plugins/json/src/main/java/org/apache/struts2/json/JSONCleaner.java - struts - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *  http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.struts2.json;

 import com.opensymphony.xwork2.util.TextParseUtil;
 import com.opensymphony.xwork2.util.WildcardUtil;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;

 import java.util.*;
 import java.util.regex.Pattern;

 /**
  * <p>Isolate the process of cleaning JSON data from the Interceptor class
  * itself.</p>
  *
  * <p>The allowed and blocked wildcard patterns, combined with
  * defaultBlock, let you filter out values that should not be injected, in
  * the same way that ParameterFilterInterceptor does.  Note that you can
  * only remove values from a Map.  Removing values from a List is dangerous
  * because it could change the meaning of the data!</p>
  */
 public abstract class JSONCleaner {

     private static final Logger LOG = LogManager.getLogger(JSONCleaner.class);

     public static class Filter
     {
         public Pattern pattern;
         public boolean allow;

         public Filter(String pattern, boolean allow)
         {
             this.pattern = WildcardUtil.compileWildcardPattern(pattern);
             this.allow = allow;
         }
     }

     private boolean defaultBlock = false;
     private Collection<String> allowed;
     private Collection<String> blocked;
     private Map<String, Filter> includesExcludesMap;

     public Object clean(String ognlPrefix, Object data) throws JSONException {
         if (data == null)
             return null;
         else if (data instanceof List)
             return cleanList(ognlPrefix, data);
         else if (data instanceof Map)
             return cleanMap(ognlPrefix, data);
         else
             return cleanValue(ognlPrefix, data);
     }

     protected Object cleanList(String ognlPrefix, Object data) throws JSONException {
         List list = (List) data;
         int count = list.size();
         for (int i = 0; i < count; i++) {
             list.set(i, clean(ognlPrefix + "[" + i + "]", list.get(i)));
         }
         return list;
     }

     protected Object cleanMap(String ognlPrefix, Object data) throws JSONException {
         Map map = (Map) data;
         Iterator iter = map.entrySet().iterator();
         while (iter.hasNext()) {
             Map.Entry e = (Map.Entry) iter.next();
             String key = (ognlPrefix.length() > 0 ? ognlPrefix + "." : "") + e.getKey();
             if (allow(key)) {
                 e.setValue(clean(key, e.getValue()));
             } else {
                 LOG.debug("Blocked: {}", key);
                 iter.remove();
             }
         }
         return map;
     }

     protected abstract Object cleanValue(String ognlName, Object data) throws JSONException;

     private boolean allow(String ognl) {
         Map<String, Filter> includesExcludesMap = getIncludesExcludesMap();

         boolean allow = !isDefaultBlock();

         if (includesExcludesMap != null) {
             for (Filter f : includesExcludesMap.values()) {
                 if (f.pattern.matcher(ognl).matches()) {
                     allow = f.allow;
                 }
             }
         }

         return allow;
     }

     /**
      * @return the compiled list of includes and excludes
      */
     public Map<String, Filter> getIncludesExcludesMap() {
         if (allowed == null && blocked == null) {
             return includesExcludesMap;
         }

         if (includesExcludesMap == null) {
             includesExcludesMap = new TreeMap<>();

             Map<String, Boolean> existingExpr = new HashMap<>();

             Map<String, Map<String, String>> includePatternData = JSONUtil.getIncludePatternData();
             String splitPattern = includePatternData.get(JSONUtil.SPLIT_PATTERN).get(JSONUtil.WILDCARD_PATTERN);
             String joinString = includePatternData.get(JSONUtil.JOIN_STRING).get(JSONUtil.WILDCARD_PATTERN);
             String arrayBegin = includePatternData.get(JSONUtil.ARRAY_BEGIN_STRING).get(JSONUtil.WILDCARD_PATTERN);
             String arrayEnd = includePatternData.get(JSONUtil.ARRAY_END_STRING).get(JSONUtil.WILDCARD_PATTERN);

             if (allowed != null) {
                 for (String a : allowed) {
                     // Compile a pattern for each level of the object hierarchy
                     // so cleanMap() won't short-circuit too early.

