001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.commons.validator.routines;
018
019import java.io.Serializable;
020import java.util.Arrays;
021import java.util.Collections;
022import java.util.HashSet;
023import java.util.Set;
024import java.util.regex.Matcher;
025import java.util.regex.Pattern;
026
027/**
028 * <p><b>URL Validation</b> routines.</p>
029 * Behavior of validation is modified by passing in options:
030 * <li>ALLOW_2_SLASHES - [FALSE]  Allows double '/' characters in the path
031 * component.</li>
032 * <li>NO_FRAGMENT- [FALSE]  By default fragments are allowed, if this option is
033 * included then fragments are flagged as illegal.</li>
034 * <li>ALLOW_ALL_SCHEMES - [FALSE] By default only http, https, and ftp are
035 * considered valid schemes.  Enabling this option will let any scheme pass validation.</li>
036 *
037 * <p>Originally based in on php script by Debbie Dyer, validation.php v1.2b, Date: 03/07/02,
038 * http://javascript.internet.com. However, this validation now bears little resemblance
039 * to the php original.</p>
040 * <pre>
041 *   Example of usage:
042 *   Construct a UrlValidator with valid schemes of "http", and "https".
043 *
044 *    String[] schemes = {"http","https"}.
045 *    UrlValidator urlValidator = new UrlValidator(schemes);
046 *    if (urlValidator.isValid("ftp://foo.bar.com/")) {
047 *       System.out.println("url is valid");
048 *    } else {
049 *       System.out.println("url is invalid");
050 *    }
051 *
052 *    prints "url is invalid"
053 *   If instead the default constructor is used.
054 *
055 *    UrlValidator urlValidator = new UrlValidator();
056 *    if (urlValidator.isValid("ftp://foo.bar.com/")) {
057 *       System.out.println("url is valid");
058 *    } else {
059 *       System.out.println("url is invalid");
060 *    }
061 *
062 *   prints out "url is valid"
063 *  </pre>
064 *
065 * @see
066 * <a href="http://www.ietf.org/rfc/rfc2396.txt">
067 *  Uniform Resource Identifiers (URI): Generic Syntax
068 * </a>
069 *
070 * @version $Revision: 1227719 $ $Date: 2012-01-05 18:45:51 +0100 (Do, 05 Jan 2012) $
071 * @since Validator 1.4
072 */
073public class UrlValidator implements Serializable {
074
075    private static final long serialVersionUID = 7557161713937335013L;
076
077    /**
078     * Allows all validly formatted schemes to pass validation instead of
079     * supplying a set of valid schemes.
080     */
081    public static final long ALLOW_ALL_SCHEMES = 1 << 0;
082
083    /**
084     * Allow two slashes in the path component of the URL.
085     */
086    public static final long ALLOW_2_SLASHES = 1 << 1;
087
088    /**
089     * Enabling this options disallows any URL fragments.
090     */
091    public static final long NO_FRAGMENTS = 1 << 2;
092
093    /**
094     * Allow local URLs, such as http://localhost/ or http://machine/ .
095     * This enables a broad-brush check, for complex local machine name
096     *  validation requirements you should create your validator with
097     *  a {@link RegexValidator} instead ({@link #UrlValidator(RegexValidator, long)})
098     */
099    public static final long ALLOW_LOCAL_URLS = 1 << 3;
100
101    // Drop numeric, and  "+-." for now
102    private static final String AUTHORITY_CHARS_REGEX = "\\p{Alnum}\\-\\.";
103
104    /**
105     * This expression derived/taken from the BNF for URI (RFC2396).
106     */
107    private static final String URL_REGEX =
108            "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?";
109    //                                                                      12            3  4          5       6   7        8 9
110    private static final Pattern URL_PATTERN = Pattern.compile(URL_REGEX);
111
112    /**
113     * Schema/Protocol (ie. http:, ftp:, file:, etc).
114     */
115    private static final int PARSE_URL_SCHEME = 2;
116
117    /**
118     * Includes hostname/ip and port number.
