/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.openstreetmap.josm.data.validation.routines;
import static org.openstreetmap.josm.tools.I18n.tr;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.openstreetmap.josm.Main;
/**
* <p><b>URL Validation</b> routines.</p>
* Behavior of validation is modified by passing in options:
* <ul>
* <li>ALLOW_2_SLASHES - [FALSE] Allows double '/' characters in the path
* component.</li>
* <li>NO_FRAGMENT- [FALSE] By default fragments are allowed, if this option is
* included then fragments are flagged as illegal.</li>
* <li>ALLOW_ALL_SCHEMES - [FALSE] By default only http, https, and ftp are
* considered valid schemes. Enabling this option will let any scheme pass validation.</li>
* </ul>
*
* <p>Originally based in on php script by Debbie Dyer, validation.php v1.2b, Date: 03/07/02,
* http://javascript.internet.com. However, this validation now bears little resemblance
* to the php original.</p>
* <pre>
* Example of usage:
* Construct a UrlValidator with valid schemes of "http", and "https".
*
* String[] schemes = {"http","https"}.
* UrlValidator urlValidator = new UrlValidator(schemes);
* if (urlValidator.isValid("ftp://foo.bar.com/")) {
* System.out.println("url is valid");
* } else {
* System.out.println("url is invalid");
* }
*
* prints "url is invalid"
* If instead the default constructor is used.
*
* UrlValidator urlValidator = new UrlValidator();
* if (urlValidator.isValid("ftp://foo.bar.com/")) {
* System.out.println("url is valid");
* } else {
* System.out.println("url is invalid");
* }
*
* prints out "url is valid"
* </pre>
*
* @version $Revision: 1741724 $
* @see
* <a href="http://www.ietf.org/rfc/rfc2396.txt">
* Uniform Resource Identifiers (URI): Generic Syntax
* </a>
*
* @since Validator 1.4
*/
public class UrlValidator extends AbstractValidator {
/**
* Allows all validly formatted schemes to pass validation instead of
* supplying a set of valid schemes.
*/
public static final long ALLOW_ALL_SCHEMES = 1 << 0;
/**
* Allow two slashes in the path component of the URL.
*/
public static final long ALLOW_2_SLASHES = 1 << 1;
/**
* Enabling this options disallows any URL fragments.
*/
public static final long NO_FRAGMENTS = 1 << 2;
/**
* Allow local URLs, such as http://localhost/ or http://machine/ .
* This enables a broad-brush check, for complex local machine name
* validation requirements you should create your validator with
* a {@link RegexValidator} instead ({@link #UrlValidator(RegexValidator, long)})
*/
public static final long ALLOW_LOCAL_URLS = 1 << 3; // CHECKSTYLE IGNORE MagicNumber
/**
* This expression derived/taken from the BNF for URI (RFC2396).
*/
private static final String URL_REGEX =
"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?";
// 12 3 4 5 6 7 8 9
private static final Pattern URL_PATTERN = Pattern.compile(URL_REGEX);
/**
* Schema/Protocol (ie. http:, ftp:, file:, etc).
*/
private static final int PARSE_URL_SCHEME = 2;
/**
* Includes hostname/ip and port number.
*/
private static final int PARSE_URL_AUTHORITY = 4;
private static final int PARSE_URL_PATH = 5;
private static final int PARSE_URL_QUERY = 7;
private static final int PARSE_URL_FRAGMENT = 9;
/**
* Protocol scheme (e.g. http, ftp, https).
*/
private static final String SCHEME_REGEX = "^\\p{Alpha}[\\p{Alnum}\\+\\-\\.]*";
private static final Pattern SCHEME_PATTERN = Pattern.compile(SCHEME_REGEX);
// Drop numeric, and "+-." for now
// TODO does not allow for optional userinfo.
