| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.commons.validator.routines; |
| |
| import java.io.Serializable; |
| import java.net.URI; |
| import java.net.URISyntaxException; |
| import java.util.Collections; |
| import java.util.HashSet; |
| import java.util.Locale; |
| import java.util.Set; |
| import java.util.regex.Matcher; |
| import java.util.regex.Pattern; |
| |
| /** |
| * <p><b>URL Validation</b> routines.</p> |
| * Behavior of validation is modified by passing in options: |
| * <ul> |
| * <li>ALLOW_2_SLASHES - [FALSE] Allows double '/' characters in the path |
| * component.</li> |
| * <li>NO_FRAGMENT- [FALSE] By default fragments are allowed, if this option is |
| * included then fragments are flagged as illegal.</li> |
| * <li>ALLOW_ALL_SCHEMES - [FALSE] By default only http, https, and ftp are |
| * considered valid schemes. Enabling this option will let any scheme pass validation.</li> |
| * </ul> |
| * |
| * <p>Originally based in on php script by Debbie Dyer, validation.php v1.2b, Date: 03/07/02, |
| * http://javascript.internet.com. However, this validation now bears little resemblance |
| * to the php original.</p> |
| * <pre> |
| * Example of usage: |
| * Construct a UrlValidator with valid schemes of "http", and "https". |
| * |
| * String[] schemes = {"http","https"}. |
| * UrlValidator urlValidator = new UrlValidator(schemes); |
| * if (urlValidator.isValid("ftp://foo.bar.com/")) { |
| * System.out.println("url is valid"); |
| * } else { |
| * System.out.println("url is invalid"); |
| * } |
| * |
| * prints "url is invalid" |
| * If instead the default constructor is used. |
| * |
| * UrlValidator urlValidator = new UrlValidator(); |
| * if (urlValidator.isValid("ftp://foo.bar.com/")) { |
| * System.out.println("url is valid"); |
| * } else { |
| * System.out.println("url is invalid"); |
| * } |
| * |
| * prints out "url is valid" |
| * </pre> |
| * |
| * @see |
| * <a href="http://www.ietf.org/rfc/rfc2396.txt"> |
| * Uniform Resource Identifiers (URI): Generic Syntax |
| * </a> |
| * |
| * @version $Revision$ |
| * @since Validator 1.4 |
| */ |
| public class UrlValidator implements Serializable { |
| |
| private static final long serialVersionUID = 7557161713937335013L; |
| |
| private static final int MAX_UNSIGNED_16_BIT_INT = 0xFFFF; // port max |
| |
| /** |
| * Allows all validly formatted schemes to pass validation instead of |
| * supplying a set of valid schemes. |
| */ |
| public static final long ALLOW_ALL_SCHEMES = 1 << 0; |
| |
| /** |
| * Allow two slashes in the path component of the URL. |
| */ |
| public static final long ALLOW_2_SLASHES = 1 << 1; |
| |
| /** |
| * Enabling this options disallows any URL fragments. |
| */ |
| public static final long NO_FRAGMENTS = 1 << 2; |
| |
| /** |
| * Allow local URLs, such as http://localhost/ or http://machine/ . |
| * This enables a broad-brush check, for complex local machine name |
| * validation requirements you should create your validator with |
| * a {@link RegexValidator} instead ({@link #UrlValidator(RegexValidator, long)}) |
| */ |
| public static final long ALLOW_LOCAL_URLS = 1 << 3; // CHECKSTYLE IGNORE MagicNumber |
| |
| /** |
| * Protocol scheme (e.g. http, ftp, https). |
| */ |
| private static final String SCHEME_REGEX = "^\\p{Alpha}[\\p{Alnum}\\+\\-\\.]*"; |
| private static final Pattern SCHEME_PATTERN = Pattern.compile(SCHEME_REGEX); |
| |
| // Drop numeric, and "+-." for now |
| // TODO does not allow for optional userinfo. |
| // Validation of character set is done by isValidAuthority |
| private static final String AUTHORITY_CHARS_REGEX = "\\p{Alnum}\\-\\."; // allows for IPV4 but not IPV6 |
| // Allow for IPv4 mapped addresses: ::FFF:123.123.123.123 |
