Merge pull request #519 from jeremiahjstacey/issue_494

Issue 494 CSSCodec RGB Triplets

Author: xeno6696

src/main/java/org/owasp/esapi/codecs/CSSCodec.java

@@ -15,6 +15,10 @@
  */
 package org.owasp.esapi.codecs;
 
+import java.util.regex.Pattern;
+
+import org.owasp.esapi.codecs.ref.EncodingPatternPreservation;
+
 /**
  * Implementation of the Codec interface for backslash encoding used in CSS.
  * 
@@ -26,8 +30,21 @@
 public class CSSCodec extends AbstractCharacterCodec
 {
 	private static final Character REPLACEMENT = '\ufffd';
-
-
+	//rgb (###,###,###) OR rgb(###%,###%,###%)
+	//([rR][gG][bB])\s*\(\s*\d{1,3}\s*(\%)?\s*,\s*\d{1,3}\s*(\%)?\s*,\s*\d{1,3}\s*(\%)?\s*\)
+	private static final String RGB_TRPLT = "([rR][gG][bB])\\s*\\(\\s*\\d{1,3}\\s*(\\%)?\\s*,\\s*\\d{1,3}\\s*(\\%)?\\s*,\\s*\\d{1,3}\\s*(\\%)?\\s*\\)";
+	private static final Pattern RGB_TRPLT_PATTERN = Pattern.compile(RGB_TRPLT); 
+	
+	@Override
+	public String encode(char[] immune, String input) {
+		 EncodingPatternPreservation tripletCheck = new EncodingPatternPreservation(RGB_TRPLT_PATTERN);
+		 
+		 String inputChk = tripletCheck.captureAndReplaceMatches(input);
+		 
+		 String result = super.encode(immune, inputChk);
+		 
+		 return tripletCheck.restoreOriginalContent(result);
+	}
     /**
 	 * {@inheritDoc}
 	 *

src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java

@@ -0,0 +1,111 @@
+package org.owasp.esapi.codecs.ref;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * String mutation utility which can be used to replace all occurrences of a
+ * defined regular expression with a marker string, and also restore the
+ * original string content.
+ *
+ */
+public class EncodingPatternPreservation {
+	/** Default replacement marker. */
+	private static final String REPLACEMENT_MARKER = EncodingPatternPreservation.class.getSimpleName();
+	/** Pattern that is used to identify which content should be replaced. */
+	private final Pattern noEncodeContent;
+	/** The Marker used to replace found Pattern references. */
+	private String replacementMarker = REPLACEMENT_MARKER;
+
+	/**
+	 * The ordered-list of elements that were replaced in the last call to
+	 * {@link #captureAndReplaceMatches(String)}, and that will be used to replace
+	 * the {@link #replacementMarker} on the next call to
+	 * {@link #restoreOriginalContent(String)}
+	 */
+	private final List<String> replacedContentList = new ArrayList<>();
+
+	/**
+	 * Constructor.
+	 * 
+	 * @param pattern Pattern identifying content being replaced.
+	 */
+	public EncodingPatternPreservation(Pattern pattern) {
+		noEncodeContent = pattern;
+	}
+
+	/**
+	 * Replaces each matching instance of this instance's Pattern with an
+	 * identifiable replacement marker. <br>
+	 * 
+	 * <br>
+	 * After the encoding process is complete, use
+	 * {@link #restoreOriginalContent(String)} to re-insert the original data.
+	 * 
+	 * @param input String to adjust
+	 * @return The adjusted String
+	 */
+	public String captureAndReplaceMatches(String input) {
+		if (!replacedContentList.isEmpty()) {
+			// This may seem odd, but this will prevent programmer error that would result
+			// in being unable to restore a previously tokenized String.
+			String message = "Previously captured state is still present in instance. Call PatternContentPreservation.reset() to clear out preserved state and to reuse the reference.";
+			throw new IllegalStateException(message);
+		}
+		String inputCpy = input;
+		Matcher matcher = noEncodeContent.matcher(input);
+
+		while (matcher.find()) {
+			String replaceContent = matcher.group(0);
+			if (replaceContent != null) {
+				replacedContentList.add(replaceContent);
+				inputCpy = inputCpy.replaceFirst(noEncodeContent.pattern(), replacementMarker);
+			}			
+		}
+
+		return inputCpy;
+	}
+
+	/**
+	 * Replaces each instance of the {@link #replacementMarker} with the original
+	 * content, as captured by {@link #captureAndReplaceMatches(String)}
+	 * 
+	 * @param input String to restore.
+	 * @return String reference with all values replaced.
+	 */
+	public String restoreOriginalContent(String input) {
+		String result = input;
+		while (replacedContentList.size() > 0) {
+			String origValue = replacedContentList.remove(0);
+			result = result.replaceFirst(replacementMarker, origValue);
+		}
+
+		return result;
+
+	}
+
+	/**
+	 * Allows the marker used as a replacement to be altered.
+	 * 
+	 * @param marker String replacment to use for regex matches.
+	 */
+	public void setReplacementMarker(String marker) {
+		if (!replacedContentList.isEmpty()) {
+			// This may seem odd, but this will prevent programmer error that would result
+			// in being unable to restore a previously tokenized String.
+			String message = "Previously captured state is still present in instance. Call PatternContentPreservation.reset() to clear out preserved state and to alter the marker.";
+			throw new IllegalStateException(message);
+		}
+		this.replacementMarker = marker;
+	}
+
+	/**
+	 * Clears any stored replacement values out of the instance.
+	 */
+	public void reset() {
+		replacedContentList.clear();
+	}
+
+}

