How to implement an Escaper to prevent SQL Injection on Postgres? - postgresql

In my Spring Boot project I'm trying to implement a kind of virtual proxy able to intercept REST API calls coming from an external microservice and thus activate security filters to manage the following vulnerabilities: XSS, CSRF, SQL injection.
I was able to implement the filters concerning the first two vulnerabilities.
I am continuing with the SQL injection one, and for now I have implemented a class that behaves like an escaper (which I had already found here on Stack Overflow), but I don't know if it's okay or if there is something better.
public class SQLInjectionEscaper {
    private final DataSource dataSource = null;

    public static String escapeString(String value) {
        StringBuilder sBuilder = new StringBuilder(value.length() * 11 / 10);
        int stringLength = value.length();
        for (int i = 0; i < stringLength; ++i) {
            char c = value.charAt(i);
            switch (c) {
                case 0: /* Must be escaped for 'mysql' */
                    sBuilder.append('\\');
                    sBuilder.append('0');
                    break;
                case '\n': /* Must be escaped for logs */
                    sBuilder.append('\\');
                    sBuilder.append('n');
                    break;
                case '\r':
                    sBuilder.append('\\');
                    sBuilder.append('r');
                    break;
                case '\\':
                    sBuilder.append('\\');
                    sBuilder.append('\\');
                    break;
                case '\'':
                    sBuilder.append('\\');
                    sBuilder.append('\'');
                    break;
                case '"': /* Better safe than sorry */
                    // if (escapeDoubleQuotes) {
                    //     sBuilder.append('\\');
                    // }
                    sBuilder.append('"');
                    break;
                case '\032': /* This gives problems on Win32 */
                    sBuilder.append('\\');
                    sBuilder.append('Z');
                    break;
                case '\u00a5':
                case '\u20a9':
                    // escape characters interpreted as backslash by mysql
                    // fall through
                default:
                    sBuilder.append(c);
            }
        }
        return sBuilder.toString();
    }
}
In particular, I would like to create an escaper similar to this but better and, above all, suitable for a Postgres DB.
Can you help me?
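As an added example (not code from the question or from any library), here are the rules PostgreSQL itself applies to a string literal, written in Python so the behaviour can be checked offline, beside a port of the question's MySQL-style escaper. The point that matters for a filter like this: the question's escaper targets MySQL's lexer. PostgreSQL treats a backslash as an ordinary character inside a standard '...' literal (standard_conforming_strings has defaulted to on since 9.1), so writing a quote as \' leaves the quote unescaped and silently corrupts any value containing a backslash, and \0 and \Z are MySQL-only conventions. pg_quote_literal below follows the rules libpq's PQescapeLiteral uses (double the quotes, and switch to an E'...' literal with doubled backslashes when the value contains one, which is correct under either setting). pg_lex_literal and the round_trips check are constructed helpers for this demonstration and model only the two literal forms used here. Even with a correct quoting routine, an intercepting proxy cannot know which request fields end up in which query, so the dependable fix is to bind values as parameters (PreparedStatement with the PostgreSQL JDBC driver) in the service that issues the query and keep escaping as a last resort.

```python
"""PostgreSQL string-literal quoting vs. the MySQL-style escaper from the
question, with a small model of the PostgreSQL lexer showing what the server
would actually read back. Added example; pg_lex_literal is a constructed
helper that handles only '...' and E'...' literals."""


def pg_quote_literal(value: str) -> str:
    """Return `value` as a complete PostgreSQL string literal.

    * A quote inside a standard literal is written as two quotes.
    * Backslash is an escape only inside an E'...' literal, so when the value
      contains one we emit an E-literal and double every backslash; that is
      correct whether standard_conforming_strings is on or off.
    * NUL cannot be stored in a PostgreSQL text value at all, so it is
      rejected rather than "escaped" as \\0 (a MySQL convention).
    """
    if "\x00" in value:
        raise ValueError("NUL is not representable in a PostgreSQL text literal")
    body = value.replace("'", "''")
    if "\\" in body:
        return "E'" + body.replace("\\", "\\\\") + "'"
    return "'" + body + "'"


def mysql_style_escape(value: str) -> str:
    """Port of the escaper in the question (MySQL rules): backslash-escapes."""
    table = {"\x00": "\\0", "\n": "\\n", "\r": "\\r",
             "\\": "\\\\", "'": "\\'", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in value)


def mysql_style_quote(value: str) -> str:
    """What the question's code yields once wrapped in quotes for a query."""
    return "'" + mysql_style_escape(value) + "'"


_E_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}


def pg_lex_literal(sql: str, standard_conforming_strings: bool = True):
    """Decode the string literal at the start of `sql` as the PostgreSQL
    lexer would. Returns (decoded_value, remaining_sql), or None when `sql`
    does not start with a complete '...' or E'...' literal."""
    backslash_escapes = not standard_conforming_strings
    if sql.startswith("E'"):
        backslash_escapes, i = True, 2
    elif sql.startswith("'"):
        i = 1
    else:
        return None
    out = []
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql.startswith("''", i):          # doubled quote -> one quote
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]     # closing quote
        if c == "\\" and backslash_escapes and i + 1 < len(sql):
            nxt = sql[i + 1]                     # \n, \', \\ and friends
            out.append(_E_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return None                                  # unterminated literal


TAIL = " AND active"   # constructed: SQL that should remain outside the literal


def round_trips(quoter, value: str, standard_conforming_strings: bool = True) -> bool:
    """True when the server reads back exactly `value` from quoter(value) and
    still sees TAIL as SQL, i.e. the literal ends where the caller thinks."""
    lexed = pg_lex_literal(quoter(value) + TAIL, standard_conforming_strings)
    return lexed == (value, TAIL)


if __name__ == "__main__":
    for value in ["O'Reilly", "a\\b", "x\\'y"]:        # constructed inputs
        for scs in (True, False):
            print(f"{value!r:10} scs={scs!s:5} "
                  f"postgres_quote={round_trips(pg_quote_literal, value, scs)!s:5} "
                  f"mysql_style={round_trips(mysql_style_quote, value, scs)}")
```

Running the block shows pg_quote_literal round-tripping every value under both server settings, while the MySQL-style quoting of O'Reilly only survives with standard_conforming_strings off: with it on, the literal ends at the backslash-quote and "Reilly'" is left outside the string, which is exactly the boundary error an injection filter exists to prevent.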

Related

Converting JAPE Rule to UIMA RUTA

Is there any example available to explain how the Java code written in the RHS part of a JAPE rule can be converted to UIMA RUTA? Also, is there any way to get features of the annotations in RUTA?
Is your question whether you can inject annotations (found by other systems) into RUTA before starting the RUTA analysis? If that's the question, the answer is "yes, that's possible".
You can do something like this:
private static AnnotationFS createCASAnnotation(CAS cas, MyOwnAnnotation myOwnAnnotation) {
    Type annotationType = cas.getTypeSystem().getType(myOwnAnnotation.getType());
    if (annotationType != null) {
        AnnotationFS casAnnotation = cas.createAnnotation(annotationType, myOwnAnnotation.getTextStart(), myOwnAnnotation.getTextEnd());
        // Also possible to add features / child annotations
        for (MyOwnAnnotation childAnnotation : myOwnAnnotation.getChildAnnotations()) {
            String featureFullName = casAnnotation.getType().getName() + ":" + childAnnotation.getName();
            Feature feature = casAnnotation.getCAS().getTypeSystem().getFeatureByFullName(featureFullName);
            if (feature != null && feature.getRange().isPrimitive()
                    && "uima.cas.String".equalsIgnoreCase(feature.getRange().getName())) {
                casAnnotation.setStringValue(feature, childAnnotation.getText());
                // Other options, for example "uima.cas.Integer" -> casAnnotation.setIntValue(...
            }
            // if not primitive you can also add an Annotation type:
            // AnnotationFS childCASAnnotation = createCASAnnotation(...
            // casAnnotation.setFeatureValue(feature, childCASAnnotation);
        }
        cas.addFsToIndexes(casAnnotation);
        return casAnnotation;
    } else {
        log.error("invalid type .... or something better");
        // Or throw exception
        return null;
    }
}
The MyOwnAnnotation is an object from your own domain/system and can be something like:
class MyAnnotation {
    private final String value; // or text or fragment ...??
    private final Long startIndex;
    private final Long endIndex; // or use size/length
    private final List<MyAnnotation> childAnnotations;
    // constructor, builder pattern?, getters ....
}
Code examples are for demonstrating the concept.

Java_java_net_PlainSocketImpl_socketSetOption

In OpenJDK 8, this JNI function, Java_java_net_PlainSocketImpl_socketSetOption, contains:
/*
 * SO_TIMEOUT is a no-op on Solaris/Linux
 */
if (cmd == java_net_SocketOptions_SO_TIMEOUT) {
    return;
}
File: openjdk7/jdk/src/solaris/native/java/net/PlainSocketImpl.c
Does this mean that on Linux, setOption for SO_TIMEOUT will be ignored?
I can't find the JNI for Linux, but the Solaris code seems to also work for Linux.
No, it just means it isn't implemented as a socket option. Some platforms don't support it. On those platforms select() or friends are used.
The source inside solaris folder is also used for Linux.
SO_TIMEOUT is ignored in Java_java_net_PlainSocketImpl_socketSetOption0. But timeout is kept as a field when AbstractPlainSocketImpl.setOption is called:
case SO_TIMEOUT:
    if (val == null || (!(val instanceof Integer)))
        throw new SocketException("Bad parameter for SO_TIMEOUT");
    int tmp = ((Integer) val).intValue();
    if (tmp < 0)
        throw new IllegalArgumentException("timeout < 0");
    // Saved for later use
    timeout = tmp;
    break;
And timeout is used when doing read in SocketInputStream:
public int read(byte b[], int off, int length) throws IOException {
    return read(b, off, length, impl.getTimeout());
}

XSD Validation on iOS

I want to validate XML files against an XSD on iOS. The documentation alludes to using NSXMLDocument to do this, but it's not available on iOS =(. Are there any lightweight alternatives to do this on iOS?
I ended up using the validation facilities in libxml2, since it's a library already included in iOS. Following this sample code:
#include <libxml/parser.h>
#include <libxml/xmlschemas.h>

int is_valid(const xmlDocPtr doc, const char *schema_filename)
{
    xmlDocPtr schema_doc = xmlReadFile(schema_filename, NULL, XML_PARSE_NONET);
    if (schema_doc == NULL) {
        /* the schema cannot be loaded or is not well-formed */
        return -1;
    }
    xmlSchemaParserCtxtPtr parser_ctxt = xmlSchemaNewDocParserCtxt(schema_doc);
    if (parser_ctxt == NULL) {
        /* unable to create a parser context for the schema */
        xmlFreeDoc(schema_doc);
        return -2;
    }
    xmlSchemaPtr schema = xmlSchemaParse(parser_ctxt);
    if (schema == NULL) {
        /* the schema itself is not valid */
        xmlSchemaFreeParserCtxt(parser_ctxt);
        xmlFreeDoc(schema_doc);
        return -3;
    }
    xmlSchemaValidCtxtPtr valid_ctxt = xmlSchemaNewValidCtxt(schema);
    if (valid_ctxt == NULL) {
        /* unable to create a validation context for the schema */
        xmlSchemaFree(schema);
        xmlSchemaFreeParserCtxt(parser_ctxt);
        xmlFreeDoc(schema_doc);
        return -4;
    }
    /* 0 means the document conforms to the schema */
    int valid = (xmlSchemaValidateDoc(valid_ctxt, doc) == 0);
    xmlSchemaFreeValidCtxt(valid_ctxt);
    xmlSchemaFree(schema);
    xmlSchemaFreeParserCtxt(parser_ctxt);
    xmlFreeDoc(schema_doc);
    /* force the return value to be non-negative on success */
    return valid ? 1 : 0;
}
It appears that it is not exactly easy to do in Objective C, but there are several ideas listed at this S.O. question: Possible to validate xml against xsd using Objc/iPhone code at runtime
It seems CodeSynthesis supports this here : http://wiki.codesynthesis.com/Using_XSDE_in_iPhone_Applications
I am really just pulling links and ideas from the Stack Overflow question at this point, though.
There is not a general schema validator. Try using XSDE as proposed above. It is very fast and very, very reliable.
A nice tutorial is here: http://amateuritsolutions.blogspot.hu/2012/10/validate-xsd-schema-in-your-ios.html

Dynamic textfield creation in coldfusion

I'm fairly new to ColdFusion (we are using MX 7), and I'm trying to figure out how to populate a page based on user input. The goal is to have the user specify how many products they want to input into an order form and display that many text fields.
Any help would be appreciated.
EDIT: I found how to do this using jQuery, but I'm still having a problem populating the text fields with information from the database. Here is what I have:
function fillfields(oSel){
    var oForm=oSel.form;
    switch(oSel.options[oSel.selectedIndex].value){
        case '0': break;
        case '1':
            oForm.ShipCompany2.value="#company_name.Company#";
            oForm.ShipName2.value="#company_name.Name#";
            oForm.ShipLine3.value="#company_name.Address1#";
            oForm.ShipLine4.value="#company_name.Address2#";
            oForm.ShipCity2.value="#company_name.City#";
            oForm.ShipState2.value="#company_name.State#";
            oForm.ShipZipcode2.value="#company_name.ZipCode#";
            break;
        case '2':
            break;
        case '3':
            break;
    }
}
This won't work. Is there another way to populate this?
Somewhere in your CFM page, you have code that looks like:
function fillfields(oSel){
    var oForm=oSel.form;
    switch(oSel.options[oSel.selectedIndex].value){
        case '0': break;
        case '1':
            oForm.ShipCompany2.value="#company_name.Company#";
            oForm.ShipName2.value="#company_name.Name#";
            oForm.ShipLine3.value="#company_name.Address1#";
            oForm.ShipLine4.value="#company_name.Address2#";
            oForm.ShipCity2.value="#company_name.City#";
            oForm.ShipState2.value="#company_name.State#";
            oForm.ShipZipcode2.value="#company_name.ZipCode#";
            break;
        case '2':
            break;
        case '3':
            break;
    }
}
Modify this to:
<cfoutput>
function fillfields(oSel){
    var oForm=oSel.form;
    switch(oSel.options[oSel.selectedIndex].value){
        case '0': break;
        case '1':
            oForm.ShipCompany2.value="#company_name.Company#";
            oForm.ShipName2.value="#company_name.Name#";
            oForm.ShipLine3.value="#company_name.Address1#";
            oForm.ShipLine4.value="#company_name.Address2#";
            oForm.ShipCity2.value="#company_name.City#";
            oForm.ShipState2.value="#company_name.State#";
            oForm.ShipZipcode2.value="#company_name.ZipCode#";
            break;
        case '2':
            break;
        case '3':
            break;
    }
}
</cfoutput>
This will pick up the fields from the company_name structure, assuming that the company_name structure exists when you are rendering this section of code.

Trying to determine h.264 profile & level programmatically

Ideally the solution would be in Python and cross-platform, but that's probably not too likely, so all I require is that it work on Linux, and I can use a C extension to interface with Python if necessary. I see there is a Python binding for ffmpeg which I was thinking about using; however, I can't figure out how to determine the profile and level as it is, with ffmpeg or anything else, much less do it programmatically. Google is not much help on the matter either.
I've been able to determine what features I'd be looking for if I needed to determine the profile and levels manually, so I can do that, but then that leads to the question: can ffmpeg then determine if the video was encoded with that feature set? I guess what I'm wondering, to that effect, is whether it is perhaps not possible to fully determine the level and specific profile after encoding. I would think you'd have to know in order to decode it, but maybe not; that would explain why I can't find any information on it. I've been toying with this on and off for a while, but recently decided to consider a project I'd been thinking about, and this is one of the big things holding me back.
Here is a small program I wrote. It prints the profile and level of MP4 files that use h264 as the video codec.
You can compile it with the following command line:
gcc -std=c99 printProfileAndLevel.c -o printProfileAndLevel
Here is the C source:
#include <stdio.h>
#include <stdlib.h>

void printProfile(int profile_idc, int profile_iop, int level_idc) {
    switch(profile_idc) {
        case 0x42: printf("Baseline Profile"); break;
        case 0x4D: printf("Main Profile"); break;
        case 0x58: printf("Extended Profile"); break;
        case 0x64: printf("High Profile"); break;
        default: printf("Unknown profile (%x)", profile_idc);
    }
    switch(level_idc) {
        case 0x15: printf(" # Level 2.1\n"); break;
        case 0x1F: printf(" # Level 3.1\n"); break;
        case 0x29: printf(" # Level 4.1\n"); break;
        case 0x33: printf(" # Level 5.1\n"); break;
        default: printf(" # unknown level (%x)\n", level_idc);
    }
}

int main(int argc, char* argv[])
{
    if(argc < 2) {
        printf("syntax: %s <files>\n", argv[0]);
        exit(-1);
    }
    int buffsize = 1024;
    /* unsigned: profile_idc values above 0x7F would otherwise be read as negative */
    unsigned char *buffer = malloc(buffsize + 1);
    if(buffer == NULL) {
        printf("Out of memory\n");
        exit(-1);
    }
    for(int nArg = 1; nArg < argc; nArg++) {
        printf("File %s:\n", argv[nArg]);
        FILE *file = fopen(argv[nArg], "rb"); /* read-only, binary */
        if(file == NULL) {
            printf("Cannot open input file %s\n", argv[nArg]);
            continue;
        }
        int nRead = (int) fread(buffer, 1, buffsize, file);
        /* look for the 'avcC' tag; version, profile_idc, profile_iop and level_idc follow it */
        for(int i = 0; i < nRead - 7; i++) {
            if(buffer[i] == 0x61 && buffer[i+1] == 0x76 && buffer[i+2] == 0x63 && buffer[i+3] == 0x43) {
                printProfile(buffer[i+5], buffer[i+6], buffer[i+7]);
            }
        }
        fclose(file);
    }
    free(buffer);
    return 0;
}
Basically you need to identify SPS (Sequence Parameter Set) in the bitstream and decode a couple of its leading bytes.
See H.264 stream header and links there.
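The answer's program hard-codes four profiles and four levels and reads the bytes at a fixed offset after the avcC tag. The following added example (not the answer's code; constructed for this page in Python, the asker's preferred language) generalizes it: it uses the box's own size field to bound the payload, knows the other profile_idc values from H.264 Annex A, decodes any level_idc as level*10 (0x1F = 31 is Level 3.1), and handles the one exception, Level 1b, which is signalled as level_idc 11 plus constraint_set3_flag for Baseline/Main/Extended and as level_idc 9 for the High profiles. The sample MP4 bytes are constructed inline; a real file would be read with open(path, "rb").read().

```python
"""Decode profile and level from the 'avcC' box of an MP4 file.
Added example; SAMPLE_MP4 is a constructed byte string, not a real file."""
import struct

# AVCProfileIndication (profile_idc) values from H.264 Annex A.
PROFILE_NAMES = {
    66: "Baseline", 77: "Main", 88: "Extended", 100: "High",
    110: "High 10", 122: "High 4:2:2", 244: "High 4:4:4 Predictive",
    44: "CAVLC 4:4:4 Intra",
}


def describe_avcc(payload: bytes) -> dict:
    """Decode the leading bytes of an AVCDecoderConfigurationRecord (the
    payload of an 'avcC' box): configurationVersion, profile_idc,
    profile_compatibility (the constraint_set flags) and level_idc."""
    if len(payload) < 4:
        raise ValueError("avcC payload too short")
    version, profile_idc, compat, level_idc = struct.unpack(">BBBB", payload[:4])
    if version != 1:
        raise ValueError(f"unsupported avcC configurationVersion {version}")
    constraint_set3 = bool(compat & 0x10)   # bit 3 of the compatibility byte
    # level_idc is level * 10, except Level 1b: level_idc 11 + constraint_set3
    # for Baseline/Main/Extended, level_idc 9 for the High profiles.
    if level_idc == 9 or (level_idc == 11 and constraint_set3
                          and profile_idc in (66, 77, 88)):
        level = "1b"
    else:
        level = f"{level_idc // 10}.{level_idc % 10}"
    return {
        "profile_idc": profile_idc,
        "profile": PROFILE_NAMES.get(profile_idc, f"Unknown (0x{profile_idc:02x})"),
        "profile_compatibility": compat,
        "level_idc": level_idc,
        "level": level,
    }


def find_avcc_records(data: bytes) -> list:
    """Scan MP4 bytes for 'avcC' boxes and decode each one, using the 32-bit
    big-endian size that precedes the box type to bound the payload."""
    results = []
    pos = data.find(b"avcC")
    while pos != -1:
        if pos >= 4:
            box_size = struct.unpack(">I", data[pos - 4:pos])[0]
            payload = data[pos + 4:pos - 4 + box_size]   # bytes after the tag
            if len(payload) >= 4:
                results.append(describe_avcc(payload))
        pos = data.find(b"avcC", pos + 4)
    return results


# Constructed stand-in for a file: an ftyp box, filler, then an avcC box whose
# record says High profile (100), no constraint flags, level_idc 31 (3.1).
AVCC_PAYLOAD = bytes([1, 100, 0x00, 31, 0xFF, 0xE0])
SAMPLE_MP4 = (b"\x00\x00\x00\x08ftyp" + b"\x00" * 5
              + struct.pack(">I", 8 + len(AVCC_PAYLOAD)) + b"avcC" + AVCC_PAYLOAD)


if __name__ == "__main__":
    for rec in find_avcc_records(SAMPLE_MP4):
        print(f"{rec['profile']} Profile # Level {rec['level']}")
```

Scanning the whole file for the four-byte tag (as the C program does) can also match those bytes inside media data; walking the box tree (moov/trak/mdia/minf/stbl/stsd/avc1/avcC) avoids that, at the cost of a fuller parser.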