Enum Class PathSyntaxPolicy
- All Implemented Interfaces:
Serializable, Comparable<PathSyntaxPolicy>, Constable
Determines what validation is performed on the path portion of a request URI.
Path-based attacks are a common vulnerability in web applications and arise when there are defects in how a web application uses (directly or indirectly) APIs that operate on file-system objects. To protect against many well-known attacks, suspicious path name patterns that should have no legitimate use case (or that are uncommon edge cases) are tested for at the start of processing. If a suspicious path is encountered, the request is rejected with a 400 Bad Request status.
Path Syntax Rules
These tests restrict valid file names to a subset of names that are valid on both Windows and UNIX operating systems and that do not represent attempts to exploit potential weaknesses in underlying APIs, such as strings containing null characters or percent-encoded characters.
The following tests are applied:
- Is not empty or whitespace only
- Does not contain any of the following characters: <, >, :, ", |, ?, *, #, ;, %
- Does not contain the null character (\0)
- Does not contain characters in the range: -1
- Does not end with white space or a period
- Does not contain // or \\
- Does not contain two or more periods in sequence (.., ... etc.)
- Total length is 1024 characters or less
- Does not match any of the following names (case insensitive), with or without file extensions: CON, PRN, AUX, CLOCK$, NUL, COM0, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT0, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9
We apply these rules regardless of operating system, so that data can be migrated from one operating system to another without hitting an operating system specific restriction during the migration.
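The following is an added, stand-alone re-implementation of the rule list above in Python, for testing request paths offline before they reach a server; it is not ORDS code and is not the enum's own implementation. Assumptions: the "range" rule (whose bounds did not survive on this page) is taken to be the C0 control characters U+0001 to U+001F, and the reserved-name rule is applied to each path segment separated by / or \.

```python
import re

# Limits and character classes as listed in the PathSyntaxPolicy rules above.
MAX_PATH_LENGTH = 1024
FORBIDDEN_CHARS = frozenset('<>:"|?*#;%')
RESERVED_NAMES = frozenset(
    {"CON", "PRN", "AUX", "CLOCK$", "NUL"}
    | {f"COM{i}" for i in range(10)}
    | {f"LPT{i}" for i in range(10)}
)
# Assumption: the "range" rule covers the C0 control characters U+0001..U+001F;
# the page's own rendering of the range bounds did not survive extraction.
_CONTROL_RANGE = range(0x01, 0x20)


def path_syntax_violation(path: str):
    """Return a description of the first rule the path violates, or None.

    Checks run in the order the rules are listed; any hit means 400 Bad Request.
    """
    if not path or path.isspace():
        return "empty or whitespace only"
    bad = FORBIDDEN_CHARS.intersection(path)
    if bad:
        return f"forbidden character {sorted(bad)[0]!r}"
    if "\0" in path:
        return "null character"
    if any(ord(c) in _CONTROL_RANGE for c in path):
        return "control character"
    if path[-1].isspace() or path.endswith("."):
        return "ends with whitespace or a period"
    if "//" in path or "\\\\" in path:
        return "doubled separator"
    if ".." in path:
        return "two or more periods in sequence"
    if len(path) > MAX_PATH_LENGTH:
        return f"longer than {MAX_PATH_LENGTH} characters"
    # Reserved device names are rejected case-insensitively, with or without
    # an extension; assumption: the rule is applied to every path segment.
    for segment in re.split(r"[/\\]", path):
        if segment.split(".", 1)[0].upper() in RESERVED_NAMES:
            return f"reserved device name {segment!r}"
    return None


def is_valid_path(path: str) -> bool:
    """True when the path passes every PathSyntaxPolicy check."""
    return path_syntax_violation(path) is None
```

Note that the % rule alone is what stops percent-encoded traversal such as %2e%2e from ever reaching a decoder, which is why the check runs before any other processing.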
- Author: cdivilly
Nested Class Summary
Nested classes/interfaces inherited from class java.lang.Enum:
Enum.EnumDesc<E extends Enum<E>>
Enum Constant Summary
Enum Constants
- CHECK: Default, all request paths will be checked to ensure they comply with the above validation rules.
- DO_NOT_CHECK: No validation will be performed on request paths.
Field Summary
Fields
- static int MAX_PATH_LENGTH: Over-long path names can cause diminished/denial of service attacks, so we restrict the maximum file path we will process.
Method Summary
- static PathSyntaxPolicy valueOf(String name): Returns the enum constant of this class with the specified name.
- static PathSyntaxPolicy[] values(): Returns an array containing the constants of this enum class, in the order they are declared.
Enum Constant Details

CHECK
Default, all request paths will be checked to ensure they comply with the above validation rules.

DO_NOT_CHECK
No validation will be performed on request paths. Use of this value is strongly discouraged. Path Syntax Validation provides an important defence against unanticipated behaviours/interactions with file system APIs in both the application server and the database.
Field Details

MAX_PATH_LENGTH
public static int MAX_PATH_LENGTH
Over-long path names can cause diminished/denial of service attacks, so we restrict the maximum file path we will process.
Method Details

values
Returns an array containing the constants of this enum class, in the order they are declared.
- Returns:
  an array containing the constants of this enum class, in the order they are declared

valueOf
Returns the enum constant of this class with the specified name. The string must match exactly an identifier used to declare an enum constant in this class. (Extraneous whitespace characters are not permitted.)
- Parameters:
  name - the name of the enum constant to be returned.
- Returns:
  the enum constant with the specified name
- Throws:
  IllegalArgumentException - if this enum class has no constant with the specified name
  NullPointerException - if the argument is null