Merging develop into master

Merging develop into master.
UDA-EJIE · Jun 1, 2017 · f4fbe04 · f4fbe04
2 parents 61b82f1 + 8194ee4
commit f4fbe04
Show file tree

Hide file tree

Showing 14 changed files with 821 additions and 22 deletions.
diff --git a/x38ShLibClasses/build.xml b/x38ShLibClasses/build.xml
@@ -6,7 +6,7 @@
 	<property name="srcDir" value="./src"/>
 	<property name="destDir" value="./target"/>
 	<property name="buildDir" value="./bin"/>
-	<property name="version" value="3.0.0-RELEASE"/>
+	<property name="version" value="3.1.0-RELEASE"/>
 
 	<target name="mavenRunDependencies" description="Resuelve las dependencias del proyecto desde Maven">
 		<echo>${ant.home}</echo>

diff --git a/x38ShLibClasses/pom.xml b/x38ShLibClasses/pom.xml
@@ -4,7 +4,7 @@
   <groupId>com.ejie.x38</groupId>
   <artifactId>x38ShLibClasses</artifactId>
   <packaging>jar</packaging>
-  <version>3.0.0-RELEASE</version>
+  <version>3.1.0-RELEASE</version>
   <name>x38ShLibClasses</name>
   <url>http://maven.apache.org</url>
 	<properties>
@@ -196,11 +196,7 @@
 			<artifactId>jackson-databind</artifactId>
 			<version>${org.jackson.version}</version>
 		</dependency>
-	<dependency>
-			<groupId>com.fasterxml.jackson.core</groupId>
-			<artifactId>jackson-annotations</artifactId>
-			<version>${org.jackson.version}</version>
-		</dependency>
+
 		<!-- JSR 303 with Hibernate Validator -->
 		<dependency>
 			<groupId>org.hibernate</groupId>