119     */
120    private static final int PARSE_URL_AUTHORITY = 4;
121
122    private static final int PARSE_URL_PATH = 5;
123
124    private static final int PARSE_URL_QUERY = 7;
125
126    private static final int PARSE_URL_FRAGMENT = 9;
127
128    /**
129     * Protocol (ie. http:, ftp:,https:).
130     */
131    private static final String SCHEME_REGEX = "^\\p{Alpha}[\\p{Alnum}\\+\\-\\.]*";
132    private static final Pattern SCHEME_PATTERN = Pattern.compile(SCHEME_REGEX);
133
134    private static final String AUTHORITY_REGEX =
135            "^([" + AUTHORITY_CHARS_REGEX + "]*)(:\\d*)?(.*)?";
136    //                                                                            1                          2  3       4
137    private static final Pattern AUTHORITY_PATTERN = Pattern.compile(AUTHORITY_REGEX);
138
139    private static final int PARSE_AUTHORITY_HOST_IP = 1;
140
141    private static final int PARSE_AUTHORITY_PORT = 2;
142
143    /**
144     * Should always be empty.
145     */
146    private static final int PARSE_AUTHORITY_EXTRA = 3;
147
148    private static final String PATH_REGEX = "^(/[-\\w:@&?=+,.!/~*'%$_;\\(\\)]*)?$";
149    private static final Pattern PATH_PATTERN = Pattern.compile(PATH_REGEX);
150
151    private static final String QUERY_REGEX = "^(.*)$";
152    private static final Pattern QUERY_PATTERN = Pattern.compile(QUERY_REGEX);
153
154    private static final String LEGAL_ASCII_REGEX = "^\\p{ASCII}+$";
155    private static final Pattern ASCII_PATTERN = Pattern.compile(LEGAL_ASCII_REGEX);
156
157    private static final String PORT_REGEX = "^:(\\d{1,5})$";
158    private static final Pattern PORT_PATTERN = Pattern.compile(PORT_REGEX);
159
160    /**
161     * Holds the set of current validation options.
162     */
163    private final long options;
164
165    /**
166     * The set of schemes that are allowed to be in a URL.
167     */
168    private final Set allowedSchemes;
169
170    /**
171     * Regular expressions used to manually validate authorities if IANA
172     * domain name validation isn't desired.
173     */
174    private final RegexValidator authorityValidator;
175
176    /**
177     * If no schemes are provided, default to this set.
178     */
179    private static final String[] DEFAULT_SCHEMES = {"http", "https", "ftp"};
180
181    /**
182     * Singleton instance of this class with default schemes and options.
183     */
184    private static final UrlValidator DEFAULT_URL_VALIDATOR = new UrlValidator();
185
186    /**
187     * Returns the singleton instance of this class with default schemes and options.
188     * @return singleton instance with default schemes and options
189     */
190    public static UrlValidator getInstance() {
191        return DEFAULT_URL_VALIDATOR;
192    }
193
194    /**
195     * Create a UrlValidator with default properties.
196     */
197    public UrlValidator() {
198        this(null);
199    }
200
201    /**
202     * Behavior of validation is modified by passing in several strings options:
203     * @param schemes Pass in one or more url schemes to consider valid, passing in
204     *        a null will default to "http,https,ftp" being valid.
205     *        If a non-null schemes is specified then all valid schemes must
206     *        be specified. Setting the ALLOW_ALL_SCHEMES option will
207     *        ignore the contents of schemes.
208     */
209    public UrlValidator(String[] schemes) {
210        this(schemes, 0L);
211    }
212
213    /**
214     * Initialize a UrlValidator with the given validation options.
215     * @param options The options should be set using the public constants declared in
216     * this class.  To set multiple options you simply add them together.  For example,
217     * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
218     */
219    public UrlValidator(long options) {
220        this(null, null, options);
221    }
222
223    /**
224     * Behavior of validation is modified by passing in options:
225     * @param schemes The set of valid schemes.
226     * @param options The options should be set using the public constants declared in
227     * this class.  To set multiple options you simply add them together.  For example,
228     * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
229     */
230    public UrlValidator(String[] schemes, long options) {
231        this(schemes, null, options);
232    }
233
234    /**
235     * Initialize a UrlValidator with the given validation options.