src/test/java/org/owasp/esapi/codecs/CSSCodecTest.java

@@ -0,0 +1,33 @@
+package org.owasp.esapi.codecs;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+
+public class CSSCodecTest {
+	private static final char[] IMMUNE_STUB = new char[0];
+	/** Unit In Test*/
+	private CSSCodec uit = new CSSCodec();
+	
+	@Test
+    public void testCSSTripletLeadString() {
+    	assertEquals("rgb(255,255,255)\\21 ", uit.encode(IMMUNE_STUB, "rgb(255,255,255)!"));
+    	assertEquals("rgb(25%,25%,25%)\\21 ", uit.encode(IMMUNE_STUB, "rgb(25%,25%,25%)!"));
+    }
+	@Test
+    public void testCSSTripletTailString() {
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 ", uit.encode(IMMUNE_STUB, "$field=rgb(255,255,255)!"));
+    	assertEquals("\\24 field\\3d rgb(25%,25%,25%)\\21 ", uit.encode(IMMUNE_STUB, "$field=rgb(25%,25%,25%)!"));
+    }
+	@Test
+    public void testCSSTripletStringPart() {
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 ", uit.encode(IMMUNE_STUB, "$field=rgb(255,255,255)!"));
+    	assertEquals("\\24 field\\3d rgb(25%,25%,25%)\\21 ", uit.encode(IMMUNE_STUB, "$field=rgb(25%,25%,25%)!"));
+    }
+	@Test
+    public void testCSSTripletStringMultiPart() {
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 \\20 \\24 field\\3d rgb(255,255,255)\\21 ", uit.encode(IMMUNE_STUB, "$field=rgb(255,255,255)! $field=rgb(255,255,255)!"));
+    	assertEquals("\\24 field\\3d rgb(25%,25%,25%)\\21 \\20 \\24 field\\3d rgb(25%,25%,25%)\\21 ", uit.encode(IMMUNE_STUB, "$field=rgb(25%,25%,25%)! $field=rgb(25%,25%,25%)!"));
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 \\20 \\24 field\\3d rgb(25%,25%,25%)\\21 ", uit.encode(IMMUNE_STUB, "$field=rgb(255,255,255)! $field=rgb(25%,25%,25%)!"));
+    }
+}

src/test/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservationTest.java

@@ -0,0 +1,79 @@
+package org.owasp.esapi.codecs.ref;
+
+import java.util.regex.Pattern;
+
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+public class EncodingPatternPreservationTest {
+	
+	@Test
+	public void testReplaceAndRestore() {
+		Pattern numberRegex = Pattern.compile("(ABC)");
+		EncodingPatternPreservation epp = new EncodingPatternPreservation(numberRegex);
+		String origStr = "12 ABC 34 DEF 56 G 7";
+		String replacedStr = epp.captureAndReplaceMatches(origStr);
+		
+		assertEquals("12 EncodingPatternPreservation 34 DEF 56 G 7", replacedStr);
+		
+		String restored = epp.restoreOriginalContent(replacedStr);
+		assertEquals(origStr, restored);
+	}
+	
+	@Test
+	public void testReplaceMultipleAndRestore() {
+		Pattern numberRegex = Pattern.compile("(ABC)");
+		EncodingPatternPreservation epp = new EncodingPatternPreservation(numberRegex);
+		String origStr = "12 ABC 34 ABC 56 G 7 ABC8";
+		String replacedStr = epp.captureAndReplaceMatches(origStr);
+		
+		assertEquals("12 EncodingPatternPreservation 34 EncodingPatternPreservation 56 G 7 EncodingPatternPreservation8", replacedStr);
+		
+		String restored = epp.restoreOriginalContent(replacedStr);
+		assertEquals(origStr, restored);
+	}
+	
+	@Test
+	public void testSetMarker() {
+		Pattern numberRegex = Pattern.compile("(ABC)");
+		EncodingPatternPreservation epp = new EncodingPatternPreservation(numberRegex);
+		epp.setReplacementMarker(EncodingPatternPreservationTest.class.getSimpleName());
+		
+		String origStr = "12 ABC 34 DEF 56 G 7";
+		String replacedStr = epp.captureAndReplaceMatches(origStr);
+		
+		assertEquals("12 EncodingPatternPreservationTest 34 DEF 56 G 7", replacedStr);
+		
+		String restored = epp.restoreOriginalContent(replacedStr);
+		assertEquals(origStr, restored);
+	}
+	
+	@Test (expected = IllegalStateException.class)
+	public void testSetMarkerExceptionNoReset() {
+		Pattern numberRegex = Pattern.compile("(ABC)");
+		EncodingPatternPreservation epp = new EncodingPatternPreservation(numberRegex);
+		String origStr = "12 ABC 34 DEF 56 G 7";
+		epp.captureAndReplaceMatches(origStr);
+		//This allows the + case to be illustrated
+		epp.reset();
+		
+		//And the exception case.
+		epp.captureAndReplaceMatches(origStr);
+		epp.setReplacementMarker(EncodingPatternPreservationTest.class.getSimpleName());
+	}
+	
+	@Test (expected = IllegalStateException.class)
+	public void testReplaceExceptionNoReset() {
+		Pattern numberRegex = Pattern.compile("(ABC)");
+		EncodingPatternPreservation epp = new EncodingPatternPreservation(numberRegex);
+		String origStr = "12 ABC 34 DEF 56 G 7";
+		epp.captureAndReplaceMatches(origStr);
+		//This allows the + case to be illustrated
+		epp.reset();
+		
+		//And the exception case.
+		epp.captureAndReplaceMatches(origStr);
+		epp.captureAndReplaceMatches(origStr);
+	}
+}

