实操指南:Java ESAPI类的运用案例
实例1: doGet
import org.owasp.esapi.ESAPI; //导入依赖的package包/类
// Sink fixture for untrusted data reaching HTTP cookies and response headers. Every
// value written below comes straight from the request (or from the opaque helper
// unknown()) with no validation, so each write is a candidate HTTP header injection /
// response-splitting finding (a CR or LF inside the value terminates the header). The
// lines after "// false positives" use only constant data and are labelled by the
// original author as writes that should NOT be reported.
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
    // Cookie value from an opaque, unvalidated source. Note the cookie is built but is
    // never handed to resp.addCookie(...) anywhere in this method.
    Cookie cookie = new Cookie("name", unknown());
    // Raw request parameter; appending a constant does nothing to neutralise CR/LF.
    cookie.setValue(req.getParameter("p") + "x");
    // Raw request parameter / opaque value flowing directly into response headers.
    resp.setHeader("header", req.getParameter("h1"));
    resp.addHeader("header", unknown());
    // Helper defined elsewhere; by its name presumably another cookie sink -- verify.
    callCookieSink(req.getParameter("h2"));
    // URL-encoding immediately followed by URL-decoding is a round trip: the value that
    // reaches the header is the original "h3" parameter, so the encoder step provides
    // no protection here. To actually guard a header, keep the value encoded or
    // validate it (e.g. ESAPI.validator().isValidInput(..., "HTTPHeaderValue", ...) --
    // the exact rule name depends on the deployed ESAPI.properties).
    String encoded = ESAPI.encoder().encodeForURL(req.getParameter("h3"));
    resp.addHeader("header", ESAPI.encoder().decodeFromURL(encoded));
    // false positives
    // Constant data only: no request-derived bytes reach these sinks.
    String safe = "x".concat("y");
    Cookie safeCookie = new Cookie("name", safe);
    safeCookie.setValue(safe + "x");
    resp.setHeader("header", safe);
    // "encoded" is still URL-encoded at this point (never decoded), which presumably
    // percent-encodes any CR/LF; the concatenated part is a constant.
    resp.addHeader("header", encoded.concat(safe));
    // A standard HttpServletResponseWrapper forwards setHeader/addHeader to the wrapped
    // response, so writing through it is the same sink. These two calls carry raw
    // request parameters; by data flow they are true sinks even though they sit after
    // the "false positives" marker -- confirm which set the fixture intends.
    HttpServletResponseWrapper resWrapper = new HttpServletResponseWrapper(resp);
    resWrapper.setHeader("header2",req.getParameter("a"));
    resWrapper.addHeader("header3",req.getParameter("b"));
}
实例2: setUp
import org.owasp.esapi.ESAPI; //导入依赖的package包/类
/**
 * Per-test fixture setup.
 *
 * <p>Replaces the log implementation configured in ESAPI.properties with
 * {@code Log4JLogFactory}, by wrapping the current configuration in a
 * {@code UnitTestSecurityConfiguration} and handing it to {@code ESAPI.override}.
 * Two freshly named loggers are then obtained so state does not leak between tests:
 * {@code testLogger} through the generic ESAPI logger API, and {@code log4JLogger}
 * cast to {@code Log4JLogger} so Log4J-specific methods can be used. Note that
 * {@code ESAPI.override(...)} presumably replaces shared, JVM-wide ESAPI state that
 * outlives this test unless something resets it.
 *
 * @throws Exception propagated from fixture setup
 */
protected void setUp() throws Exception {
    DefaultSecurityConfiguration current = (DefaultSecurityConfiguration) ESAPI.securityConfiguration();
    UnitTestSecurityConfiguration overridden = new UnitTestSecurityConfiguration(current);
    overridden.setLogImplementation(Log4JLogFactory.class.getName());
    ESAPI.override(overridden);

    // Distinct logger names per run so each test starts with a clean logger. The first
    // name consumes the current counter value, the second uses the incremented one.
    int runNumber = testCount++;
    testLogger = ESAPI.getLogger("test ExampleExtendedLog4JLogFactory: " + runNumber);
    System.out.println("Test ExampleExtendedLog4JLogFactory logger: " + testLogger);

    log4JLogger = (Log4JLogger) ESAPI.getLogger("test Log4JLogFactory: " + testCount);
    System.out.println("Test Log4JLogFactory logger: " + log4JLogger);
}
实例3: initializeESAPI
import org.owasp.esapi.ESAPI; //导入依赖的package包/类
/**
 * Points ESAPI at the OpenSAML-internal {@code ESAPISecurityConfig} implementation.
 *
 * <p>ESAPI reads the {@code org.owasp.esapi.SecurityConfiguration} system property only
 * once, in a static initializer, so setting the property alone is not sufficient;
 * {@code ESAPI.initialize(impl)} is also called, and the property is still set so other
 * callers can see what is in effect. When the property already holds a non-empty value
 * it is left untouched and nothing is initialized here. Since any code in the JVM can
 * set that property, the existing value is taken on trust and not checked against an
 * expected class name -- a deliberate "first one wins" policy as far as this code shows.
 */
protected static void initializeESAPI() {
    final Logger log = getLogger();
    final String propertyKey = "org.owasp.esapi.SecurityConfiguration";
    final String existing = System.getProperty(propertyKey);

    if (existing != null && !existing.isEmpty()) {
        log.debug("ESAPI SecurityConfiguration impl was already set non-null and non-empty via system property, leaving existing value in place: {}",
                existing);
        return;
    }

    final String implClassName = ESAPISecurityConfig.class.getName();
    log.debug("Setting ESAPI SecurityConfiguration impl to OpenSAML internal class: {}", implClassName);
    System.setProperty(propertyKey, implClassName);
    // Both steps are needed: the property is captured once by ESAPI's static initializer,
    // and initialize() is what overrides that captured value (see the class doc above).
    ESAPI.initialize(implClassName);
}
实例4: validate
import org.owasp.esapi.ESAPI; //导入依赖的package包/类
/**
 * Minimal ESAPI-based validation of the {@code name} and {@code email} form fields.
 *
 * <p>Each field is passed to {@code ESAPI.validator().isValidInput} with the "name" /
 * "email" validation rule, a maximum length of 20 / 45 characters, and null not
 * allowed. Both result flags start out {@code false}, so if ESAPI throws
 * {@code IntrusionException} during the first check the second is skipped and both
 * fields are reported invalid (fail closed). The exception is logged by message only:
 * the stack trace is dropped and, depending on what {@code log} is, the message --
 * which may echo attacker-controlled input -- is written unencoded; TODO confirm the
 * logger type.
 *
 * @param mapping the Struts action mapping (not used by this method)
 * @param request the current request (not used; the fields are read from this form bean)
 * @return the accumulated errors, empty when both fields pass validation
 */
public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
    final ActionErrors errors = new ActionErrors();
    boolean nameOk = false;
    boolean emailOk = false;

    try {
        nameOk = ESAPI.validator().isValidInput("TestForm_name", name, "name", 20, false);
        emailOk = ESAPI.validator().isValidInput("TestForm_email", email, "email", 45, false);
    } catch (IntrusionException e) {
        // Intrusion detection tripped; leave both flags false so the form is rejected.
        log.severe(e.getMessage());
    }

    if (!nameOk) {
        errors.add("name", new ActionMessage("TestForm.name.invalid"));
    }
    if (!emailOk) {
        errors.add("email", new ActionMessage("TestForm.email.invalid"));
    }
    return errors;
}