236     * @param authorityValidator Regular expression validator used to validate the authority part
237     * @param options Validation options. Set using the public constants of this class.
238     * To set multiple options, simply add them together:
239     * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p>
240     * enables both of those options.
241     */
242    public UrlValidator(RegexValidator authorityValidator, long options) {
243        this(null, authorityValidator, options);
244    }
245
246    /**
247     * Customizable constructor. Validation behavior is modifed by passing in options.
248     * @param schemes the set of valid schemes
249     * @param authorityValidator Regular expression validator used to validate the authority part
250     * @param options Validation options. Set using the public constants of this class.
251     * To set multiple options, simply add them together:
252     * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p>
253     * enables both of those options.
254     */
255    public UrlValidator(String[] schemes, RegexValidator authorityValidator, long options) {
256        this.options = options;
257
258        if (isOn(ALLOW_ALL_SCHEMES)) {
259            this.allowedSchemes = Collections.EMPTY_SET;
260        } else {
261            if (schemes == null) {
262                schemes = DEFAULT_SCHEMES;
263            }
264            this.allowedSchemes = new HashSet();
265            this.allowedSchemes.addAll(Arrays.asList(schemes));
266        }
267
268        this.authorityValidator = authorityValidator;
269
270    }
271
272    /**
273     * <p>Checks if a field has a valid url address.</p>
274     *
275     * @param value The value validation is being performed on.  A <code>null</code>
276     * value is considered invalid.
277     * @return true if the url is valid.
278     */
279    public boolean isValid(String value) {
280        if (value == null) {
281            return false;
282        }
283
284        if (!ASCII_PATTERN.matcher(value).matches()) {
285            return false;
286        }
287
288        // Check the whole url address structure
289        Matcher urlMatcher = URL_PATTERN.matcher(value);
290        if (!urlMatcher.matches()) {
291            return false;
292        }
293
294        String scheme = urlMatcher.group(PARSE_URL_SCHEME);
295        if (!isValidScheme(scheme)) {
296            return false;
297        }
298
299        String authority = urlMatcher.group(PARSE_URL_AUTHORITY);
300        if ("file".equals(scheme) && "".equals(authority)) {
301           // Special case - file: allows an empty authority
302        } else {
303           // Validate the authority
304           if (!isValidAuthority(authority)) {
305               return false;
306            }
307        }
308
309        if (!isValidPath(urlMatcher.group(PARSE_URL_PATH))) {
310            return false;
311        }
312
313        if (!isValidQuery(urlMatcher.group(PARSE_URL_QUERY))) {
314            return false;
315        }
316
317        if (!isValidFragment(urlMatcher.group(PARSE_URL_FRAGMENT))) {
318            return false;
319        }
320
321        return true;
322    }
323
324    /**
325     * Validate scheme. If schemes[] was initialized to a non null,
326     * then only those scheme's are allowed.  Note this is slightly different
327     * than for the constructor.
328     * @param scheme The scheme to validate.  A <code>null</code> value is considered
329     * invalid.
330     * @return true if valid.
331     */
332    protected boolean isValidScheme(String scheme) {
333        if (scheme == null) {
334            return false;
335        }
336
337        if (!SCHEME_PATTERN.matcher(scheme).matches()) {
338            return false;
339        }
340
341        if (isOff(ALLOW_ALL_SCHEMES)) {
342
343            if (!this.allowedSchemes.contains(scheme)) {
344                return false;
345            }
346        }
347
348        return true;
349    }
350
351    /**
352     * Returns true if the authority is properly formatted.  An authority is the combination
353     * of hostname and port.  A <code>null</code> authority value is considered invalid.
354     * @param authority Authority value to validate.
355     * @return true if authority (hostname and port) is valid.