// Validation of character set is done by isValidAuthority
private static final String AUTHORITY_CHARS_REGEX = "\\p{Alnum}\\-\\."; // allows for IPV4 but not IPV6
private static final String IPV6_REGEX = "[0-9a-fA-F:]+"; // do this as separate match because : could cause ambiguity with port prefix
// userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
// unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
// sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
// We assume that password has the same valid chars as user info
private static final String USERINFO_CHARS_REGEX = "[a-zA-Z0-9%-._~!$&'()*+,;=]";
// since neither ':' nor '@' are allowed chars, we don't need to use non-greedy matching
private static final String USERINFO_FIELD_REGEX =
USERINFO_CHARS_REGEX + "+:" + // At least one character for the name
USERINFO_CHARS_REGEX + "*@"; // password may be absent
private static final String AUTHORITY_REGEX =
"(?:\\[("+IPV6_REGEX+")\\]|(?:(?:"+USERINFO_FIELD_REGEX+")?([" + AUTHORITY_CHARS_REGEX + "]*)))(:\\d*)?(.*)?";
// 1 e.g. user:pass@ 2 3 4
private static final Pattern AUTHORITY_PATTERN = Pattern.compile(AUTHORITY_REGEX);
private static final int PARSE_AUTHORITY_IPV6 = 1;
private static final int PARSE_AUTHORITY_HOST_IP = 2; // excludes userinfo, if present
/**
* Should always be empty. The code currently allows spaces.
*/
private static final int PARSE_AUTHORITY_EXTRA = 4;
private static final String PATH_REGEX = "^(/[-\\w:@&?=+,.!/~*'%$_;\\(\\)]*)?$";
private static final Pattern PATH_PATTERN = Pattern.compile(PATH_REGEX);
private static final String QUERY_REGEX = "^(.*)$";
private static final Pattern QUERY_PATTERN = Pattern.compile(QUERY_REGEX);
/**
* Holds the set of current validation options.
*/
private final long options;
/**
* The set of schemes that are allowed to be in a URL.
*/
private final Set<String> allowedSchemes; // Must be lower-case
/**
* Regular expressions used to manually validate authorities if IANA
* domain name validation isn't desired.
*/
private final RegexValidator authorityValidator;
/**
* If no schemes are provided, default to this set.
*/
private static final String[] DEFAULT_SCHEMES = {"http", "https", "ftp"}; // Must be lower-case
/**
* Singleton instance of this class with default schemes and options.
*/
private static final UrlValidator DEFAULT_URL_VALIDATOR = new UrlValidator();
/**
* Returns the singleton instance of this class with default schemes and options.
* @return singleton instance with default schemes and options
*/
public static UrlValidator getInstance() {
return DEFAULT_URL_VALIDATOR;
}
/**
* Create a UrlValidator with default properties.
*/
public UrlValidator() {
this((String[]) null);
}
/**
* Behavior of validation is modified by passing in several strings options:
* @param schemes Pass in one or more url schemes to consider valid, passing in
* a null will default to "http,https,ftp" being valid.
* If a non-null schemes is specified then all valid schemes must
* be specified. Setting the ALLOW_ALL_SCHEMES option will
* ignore the contents of schemes.
*/
public UrlValidator(String... schemes) {
this(schemes, 0L);
}
/**
* Initialize a UrlValidator with the given validation options.
* @param options The options should be set using the public constants declared in
* this class. To set multiple options you simply add them together. For example,
* ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
*/
public UrlValidator(long options) {
this(null, null, options);
}
/**
* Behavior of validation is modified by passing in options:
* @param schemes The set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set.
* @param options The options should be set using the public constants declared in
* this class. To set multiple options you simply add them together. For example,
* ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
*/
public UrlValidator(String[] schemes, long options) {
this(schemes, null, options);
}
/**
* Initialize a UrlValidator with the given validation options.
* @param authorityValidator Regular expression validator used to validate the authority part
* This allows the user to override the standard set of domains.
* @param options Validation options. Set using the public constants of this class.
* To set multiple options, simply add them together:
* <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p>
* enables both of those options.
*/
public UrlValidator(RegexValidator authorityValidator, long options) {
this(null, authorityValidator, options);
}
/**
* Customizable constructor. Validation behavior is modifed by passing in options.
