
+              user = "#{context}: Invalid number input: context"
+              log = "Invalid double input is infinite context=#{context} input=#{input}"
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+            # checknan
+            if i.nan?
+              user = "#{context}: Invalid number input: context"
+              log = "Invalid double input not a number context=#{context} input=#{input}"
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+            return i
+          rescue Exception => e
+            user = "#{context}: Input number required"
+            log = "Input number required: context=#{context}, input=#{input}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+        end
+
+        # This will call valid and return a 0 if its invalid
+        def sanitize(context,input)
+          result = 0
+          begin
+            result= valid(context,input)
+          rescue ValidationException => e
+          end
+          result
+        end
+      end
+    end
+  end
+end

data/lib/validator/generic_validator.rb

@@ -0,0 +1,26 @@
+# This is the generic validator class that it will be the dad of all specific validation classes.
+module Owasp
+  module Esapi
+    module Validator
+      class GenericValidator
+        
+        attr_accessor :matcher
+        
+        # Creates a new generic validator.
+        # @param [String] matcher the regular expression to be matched from this validator
+        def initialize(matcher)
+          @matcher = matcher
+        end
+        
+        # Validate a string against the matcher
+        # @param [String] string the string that need to be validated
+        # @return [Boolean] true if the string matches the regular expression, false otherwise
+        def valid?(string)
+          r = Regexp.new(@matcher)
+          
+          !(string =~ r).nil?
+        end
+      end
+    end
+  end
+end

data/lib/validator/integer_rule.rb

@@ -0,0 +1,61 @@
+module Owasp
+  module Esapi
+    module Validator
+      class IntegerRule < BaseRule
+        attr_accessor :min, :max
+
+        def initialize(type,encoder=nil,min=nil,max=nil)
+          super(type,encoder)
+          @min = min
+          @max = max
+          @min = Integer::MIN if min.nil?
+          @max = Integer::MAX if max.nil?
+        end
+
+        # Validate the input context as an integer
+        def valid(context,input)
+          if input.nil?
+            if @allow_nil
+              return nil
+            end
+            user = "#{context}: Input number required"
+            log = "Input number required: context=#{context}, input=#{input}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+          clean = @encoder.canonicalize(input)
+          if @min > @max
+            user = "#{context}: Invalid number input: context"
+            log = "Validation parameter error for number: maxValue ( #{max}) must be greater than minValue ( #{min}) for #{context}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+          begin
+            user = "Invalid number input must be between #{min} and #{max}: context=#{context}"
+            log = "Invalid number input must be between #{min} and #{max}: context=#{context}, input=#{input}"
+            i = Integer(clean)
+            if i < @min
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+            if i > @max
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+            return i
+          rescue Exception => e
+            user = "#{context}: Input number required"
+            log = "Input number required: context=#{context}, input=#{input}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+        end
+
+        # SThis will call valid and return a 0 if its invalid
+        def sanitize(context,input)
+          result = 0
+          begin
+            result= valid(context,input)
+          rescue ValidationException => e
+          end
+          result
+        end
+      end
+    end
+  end
+end

