augustd
diff --git a/‎build.xml‎
Lines changed: 74 additions & 0 deletions b/‎build.xml‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎lib/junit/junit-3.8.2-api.zip‎
71.8 KB b/‎lib/junit/junit-3.8.2-api.zip‎
71.8 KB
diff --git a/‎lib/junit/junit-3.8.2.jar‎
118 KB b/‎lib/junit/junit-3.8.2.jar‎
118 KB
diff --git a/‎lib/junit_4/junit-4.10-javadoc.jar‎
415 KB b/‎lib/junit_4/junit-4.10-javadoc.jar‎
415 KB
diff --git a/‎lib/junit_4/junit-4.10-sources.jar‎
138 KB b/‎lib/junit_4/junit-4.10-sources.jar‎
138 KB
diff --git a/‎lib/junit_4/junit-4.10.jar‎
247 KB b/‎lib/junit_4/junit-4.10.jar‎
247 KB
diff --git a/‎src/org/owasp/fileio/Encoder.java‎
Lines changed: 165 additions & 0 deletions b/‎src/org/owasp/fileio/Encoder.java‎
Lines changed: 165 additions & 0 deletions
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- You may freely edit this file. See commented blocks below for -->
+<!-- some examples of how to customize the build. -->
+<!-- (If you delete it and reopen the project it will be recreated.) -->
+<!-- By default, only the Clean and Build commands use this build script. -->
+<!-- Commands such as Run, Debug, and Test only use this build script if -->
+<!-- the Compile on Save feature is turned off for the project. -->
+<!-- You can turn off the Compile on Save (or Deploy on Save) setting -->
+<!-- in the project's Project Properties dialog box.-->
+<project name="OWASP_File_IO_Security" default="default" basedir=".">
+    <description>Builds, tests, and runs the project OWASP File IO Security.</description>
+    <import file="nbproject/build-impl.xml"/>
+    <!--
+
+    There exist several targets which are by default empty and which can be 
+    used for execution of your tasks. These targets are usually executed 
+    before and after some main targets. They are: 
+
+      -pre-init:                 called before initialization of project properties
+      -post-init:                called after initialization of project properties
+      -pre-compile:              called before javac compilation
+      -post-compile:             called after javac compilation
+      -pre-compile-single:       called before javac compilation of single file
+      -post-compile-single:      called after javac compilation of single file
+      -pre-compile-test:         called before javac compilation of JUnit tests
+      -post-compile-test:        called after javac compilation of JUnit tests
+      -pre-compile-test-single:  called before javac compilation of single JUnit test
+      -post-compile-test-single: called after javac compilation of single JUunit test
+      -pre-jar:                  called before JAR building
+      -post-jar:                 called after JAR building
+      -post-clean:               called after cleaning build products
+
+    (Targets beginning with '-' are not intended to be called on their own.)
+
+    Example of inserting an obfuscator after compilation could look like this:
+
+        <target name="-post-compile">
+            <obfuscate>
+                <fileset dir="${build.classes.dir}"/>
+            </obfuscate>
+        </target>
+
+    For list of available properties check the imported 
+    nbproject/build-impl.xml file. 
+
+
+    Another way to customize the build is by overriding existing main targets.
+    The targets of interest are: 
+
+      -init-macrodef-javac:     defines macro for javac compilation
+      -init-macrodef-junit:     defines macro for junit execution
+      -init-macrodef-debug:     defines macro for class debugging
+      -init-macrodef-java:      defines macro for class execution
+      -do-jar-with-manifest:    JAR building (if you are using a manifest)
+      -do-jar-without-manifest: JAR building (if you are not using a manifest)
+      run:                      execution of project 
+      -javadoc-build:           Javadoc generation
+      test-report:              JUnit report generation
+
+    An example of overriding the target for project execution could look like this:
+
+        <target name="run" depends="OWASP_File_IO_Security-impl.jar">
+            <exec dir="bin" executable="launcher.exe">
+                <arg file="${dist.jar}"/>
+            </exec>
+        </target>
+
+    Notice that the overridden target depends on the jar target and not only on 
+    the compile target as the regular run target does. Again, for a list of available 
+    properties which you can use, check the target you are overriding in the
+    nbproject/build-impl.xml file. 
+
+    -->
+</project>
@@ -0,0 +1,165 @@
+/**
+ * This file is part of the Open Web Application Security Project (OWASP) Java File IO Security project. For details, please see
+ * <a href="https://www.owasp.org/index.php/OWASP_Java_File_I_O_Security_Project">https://www.owasp.org/index.php/OWASP_Java_File_I_O_Security_Project</a>.
+ *
+ * Copyright (c) 2014 - The OWASP Foundation
+ *
+ * This API is published by OWASP under the Apache 2.0 license. You should read and accept the LICENSE before you use, modify, and/or redistribute this software.