src/test/java/org/owasp/esapi/reference/EncoderTest.java

@@ -15,19 +15,23 @@
  */
 package org.owasp.esapi.reference;
 
-import java.io.ByteArrayOutputStream;
+import static org.junit.Assert.assertEquals;
+
 import java.io.IOException;
-import java.io.ObjectOutputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
-import org.junit.Ignore;
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.Encoder;
 import org.owasp.esapi.EncoderConstants;
-import org.owasp.esapi.codecs.Base64;
+import org.owasp.esapi.codecs.CSSCodec;
 import org.owasp.esapi.codecs.Codec;
 import org.owasp.esapi.codecs.HTMLEntityCodec;
 import org.owasp.esapi.codecs.MySQLCodec;
@@ -376,7 +380,7 @@ public void testEncodeForHTMLAttribute() {
     /**
      *
      */
-    public void testEncodeForCSS() {
+    public void testencodeForCSS() {
         System.out.println("encodeForCSS");
         Encoder instance = ESAPI.encoder();
         assertEquals(null, instance.encodeForCSS(null));
@@ -385,11 +389,32 @@ public void testEncodeForCSS() {
         assertEquals("#f00", instance.encodeForCSS("#f00"));
         assertEquals("#123456", instance.encodeForCSS("#123456"));
         assertEquals("#abcdef", instance.encodeForCSS("#abcdef"));
-        assertEquals("red", instance.encodeForCSS("red"));
+        assertEquals("red", instance.encodeForCSS("red"));       
     }
-
-
-
+    
+    public void testCSSTripletLeadString() {
+    	Encoder instance = ESAPI.encoder();
+    	assertEquals("rgb(255,255,255)\\21 ", instance.encodeForCSS("rgb(255,255,255)!"));
+    	assertEquals("rgb(25%,25%,25%)\\21 ", instance.encodeForCSS("rgb(25%,25%,25%)!"));
+    }
+    public void testCSSTripletTailString() {
+		Encoder instance = ESAPI.encoder();
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 ", instance.encodeForCSS("$field=rgb(255,255,255)!"));
+    	assertEquals("\\24 field\\3d rgb(25%,25%,25%)\\21 ", instance.encodeForCSS("$field=rgb(25%,25%,25%)!"));
+    }
+    public void testCSSTripletStringPart() {
+		Encoder instance = ESAPI.encoder();
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 ", instance.encodeForCSS("$field=rgb(255,255,255)!"));
+    	assertEquals("\\24 field\\3d rgb(25%,25%,25%)\\21 ", instance.encodeForCSS("$field=rgb(25%,25%,25%)!"));
+    }
+    public void testCSSTripletStringMultiPart() {
+		Encoder instance = ESAPI.encoder();
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 \\20 \\24 field\\3d rgb(255,255,255)\\21 ", instance.encodeForCSS("$field=rgb(255,255,255)! $field=rgb(255,255,255)!"));
+    	assertEquals("\\24 field\\3d rgb(25%,25%,25%)\\21 \\20 \\24 field\\3d rgb(25%,25%,25%)\\21 ", instance.encodeForCSS("$field=rgb(25%,25%,25%)! $field=rgb(25%,25%,25%)!"));
+    	assertEquals("\\24 field\\3d rgb(255,255,255)\\21 \\20 \\24 field\\3d rgb(25%,25%,25%)\\21 ", instance.encodeForCSS("$field=rgb(255,255,255)! $field=rgb(25%,25%,25%)!"));
+    }
+       
+    
     /**
 	 * Test of encodeForJavaScript method, of class org.owasp.esapi.Encoder.
 	 */