#include <Sanitizer.hxx>
|
| static std::string | sanitizeCommand (const std::string &theInput) |
| |
| static std::string | sanitizePath (const std::string &theInput) |
| |
| static std::string | sanitizePathWithWhiteList (std::vector< std::string > &whiteList, std::vector< std::string > &validExtensions, const std::string &theInput, bool ignoreCase=true) |
| |
Definition at line 23 of file Sanitizer.hxx.
| static std::string Teamcenter::Sanitizer::sanitizeCommand |
( |
const std::string & |
theInput | ) |
|
|
static |
Sanitize a user input string before including it in a command to be executed in another process or shell (e.g., with Runtime.exec()). The method is intended to detect and prevent command injection attacks. It checks whether the input string contains shell control characters or OS commands that might be signs of command injection.
- Parameters
-
| theInput | the user input string to be sanitized. |
- Returns
- the input string if the string is judged to be safe for command execution.
- Exceptions
-
| SanitizationException | if the string is judged unsafe for command execution. |
| static std::string Teamcenter::Sanitizer::sanitizePath |
( |
const std::string & |
theInput | ) |
|
|
static |
Sanitize a user input string before it is included in a file path to be opened for read or write. The method is intended to detect and prevent file path traversal attacks. It checks that the input string is a relative path and does not contain character sequences such as "../.." that can traverse out of a base directory. For stronger validation handling symbolic links or if an absolute path is to be sanitized, the sanitizePathWithWhitelist method is recommended instead.
- Parameters
-
| theInput | the user input string to be sanitized. |
- Returns
- the normalized version of input string if the string is judged to be free of path traversal attacks
- Exceptions
-
| SanitizationException | if the string is suspected for a path traversal attack as well as untrust absoulute path. |
| static std::string Teamcenter::Sanitizer::sanitizePathWithWhiteList |
( |
std::vector< std::string > & |
whiteList, |
|
|
std::vector< std::string > & |
validExtensions, |
|
|
const std::string & |
theInput, |
|
|
bool |
ignoreCase = true |
|
) |
| |
|
static |
Sanitize a user input string before it is included in a file path to be opened for read or write. The method is intended to detect and prevent file path traversal attacks. It checks that the input string denotes a file that is either in the white list or is within a directory in the whitelist. If validExtensions is provided the file must also have an extension that is in the list. Unlike sanitizePath, the input to be sanitized is allowed to be an absolute path.
- Parameters
-
| whiteList | user input valid file path list to begin with |
| validExtensions | user input valid file extension list to end with |
| theInput | the user input string to be sanitized. |
| ignoreCase | Perform case insensitive path comparisons for theInput with whitelist and validExtensions values by default. |
- Returns
- String the input string if the string is judged to be free of path/file attacks
- Exceptions
-
| SanitizationException | an Sanitization exception is thrown |
| std::string Teamcenter::Sanitizer::m_delimiters |
|
staticprivate |
| std::string Teamcenter::Sanitizer::m_invalidStringList2[] |
|
staticprivate |
| const int Teamcenter::Sanitizer::m_numInvalidStrings = 20 |
|
staticprivate |
The documentation for this class was generated from the following file:
