Enum Class PathSyntaxPolicy

java.lang.Object
java.lang.Enum<PathSyntaxPolicy>
oracle.dbtools.plugin.api.http.annotations.PathSyntaxPolicy
All Implemented Interfaces:
Serializable, Comparable<PathSyntaxPolicy>, Constable

public enum PathSyntaxPolicy extends Enum<PathSyntaxPolicy>
Determines what validation is performed on the path portion of a request URI. Path-based attacks are a common class of web application vulnerability and arise when there are defects in how a web application uses (directly or indirectly) APIs that operate on file-system objects. To protect against many well-known attacks, suspicious path name patterns that should not have a legitimate use case (or that are uncommon edge cases) are tested for at the start of processing. If a suspicious path is encountered, the request is rejected with a 400 Bad Request status.

Path Syntax Rules

These tests restrict valid file names to a subset of names that are valid on both Windows and UNIX operating systems and that do not represent attempts to exploit potential weaknesses in underlying APIs, such as strings containing null characters or percent-encoded characters.

The following tests are applied:

  • Is not empty or whitespace only
  • Does not contain any of the following characters: <,>,:,",|,?,*,#,;,%,
  • Does not contain the null character (U+0000)
  • Does not contain characters in the range: -1
  • Does not end with white space or a period.
  • Does not contain // or \\
  • Does not contain two or more periods in sequence (.., ... etc)
  • Total length is 1024 characters or less
  • Does not match any of the following names (case insensitive), with or without file extensions: CON, PRN, AUX, CLOCK$, NUL, COM0, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT0, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9

We apply these rules regardless of operating system, so that data can be migrated from one operating system to another without hitting an operating-system-specific restriction during the migration.

Author:
cdivilly
  • Enum Constant Details

    • CHECK

      public static final PathSyntaxPolicy CHECK
      Default; all request paths are checked to ensure they comply with the validation rules above.
    • DO_NOT_CHECK

      public static final PathSyntaxPolicy DO_NOT_CHECK
      No validation is performed on request paths. Use of this value is strongly discouraged: Path Syntax Validation provides an important defence against unanticipated behaviours of, and interactions with, file-system APIs in both the application server and the database.
  • Field Details

    • MAX_PATH_LENGTH

      public static int MAX_PATH_LENGTH
      Over-long path names can be used to degrade or deny service, so we restrict the maximum length of a file path that we will process.
  • Method Details

    • values

      public static PathSyntaxPolicy[] values()
      Returns an array containing the constants of this enum class, in the order they are declared.
      Returns:
      an array containing the constants of this enum class, in the order they are declared
    • valueOf

      public static PathSyntaxPolicy valueOf(String name)
      Returns the enum constant of this class with the specified name. The string must match exactly an identifier used to declare an enum constant in this class. (Extraneous whitespace characters are not permitted.)
      Parameters:
      name - the name of the enum constant to be returned.
      Returns:
      the enum constant with the specified name
      Throws:
      IllegalArgumentException - if this enum class has no constant with the specified name
      NullPointerException - if the argument is null