data/lib/validator/string_rule.rb

@@ -0,0 +1,146 @@
+require 'stringio'
+
+module Owasp
+  module Esapi
+    module Validator
+
+      # A validator performs syntax and possibly semantic validation of a single
+      # piece of string data from an untrusted source.
+      class StringRule < BaseRule
+        attr_writer :min,:max,:canonicalize
+
+        # Create an instance of the String vlidator
+        # whitelist_pattern is an optionla white listing regex
+        def initialize(type,encoder = nil,whitelist_pattern = nil)
+          super(type,encoder)
+          @white_list = []
+          @black_list = []
+          @white_list << whitelist_pattern unless whitelist_pattern.nil?
+          @min = 0
+          @max = 0
+          @canonicalize = false
+        end
+
+        # Add a whitelist regex
+        def add_whitelist(p)
+          raise ArgumentError.new("Nil Pattern") if p.nil?
+          @white_list << create_regex(p)
+        end
+
+        # Add a blacklist regex
+        def add_blacklist(p)
+          raise ArgumentError.new("Nil Pattern") if p.nil?
+          @black_list << create_regex(p)
+        end
+
+        # Ensure we dont show the warnings to stderr, just fail the regexp
+        def create_regex(p) #:nodoc:
+          output = StringIO.open('','w')
+          $stderr = output
+          begin
+            r = /#{p}/
+          ensure
+            output.close
+            $stderr = STDERR
+          end
+        end
+
+        # Checks input against whitelists.
+        def check_white_list(context,input,original = nil)
+          original = input.dup if original.nil?
+          @white_list.each do |p|
+            match = p.match(input)
+            if match.nil? or not match[0].eql?(input)
+              # format user msg
+              user = "#{context}: Invalid input. Conform to #{p.to_s}"
+              user << " with a max length of #{@max}" unless @max == 0
+              # format log message
+              log = "Invalid input: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
+              log << ", input=#{input}, original=#{original}"
+              # raise an error
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+          end
+          input
+        end
+
+        # Checks input against blacklists.
+        def check_black_list(context,input,original = nil)
+          original = input.dup if original.nil?
+          @black_list.each do |p|
+            if p.match(input)
+              # format user msg
+              user = "#{context}: Invalid input. Dangerous input matching #{p.to_s}"
+              # format log message
+              log = "Dangerous input: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
+              log << ", input=#{input}, original=#{original}"
+              # raise an error
+              raise Owasp::Esapi::ValidationException.new(user,log,context)
+            end
+          end
+          input
+        end
+
+        # Checks input lengths
+        def check_length(context,input,original = nil)
+          original = input.dup if original.nil?
+          # check min value
+          if input.size < @min
+            user = "#{context}: Invalid input, The min length is #{@min} characters"
+            log = "Input didnt meet #{@min} chars by #{input.size}: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
+            log << ", input=#{input}, original=#{original}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+          # check max value
+          if input.size > @max and @max > 0
+            user = "#{context}: Invalid input, The max length is #{@max} characters"
+            log = "Input exceed #{@max} chars by #{input.size}: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
+            log << ", input=#{input}, original=#{original}"
+            raise Owasp::Esapi::ValidationException.new(user,log,context)
+          end
+          input
+        end
+
+        def check_empty(context,input,orig = nil)
+          return nil if @allow_nil and input.nil?
+          unless input.nil?
+            original = input.dup if original.nil?
+            return input unless input.empty?
+          end
+          user = "#{context}: Input required."
+          log = "Input required: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
+          log << ", input=#{input}, original=#{original}"
+          raise Owasp::Esapi::ValidationException.new(user,log,context)
+        end
+
+        # Remvoe any non alpha numerics form the string
+        def sanitize(context,input)
+          whitelist(input,Owasp::Esapi::Ecnoder::CHAR_ALPHANUMERIC)
+        end
+
+        # Parse the input, raise exceptions if validation fails
+        # see BaseRule
+        def valid(context,input)
+
+          data = nil
+          return nil if check_empty(context,input).nil?
+          # check for pre-canonicalize if we are in sanitize mode
+          check_length(context,input) if @canonicalize
+          check_white_list(context,input) if @canonicalize
+          check_black_list(context,input) if @canonicalize
+          if @canonicalize
+            data = encoder.canonicalize(input)
+          else
+            data = input
+          end
+          # no check again after we figured otu canonicalization
+          return nil if check_empty(context,input).nil?
+          check_length(context,input)
+          check_white_list(context,input)
+          check_black_list(context,input)
+          data
+        end
+      end
+    end
+  end
+end

data/lib/validator/validator_error_list.rb

@@ -0,0 +1,48 @@
+module Owasp
+  module Esapi
+    module Validator
+      # List of Validation exceptions
+      # this list is indexed by the context
+      class ValidatorErrorList
+
+        # Create a new list
+        def initialize()
+          @errors = {}
+        end
+
+        # Add an error to the list. We will raise ArgumentException if any of the following is true:
+        # 1. error is nil
+        # 2. context is nil
+        # 3. we already have an error for the given context
+        # 4. the error isnt a ValidationException
+        def <<(error)
+          raise ArgumentError.new("Invalid Error") if error.nil?
+          if error.instance_of?(ValidationException)
+            context = error.context
+            raise ArgumentError.new("Invalid context") if context.nil?
+            raise ArgumentError.new("Duplicate error") if @errors.has_key?(context)
+            @errors[context] = error
+          else
+            raise ArgumentError.new("Exception was not a ValdiaitonException")
+          end
+        end
+
+        # Return true if this list is empty
+        def empty?
+          @errors.empty?
+        end
+
+        # Return the size of the list
+        def size
+          @errors.size
+        end
+
+        # Return the array of errors in this list
+        def errors
+          @errors.values
+        end
+
+      end
+    end
+  end
+end