+ *
+ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> - Original ESAPI author
+ * @author August Detlefsen <a href="http://www.codemagi.com">CodeMagi</a> - Java File IO Security Project lead
+ * @created 2014
+ */
+package org.owasp.fileio;
+
+import org.owasp.fileio.util.Utils;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import org.owasp.fileio.codecs.Codec;
+import org.owasp.fileio.codecs.HTMLEntityCodec;
+import org.owasp.fileio.codecs.PercentCodec;
+
+/**
+ * Reference implementation of the Encoder interface. This implementation takes a whitelist approach to encoding, meaning that everything not specifically identified in a list of "immune" characters
+ * is encoded.
+ */
+public class Encoder {
+
+    private static volatile Encoder singletonInstance;
+    public final static char[] CHAR_ALPHANUMERICS = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
+	'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
+	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9'};
+    public static final Set<Character> ALPHANUMERICS;
+
+    static {
+	ALPHANUMERICS = Utils.arrayToSet(Encoder.CHAR_ALPHANUMERICS);
+    }
+    private boolean restrictMultiple = true;
+    private boolean restrictMixed = true;
+
+    public boolean isRestrictMultiple() {
+	return restrictMultiple;
+    }
+
+    public void setRestrictMultiple(boolean restrictMultiple) {
+	this.restrictMultiple = restrictMultiple;
+    }
+
+    public boolean isRestrictMixed() {
+	return restrictMixed;
+    }
+
+    public void setRestrictMixed(boolean restrictMixed) {
+	this.restrictMixed = restrictMixed;
+    }
+
+    public static Encoder getInstance() {
+	if (singletonInstance == null) {
+	    synchronized (Encoder.class) {
+		if (singletonInstance
+			== null) {
+		    singletonInstance = new Encoder();
+		}
+	    }
+	}
+	return singletonInstance;
+    }
+    // Codecs
+    private List codecs = new ArrayList();
+    private HTMLEntityCodec htmlCodec = new HTMLEntityCodec();
+    private PercentCodec percentCodec = new PercentCodec();
+
+    /**
+     * Instantiates a new DefaultEncoder with the default codecs
+     */
+    public Encoder() {
+	codecs.add(htmlCodec);
+	codecs.add(percentCodec);
+    }
+
+    /**
+     * Instantiates a new DefaultEncoder with the default codecs
+     */
+    public Encoder(List<Codec> codecs) {
+	this.codecs = codecs;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public String canonicalize(String input) {
+	if (input == null) {
+	    return null;
+	}
+
+	// Issue 231 - These are reverse boolean logic in the Encoder interface, so we need to invert these values - CS
+	return canonicalize(input, restrictMultiple, restrictMixed);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public String canonicalize(String input, boolean strict) {
+	return canonicalize(input, strict, strict);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
+	if (input == null) {
+	    return null;
+	}
+
+	String working = input;
+	Codec codecFound = null;
+	int mixedCount = 1;
+	int foundCount = 0;
+	boolean clean = false;
+	while (!clean) {
+	    clean = true;
+
+	    // try each codec and keep track of which ones work
+	    Iterator i = codecs.iterator();
+	    while (i.hasNext()) {
+		Codec codec = (Codec) i.next();
+		String old = working;
+		working = codec.decode(working);
+		if (!old.equals(working)) {
+		    if (codecFound != null && codecFound != codec) {
+			mixedCount++;
+		    }
+		    codecFound = codec;
+		    if (clean) {
+			foundCount++;
+		    }
+		    clean = false;
+		}
+	    }
+	}
+
+	// do strict tests and handle if any mixed, multiple, nested encoding were found
+	if (foundCount >= 2 && mixedCount > 1) {
+	    if (restrictMultiple || restrictMixed) {
+		//TODO: throw new ValidationException("Input validation failure", "Multiple (" + foundCount + "x) and mixed encoding (" + mixedCount + "x) detected in " + input);
+	    } else {
+		//TODO: logger.warning(Logger.SECURITY_FAILURE, "Multiple (" + foundCount + "x) and mixed encoding (" + mixedCount + "x) detected in " + input);
+	    }
+	} else if (foundCount >= 2) {
+	    if (restrictMultiple) {
+		//TODO: throw new ValidationException("Input validation failure", "Multiple (" + foundCount + "x) encoding detected in " + input);
+	    } else {
+		//TODO: logger.warning(Logger.SECURITY_FAILURE, "Multiple (" + foundCount + "x) encoding detected in " + input);
+	    }
+	} else if (mixedCount > 1) {
+	    if (restrictMixed) {
+		//TODO: throw new ValidationException("Input validation failure", "Mixed encoding (" + mixedCount + "x) detected in " + input);
+	    } else {
+		//TODO: logger.warning(Logger.SECURITY_FAILURE, "Mixed encoding (" + mixedCount + "x) detected in " + input);
+	    }
+	}
+	return working;
+    }
+}