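/**
 * Copyright (c) 2009--2010 Red Hat, Inc.
 *
 * This software is licensed to you under the GNU General Public License,
 * version 2 (GPLv2). There is NO WARRANTY for this software, express or
 * implied, including the implied warranties of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
 * along with this software; if not, see
 * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
 *
 * Red Hat trademarks are not licensed under GPLv2. No permission is
 * granted to use or replicate Red Hat trademarks that are incorporated
 * in this software or its documentation.
 */
package com.redhat.rhn.frontend.struts;

import org.apache.commons.lang.StringUtils;
import org.apache.struts.action.DynaActionForm;

import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;

/**
 * A DynaActionForm which knows how to scrub its input for malicious content.
 *
 * Every scrubbable value in {@code dynaValues} is passed through
 * {@link Scrubber}; a scrub result of {@code null} removes the property
 * from the form entirely. Two comma-separated form properties act as
 * exemption lists: {@code no_scrub} names properties that are not
 * scrubbed at all, {@code no_paren_scrub} names properties scrubbed only
 * against {@link #SPECIAL_PROHIBITED_INPUT} instead of the default set.
 *
 * NOTE(review): the exemption lists are read from the form's own values.
 * If these two properties are bound from request parameters, a client
 * can exempt its own fields from scrubbing by submitting them; consider
 * sourcing the exemptions from action/form configuration instead. Left
 * unchanged here because existing pages may rely on setting them.
 *
 * @version $Rev $
 */
public class ScrubbingDynaActionForm extends DynaActionForm {

    private static final long serialVersionUID = 7679506300113360100L;

    /** Form property holding a comma-separated list of properties to leave untouched. */
    private static final String NO_SCRUB = "no_scrub";

    /** Form property holding a comma-separated list of properties scrubbed with the reduced set. */
    private static final String NO_PAREN_SCRUB = "no_paren_scrub";

    /**
     * Reduced prohibited-input set used for properties listed in
     * {@code no_paren_scrub}. The braces are escaped, which suggests
     * Scrubber treats these as regex fragments -- verify against Scrubber.
     */
    private static final String[] SPECIAL_PROHIBITED_INPUT = {"<", ">", "\\{", "\\}"};

    /** constructor */
    public ScrubbingDynaActionForm() {
        super();
    }

    /**
     * Tell the form to "scrub thyself".
     *
     * Iterates over a snapshot of the property names, scrubs each
     * scrubbable value and writes the result back. Properties whose
     * scrubbed value is {@code null} are removed from the form.
     */
    public void scrub() {
        Set<String> noScrub = exemptions(NO_SCRUB);
        Set<String> noParenScrub = exemptions(NO_PAREN_SCRUB);

        // Snapshot the key set: a null scrub result removes the entry, and
        // removing from dynaValues while iterating its keySet would throw.
        List<String> keys = new LinkedList<String>(dynaValues.keySet());
        for (String name : keys) {
            Object value = dynaValues.get(name);
            if (!isScrubbable(name, value, noScrub)) {
                continue;
            }
            Object scrubbed = noParenScrub.contains(name)
                    ? Scrubber.scrub(value, SPECIAL_PROHIBITED_INPUT)
                    : Scrubber.scrub(value);
            if (scrubbed == null) {
                dynaValues.remove(name);
            }
            else {
                dynaValues.put(name, scrubbed);
            }
        }
    }

    /**
     * Parse a comma-separated exemption property into a set of trimmed names.
     *
     * @param property name of the form property holding the list
     * @return the trimmed names, or an empty set when the property is absent
     *         or has no value
     */
    private Set<String> exemptions(String property) {
        Set<String> names = new HashSet<String>();
        if (!dynaValues.containsKey(property)) {
            return names;
        }
        String raw = (String) dynaValues.get(property);
        // A declared-but-unset property maps to null; StringUtils.split(null, ",")
        // returns null, which a for-each loop would NPE on. Treat it as "no exemptions".
        if (raw == null) {
            return names;
        }
        for (String item : StringUtils.split(raw, ",")) {
            names.add(item.trim());
        }
        return names;
    }

    /**
     * Decide whether a property should be scrubbed.
     *
     * The two exemption-list properties themselves and anything named in
     * {@code noScrub} are never scrubbed; everything else defers to
     * {@link Scrubber#canScrub(Object)}.
     *
     * @param name property name
     * @param value current property value
     * @param noScrub names exempted from scrubbing
     * @return true if the value should be passed to the scrubber
     */
    protected boolean isScrubbable(String name, Object value, Set<String> noScrub) {
        if (NO_SCRUB.equals(name) || NO_PAREN_SCRUB.equals(name) || noScrub.contains(name)) {
            return false;
        }
        return Scrubber.canScrub(value);
    }
}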