* @param schemes the set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set.
* @param authorityValidator Regular expression validator used to validate the authority part
* @param options Validation options. Set using the public constants of this class.
* To set multiple options, simply add them together:
* <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p>
* enables both of those options.
*/
public UrlValidator(String[] schemes, RegexValidator authorityValidator, long options) {
this.options = options;
if (isOn(ALLOW_ALL_SCHEMES)) {
allowedSchemes = Collections.emptySet();
} else {
if (schemes == null) {
schemes = DEFAULT_SCHEMES;
}
allowedSchemes = new HashSet<>(schemes.length);
for (int i = 0; i < schemes.length; i++) {
allowedSchemes.add(schemes[i].toLowerCase(Locale.ENGLISH));
}
}
this.authorityValidator = authorityValidator;
}
/**
* <p>Checks if a field has a valid url address.</p>
*
* Note that the method calls #isValidAuthority()
* which checks that the domain is valid.
*
* @param value The value validation is being performed on. A <code>null</code>
* value is considered invalid.
* @return true if the url is valid.
*/
@Override
public boolean isValid(String value) {
if (value == null) {
return false;
}
// Check the whole url address structure
Matcher urlMatcher = URL_PATTERN.matcher(value);
if (!urlMatcher.matches()) {
setErrorMessage(tr("URL is invalid"));
return false;
}
String scheme = urlMatcher.group(PARSE_URL_SCHEME);
if (!isValidScheme(scheme)) {
setErrorMessage(tr("URL contains an invalid protocol: {0}", scheme));
return false;
}
String authority = urlMatcher.group(PARSE_URL_AUTHORITY);
if ("file".equals(scheme)) { // Special case - file: allows an empty authority
if (!"".equals(authority) && authority.contains(":")) { // but cannot allow trailing :
setErrorMessage(tr("URL contains an invalid authority: {0}", authority));
return false;
}
// drop through to continue validation
} else { // not file:
// Validate the authority
if (!isValidAuthority(authority)) {
setErrorMessage(tr("URL contains an invalid authority: {0}", authority));
return false;
}
}
String path = urlMatcher.group(PARSE_URL_PATH);
if (!isValidPath(path)) {
setErrorMessage(tr("URL contains an invalid path: {0}", path));
return false;
}
String query = urlMatcher.group(PARSE_URL_QUERY);
if (!isValidQuery(query)) {
setErrorMessage(tr("URL contains an invalid query: {0}", query));
return false;
}
String fragment = urlMatcher.group(PARSE_URL_FRAGMENT);
if (!isValidFragment(fragment)) {
setErrorMessage(tr("URL contains an invalid fragment: {0}", fragment));
return false;
}
return true;
}
@Override
public String getValidatorName() {
return tr("URL validator");
}
/**
* Validate scheme. If schemes[] was initialized to a non null,
* then only those schemes are allowed.
* Otherwise the default schemes are "http", "https", "ftp".
* Matching is case-blind.
* @param scheme The scheme to validate. A <code>null</code> value is considered
* invalid.
* @return true if valid.
*/
protected boolean isValidScheme(String scheme) {
if (scheme == null) {
return false;
}
// TODO could be removed if external schemes were checked in the ctor before being stored
if (!SCHEME_PATTERN.matcher(scheme).matches()) {
return false;
}
if (isOff(ALLOW_ALL_SCHEMES) && !allowedSchemes.contains(scheme.toLowerCase(Locale.ENGLISH))) {
return false;
}
return true;
}
/**
* Returns true if the authority is properly formatted. An authority is the combination
* of hostname and port. A <code>null</code> authority value is considered invalid.
* Note: this implementation validates the domain unless a RegexValidator was provided.
* If a RegexValidator was supplied and it matches, then the authority is regarded
* as valid with no further checks, otherwise the method checks against the
* AUTHORITY_PATTERN and the DomainValidator (ALLOW_LOCAL_URLS)
* @param authority Authority value to validate, alllows IDN
* @return true if authority (hostname and port) is valid.