356     */
357    protected boolean isValidAuthority(String authority) {
358        if (authority == null) {
359            return false;
360        }
361
362        // check manual authority validation if specified
363        if (authorityValidator != null) {
364            if (authorityValidator.isValid(authority)) {
365                return true;
366            }
367        }
368
369        Matcher authorityMatcher = AUTHORITY_PATTERN.matcher(authority);
370        if (!authorityMatcher.matches()) {
371            return false;
372        }
373
374        String hostLocation = authorityMatcher.group(PARSE_AUTHORITY_HOST_IP);
375        // check if authority is hostname or IP address:
376        // try a hostname first since that's much more likely
377        DomainValidator domainValidator = DomainValidator.getInstance(isOn(ALLOW_LOCAL_URLS));
378        if (!domainValidator.isValid(hostLocation)) {
379            // try an IP address
380            InetAddressValidator inetAddressValidator =
381                InetAddressValidator.getInstance();
382            if (!inetAddressValidator.isValid(hostLocation)) {
383                // isn't either one, so the URL is invalid
384                return false;
385            }
386        }
387
388        String port = authorityMatcher.group(PARSE_AUTHORITY_PORT);
389        if (port != null) {
390            if (!PORT_PATTERN.matcher(port).matches()) {
391                return false;
392            }
393        }
394
395        String extra = authorityMatcher.group(PARSE_AUTHORITY_EXTRA);
396        if (extra != null && extra.trim().length() > 0){
397            return false;
398        }
399
400        return true;
401    }
402
403    /**
404     * Returns true if the path is valid.  A <code>null</code> value is considered invalid.
405     * @param path Path value to validate.
406     * @return true if path is valid.
407     */
408    protected boolean isValidPath(String path) {
409        if (path == null) {
410            return false;
411        }
412
413        if (!PATH_PATTERN.matcher(path).matches()) {
414            return false;
415        }
416
417        int slash2Count = countToken("//", path);
418        if (isOff(ALLOW_2_SLASHES) && (slash2Count > 0)) {
419            return false;
420        }
421
422        int slashCount = countToken("/", path);
423        int dot2Count = countToken("..", path);
424        if (dot2Count > 0) {
425            if ((slashCount - slash2Count - 1) <= dot2Count) {
426                return false;
427            }
428        }
429
430        return true;
431    }
432
433    /**
434     * Returns true if the query is null or it's a properly formatted query string.
435     * @param query Query value to validate.
436     * @return true if query is valid.
437     */
438    protected boolean isValidQuery(String query) {
439        if (query == null) {
440            return true;
441        }
442
443        return QUERY_PATTERN.matcher(query).matches();
444    }
445
446    /**
447     * Returns true if the given fragment is null or fragments are allowed.
448     * @param fragment Fragment value to validate.
449     * @return true if fragment is valid.
450     */
451    protected boolean isValidFragment(String fragment) {
452        if (fragment == null) {
453            return true;
454        }
455
456        return isOff(NO_FRAGMENTS);
457    }
458
459    /**
460     * Returns the number of times the token appears in the target.
461     * @param token Token value to be counted.
462     * @param target Target value to count tokens in.
463     * @return the number of tokens.
464     */
465    protected int countToken(String token, String target) {
466        int tokenIndex = 0;
467        int count = 0;
468        while (tokenIndex != -1) {
469            tokenIndex = target.indexOf(token, tokenIndex);
470            if (tokenIndex > -1) {
471                tokenIndex++;
472                count++;
473            }
474        }
475        return count;
476    }
477
478    /**
479     * Tests whether the given flag is on.  If the flag is not a power of 2
480     * (ie. 3) this tests whether the combination of flags is on.
481     *
482     * @param flag Flag value to check.
483     *
484     * @return whether the specified flag value is on.
485     */
486    private boolean isOn(long flag) {
487        return (this.options & flag) > 0;
488    }
489
490    /**
491     * Tests whether the given flag is off.  If the flag is not a power of 2
492     * (ie. 3) this tests whether the combination of flags is off.
493     *
494     * @param flag Flag value to check.
495     *
496     * @return whether the specified flag value is off.
497     */
498    private boolean isOff(long flag) {
499        return (this.options & flag) == 0;
500    }
501}