/**
 * Logs a validation error (an attack record) by unpacking its fields and delegating to the field-by-field
 * {@code log} overload, which is not part of this listing. The original documentation states that the
 * record is only written when the web application's configured logging level is at least INFO; if that
 * check exists it lives in the overload, not here — confirm there.
 *
 * @param error Validator error data; must not be {@code null}, since every getter is invoked on it
 */
public void log(final ValidatorError error) {
    this.log(error.getType(), error.getRule(), error.getTarget(), error.getParameterName(), error.getParameterValue(), error.getOriginalParameterValue(), error.getLocalIp(), error.getRemoteIp(), error.getUserName(), error.getValidationRuleName());
}
/**
 * Creates an exception for {@code message} with no underlying cause; the attached result holds a single
 * {@link ValidatorError} built from that same message.
 *
 * @param message description of the validation failure
 */
public ValidationErrorException(final String message) {
    // The cast makes explicit that the missing argument is the Throwable cause of the three-argument constructor.
    this(message, (Throwable) null, new ValidatorHelperResult(new ValidatorError(message)));
}
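/**
 * Completes each {@link ValidatorError} with request-scoped data: local and remote IP addresses, the user
 * name and a target that always carries the context path.
 * <p>
 * The IP and user lookups are performed once per request rather than once per error. A {@code null} target
 * falls back to the request URI (which already includes the context path); any other target is prefixed
 * with the context path unless it already starts with it. For the root context the context path is the
 * empty string, so {@code startsWith} is always true and nothing is prepended.
 *
 * @param request request object
 * @param errors all validation errors; each one is mutated in place
 */
protected void completeErrorData(final HttpServletRequest request, final List<ValidatorError> errors) {
    final String localIp = userData.getLocalIp(request);
    final String remoteIp = userData.getRemoteIp(request);
    final String userName = userData.getUsername(request);
    final String contextPath = request.getContextPath();
    for (final ValidatorError error : errors) {
        error.setLocalIp(localIp);
        error.setRemoteIp(remoteIp);
        error.setUserName(userName);
        // Include context path in the target (reuse the cached value instead of querying the request again).
        String target = error.getTarget();
        if (target == null) {
            target = request.getRequestURI();
        } else if (!target.startsWith(contextPath)) {
            target = contextPath + target;
        }
        error.setTarget(target);
    }
}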
/**
 * Creates an exception for {@code message} caused by {@code e}. The attached result holds a single
 * {@link ValidatorError} built from the message, on which the cause is recorded as well.
 *
 * @param message description of the validation failure
 * @param e underlying cause, also stored on the first error of the result
 */
public ValidationErrorException(final String message, final Throwable e) {
    this(message, e, new ValidatorHelperResult(new ValidatorError(message)));
    // The result was just created with exactly one error; attach the cause to it.
    final ValidatorError onlyError = result.getErrors().get(0);
    onlyError.setException(e);
}
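/**
 * Rejects, through {@code errors}, the value of the single editable parameter {@code param} if HDIV flagged
 * it during editable validation. The flagged errors are read from the request-scoped attribute
 * {@link Constants#EDITABLE_PARAMETER_ERROR}; outside a web request nothing is done. If several errors
 * exist for the same parameter the last one wins, so a single rejection is reported.
 *
 * @param param name of the editable parameter being validated
 * @param errors Spring validation errors that receive the rejection
 */
@SuppressWarnings("unchecked")
protected void validateEditableParameter(final String param, final Errors errors) {
    final RequestAttributes attr = RequestContextHolder.getRequestAttributes();
    if (attr == null) {
        // Not running inside a web request: there is nothing to look up.
        return;
    }
    // Use the named scope constant instead of the bare 0 it stands for.
    final List<ValidatorError> validationErrors = (List<ValidatorError>) attr.getAttribute(Constants.EDITABLE_PARAMETER_ERROR, RequestAttributes.SCOPE_REQUEST);
    if (validationErrors == null || validationErrors.isEmpty()) {
        return;
    }
    ValidatorError paramError = null;
    for (final ValidatorError error : validationErrors) {
        // Compare with param on the left so an error without a parameter name cannot cause an NPE.
        if (param != null && param.equals(error.getParameterName())) {
            paramError = error;
        }
    }
    if (paramError != null) {
        rejectParamValues(paramError.getParameterName(), paramError.getParameterValue(), errors);
    }
}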
writer.startError("Invalid request"); for (ValidatorError error : errors) { writer.write(" Type:" + error.getType()); writer.write(", Param:" + error.getParameterName()); writer.write(", Value:" + error.getParameterValue());
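/**
 * Tells whether any error in {@code errors} is of type {@link HDIVErrorCodes#INVALID_PAGE_ID}, which
 * (judging by this method's name) means the page referenced by the request was not found.
 *
 * @param errors Validation errors; may be {@code null} or empty
 * @return true if there is any INVALID_PAGE_ID error in the list
 */
protected boolean isPageNotFoundError(final List<ValidatorError> errors) {
    if (errors == null) {
        return false;
    }
    for (final ValidatorError error : errors) {
        if (HDIVErrorCodes.INVALID_PAGE_ID.equals(error.getType())) {
            return true;
        }
    }
    return false;
}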
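/**
 * Helper method to write the validation errors (attacks) to the log, after stamping each one with the
 * request URI as its target.
 *
 * @param context Request context
 * @param errors validation errors; {@code null} or empty logs nothing
 */
private void log(final FacesContext context, final List<FacesValidatorError> errors) {
    if (errors == null || errors.isEmpty()) {
        return;
    }
    final HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
    // Resolve the target once; the request URI is assumed not to change between errors of the same request.
    final String target = HDIVUtil.getRequestContext(request).getRequestURI();
    for (final ValidatorError error : errors) {
        error.setTarget(target);
        logger.log(error);
    }
}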
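/**
 * Obtains the errors detected by HDIV during the validation process of the editable parameters from the
 * request-scoped attribute {@link Constants#EDITABLE_PARAMETER_ERROR} and rejects each affected parameter
 * value through {@code errors}. Outside a web request nothing is done.
 *
 * @param errors Spring validation errors that receive one rejection per flagged parameter
 */
@SuppressWarnings("unchecked")
protected void validateEditableParameters(final Errors errors) {
    final RequestAttributes attr = RequestContextHolder.getRequestAttributes();
    if (attr == null) {
        // Not running inside a web request: there is nothing to look up.
        return;
    }
    // Use the named scope constant instead of the bare 0 it stands for.
    final List<ValidatorError> validationErrors = (List<ValidatorError>) attr.getAttribute(Constants.EDITABLE_PARAMETER_ERROR, RequestAttributes.SCOPE_REQUEST);
    if (validationErrors == null) {
        return;
    }
    for (final ValidatorError error : validationErrors) {
        rejectParamValues(error.getParameterName(), error.getParameterValue(), errors);
    }
}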
/**
 * Decides whether a validation error should be dropped because the kind of validation that produced it
 * (editable or integrity) is disabled in the HDIV configuration.
 *
 * @param validatorError the error to inspect
 * @return {@code true} when the error belongs to a validation kind that is switched off
 */
public boolean shouldErrorBeRemoved(final ValidatorError validatorError) {
    final boolean editable = HDIVErrorCodes.isEditableError(validatorError.getType());
    // An editable error is dropped when editable validation is off; any other error when integrity validation is off.
    return editable ? !hdivConfig.isEditableValidation() : !hdivConfig.isIntegrityValidation();
}
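/**
 * Obtains the errors detected by HDIV during the validation process of the editable parameters and turns
 * them into Struts {@link ActionMessages}, one entry per rejected parameter keyed
 * {@code "hdiv.editable." + parameterName}.
 * <p>
 * A rejected value that contains the password marker is reported without the value, so the secret is not
 * echoed back. Any other rejected value is passed through {@code createMessageError} before being placed in
 * the message; that method is assumed to neutralise the value for display (it is request-supplied input
 * that was just rejected) — confirm its implementation.
 *
 * @param request The servlet request we are processing
 * @return errors detected by HDIV during the validation process of the editable parameters, or {@code null}
 *         when there are none
 */
public ActionMessages getEditableParametersErrors(final HttpServletRequest request) {
    @SuppressWarnings("unchecked")
    final List<ValidatorError> validationErrors = (List<ValidatorError>) request.getAttribute(EDITABLE_PARAMETER_ERROR);
    if (validationErrors == null || validationErrors.isEmpty()) {
        // Keep returning null when there is nothing to report (the existing contract).
        return null;
    }
    final ActionMessages errors = new ActionMessages();
    for (final ValidatorError validationError : validationErrors) {
        // A missing parameter value is treated as empty instead of failing with an NPE on contains().
        final String rawValue = validationError.getParameterValue();
        final String errorValues = rawValue == null ? "" : rawValue;
        final ActionMessage error;
        if (errorValues.contains(HDIV_EDITABLE_PASSWORD_ERROR)) {
            error = new ActionMessage(HDIV_EDITABLE_PASSWORD_ERROR);
        } else {
            final String printedValue = createMessageError(errorValues);
            error = new ActionMessage(HDIV_EDITABLE_ERROR, printedValue);
        }
        errors.add("hdiv.editable." + validationError.getParameterName(), error);
    }
    return errors;
}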
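/**
 * Completes each {@link ValidatorError} with request-scoped data: local and remote IP addresses, the user
 * name and a target that always carries the context path.
 * <p>
 * The servlet request is obtained from the JSF external context. The IP and user lookups are performed
 * once per request rather than once per error. A {@code null} target falls back to the request URI (which
 * already includes the context path); any other target is prefixed with the context path unless it already
 * starts with it. For the root context the context path is the empty string, so {@code startsWith} is
 * always true and nothing is prepended.
 *
 * @param context request object
 * @param errors all validation errors; each one is mutated in place
 */
protected void completeErrorData(final FacesContext context, final List<FacesValidatorError> errors) {
    final HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
    final String localIp = userData.getLocalIp(request);
    final String remoteIp = userData.getRemoteIp(request);
    final String userName = userData.getUsername(request);
    final String contextPath = request.getContextPath();
    for (final ValidatorError error : errors) {
        error.setLocalIp(localIp);
        error.setRemoteIp(remoteIp);
        error.setUserName(userName);
        // Include context path in the target (reuse the cached value instead of querying the request again).
        String target = error.getTarget();
        if (target == null) {
            target = request.getRequestURI();
        } else if (!target.startsWith(contextPath)) {
            target = contextPath + target;
        }
        error.setTarget(target);
    }
}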
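/**
 * Locates the {@code SharedHdivException} in the cause chain of {@code e} and wraps it as a single
 * {@link ValidatorError} for {@code target}.
 * <p>
 * Unless {@code allowUncontrolledOrigin} is set, an HDIV exception whose own cause chain contains a
 * programming or resource error (NPE, index out of bounds, class cast, class not found, out of memory,
 * stack overflow) is not treated as a validation failure and {@code null} is returned, so such faults are
 * not reported as attacks.
 *
 * @param e the throwable to inspect; {@code null} yields {@code null}
 * @param target the target the error refers to
 * @param allowUncontrolledOrigin whether an HDIV exception rooted in an uncontrolled error still counts
 * @return a single-element list with the error, or {@code null} when no reportable HDIV exception was found
 */
private List<ValidatorError> findErrors(final Throwable e, final String target, final boolean allowUncontrolledOrigin) {
    Throwable current = e;
    while (current != null && !(current instanceof SharedHdivException)) {
        current = current.getCause();
    }
    if (current == null) {
        return null;
    }
    if (log.isErrorEnabled()) {
        log.error("Exception in request validation", current);
    }
    if (!allowUncontrolledOrigin && hasUncontrolledOrigin(current)) {
        return null;
    }
    return Collections.singletonList(new ValidatorError(current, target));
}

/**
 * Tells whether any cause below {@code hdivException} (the exception itself excluded) is one of the error
 * types that indicate a bug or resource exhaustion rather than a tampered request.
 *
 * @param hdivException the HDIV exception whose causes are walked
 * @return {@code true} when such a cause is found
 */
private static boolean hasUncontrolledOrigin(final Throwable hdivException) {
    Throwable invalid = hdivException;
    while ((invalid = invalid.getCause()) != null) {
        if (invalid instanceof NullPointerException || invalid instanceof IndexOutOfBoundsException
                || invalid instanceof OutOfMemoryError || invalid instanceof ClassNotFoundException
                || invalid instanceof StackOverflowError || invalid instanceof ClassCastException) {
            return true;
        }
    }
    return false;
}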
/**
 * Separates the editable-validation errors from {@code errors} and, when editable validation is enabled,
 * exposes them to the web framework integration through the request attribute
 * {@link Constants#EDITABLE_PARAMETER_ERROR}. If the configuration asks for an error page, the same list is
 * also stored in the session under that attribute name so the error page (reached after a redirect) can
 * read it; note that those errors carry the rejected parameter values.
 *
 * @param request current request context
 * @param errors all errors found for the request
 * @return {@code true} when at least one editable error was present, regardless of configuration
 */
public boolean processEditableValidationErrors(final RequestContextHolder request, final List<ValidatorError> errors) {
    final List<ValidatorError> editableErrors = new ArrayList<ValidatorError>();
    for (final ValidatorError candidate : errors) {
        if (!HDIVErrorCodes.isEditableError(candidate.getType())) {
            continue;
        }
        editableErrors.add(candidate);
    }
    final boolean found = !editableErrors.isEmpty();
    if (found && hdivConfig.isEditableValidation()) {
        // Let the web framework pick the errors up from the request.
        request.setAttribute(Constants.EDITABLE_PARAMETER_ERROR, editableErrors);
        if (hdivConfig.isShowErrorPageOnEditableValidation()) {
            // The error page is reached by redirect, so a request attribute would be lost: keep a copy in the session.
            request.getSession().setAttribute(Constants.EDITABLE_PARAMETER_ERROR, editableErrors);
        }
    }
    return found;
}
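/**
 * Obtains the errors detected by HDIV during the validation process of the editable parameters and turns
 * them into Struts {@link ActionMessages}, one entry per rejected parameter keyed
 * {@code "hdiv.editable." + parameterName}.
 * <p>
 * A rejected value that contains the password marker is reported without the value, so the secret is not
 * echoed back. Any other rejected value is passed through {@code createMessageError} before being placed in
 * the message; that method is assumed to neutralise the value for display (it is request-supplied input
 * that was just rejected) — confirm its implementation.
 *
 * @param request The servlet request we are processing
 * @return errors detected by HDIV during the validation process of the editable parameters, or {@code null}
 *         when there are none
 */
public ActionMessages getEditableParametersErrors(final HttpServletRequest request) {
    @SuppressWarnings("unchecked")
    final List<ValidatorError> validationErrors = (List<ValidatorError>) request.getAttribute(EDITABLE_PARAMETER_ERROR);
    if (validationErrors == null || validationErrors.isEmpty()) {
        // Keep returning null when there is nothing to report (the existing contract).
        return null;
    }
    final ActionMessages errors = new ActionMessages();
    for (final ValidatorError validationError : validationErrors) {
        // A missing parameter value is treated as empty instead of failing with an NPE on contains().
        final String rawValue = validationError.getParameterValue();
        final String errorValues = rawValue == null ? "" : rawValue;
        final ActionMessage error;
        if (errorValues.contains(HDIV_EDITABLE_PASSWORD_ERROR)) {
            error = new ActionMessage(HDIV_EDITABLE_PASSWORD_ERROR);
        } else {
            final String printedValue = createMessageError(errorValues);
            error = new ActionMessage(HDIV_EDITABLE_ERROR, printedValue);
        }
        errors.add("hdiv.editable." + validationError.getParameterName(), error);
    }
    return errors;
}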
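/**
 * Checks that the confidential value received in <code>value</code> is an integer index lower than the
 * number of real values held in the state for <code>parameter</code>.
 * <p>
 * The value is first matched against {@code numberPattern} (presumably digits only — check its definition)
 * so that a non-numeric string is rejected without parsing, then parsed; a digit string too long for an
 * {@code int} raises {@link NumberFormatException}, which is reported as the same error. An empty
 * {@code stateValues} list rejects every value instead of failing with an index exception.
 *
 * @param target Part of the url that represents the target action
 * @param parameter parameter
 * @param value value
 * @param stateValues real values for <code>parameter</code>
 * @return ValidatorHelperResult with the result of the validation.
 * @since HDIV 2.0
 */
protected ValidatorHelperResult isInRange(final String target, final String parameter, final String value, final List<String> stateValues) {
    final Matcher m = numberPattern.matcher(value);
    boolean inRange;
    try {
        inRange = m.matches() && Integer.parseInt(value) < stateValues.size();
    } catch (final NumberFormatException e) {
        // The pattern matched but the number does not fit in an int: out of range by definition.
        inRange = false;
    }
    if (inRange) {
        return ValidatorHelperResult.VALID;
    }
    // Report the real value the parameter should have carried; with zero or several values, their list form.
    final String originalValue = stateValues.size() == 1 ? stateValues.get(0) : stateValues.toString();
    final ValidatorError error = new ValidatorError(HDIVErrorCodes.INVALID_CONFIDENTIAL_VALUE, target, parameter, value, originalValue);
    return new ValidatorHelperResult(error);
}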
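/**
 * Decides whether the request must be stopped because of the given validation errors, taking the
 * configuration into account: an integrity error stops the request when integrity validation is enabled;
 * an editable error stops it only when editable validation is enabled and configured to show the error page.
 *
 * @param errors validation errors; {@code null} or empty never stops the request
 * @return {@code true} when processing must not continue
 */
protected boolean mustStopRequest(final List<FacesValidatorError> errors) {
    if (errors == null || errors.isEmpty()) {
        return false;
    }
    boolean editableError = false;
    boolean integrityError = false;
    for (final ValidatorError error : errors) {
        if (HDIVErrorCodes.isEditableError(error.getType())) {
            editableError = true;
        } else {
            integrityError = true;
        }
    }
    final boolean integrityStops = integrityError && config.isIntegrityValidation();
    final boolean editableStops = editableError && config.isShowErrorPageOnEditableValidation() && config.isEditableValidation();
    return integrityStops || editableStops;
}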
out.write(" <li>Values for field '" + error.getParameterName() + "' are not correct: "); String values = error.getParameterValue();
/**
 * Builds the {@link ValidatorError} for an editable parameter value rejected by the editable data
 * validation. The type is {@link HDIVErrorCodes#INVALID_EDITABLE_VALUE}; rule and validation id are taken
 * from {@code result}; the original value, local/remote IP and user name are passed as {@code null}
 * (presumably filled in later by a completion step — confirm against the caller).
 *
 * @param result outcome of the editable validation, supplying the rule and validation id
 * @param target target action the parameter was sent to
 * @param parameter name of the rejected parameter
 * @param value rejected value
 * @return a new, partially filled {@link ValidatorError}
 */
protected ValidatorError createEditableValidatorError(final EditableDataValidationResult result, final String target, final String parameter, final String value) {
    // The four nulls are, in order: original parameter value, local IP, remote IP, user name (verify against ValidatorError's constructor).
    return new ValidatorError(HDIVErrorCodes.INVALID_EDITABLE_VALUE, result.getRule(), target, parameter, value, null, null, null, null, result.getValidationId());
}
/**
 * hasNonConfidentialIncorrectValues must flag a repeated value wherever it appears in the received array:
 * here "20" arrives twice (first and third position) although every received value exists in the state.
 */
public void testHasNonConfidentialIncorrectValues_RepeatedValuesInAnyPosition_2() {
    final String parameter = "param1";
    final String[] receivedValues = new String[] { "20", "0", "20", "10" };
    final List<String> stateValues = new ArrayList<String>();
    for (final String allowed : new String[] { "0", "10", "20" }) {
        stateValues.add(allowed);
    }
    final ValidatorHelperRequest helperRequest = (ValidatorHelperRequest) helper;
    final ValidatorHelperResult result = helperRequest.hasNonConfidentialIncorrectValues(targetName, parameter, receivedValues, stateValues);
    assertFalse(result.isValid());
    assertEquals(HDIVErrorCodes.REPEATED_VALUES_FOR_PARAMETER, result.getErrors().get(0).getType());
}