                     String expr = "";
                     for (String piece : a.split(splitPattern)) {
                         if (expr.length() > 0) {
                             expr += joinString;
                         }
                         expr += piece;

                         if (!existingExpr.containsKey(expr)) {
                             existingExpr.put(expr, Boolean.TRUE);

                             String s = expr;
                             if (piece.endsWith(arrayEnd)) {
                                 s = expr.substring(0, expr.lastIndexOf(arrayBegin));
                             }

                             if (s.length() > 0) {
                                 includesExcludesMap.put(s, new Filter(s, true));

                                 LOG.debug("Adding include wildcard expression: {}", s);
                             }
                         }
                     }
                 }
             }
             if (blocked != null) {
                 for (String b : blocked) {
                     includesExcludesMap.put(b, new Filter(b, false));
                 }
             }
         }

         return includesExcludesMap;
     }

     /**
      * Allow external caching of the compiled result.
      *
      * @param map the compiled list of includes and excludes
      */
     public void setIncludesExcludesMap(Map<String, Filter> map) {
         includesExcludesMap = map;
     }

     /**
      * @return value of defaultBlock
      */
     public boolean isDefaultBlock() {
         return defaultBlock;
     }

     /**
      * @param defaultExclude The defaultExclude to set.
      */
     public void setDefaultBlock(boolean defaultExclude) {
         this.defaultBlock = defaultExclude;
     }

     /**
      * @return list of blocked wildcard patterns
      */
     public Collection<String> getBlockedCollection() {
         return blocked;
     }

     /**
      * @param blocked The blocked to set.
      */
     public void setBlockedCollection(Collection<String> blocked) {
         this.blocked = blocked;
     }

     /**
      * @param blocked The blocked parameters as comma separated String.
      */
     public void setBlocked(String blocked) {
         setBlockedCollection(asCollection(blocked));
     }

     /**
      * @return list of allowed wildcard patterns
      */
     public Collection<String> getAllowedCollection() {
         return allowed;
     }

     /**
      * @param allowed The allowed to set.
      */
     public void setAllowedCollection(Collection<String> allowed) {
         this.allowed = allowed;
     }

     /**
      * @param allowed The allowed paramters as comma separated String.
      */
     public void setAllowed(String allowed) {
         setAllowedCollection(asCollection(allowed));
     }

     /**
      * Return a collection from the comma delimited String.
      *
      * @param commaDelim the comma delimited String.
      * @return A collection from the comma delimited String. Returns <tt>null</tt> if the string is empty.
      */
     private Collection<String> asCollection(String commaDelim) {
         if (commaDelim == null || commaDelim.trim().length() == 0) {
             return null;
         }
         return TextParseUtil.commaDelimitedStringToSet(commaDelim);
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.struts2.json;

	import com.opensymphony.xwork2.util.TextParseUtil;
	import com.opensymphony.xwork2.util.WildcardUtil;
	import org.apache.logging.log4j.LogManager;
	import org.apache.logging.log4j.Logger;

	import java.util.*;
	import java.util.regex.Pattern;

	/**
	* <p>Isolate the process of cleaning JSON data from the Interceptor class
	* itself.</p>
	*
	* <p>The allowed and blocked wildcard patterns, combined with
	* defaultBlock, let you filter out values that should not be injected, in
	* the same way that ParameterFilterInterceptor does. Note that you can
	* only remove values from a Map. Removing values from a List is dangerous
	* because it could change the meaning of the data!</p>
	*/
	public abstract class JSONCleaner {

	private static final Logger LOG = LogManager.getLogger(JSONCleaner.class);

	public static class Filter
	{
	public Pattern pattern;
	public boolean allow;

	public Filter(String pattern, boolean allow)
	{
	this.pattern = WildcardUtil.compileWildcardPattern(pattern);
	this.allow = allow;
	}
	}

	private boolean defaultBlock = false;
	private Collection<String> allowed;
	private Collection<String> blocked;
	private Map<String, Filter> includesExcludesMap;

	public Object clean(String ognlPrefix, Object data) throws JSONException {
	if (data == null)
	return null;
	else if (data instanceof List)
	return cleanList(ognlPrefix, data);
	else if (data instanceof Map)
	return cleanMap(ognlPrefix, data);
	else
	return cleanValue(ognlPrefix, data);
	}

	protected Object cleanList(String ognlPrefix, Object data) throws JSONException {
	List list = (List) data;
	int count = list.size();
	for (int i = 0; i < count; i++) {
	list.set(i, clean(ognlPrefix + "[" + i + "]", list.get(i)));
	}
	return list;
	}

	protected Object cleanMap(String ognlPrefix, Object data) throws JSONException {
	Map map = (Map) data;
	Iterator iter = map.entrySet().iterator();
	while (iter.hasNext()) {
	Map.Entry e = (Map.Entry) iter.next();
	String key = (ognlPrefix.length() > 0 ? ognlPrefix + "." : "") + e.getKey();
	if (allow(key)) {
	e.setValue(clean(key, e.getValue()));
	} else {
	LOG.debug("Blocked: {}", key);
	iter.remove();
	}
	}
	return map;
	}