| private static final String IPV6_REGEX = "::FFFF:(?:\\d{1,3}\\.){3}\\d{1,3}|[0-9a-fA-F:]+"; // do this as separate match because : could cause ambiguity with port prefix |
| |
| // userinfo = *( unreserved / pct-encoded / sub-delims / ":" ) |
| // unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" |
| // sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" |
| // We assume that password has the same valid chars as user info |
| private static final String USERINFO_CHARS_REGEX = "[a-zA-Z0-9%-._~!$&'()*+,;=]"; |
| // since neither ':' nor '@' are allowed chars, we don't need to use non-greedy matching |
| private static final String USERINFO_FIELD_REGEX = |
| USERINFO_CHARS_REGEX + "+" + // At least one character for the name |
| "(?::" + USERINFO_CHARS_REGEX + "*)?@"; // colon and password may be absent |
| private static final String AUTHORITY_REGEX = |
| "(?:\\[("+IPV6_REGEX+")\\]|(?:(?:"+USERINFO_FIELD_REGEX+")?([" + AUTHORITY_CHARS_REGEX + "]*)))(?::(\\d*))?(.*)?"; |
| // 1 e.g. user:pass@ 2 3 4 |
| private static final Pattern AUTHORITY_PATTERN = Pattern.compile(AUTHORITY_REGEX); |
| |
| private static final int PARSE_AUTHORITY_IPV6 = 1; |
| |
| private static final int PARSE_AUTHORITY_HOST_IP = 2; // excludes userinfo, if present |
| |
| private static final int PARSE_AUTHORITY_PORT = 3; // excludes leading colon |
| |
| /** |
| * Should always be empty. The code currently allows spaces. |
| */ |
| private static final int PARSE_AUTHORITY_EXTRA = 4; |
| |
| private static final String PATH_REGEX = "^(/[-\\w:@&?=+,.!/~*'%$_;\\(\\)]*)?$"; |
| private static final Pattern PATH_PATTERN = Pattern.compile(PATH_REGEX); |
| |
| private static final String QUERY_REGEX = "^(\\S*)$"; |
| private static final Pattern QUERY_PATTERN = Pattern.compile(QUERY_REGEX); |
| |
| /** |
| * Holds the set of current validation options. |
| */ |
| private final long options; |
| |
| /** |
| * The set of schemes that are allowed to be in a URL. |
| */ |
| private final Set<String> allowedSchemes; // Must be lower-case |
| |
| /** |
| * Regular expressions used to manually validate authorities if IANA |
| * domain name validation isn't desired. |
| */ |
| private final RegexValidator authorityValidator; |
| |
| /** |
| * If no schemes are provided, default to this set. |
| */ |
| private static final String[] DEFAULT_SCHEMES = {"http", "https", "ftp"}; // Must be lower-case |
| |
| /** |
| * Singleton instance of this class with default schemes and options. |
| */ |
| private static final UrlValidator DEFAULT_URL_VALIDATOR = new UrlValidator(); |
| |
| /** |
| * Returns the singleton instance of this class with default schemes and options. |
| * @return singleton instance with default schemes and options |
| */ |
| public static UrlValidator getInstance() { |
| return DEFAULT_URL_VALIDATOR; |
| } |
| |
| private final DomainValidator domainValidator; |
| |
| /** |
| * Create a UrlValidator with default properties. |
| */ |
| public UrlValidator() { |
| this(null); |
| } |
| |
| /** |
| * Behavior of validation is modified by passing in several strings options: |
| * @param schemes Pass in one or more url schemes to consider valid, passing in |
| * a null will default to "http,https,ftp" being valid. |
| * If a non-null schemes is specified then all valid schemes must |
| * be specified. Setting the ALLOW_ALL_SCHEMES option will |
| * ignore the contents of schemes. |
| */ |
| public UrlValidator(String[] schemes) { |
| this(schemes, 0L); |
| } |
| |
| /** |
| * Initialize a UrlValidator with the given validation options. |
| * @param options The options should be set using the public constants declared in |
| * this class. To set multiple options you simply add them together. For example, |
| * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options. |
| */ |