diff --git a/x38ShLibClasses/src/META-INF/MANIFEST.MF b/x38ShLibClasses/src/META-INF/MANIFEST.MF
@@ -1,2 +1,2 @@
-Manifest-Version: 3.0.0-RELEASE
+Manifest-Version: 3.1.0-SNAPSHOT
 Class-Path: 
diff --git a/x38ShLibClasses/src/com/ejie/x38/dao/sql/OracleEncoder.java b/x38ShLibClasses/src/com/ejie/x38/dao/sql/OracleEncoder.java
@@ -0,0 +1,30 @@
+package com.ejie.x38.dao.sql;
+
+import com.ejie.x38.dao.sql.codecs.Codec;
+import com.ejie.x38.dao.sql.codecs.OracleCodec;
+
+public class OracleEncoder {
+
+	private static Codec codec;
+
+	private static OracleEncoder instance;
+
+	public static OracleEncoder getInstance(){
+		if (OracleEncoder.instance == null){
+			OracleEncoder.instance = new OracleEncoder();
+			OracleEncoder.codec = new OracleCodec();
+		}
+
+		return OracleEncoder.instance;
+	}
+
+
+	private OracleEncoder(){
+
+	}
+
+	public String encode(String input){
+		return SqlEncoder.encodeForSQL(OracleEncoder.codec, input);
+	}
+
+}
diff --git a/x38ShLibClasses/src/com/ejie/x38/dao/sql/SqlEncoder.java b/x38ShLibClasses/src/com/ejie/x38/dao/sql/SqlEncoder.java
@@ -0,0 +1,44 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @created 2007
+ */
+package com.ejie.x38.dao.sql;
+
+import com.ejie.x38.dao.sql.codecs.Codec;
+
+
+
+
+/**
+ * Reference implementation of the Encoder interface. This implementation takes
+ * a whitelist approach to encoding, meaning that everything not specifically identified in a
+ * list of "immune" characters is encoded.
+ * 
+ * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
+ *         href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @since June 1, 2007
+ * @see org.owasp.esapi.Encoder
+ */
+public class SqlEncoder {
+
+	private final static char[] IMMUNE_SQL = { ' ' };
+
+	public static String encodeForSQL(Codec codec, String input) {
+	    if( input == null ) {
+	    	return null;
+	    }
+	    return codec.encode(IMMUNE_SQL, input);
+	}
+
+}
diff --git a/x38ShLibClasses/src/com/ejie/x38/dao/sql/codecs/Codec.java b/x38ShLibClasses/src/com/ejie/x38/dao/sql/codecs/Codec.java
@@ -0,0 +1,159 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @created 2007
+ */
+package com.ejie.x38.dao.sql.codecs;
+
+
+/**
+ * The Codec interface defines a set of methods for encoding and decoding application level encoding schemes,
+ * such as HTML entity encoding and percent encoding (aka URL encoding). Codecs are used in output encoding
+ * and canonicalization.  The design of these codecs allows for character-by-character decoding, which is
+ * necessary to detect double-encoding and the use of multiple encoding schemes, both of which are techniques
+ * used by attackers to bypass validation and bury encoded attacks in data.
+ * 
+ * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
+ *         href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @since June 1, 2007
+ * @see org.owasp.esapi.Encoder
+ */
+public abstract class Codec {
+
+	/**
+	 * Initialize an array to mark which characters are to be encoded. Store the hex
+	 * string for that character to save time later. If the character shouldn't be
+	 * encoded, then store null.
+	 */
+	private static final String[] hex = new String[256];
+
+	static {
+		for ( char c = 0; c < 0xFF; c++ ) {
+			if ( c >= 0x30 && c <= 0x39 || c >= 0x41 && c <= 0x5A || c >= 0x61 && c <= 0x7A ) {
+				hex[c] = null;
+			} else {
+				hex[c] = toHex(c).intern();
+			}
+		}
+	}
+
+
+	/**
+	 * Default constructor
+	 */
+	public Codec() {
+	}
+
+	/**
+	 * Encode a String so that it can be safely used in a specific context.
+	 * 
+	 * @param immune
+	 * @param input
+	 * 		the String to encode
+	 * @return the encoded String
+	 */
+	public String encode(char[] immune, String input) {
+		StringBuilder sb = new StringBuilder();
+		for (int i = 0; i < input.length(); i++) {
+			char c = input.charAt(i);
+			sb.append(encodeCharacter(immune, c));
+		}
+		return sb.toString();
+	}
+
+	/**
+	 * Default implementation that should be overridden in specific codecs.
+	 * 
+	 * @param immune
+	 * @param c
+	 * 		the Character to encode
+	 * @return
+	 * 		the encoded Character
+	 */
+	public String encodeCharacter( char[] immune, Character c ) {
+		return ""+c;
+	}
+
+	/**
+	 * Decode a String that was encoded using the encode method in this Class
+	 * 
+	 * @param input
+	 * 		the String to decode
+	 * @return
+	 *		the decoded String
+	 */
+	public String decode(String input) {
+		StringBuilder sb = new StringBuilder();
+		PushbackString pbs = new PushbackString(input);
+		while (pbs.hasNext()) {
+			Character c = decodeCharacter(pbs);
+			if (c != null) {
+				sb.append(c);
+			} else {
+				sb.append(pbs.next());
+			}
+		}
+		return sb.toString();
+	}
+
+	/**
+	 * Returns the decoded version of the next character from the input string and advances the
+	 * current character in the PushbackString.  If the current character is not encoded, this 
+	 * method MUST reset the PushbackString.
+	 * 
+	 * @param input	the Character to decode
+	 * 
+	 * @return the decoded Character
+	 */
+	public Character decodeCharacter( PushbackString input ) {
+		return input.next();
+	}
+
+	/**
+	 * Lookup the hex value of any character that is not alphanumeric.
+	 * @param c The character to lookup.
+	 * @return, return null if alphanumeric or the character code
+	 * 	in hex.
+	 */
+	public static String getHexForNonAlphanumeric(char c)
+	{
+		if(c<0xFF)
+			return hex[c];
+		return toHex(c);
+	}
+
+	public static String toOctal(char c)
+	{
+		return Integer.toOctalString(c);
+	}
+
+	public static String toHex(char c)
+	{
+		return Integer.toHexString(c);
+	}
+
+	/**
+	 * Utility to search a char[] for a specific char.
+	 * 
+	 * @param c
+	 * @param array
+	 * @return
+	 */
+	public static boolean containsCharacter( char c, char[] array ) {
+		for (char ch : array) {
+			if (c == ch) return true;
+		}
+		return false;
+	}
+
+}
diff --git a/x38ShLibClasses/src/com/ejie/x38/dao/sql/codecs/OracleCodec.java b/x38ShLibClasses/src/com/ejie/x38/dao/sql/codecs/OracleCodec.java
@@ -0,0 +1,90 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ *
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ *
+ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @created 2007
+ */
+package com.ejie.x38.dao.sql.codecs;
+
+
+
+/**
+ * Implementation of the Codec interface for Oracle strings. This function will only protect you from SQLi in the case of user data
+ * bring placed within an Oracle quoted string such as:
+ * 
+ * select * from table where user_name='  USERDATA    ';
+ * 
+ * @see <a href="http://oraqa.com/2006/03/20/how-to-escape-single-quotes-in-strings/">how-to-escape-single-quotes-in-strings</a>
+ * 
+ * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @author Jim Manico ([email protected]) <a href="http://www.manico.net">Manico.net</a>
+ * @since June 1, 2007
+ * @see org.owasp.esapi.Encoder
+ */
+public class OracleCodec extends Codec {
+
+
+	/**
+	 * {@inheritDoc}
+	 * 
+	 * Encodes ' to ''
+     *
+	 * Encodes ' to ''
+     *
+     * @param immune
+     */
+	public String encodeCharacter( char[] immune, Character c ) {
+		if ( c.charValue() == '\'' )
+        	return "\'\'";
+        return ""+c;
+	}
+
+
+
+	/**
+	 * {@inheritDoc}
+	 *
+	 * Returns the decoded version of the character starting at index, or
+	 * null if no decoding is possible.
+	 *
+	 * Formats all are legal
+	 *   '' decodes to '
+	 */
+	public Character decodeCharacter( PushbackString input ) {
+		input.mark();
+		Character first = input.next();
+		if ( first == null ) {
+			input.reset();
+			return null;
+		}
+
+		// if this is not an encoded character, return null
+		if ( first.charValue() != '\'' ) {
+			input.reset();
+			return null;
+		}
+
+		Character second = input.next();
+		if ( second == null ) {
+			input.reset();
+			return null;
+		}
+
+		// if this is not an encoded character, return null
+		if ( second.charValue() != '\'' ) {
+			input.reset();
+			return null;
+		}
+		return( Character.valueOf( '\'' ) );
+	}
+
+}