	protected abstract Object cleanValue(String ognlName, Object data) throws JSONException;

	private boolean allow(String ognl) {
	Map<String, Filter> includesExcludesMap = getIncludesExcludesMap();

	boolean allow = !isDefaultBlock();

	if (includesExcludesMap != null) {
	for (Filter f : includesExcludesMap.values()) {
	if (f.pattern.matcher(ognl).matches()) {
	allow = f.allow;
	}
	}
	}

	return allow;
	}

	/**
	* @return the compiled list of includes and excludes
	*/
	public Map<String, Filter> getIncludesExcludesMap() {
	if (allowed == null && blocked == null) {
	return includesExcludesMap;
	}

	if (includesExcludesMap == null) {
	includesExcludesMap = new TreeMap<>();

	Map<String, Boolean> existingExpr = new HashMap<>();

	Map<String, Map<String, String>> includePatternData = JSONUtil.getIncludePatternData();
	String splitPattern = includePatternData.get(JSONUtil.SPLIT_PATTERN).get(JSONUtil.WILDCARD_PATTERN);
	String joinString = includePatternData.get(JSONUtil.JOIN_STRING).get(JSONUtil.WILDCARD_PATTERN);
	String arrayBegin = includePatternData.get(JSONUtil.ARRAY_BEGIN_STRING).get(JSONUtil.WILDCARD_PATTERN);
	String arrayEnd = includePatternData.get(JSONUtil.ARRAY_END_STRING).get(JSONUtil.WILDCARD_PATTERN);

	if (allowed != null) {
	for (String a : allowed) {
	// Compile a pattern for each level of the object hierarchy
	// so cleanMap() won't short-circuit too early.

	String expr = "";
	for (String piece : a.split(splitPattern)) {
	if (expr.length() > 0) {
	expr += joinString;
	}
	expr += piece;

	if (!existingExpr.containsKey(expr)) {
	existingExpr.put(expr, Boolean.TRUE);

	String s = expr;
	if (piece.endsWith(arrayEnd)) {
	s = expr.substring(0, expr.lastIndexOf(arrayBegin));
	}

	if (s.length() > 0) {
	includesExcludesMap.put(s, new Filter(s, true));

	LOG.debug("Adding include wildcard expression: {}", s);
	}
	}
	}
	}
	}
	if (blocked != null) {
	for (String b : blocked) {
	includesExcludesMap.put(b, new Filter(b, false));
	}
	}
	}

	return includesExcludesMap;
	}

	/**
	* Allow external caching of the compiled result.
	*
	* @param map the compiled list of includes and excludes
	*/
	public void setIncludesExcludesMap(Map<String, Filter> map) {
	includesExcludesMap = map;
	}

	/**
	* @return value of defaultBlock
	*/
	public boolean isDefaultBlock() {
	return defaultBlock;
	}

	/**
	* @param defaultExclude The defaultExclude to set.
	*/
	public void setDefaultBlock(boolean defaultExclude) {
	this.defaultBlock = defaultExclude;
	}

	/**
	* @return list of blocked wildcard patterns
	*/
	public Collection<String> getBlockedCollection() {
	return blocked;
	}

	/**
	* @param blocked The blocked to set.
	*/
	public void setBlockedCollection(Collection<String> blocked) {
	this.blocked = blocked;
	}

	/**
	* @param blocked The blocked parameters as comma separated String.
	*/
	public void setBlocked(String blocked) {
	setBlockedCollection(asCollection(blocked));
	}

	/**
	* @return list of allowed wildcard patterns
	*/
	public Collection<String> getAllowedCollection() {
	return allowed;
	}

	/**
	* @param allowed The allowed to set.
	*/
	public void setAllowedCollection(Collection<String> allowed) {
	this.allowed = allowed;
	}

	/**
	* @param allowed The allowed paramters as comma separated String.
	*/
	public void setAllowed(String allowed) {
	setAllowedCollection(asCollection(allowed));
	}

	/**
	* Return a collection from the comma delimited String.
	*
	* @param commaDelim the comma delimited String.
	* @return A collection from the comma delimited String. Returns <tt>null</tt> if the string is empty.
	*/
	private Collection<String> asCollection(String commaDelim) {
	if (commaDelim == null \|\| commaDelim.trim().length() == 0) {
	return null;
	}
	return TextParseUtil.commaDelimitedStringToSet(commaDelim);
	}

	}