| public UrlValidator(long options) { |
| this(null, null, options); |
| } |
| |
| /** |
| * Behavior of validation is modified by passing in options: |
| * @param schemes The set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set. |
| * @param options The options should be set using the public constants declared in |
| * this class. To set multiple options you simply add them together. For example, |
| * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options. |
| */ |
| public UrlValidator(String[] schemes, long options) { |
| this(schemes, null, options); |
| } |
| |
| /** |
| * Initialize a UrlValidator with the given validation options. |
| * @param authorityValidator Regular expression validator used to validate the authority part |
| * This allows the user to override the standard set of domains. |
| * @param options Validation options. Set using the public constants of this class. |
| * To set multiple options, simply add them together: |
| * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p> |
| * enables both of those options. |
| */ |
| public UrlValidator(RegexValidator authorityValidator, long options) { |
| this(null, authorityValidator, options); |
| } |
| |
| /** |
| * Customizable constructor. Validation behavior is modifed by passing in options. |
| * @param schemes the set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set. |
| * @param authorityValidator Regular expression validator used to validate the authority part |
| * @param options Validation options. Set using the public constants of this class. |
| * To set multiple options, simply add them together: |
| * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p> |
| * enables both of those options. |
| */ |
| public UrlValidator(String[] schemes, RegexValidator authorityValidator, long options) { |
| this(schemes, authorityValidator, options, DomainValidator.getInstance(isOn(ALLOW_LOCAL_URLS, options))); |
| } |
| |
| /** |
| * Customizable constructor. Validation behavior is modifed by passing in options. |
| * @param schemes the set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set. |
| * @param authorityValidator Regular expression validator used to validate the authority part |
| * @param options Validation options. Set using the public constants of this class. |
| * To set multiple options, simply add them together: |
| * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p> |
| * enables both of those options. |
| * @param domainValidator the DomainValidator to use; must agree with ALLOW_LOCAL_URLS setting |
| * @since 1.7 |
| */ |
| public UrlValidator(String[] schemes, RegexValidator authorityValidator, long options, DomainValidator domainValidator) { |
| this.options = options; |
| if (domainValidator == null) { |
| throw new IllegalArgumentException("DomainValidator must not be null"); |
| } |
| if (domainValidator.isAllowLocal() != ((options & ALLOW_LOCAL_URLS) > 0)){ |
| throw new IllegalArgumentException("DomainValidator disagrees with ALLOW_LOCAL_URLS setting"); |
| } |
| this.domainValidator = domainValidator; |
| |
| if (isOn(ALLOW_ALL_SCHEMES)) { |
| allowedSchemes = Collections.emptySet(); |
| } else { |
| if (schemes == null) { |
| schemes = DEFAULT_SCHEMES; |
| } |
| allowedSchemes = new HashSet<>(schemes.length); |
| for (String scheme : schemes) { |
| allowedSchemes.add(scheme.toLowerCase(Locale.ENGLISH)); |
| } |
| } |
| |
| this.authorityValidator = authorityValidator; |
| } |
| |
| /** |
| * <p>Checks if a field has a valid url address.</p> |
| * |
| * Note that the method calls #isValidAuthority() |
| * which checks that the domain is valid. |
| * |
| * @param value The value validation is being performed on. A <code>null</code> |
| * value is considered invalid. |