*/
protected boolean isValidAuthority(String authority) {
if (authority == null) {
return false;
}
// check manual authority validation if specified
if (authorityValidator != null && authorityValidator.isValid(authority)) {
return true;
}
// convert to ASCII if possible
final String authorityASCII = DomainValidator.unicodeToASCII(authority);
Matcher authorityMatcher = AUTHORITY_PATTERN.matcher(authorityASCII);
if (!authorityMatcher.matches()) {
return false;
}
// We have to process IPV6 separately because that is parsed in a different group
String ipv6 = authorityMatcher.group(PARSE_AUTHORITY_IPV6);
if (ipv6 != null) {
InetAddressValidator inetAddressValidator = InetAddressValidator.getInstance();
if (!inetAddressValidator.isValidInet6Address(ipv6)) {
return false;
}
} else {
String hostLocation = authorityMatcher.group(PARSE_AUTHORITY_HOST_IP);
// check if authority is hostname or IP address:
// try a hostname first since that's much more likely
DomainValidator domainValidator = DomainValidator.getInstance(isOn(ALLOW_LOCAL_URLS));
if (!domainValidator.isValid(hostLocation)) {
// try an IPv4 address
InetAddressValidator inetAddressValidator = InetAddressValidator.getInstance();
if (!inetAddressValidator.isValidInet4Address(hostLocation)) {
// isn't IPv4, so the URL is invalid
return false;
}
}
}
String extra = authorityMatcher.group(PARSE_AUTHORITY_EXTRA);
if (extra != null && !extra.trim().isEmpty()) {
return false;
}
return true;
}
/**
* Returns true if the path is valid. A <code>null</code> value is considered invalid.
* @param path Path value to validate.
* @return true if path is valid.
*/
protected boolean isValidPath(String path) {
if (path == null) {
return false;
}
if (!PATH_PATTERN.matcher(path).matches()) {
return false;
}
try {
URI uri = new URI(null, null, path, null);
String norm = uri.normalize().getPath();
if (norm.startsWith("/../") // Trying to go via the parent dir
|| "/..".equals(norm)) { // Trying to go to the parent dir
return false;
}
} catch (URISyntaxException e) {
Main.trace(e);
return false;
}
int slash2Count = countToken("//", path);
if (slash2Count > 0 && isOff(ALLOW_2_SLASHES)) {
return false;
}
return true;
}
/**
* Returns true if the query is null or it's a properly formatted query string.
* @param query Query value to validate.
* @return true if query is valid.
*/
protected boolean isValidQuery(String query) {
if (query == null) {
return true;
}
return QUERY_PATTERN.matcher(query).matches();
}
/**
* Returns true if the given fragment is null or fragments are allowed.
* @param fragment Fragment value to validate.
* @return true if fragment is valid.
*/
protected boolean isValidFragment(String fragment) {
if (fragment == null) {
return true;
}
return isOff(NO_FRAGMENTS);
}
/**
* Returns the number of times the token appears in the target.
* @param token Token value to be counted.
* @param target Target value to count tokens in.
* @return the number of tokens.
*/
protected int countToken(String token, String target) {
int tokenIndex = 0;
int count = 0;
while (tokenIndex != -1) {
tokenIndex = target.indexOf(token, tokenIndex);
if (tokenIndex > -1) {
tokenIndex++;
count++;
}
}
return count;
}
/**
* Tests whether the given flag is on. If the flag is not a power of 2
* (ie. 3) this tests whether the combination of flags is on.
*
* @param flag Flag value to check.
*
* @return whether the specified flag value is on.
*/
private boolean isOn(long flag) {
return (options & flag) > 0;
}
/**
* Tests whether the given flag is off. If the flag is not a power of 2
* (ie. 3) this tests whether the combination of flags is off.
*
* @param flag Flag value to check.
*
* @return whether the specified flag value is off.
*/
private boolean isOff(long flag) {
return (options & flag) == 0;
}
}