Class InjectionDefense
- java.lang.Object
- org.apache.solr.client.solrj.io.stream.expr.InjectionDefense

public class InjectionDefense extends Object
A class with which to safely build a streaming expression. Three types of parameters (String, Numeric, Expression) are accepted and minimally type checked. All parameters are positional (unnamed) so the order in which parameters are added must correspond to the order of the parameters in the supplied expression string.
Specifically, this class verifies that the parameter substitutions do not inject additional expressions, and that the parameters are strings, valid numbers or valid expressions producing the expected number of sub-expressions. The idea is not to provide full type safety but rather to heuristically prevent the injection of malicious expressions. The template expression and the parameters supplied must not contain comments, since injection of comments could be used to hide one or more of the expected expressions. Use stripComments(String) to remove comments.
Valid patterns for parameters are:
- ?$? for strings
- ?#? for numeric parameters in integer or decimal format (no exponents)
- ?(n)? for expressions producing n sub-expressions (minimum n=1)
Since: 8.0.0

Constructor Summary
- InjectionDefense(String exprString)

Method Summary
- void addParameter(String param)
- StreamExpression safeExpression(): Provides an expression that is guaranteed to have the expected number of sub-expressions.
- String safeExpressionString(): Provides a string that is guaranteed to parse to a legal expression and to have the expected number of sub-expressions.
- static String stripComments(String exprString)

Constructor Detail

InjectionDefense
public InjectionDefense(String exprString)

Method Detail

addParameter
public void addParameter(String param)

safeExpression
public StreamExpression safeExpression()
Provides an expression that is guaranteed to have the expected number of sub-expressions.
- Returns: An expression object that should be safe from injection of additional expressions.

safeExpressionString
public String safeExpressionString()
Provides a string that is guaranteed to parse to a legal expression and to have the expected number of sub-expressions.
- Returns: A string that should be safe from injection of additional expressions.
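Added usage example (not part of the Solr code base or this Javadoc): building a streaming expression from untrusted request values with the positional ?$?, ?#? and ?(n)? placeholders described above, then nesting the validated result as a single sub-expression of an outer template. The class name InjectionDefenseExample, the templates, the input values and the assumption that a rejected substitution surfaces as an unchecked exception are all this example's own.

```java
import org.apache.solr.client.solrj.io.stream.expr.InjectionDefense;
import org.apache.solr.client.solrj.io.stream.expr.StreamExpression;

public class InjectionDefenseExample {

  // Placeholders are positional: collection (?$?), query (?$?), row limit (?#?).
  // They are left unquoted so the template does not depend on how the class
  // quotes string parameters when it substitutes them.
  private static final String SEARCH_TEMPLATE =
      "search(?$?, q=?$?, fl=id, sort=\"id asc\", rows=?#?)";

  // The validated search becomes exactly one sub-expression (?(1)?) of top().
  private static final String TOP_TEMPLATE = "top(n=?#?, ?(1)?, sort=\"id asc\")";

  /** Returns the validated expression string; throws if the checks fail. */
  static String buildSearch(String collection, String userQuery, String userRows) {
    InjectionDefense search = new InjectionDefense(SEARCH_TEMPLATE);
    // Strip comments from every parameter first: a comment could otherwise hide
    // one of the expressions the count check expects to see.
    search.addParameter(InjectionDefense.stripComments(collection));
    search.addParameter(InjectionDefense.stripComments(userQuery));
    search.addParameter(InjectionDefense.stripComments(userRows)); // integer or decimal only
    return search.safeExpressionString();
  }

  /** Wraps an already validated expression string in the outer template. */
  static StreamExpression buildTop(String innerExpr, String n) {
    InjectionDefense top = new InjectionDefense(TOP_TEMPLATE);
    top.addParameter(n);         // ?#?
    top.addParameter(innerExpr); // ?(1)?: exactly one sub-expression expected
    return top.safeExpression();
  }

  public static void main(String[] args) {
    // Constructed inputs: a benign request, then one that tries to smuggle a
    // second search() through the numeric placeholder.
    String inner = buildSearch("collection1", "*:*", "10");
    System.out.println("accepted: " + buildTop(inner, "5"));

    try {
      buildSearch("collection1", "*:*", "10), search(collection2, q=*:*, fl=id, sort=\"id asc\"");
      System.out.println("accepted (unexpected)");
    } catch (RuntimeException e) { // assumption: rejection is reported as an unchecked exception
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The second call fails either the numeric format check or the sub-expression count check; either way no expression containing the extra search() is returned.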