| * @return true if the url is valid. |
| */ |
| public boolean isValid(String value) { |
| if (value == null) { |
| return false; |
| } |
| |
| URI uri; // ensure value is a valid URI |
| try { |
| uri = new URI(value); |
| } catch (URISyntaxException e) { |
| return false; |
| } |
| // OK, perfom additional validation |
| |
| String scheme = uri.getScheme(); |
| if (!isValidScheme(scheme)) { |
| return false; |
| } |
| |
| String authority = uri.getRawAuthority(); |
| if ("file".equals(scheme) && (authority == null || "".equals(authority))) {// Special case - file: allows an empty authority |
| return true; // this is a local file - nothing more to do here |
| } else if ("file".equals(scheme) && authority != null && authority.contains(":")) { |
| return false; |
| } else { |
| // Validate the authority |
| if (!isValidAuthority(authority)) { |
| return false; |
| } |
| } |
| |
| if (!isValidPath(uri.getRawPath())) { |
| return false; |
| } |
| |
| if (!isValidQuery(uri.getRawQuery())) { |
| return false; |
| } |
| |
| if (!isValidFragment(uri.getRawFragment())) { |
| return false; |
| } |
| |
| return true; |
| } |
| |
| /** |
| * Validate scheme. If schemes[] was initialized to a non null, |
| * then only those schemes are allowed. |
| * Otherwise the default schemes are "http", "https", "ftp". |
| * Matching is case-blind. |
| * @param scheme The scheme to validate. A <code>null</code> value is considered |
| * invalid. |
| * @return true if valid. |
| */ |
| protected boolean isValidScheme(String scheme) { |
| if (scheme == null) { |
| return false; |
| } |
| |
| if (!SCHEME_PATTERN.matcher(scheme).matches()) { |
| return false; |
| } |
| |
| if (isOff(ALLOW_ALL_SCHEMES) && !allowedSchemes.contains(scheme.toLowerCase(Locale.ENGLISH))) { |
| return false; |
| } |
| |
| return true; |
| } |
| |
| /** |
| * Returns true if the authority is properly formatted. An authority is the combination |
| * of hostname and port. A <code>null</code> authority value is considered invalid. |
| * Note: this implementation validates the domain unless a RegexValidator was provided. |
| * If a RegexValidator was supplied and it matches, then the authority is regarded |
| * as valid with no further checks, otherwise the method checks against the |
| * AUTHORITY_PATTERN and the DomainValidator (ALLOW_LOCAL_URLS) |
| * @param authority Authority value to validate, alllows IDN |
| * @return true if authority (hostname and port) is valid. |
| */ |
| protected boolean isValidAuthority(String authority) { |
| if (authority == null) { |
| return false; |
| } |
| |
| // check manual authority validation if specified |
| if (authorityValidator != null && authorityValidator.isValid(authority)) { |
| return true; |
| } |
| // convert to ASCII if possible |
| final String authorityASCII = DomainValidator.unicodeToASCII(authority); |
| |
| Matcher authorityMatcher = AUTHORITY_PATTERN.matcher(authorityASCII); |
| if (!authorityMatcher.matches()) { |
| return false; |
| } |
| |
| // We have to process IPV6 separately because that is parsed in a different group |
| String ipv6 = authorityMatcher.group(PARSE_AUTHORITY_IPV6); |
| if (ipv6 != null) { |
| InetAddressValidator inetAddressValidator = InetAddressValidator.getInstance(); |
| if (!inetAddressValidator.isValidInet6Address(ipv6)) { |
| return false; |
| } |
| } else { |
| String hostLocation = authorityMatcher.group(PARSE_AUTHORITY_HOST_IP); |
| // check if authority is hostname or IP address: |
| // try a hostname first since that's much more likely |
| if (!this.domainValidator.isValid(hostLocation)) { |
| // try an IPv4 address |
| InetAddressValidator inetAddressValidator = InetAddressValidator.getInstance(); |
| if (!inetAddressValidator.isValidInet4Address(hostLocation)) { |
| // isn't IPv4, so the URL is invalid |
