Class InjectionDefense

  • public class InjectionDefense
    extends Object
    A class with which to safely build a streaming expression. Three types of parameters (String, Numeric, Expression) are accepted and minimally type checked. All parameters are positional (unnamed) so the order in which parameters are added must correspond to the order of the parameters in the supplied expression string.

    Specifically, this class verifies that the parameter substitutions do not inject additional expressions, and that the parameters are strings, valid numbers or valid expressions producing the expected number of sub-expressions. The idea is not to provide full type safety but rather to heuristically prevent the injection of malicious expressions. The template expression and the parameters supplied must not contain comments since injection of comments could be used to hide one or more of the expected expressions. Use stripComments(String) to remove comments.

    Valid patterns for parameters are:

    • ?$? for strings
    • ?#? for numeric parameters in integer or decimal format (no exponents)
    • ?(n)? for expressions producing n sub-expressions (minimum n=1)
    • Constructor Detail

      • InjectionDefense

        public InjectionDefense​(String exprString)
    • Method Detail

      • stripComments

        public static String stripComments​(String exprString)
      • addParameter

        public void addParameter​(String param)
      • safeExpression

        public StreamExpression safeExpression()
        Provides an expression that is guaranteed to have the expected number of sub-expressions
        An expression object that should be safe from injection of additional expressions
      • safeExpressionString

        public String safeExpressionString()
        Provides a string that is guaranteed to parse to a legal expression and to have the expected number of sub-expressions.
        A string that should be safe from injection of additional expressions.