jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/ValidUrlRule.java - jetty - Git at Google

 //
 //  ========================================================================
 //  Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd.
 //  ------------------------------------------------------------------------
 //  All rights reserved. This program and the accompanying materials
 //  are made available under the terms of the Eclipse Public License v1.0
 //  and Apache License v2.0 which accompanies this distribution.
 //
 //      The Eclipse Public License is available at
 //      http://www.eclipse.org/legal/epl-v10.html
 //
 //      The Apache License v2.0 is available at
 //      http://www.opensource.org/licenses/apache2.0.php
 //
 //  You may elect to redistribute this code under either of these licenses.
 //  ========================================================================
 //

 package org.eclipse.jetty.rewrite.handler;

 import java.io.IOException;

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;

 /**
  * This rule can be used to protect against invalid unicode characters in a url making it into applications.
  * <p>
  * The logic is as follows.
  * <ul>
  * <li>if decoded uri character is an iso control character return code/reason</li>
  * <li>if no UnicodeBlock is found for character return code/reason</li>
  * <li>if character is in UnicodeBlock.SPECIALS return code/reason</li>
  * </ul>
  */
 public class ValidUrlRule extends Rule
 {
     private static final Logger LOG = Log.getLogger(ValidUrlRule.class);

     String _code = "400";
     String _reason = "Illegal Url";

     public ValidUrlRule()
     {
         _handling = true;
         _terminating = true;
     }

     /* ------------------------------------------------------------ */
     /**
      * Sets the response status code.
      *
      * @param code
      *            response code
      */
     public void setCode(String code)
     {
         _code = code;
     }

     /* ------------------------------------------------------------ */
     /**
      * Sets the reason for the response status code. Reasons will only reflect if the code value is greater or equal to 400.
      *
      * @param reason the reason
      */
     public void setReason(String reason)
     {
         _reason = reason;
     }

     @Override
     public String matchAndApply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
     {
         // best to decide the request uri and validate that
         // String uri = request.getRequestURI();
         String uri = URIUtil.decodePath(request.getRequestURI());

         for (int i = 0; i < uri.length();)
         {
             int codepoint = uri.codePointAt(i);

             if (!isValidChar(uri.codePointAt(i)))
             {

                 int code = Integer.parseInt(_code);

                 // status code 400 and up are error codes so include a reason
                 if (code >= 400)
                 {
                     response.sendError(code,_reason);
                 }
                 else
                 {
                     response.setStatus(code);
                 }

                 // we have matched, return target and consider it is handled
                 return target;
             }
             i += Character.charCount(codepoint);
         }

         // we have not matched so return null
         return null;
     }

     protected boolean isValidChar(int codepoint)
     {
         Character.UnicodeBlock block = Character.UnicodeBlock.of(codepoint);

         LOG.debug("{} {} {} {}", Character.charCount(codepoint), codepoint, block, Character.isISOControl(codepoint));

         return (!Character.isISOControl(codepoint)) && block != null && block != Character.UnicodeBlock.SPECIALS;
     }

     public String toString()
     {
         return super.toString() + "[" + _code + ":" + _reason + "]";
     }
 }
	//
	// ========================================================================
	// Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd.
	// ------------------------------------------------------------------------
	// All rights reserved. This program and the accompanying materials
	// are made available under the terms of the Eclipse Public License v1.0
	// and Apache License v2.0 which accompanies this distribution.
	//
	// The Eclipse Public License is available at
	// http://www.eclipse.org/legal/epl-v10.html
	//
	// The Apache License v2.0 is available at
	// http://www.opensource.org/licenses/apache2.0.php
	//
	// You may elect to redistribute this code under either of these licenses.
	// ========================================================================
	//

	package org.eclipse.jetty.rewrite.handler;

	import java.io.IOException;

	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;

	import org.eclipse.jetty.util.URIUtil;
	import org.eclipse.jetty.util.log.Log;
	import org.eclipse.jetty.util.log.Logger;

	/**
	* This rule can be used to protect against invalid unicode characters in a url making it into applications.
	* <p>
	* The logic is as follows.
	* <ul>
	* <li>if decoded uri character is an iso control character return code/reason</li>
	* <li>if no UnicodeBlock is found for character return code/reason</li>
	* <li>if character is in UnicodeBlock.SPECIALS return code/reason</li>
	* </ul>
	*/
	public class ValidUrlRule extends Rule
	{
	private static final Logger LOG = Log.getLogger(ValidUrlRule.class);

	String _code = "400";
	String _reason = "Illegal Url";

	public ValidUrlRule()
	{
	_handling = true;
	_terminating = true;
	}

	/* ------------------------------------------------------------ */
	/**
	* Sets the response status code.
	*
	* @param code
	* response code
	*/
	public void setCode(String code)
	{
	_code = code;
	}

	/* ------------------------------------------------------------ */
	/**
	* Sets the reason for the response status code. Reasons will only reflect if the code value is greater or equal to 400.
	*
	* @param reason the reason
	*/
	public void setReason(String reason)
	{
	_reason = reason;
	}

	@Override
	public String matchAndApply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
	{
	// best to decide the request uri and validate that
	// String uri = request.getRequestURI();
	String uri = URIUtil.decodePath(request.getRequestURI());

	for (int i = 0; i < uri.length();)
	{
	int codepoint = uri.codePointAt(i);

	if (!isValidChar(uri.codePointAt(i)))
	{

	int code = Integer.parseInt(_code);

	// status code 400 and up are error codes so include a reason
	if (code >= 400)
	{
	response.sendError(code,_reason);
	}
	else
	{
	response.setStatus(code);
	}

	// we have matched, return target and consider it is handled
	return target;
	}
	i += Character.charCount(codepoint);
	}

	// we have not matched so return null
	return null;
	}

	protected boolean isValidChar(int codepoint)
	{
	Character.UnicodeBlock block = Character.UnicodeBlock.of(codepoint);

	LOG.debug("{} {} {} {}", Character.charCount(codepoint), codepoint, block, Character.isISOControl(codepoint));

	return (!Character.isISOControl(codepoint)) && block != null && block != Character.UnicodeBlock.SPECIALS;
	}

	public String toString()
	{
	return super.toString() + "[" + _code + ":" + _reason + "]";
	}
	}