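/*
 * Copyright 2013-2017 Simba Open Source
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
package org.simbasecurity.core.service.validation;

import org.apache.commons.lang.StringUtils;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.HTMLValidationRule;
import org.simbasecurity.core.service.manager.dto.AbstractIdentifiableDTO;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/**
 * Reflection-driven checks on the String properties of a DTO.
 *
 * <p>Both entry points scan the DTO's <em>declared</em> {@code getXxx()} methods
 * (see {@link #stringGetters(AbstractIdentifiableDTO)}) and either validate the
 * returned value against the ESAPI "safehtml" rule ({@link #assertValid}) or
 * replace it in place with its HTML-entity-encoded form ({@link #encodeForHTML}).
 *
 * <p>Only methods declared on {@code dto.getClass()} itself are scanned; getters
 * inherited from a superclass (including {@code AbstractIdentifiableDTO}) are not
 * visited. The scan order follows {@link Class#getDeclaredMethods()}, which is
 * unspecified, so when several properties are invalid the one reported first may
 * vary between runs.
 */
public class DTOValidator {

    private static final String GETTER_PREFIX = "get";
    private static final String SETTER_PREFIX = "set";

    /** Shared validation rule; configured once in the static initializer below. */
    private static final HTMLValidationRule hvr =
            new SimbaHTMLValidationRule("safehtml", ESAPI.encoder());

    static {
        // Configured once instead of being re-set on every assertValidString call:
        // the rule is a shared static, and mutating it per call from several threads
        // bought nothing. The flag's exact effect is defined by ESAPI's rule
        // implementation — NOTE(review): confirm it is still the intended setting.
        hvr.setValidateInputAndCanonical(false);
    }

    /**
     * Validates every String property of {@code dto} against the "safehtml" rule.
     *
     * @param dto the DTO whose declared {@code getXxx()} String getters are checked
     * @throws IllegalArgumentException if a property fails validation (cause is the
     *         ESAPI {@link ValidationException}) or if a getter cannot be invoked
     *         reflectively (cause is the reflection failure)
     */
    public static void assertValid(AbstractIdentifiableDTO dto) {
        for (Method getter : stringGetters(dto)) {
            assertValidField(dto, getter);
        }
    }

    /**
     * Reads one property through its getter and validates it.
     *
     * <p>Reflection failures and validation failures are reported with distinct
     * messages so that an unsafe value is not mistaken for a broken bean accessor.
     * The offending value itself is deliberately not echoed into the message.
     */
    private static void assertValidField(AbstractIdentifiableDTO dto, Method getter) {
        String property = propertyName(getter);
        String value;
        try {
            value = (String) getter.invoke(dto);
        } catch (Exception e) {
            throw accessFailure(dto, property, e);
        }
        try {
            assertValidString(property, value);
        } catch (ValidationException e) {
            throw new IllegalArgumentException(
                    "Validation of " + property + " on " + dto.getClass().getName() + " failed", e);
        }
    }

    /**
     * Validates a single String value against the "safehtml" rule.
     *
     * <p>A {@code null} or blank value is accepted without consulting the rule.
     *
     * @param methodName context label passed to ESAPI (used in its messages)
     * @param value      the value to check; may be {@code null}
     * @throws ValidationException if the rule rejects the value
     */
    public static void assertValidString(String methodName, String value) throws ValidationException {
        // StringUtils.isBlank already treats null as blank.
        if (!StringUtils.isBlank(value)) {
            hvr.assertValid(methodName, value);
        }
    }

    /**
     * Replaces every non-blank String property of {@code dto}, in place, with its
     * HTML-entity-encoded form via the matching {@code setXxx(String)} setter.
     *
     * <p>NOTE(review): this encodes at storage time. If the rendering layer also
     * encodes on output, the stored value will be double-encoded — confirm which
     * layer owns output encoding.
     *
     * @param dto the DTO to rewrite
     * @throws IllegalArgumentException if a getter or its setter cannot be invoked
     *         reflectively (e.g. a String getter without a public setter)
     */
    public static void encodeForHTML(AbstractIdentifiableDTO dto) {
        for (Method getter : stringGetters(dto)) {
            encodeFieldForHTML(dto, getter);
        }
    }

    /** Encodes one property; blank and {@code null} values are left untouched. */
    private static void encodeFieldForHTML(AbstractIdentifiableDTO dto, Method getter) {
        String property = propertyName(getter);
        try {
            String value = (String) getter.invoke(dto);
            if (!StringUtils.isBlank(value)) {
                String encoded = ESAPI.encoder().encodeForHTML(value);
                dto.getClass().getMethod(SETTER_PREFIX + property, String.class).invoke(dto, encoded);
            }
        } catch (Exception e) {
            throw accessFailure(dto, property, e);
        }
    }

    /**
     * Collects the public, zero-argument {@code getXxx()} methods declared on the
     * DTO's class whose return type can hold a String.
     *
     * <p>Non-public or parameterised {@code get*} methods are skipped rather than
     * reported as access failures, since they are not bean properties and cannot
     * be read by the callers above. The return-type test is
     * {@code isAssignableFrom(String.class)}, so getters typed {@code Object} or
     * {@code CharSequence} are included too; their value is cast to String by the
     * callers, and a non-String value surfaces as an access failure.
     */
    private static List<Method> stringGetters(AbstractIdentifiableDTO dto) {
        List<Method> getters = new ArrayList<>();
        for (Method method : dto.getClass().getDeclaredMethods()) {
            if (isStringGetter(method)) {
                getters.add(method);
            }
        }
        return getters;
    }

    private static boolean isStringGetter(Method method) {
        return method.getName().startsWith(GETTER_PREFIX)
                && Modifier.isPublic(method.getModifiers())
                && method.getParameterTypes().length == 0
                && method.getReturnType().isAssignableFrom(String.class);
    }

    /** Strips the {@code get} prefix: {@code getName} → {@code Name}. */
    private static String propertyName(Method getter) {
        return getter.getName().substring(GETTER_PREFIX.length());
    }

    /** Builds the exception used for any reflective get/set failure on a property. */
    private static IllegalArgumentException accessFailure(AbstractIdentifiableDTO dto, String property, Exception cause) {
        return new IllegalArgumentException(
                "Unable to access get/set " + property + " on " + dto.getClass().getName(), cause);
    }
}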