ScriptProtect.java example

Explorer
openbd-core-master
- src
/* 
 *  Copyright (C) 2000 - 2015 aw2.0 Ltd
 *
 *  This file is part of Open BlueDragon (OpenBD) CFML Server Engine.
 *  
 *  OpenBD is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  Free Software Foundation,version 3.
 *  
 *  OpenBD is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with OpenBD.  If not, see http://www.gnu.org/licenses/
 *  
 *  Additional permission under GNU GPL version 3 section 7
 *  
 *  If you modify this Program, or any covered work, by linking or combining 
 *  it with any of the JARS listed in the README.txt (or a modified version of 
 *  (that library), containing parts covered by the terms of that JAR, the 
 *  licensors of this Program grant you additional permission to convey the 
 *  resulting work. 
 *  README.txt @ http://www.openbluedragon.org/license/README.txt
 *  
 *  http://openbd.org/
 */

package com.naryx.tagfusion.cfm.application;

import java.util.regex.Pattern;

import com.naryx.tagfusion.cfm.cookie.cfCookieData;
import com.naryx.tagfusion.cfm.engine.cfCGIData;
import com.naryx.tagfusion.cfm.engine.cfData;
import com.naryx.tagfusion.cfm.engine.cfEngine;
import com.naryx.tagfusion.cfm.engine.cfFormData;
import com.naryx.tagfusion.cfm.engine.cfSession;
import com.naryx.tagfusion.cfm.engine.cfStringData;
import com.naryx.tagfusion.cfm.engine.cfStructData;
import com.naryx.tagfusion.cfm.engine.cfUrlData;
import com.naryx.tagfusion.cfm.engine.variableStore;
import com.naryx.tagfusion.xmlConfig.xmlCFML;


public class ScriptProtect {

	private static Pattern p;
	
	public static void init(xmlCFML config){
		String SCRIPT_REGEX = config.getString( "server.system.scriptprotectregex", "<(\\s*)(object|embed|script|applet|meta)" );
		cfEngine.log( "cfEngine: [server.system.scriptprotectregex]=" + SCRIPT_REGEX );

		p = Pattern.compile(SCRIPT_REGEX, Pattern.CASE_INSENSITIVE );
	}
	
	public static String sanitize( String value ) {
		if ( value == null || value.isEmpty() )
			return value;
		
    return p.matcher(value).replaceAll("<$1InvalidTag");
	}

	
	/**
	 * Called to protect a given scope
	 * 
	 * @param _Session
	 * @param _scope
	 */
	public static void applyScriptProtection(cfSession _Session, int _scope) {		
		cfData scopeData = _Session.getQualifiedData(_scope);
		
		if ( scopeData != null && _scope == variableStore.CGI_SCOPE )
			((cfCGIData) scopeData).setScriptProtect();
		else if (scopeData != null && scopeData.getDataType() == cfData.CFSTRUCTDATA) {
			cfStructData data = (cfStructData) scopeData;
			Object[] keys = data.keys();
			for (int i = 0; i < keys.length; i++) {
				String nextKey = keys[i].toString();
				cfData valueData = data.getData(nextKey);

				if (valueData.getDataType() == cfData.CFSTRINGDATA) {
					String value = ((cfStringData) valueData).getString();
					int origLen = value.length();
					value = sanitize( value );

					// only replace the existing cfData if it's changed - note this works because any replaced string will grow the existing string length
					if (value.length() != origLen) {
						if (_scope == variableStore.COOKIE_SCOPE) {
							((cfCookieData) scopeData).overrideData(nextKey, value);
						} else if (_scope == variableStore.FORM_SCOPE) {
							((cfFormData) scopeData).overrideData(nextKey, new cfStringData(value));
						} else if (_scope == variableStore.URL_SCOPE) {
							((cfUrlData) scopeData).overrideData(nextKey, new cfStringData(value));
						}
					}
				}
			}
		}
	}
	
}