Enum PathSyntaxPolicy

java.lang.Object
  java.lang.Enum<PathSyntaxPolicy>
    oracle.dbtools.plugin.api.http.annotations.PathSyntaxPolicy

All Implemented Interfaces:
java.io.Serializable, java.lang.Comparable<PathSyntaxPolicy>

public enum PathSyntaxPolicy extends java.lang.Enum<PathSyntaxPolicy>
Determines what validation is performed on the path portion of a request URI. Path-based attacks are a common vulnerability in web applications and arise when there are defects in how a web application uses (directly or indirectly) APIs that operate on file-system objects. To protect against many well-known attacks, suspicious path name patterns that should not have a legitimate use case (or are uncommon edge cases) are tested for at the start of processing. If a suspicious path is encountered, the request is rejected with a 400 Bad Request status.

Path Syntax Rules

These tests restrict valid file names to a subset of names that are valid on both Windows and UNIX operating systems and that do not represent attempts to exploit potential weaknesses in underlying APIs, such as strings containing null characters or percent-encoded characters.
The following tests are applied:
- Is not empty or whitespace only
- Does not contain any of the following characters:
<,>,:,",|,?,*,#,;,%,
- Does not contain the null character ()
- Does not contain characters in the range: -1
- Does not end with white space or a period.
- Does not contain // or \\
- Does not contain two or more periods in sequence (.., ... etc)
- Total length is 1024 characters or less
- Does not match any of the following names (case insensitive), with or without file extensions :
CON, PRN, AUX, CLOCK$, NUL, COM0, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT0, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9
We apply these rules regardless of operating system, so that data can be migrated from one operating system to another without hitting an operating system specific restriction during the migration.
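The rules above, written out as a small validator so the rejection behaviour can be exercised on sample paths. This is an added example in Python, not the ORDS implementation and not code from this project; it reproduces only what the page states. Two points the page does not spell out are marked as assumptions in the code: the control-character range (garbled in the text, taken here as U+0001 to U+001F) and that the reserved device names are matched against each path segment with anything after the first period treated as the extension. The `reject_status` helper and the sample paths are constructed for the example; the `CHECK` and `DO_NOT_CHECK` values mirror the enum constants documented further down.

```python
"""Reimplementation of the documented PathSyntaxPolicy rules (added example)."""
import re
from enum import Enum
from typing import Optional

MAX_PATH_LENGTH = 1024  # the "1024 characters or less" rule from the page

# Characters the page lists as forbidden anywhere in the path.
FORBIDDEN_CHARS = frozenset('<>:"|?*#;%')

# Reserved device names (case insensitive, with or without a file extension).
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "CLOCK$", "NUL"}
    | {f"COM{i}" for i in range(10)}
    | {f"LPT{i}" for i in range(10)}
)


class PathSyntaxPolicy(Enum):
    CHECK = "CHECK"                # default: validate every request path
    DO_NOT_CHECK = "DO_NOT_CHECK"  # skip validation (the page discourages this)


def path_syntax_violation(path: str) -> Optional[str]:
    """Return None when `path` satisfies every rule, else the first rule it breaks."""
    if not path or path.isspace():
        return "empty or whitespace only"
    if len(path) > MAX_PATH_LENGTH:
        return f"longer than {MAX_PATH_LENGTH} characters"
    bad = sorted(c for c in set(path) if c in FORBIDDEN_CHARS)
    if bad:
        return "forbidden character(s): " + " ".join(bad)
    if "\x00" in path:
        return "contains the null character"
    # ASSUMPTION: the page's control-character range is garbled in extraction;
    # this example treats U+0001..U+001F (the C0 controls) as the intended range.
    if any(ord(c) < 0x20 for c in path):
        return "contains a control character"
    if path[-1].isspace() or path.endswith("."):
        return "ends with whitespace or a period"
    if "//" in path or "\\\\" in path:
        return "contains // or \\\\"
    if ".." in path:  # also catches "...", "...." and so on
        return "contains two or more consecutive periods"
    # ASSUMPTION: the reserved-name rule is applied per path segment, comparing
    # the part before the first '.' so that CON, con.txt and Aux.log all match.
    for segment in re.split(r"[/\\]", path):
        if segment.split(".", 1)[0].upper() in RESERVED_NAMES:
            return f"reserved device name in segment {segment!r}"
    return None


def reject_status(path: str,
                  policy: PathSyntaxPolicy = PathSyntaxPolicy.CHECK) -> Optional[int]:
    """HTTP status to reject with (400 Bad Request), or None to continue processing."""
    if policy is PathSyntaxPolicy.DO_NOT_CHECK:
        return None
    return 400 if path_syntax_violation(path) is not None else None


if __name__ == "__main__":
    # Constructed sample request paths for illustration, not taken from real traffic.
    samples = [
        "/ords/hr/employees/7839",
        "/ords/hr/../../etc/passwd",
        "/ords/hr/%2e%2e/secret",
        "/ords/hr//employees",
        "/ords/hr/con.txt",
        "/ords/hr/report.",
        "/ords/hr/<img>",
    ]
    for p in samples:
        print(f"{p!r:35} -> {path_syntax_violation(p) or 'OK'}")
```

Because the checks run on the raw path before any decoding, a percent-encoded traversal attempt is rejected by the `%` rule rather than by the `..` rule; the order of the checks only affects which reason is reported, not whether the request is rejected.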
Author: cdivilly
Enum Constant Summary

Enum Constant   Description
CHECK           Default, all request paths will be checked to ensure they comply with the above validation rules.
DO_NOT_CHECK    No validation will be performed on request paths.

Field Summary

Modifier and Type   Field             Description
static int          MAX_PATH_LENGTH   Over-long path names can cause diminished/denial of service attacks, so we restrict the maximum file path we will process.

Method Summary

Modifier and Type           Method                            Description
static PathSyntaxPolicy     valueOf(java.lang.String name)    Returns the enum constant of this type with the specified name.
static PathSyntaxPolicy[]   values()                          Returns an array containing the constants of this enum type, in the order they are declared.
Enum Constant Detail

CHECK
public static final PathSyntaxPolicy CHECK
Default, all request paths will be checked to ensure they comply with the above validation rules.

DO_NOT_CHECK
public static final PathSyntaxPolicy DO_NOT_CHECK
No validation will be performed on request paths. Use of this value is strongly discouraged. Path Syntax Validation provides an important defence against unanticipated behaviours/interactions with file system APIs in both the application server and the database.

Field Detail

MAX_PATH_LENGTH
public static int MAX_PATH_LENGTH
Over-long path names can cause diminished/denial of service attacks, so we restrict the maximum file path we will process.
Method Detail

values
public static PathSyntaxPolicy[] values()
Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:

for (PathSyntaxPolicy c : PathSyntaxPolicy.values())
    System.out.println(c);

Returns:
an array containing the constants of this enum type, in the order they are declared

valueOf
public static PathSyntaxPolicy valueOf(java.lang.String name)
Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)
Parameters:
name - the name of the enum constant to be returned.
Returns:
the enum constant with the specified name
Throws:
java.lang.IllegalArgumentException - if this enum type has no constant with the specified name
java.lang.NullPointerException - if the argument is null