Enum PathSyntaxPolicy

  • All Implemented Interfaces:
    java.io.Serializable, java.lang.Comparable<PathSyntaxPolicy>

    public enum PathSyntaxPolicy
    extends java.lang.Enum<PathSyntaxPolicy>
    Determines what validation is performed on the path portion of a request URI. Path-based attacks are a common vulnerability in web applications and arise when there are defects in how a web application uses (directly or indirectly) APIs that operate on file-system objects. To protect against many well-known attacks, suspicious path name patterns that should not have a legitimate use case (or are uncommon edge cases) are tested for at the start of processing. If a suspicious path is encountered, the request is rejected with a 400 Bad Request status.

    Path Syntax Rules

    These tests restrict valid file names to a subset of names that are valid on both Windows and UNIX operating systems and that do not represent attempts to exploit potential weaknesses in underlying APIs, such as strings containing null characters or percent-encoded characters.

    The following tests are applied:

    • Is not empty or whitespace only
    • Does not contain any of the following characters: <,>,:,",|,?,*,#,;,%,
    • Does not contain the null character (U+0000)
    • Does not contain characters in the range: -1
    • Does not end with white space or a period.
    • Does not contain // or \\
    • Does not contain two or more periods in sequence (.., ... etc)
    • Total length is 1024 characters or less
    • Does not match any of the following names (case insensitive), with or without file extensions: CON, PRN, AUX, CLOCK$, NUL, COM0, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT0, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9

    We apply these rules regardless of operating system, so that data can be migrated from one operating system to another without hitting an operating system specific restriction during the migration.
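    The following is an added illustration of the rules listed above, written for this page; it is not ORDS code and does not reproduce the project's implementation. It re-implements each documented check as a plain Java method and shows how the CHECK and DO_NOT_CHECK constants change the outcome for a few constructed paths. Two details the page leaves open are assumptions here: the control-character range (whose endpoints were lost in extraction) is treated as U+0001 to U+001F, and the reserved-name rule is applied per path segment with the extension taken as everything after the first period. The class and method names (PathSyntaxExample, violation, statusFor) are invented for the example.

```java
import java.util.Locale;
import java.util.Set;

/** Added example: re-implements the documented PathSyntaxPolicy rules. Not ORDS code. */
public final class PathSyntaxExample {

    enum PathSyntaxPolicy { CHECK, DO_NOT_CHECK }

    static final int MAX_PATH_LENGTH = 1024;

    // Characters the page lists as forbidden anywhere in the path.
    static final String FORBIDDEN_CHARS = "<>:\"|?*#;%";

    // Reserved device names from the page; matched case-insensitively,
    // with or without a file extension.
    static final Set<String> RESERVED_NAMES = Set.of(
        "CON", "PRN", "AUX", "CLOCK$", "NUL",
        "COM0", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT0", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9");

    /** Returns null when the path is acceptable, otherwise a description of the rule it violates. */
    static String violation(String path) {
        if (path == null || path.trim().isEmpty()) {
            return "empty or whitespace only";
        }
        if (path.length() > MAX_PATH_LENGTH) {
            return "longer than " + MAX_PATH_LENGTH + " characters";
        }
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '\u0000') {
                return "contains null character";
            }
            // Assumption: the control-character range on the page is taken as U+0001..U+001F.
            if (c < 0x20) {
                return "contains control character U+" + String.format("%04X", (int) c);
            }
            if (FORBIDDEN_CHARS.indexOf(c) >= 0) {
                return "contains forbidden character '" + c + "'";
            }
        }
        char last = path.charAt(path.length() - 1);
        if (Character.isWhitespace(last) || last == '.') {
            return "ends with whitespace or a period";
        }
        if (path.contains("//") || path.contains("\\\\")) {
            return "contains // or \\\\";
        }
        if (path.contains("..")) {
            return "contains two or more periods in sequence";
        }
        // Assumption: reserved names are checked per segment, splitting on either separator;
        // the extension is everything after the first period.
        for (String segment : path.split("[/\\\\]")) {
            int dot = segment.indexOf('.');
            String base = dot >= 0 ? segment.substring(0, dot) : segment;
            if (RESERVED_NAMES.contains(base.toUpperCase(Locale.ROOT))) {
                return "matches reserved name " + base;
            }
        }
        return null;
    }

    /** Mirrors the documented behaviour: 400 when CHECK rejects the path, 200 otherwise. */
    static int statusFor(PathSyntaxPolicy policy, String path) {
        if (policy == PathSyntaxPolicy.CHECK && violation(path) != null) {
            return 400;
        }
        return 200;
    }

    public static void main(String[] args) {
        // Constructed sample paths for illustration; not taken from any real request log.
        String[] samples = {
            "/ords/hr/employees/",
            "/ords/hr/../admin",
            "/ords/hr/report%2e%2e",
            "/ords/hr/con.txt",
            "/ords/hr/file.",
            "/ords/hr/nul/x"
        };
        for (String s : samples) {
            String reason = violation(s);
            System.out.printf("%-26s CHECK=%d DO_NOT_CHECK=%d  (%s)%n",
                s, statusFor(PathSyntaxPolicy.CHECK, s),
                statusFor(PathSyntaxPolicy.DO_NOT_CHECK, s),
                reason == null ? "ok" : reason);
        }
    }
}
```

Running the example prints 400 under CHECK for every sample except the first, and 200 for all of them under DO_NOT_CHECK; the third sample shows that a percent-encoded `..` is caught by the forbidden-character rule before it could ever be decoded into a traversal sequence.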

    Author:
    cdivilly
  • <section role="region">
    • Enum Constant Summary

      Enum Constants
      CHECK: Default, all request paths will be checked to ensure they comply with the above validation rules
      DO_NOT_CHECK: No validation will be performed on request paths.
    </section> <section role="region">
    • Field Summary

      Fields
      static int MAX_PATH_LENGTH: Over-long path names can cause diminished or denial-of-service attacks, so we restrict the maximum file path length we will process
    </section> <section role="region">
    • Method Summary

      Methods
      static PathSyntaxPolicy valueOf(java.lang.String name): Returns the enum constant of this type with the specified name.
      static PathSyntaxPolicy[] values(): Returns an array containing the constants of this enum type, in the order they are declared.
      • Methods inherited from class java.lang.Enum

        clone, compareTo, equals, finalize, getDeclaringClass, hashCode, name, ordinal, toString, valueOf
      • Methods inherited from class java.lang.Object

        getClass, notify, notifyAll, wait, wait, wait
    </section>
  • <section role="region">
    • Enum Constant Detail

      • CHECK

        public static final PathSyntaxPolicy CHECK
        Default, all request paths will be checked to ensure they comply with the above validation rules
      • DO_NOT_CHECK

        public static final PathSyntaxPolicy DO_NOT_CHECK
        No validation will be performed on request paths. Use of this value is strongly discouraged: path syntax validation provides an important defence against unanticipated behaviours of, and interactions with, file-system APIs in both the application server and the database.
    </section> <section role="region">
    • Field Detail

      • MAX_PATH_LENGTH

        public static int MAX_PATH_LENGTH
        Over-long path names can cause diminished or denial-of-service attacks, so we restrict the maximum file path length we will process
    </section> <section role="region">
    • Method Detail

      • values

        public static PathSyntaxPolicy[] values()
        Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:
        for (PathSyntaxPolicy c : PathSyntaxPolicy.values())
            System.out.println(c);
        
        Returns:
        an array containing the constants of this enum type, in the order they are declared
      • valueOf

        public static PathSyntaxPolicy valueOf(java.lang.String name)
        Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)
        Parameters:
        name - the name of the enum constant to be returned.
        Returns:
        the enum constant with the specified name
        Throws:
        java.lang.IllegalArgumentException - if this enum type has no constant with the specified name
        java.lang.NullPointerException - if the argument is null
    </section>