InputValidation.java

/**
 * Copyright (c) Codice Foundation
 * <p>
 * This is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser
 * General Public License as published by the Free Software Foundation, either version 3 of the
 * License, or any later version.
 * <p>
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details. A copy of the GNU Lesser General Public License
 * is distributed along with this program and can be found at
 * <http://www.gnu.org/licenses/lgpl.html>.
 **/
package org.codice.ddf.platform.util;

import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class InputValidation {

    private static final Logger LOGGER = LoggerFactory.getLogger(InputValidation.class);

    private static final String DEFAULT_EXTENSION = ".bin";

    private static final String DEFAULT_FILE = "file" + DEFAULT_EXTENSION;

    private static final List<String> BAD_FILES = Arrays.asList(System.getProperty("bad.files")
            .split(","));

    private static final List<String> BAD_FILE_EXTENSIONS = Arrays.asList(
            System.getProperty("bad.file.extensions")
                    .split(","));

    private static final List<String> BAD_MIME_TYPES = Arrays.asList(
            System.getProperty("bad.mime.types")
                    .split(","));

    private static final Pattern BAD_CHAR_PATTERN = Pattern.compile("[^a-z0-9.-]");

    private static final Pattern BAD_PATH_PATTERN = Pattern.compile("\\.\\.");

    private InputValidation() {

    }

    /**
     * Removes disallowed characters and file extensions from the filename.
     *
     * @param filename - filename to sanitize
     * @return sanitized filename
     */
    public static String sanitizeFilename(String filename) {
        Path path = Paths.get(filename.toLowerCase());
        filename = path.getFileName()
                .toString();
        if (BAD_FILES.contains(filename)) {
            filename = DEFAULT_FILE;
        }
        filename = BAD_CHAR_PATTERN.matcher(filename)
                .replaceAll("_");
        filename = BAD_PATH_PATTERN.matcher(filename)
                .replaceAll("_");
        for (String extension : BAD_FILE_EXTENSIONS) {
            if (filename.contains(extension)) {
                filename = filename.replace(extension, DEFAULT_EXTENSION);
            }
        }
        if (filename.charAt(0) == '.') {
            if (filename.length() == 1) {
                filename = DEFAULT_FILE;
            } else {
                filename = filename.substring(1);
            }
        }
        return filename;
    }

    /**
     * Checks for mime types that have been disallowed by the system.
     *
     * @param mimetype
     * @return true if the mime type is acceptable
     */
    public static boolean checkForClientSideVulnerableMimeType(String mimetype) {
        mimetype = mimetype.toLowerCase();
        for (String type : BAD_MIME_TYPES) {
            if (mimetype.contains(type)) {
                LOGGER.debug("Mime type {} is flagged as client side vulnerable.", mimetype);
                return false;
            }
        }
        return true;
    }
}