public class InjectionDefense extends Object

A class with which to safely build a streaming expression. Three types of parameters (String, Numeric, Expression) are accepted and minimally type checked. All parameters are positional (unnamed), so the order in which parameters are added must correspond to the order of the placeholders in the supplied expression string.
Specifically, this class verifies that the parameter substitutions do not inject additional expressions, and that the parameters are strings, valid numbers, or valid expressions producing the expected number of sub-expressions. The idea is not to provide full type safety but rather to heuristically prevent the injection of malicious expressions. The template expression and the parameters supplied must not contain comments, since injection of comments could be used to hide one or more of the expected expressions. Use stripComments(String) to remove comments.
Valid patterns for parameters are:
- ?$? for strings
- ?#? for numeric parameters in integer or decimal format (no exponents)
- ?(n)? for expressions producing n sub-expressions (minimum n=1)
Method summary:
- StreamExpression safeExpression(): Provides an expression that is guaranteed to have the expected number of sub-expressions.
- String safeExpressionString(): Provides a string that is guaranteed to parse to a legal expression and to have the expected number of sub-expressions.
public InjectionDefense(String exprString)

public void addParameter(String param)

public StreamExpression safeExpression()
Provides an expression that is guaranteed to have the expected number of sub-expressions.
Returns:
- An expression object that should be safe from injection of additional expressions.

public String safeExpressionString()
Provides a string that is guaranteed to parse to a legal expression and to have the expected number of sub-expressions.
Returns:
- A string that should be safe from injection of additional expressions.
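The following is an added example of calling this class from application code; it is not part of the Solr documentation or code base. It assumes the class and StreamExpression live in org.apache.solr.client.solrj.io.stream.expr and that stripComments is a static method; the page does not name the exception thrown when a parameter is rejected, so catching RuntimeException is an assumption, and the template and parameter values are constructed for this example.

```java
import org.apache.solr.client.solrj.io.stream.expr.InjectionDefense;

public class InjectionDefenseExample {

  // Constructed template with three positional placeholders, in this order:
  //   ?#?   numeric parameter    (the n of top())
  //   ?$?   string parameter     (the collection to search)
  //   ?(1)? expression parameter (a second stream to merge with; must
  //         parse to exactly one sub-expression)
  // The template carries no comments, as the class requires.
  static final String TEMPLATE =
      "top(n=?#?,"
      + " merge(search(?$?, q=\"*:*\", fl=\"id\", sort=\"id asc\"),"
      + " ?(1)?, on=\"id asc\"),"
      + " sort=\"id asc\")";

  // Fills the placeholders from values that may come from an untrusted caller.
  // Parameters are added in placeholder order because they are positional.
  // The expression-valued parameter is stripped of comments first, since a
  // comment could hide an expected sub-expression from the count.
  static String buildSafely(String n, String collection, String otherStream) {
    InjectionDefense defense =
        new InjectionDefense(InjectionDefense.stripComments(TEMPLATE));
    defense.addParameter(n);                                            // -> ?#?
    defense.addParameter(collection);                                   // -> ?$?
    defense.addParameter(InjectionDefense.stripComments(otherStream));  // -> ?(1)?
    return defense.safeExpressionString();
  }

  // True when the parameters pass the checks, false when they are rejected.
  // Assumption: rejection surfaces as a RuntimeException (type not given on the page).
  static boolean accepts(String n, String collection, String otherStream) {
    try {
      buildSafely(n, collection, otherStream);
      return true;
    } catch (RuntimeException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    String other = "search(other, q=\"*:*\", fl=\"id\", sort=\"id asc\")";
    // Well-formed inputs: an integer, a plain collection name, one sub-expression.
    System.out.println(buildSafely("10", "collection1", other));
    // "1e3" uses an exponent, which the ?#? slot does not accept.
    System.out.println("accepts exponent: " + accepts("1e3", "collection1", other));
    // Two expressions where ?(1)? expects exactly one: the count check rejects it.
    System.out.println("accepts two: " + accepts("10", "collection1", other + ", " + other));
  }
}
```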