| return false; |
| } |
| } |
| String port = authorityMatcher.group(PARSE_AUTHORITY_PORT); |
| if (port != null && port.length() > 0) { |
| try { |
| int iPort = Integer.parseInt(port); |
| if (iPort < 0 || iPort > MAX_UNSIGNED_16_BIT_INT) { |
| return false; |
| } |
| } catch (NumberFormatException nfe) { |
| return false; // this can happen for big numbers |
| } |
| } |
| } |
| |
| String extra = authorityMatcher.group(PARSE_AUTHORITY_EXTRA); |
| if (extra != null && extra.trim().length() > 0){ |
| return false; |
| } |
| |
| return true; |
| } |
| |
| /** |
| * Returns true if the path is valid. A <code>null</code> value is considered invalid. |
| * @param path Path value to validate. |
| * @return true if path is valid. |
| */ |
| protected boolean isValidPath(String path) { |
| if (path == null) { |
| return false; |
| } |
| |
| if (!PATH_PATTERN.matcher(path).matches()) { |
| return false; |
| } |
| |
| try { |
| // Don't omit host otherwise leading path may be taken as host if it starts with // |
| URI uri = new URI(null,"localhost",path,null); |
| String norm = uri.normalize().getPath(); |
| if (norm.startsWith("/../") // Trying to go via the parent dir |
| || norm.equals("/..")) { // Trying to go to the parent dir |
| return false; |
| } |
| } catch (URISyntaxException e) { |
| return false; |
| } |
| |
| int slash2Count = countToken("//", path); |
| if (isOff(ALLOW_2_SLASHES) && (slash2Count > 0)) { |
| return false; |
| } |
| |
| return true; |
| } |
| |
| /** |
| * Returns true if the query is null or it's a properly formatted query string. |
| * @param query Query value to validate. |
| * @return true if query is valid. |
| */ |
| protected boolean isValidQuery(String query) { |
| if (query == null) { |
| return true; |
| } |
| |
| return QUERY_PATTERN.matcher(query).matches(); |
| } |
| |
| /** |
| * Returns true if the given fragment is null or fragments are allowed. |
| * @param fragment Fragment value to validate. |
| * @return true if fragment is valid. |
| */ |
| protected boolean isValidFragment(String fragment) { |
| if (fragment == null) { |
| return true; |
| } |
| |
| return isOff(NO_FRAGMENTS); |
| } |
| |
| /** |
| * Returns the number of times the token appears in the target. |
| * @param token Token value to be counted. |
| * @param target Target value to count tokens in. |
| * @return the number of tokens. |
| */ |
| protected int countToken(String token, String target) { |
| int tokenIndex = 0; |
| int count = 0; |
| while (tokenIndex != -1) { |
| tokenIndex = target.indexOf(token, tokenIndex); |
| if (tokenIndex > -1) { |
| tokenIndex++; |
| count++; |
| } |
| } |
| return count; |
| } |
| |
| /** |
| * Tests whether the given flag is on. If the flag is not a power of 2 |
| * (ie. 3) this tests whether the combination of flags is on. |
| * |
| * @param flag Flag value to check. |
| * |
| * @return whether the specified flag value is on. |
| */ |
| private boolean isOn(long flag) { |
| return (options & flag) > 0; |
| } |
| |
| /** |
| * Tests whether the given flag is on. If the flag is not a power of 2 |
| * (e.g. 3) this tests whether the combination of flags is on. |
| * |
| * @param flag Flag value to check. |
| * @param options what to check |
| * |
| * @return whether the specified flag value is on. |
| */ |
| private static boolean isOn(long flag, long options) { |
| return (options & flag) > 0; |
| } |
| |
| /** |
| * Tests whether the given flag is off. If the flag is not a power of 2 |
| * (ie. 3) this tests whether the combination of flags is off. |
| * |
| * @param flag Flag value to check. |
| * |
| * @return whether the specified flag value is off. |
| */ |
| private boolean isOff(long flag) { |
| return (options & flag) == 0; |
| } |
| |
| } |