001/* 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017package org.apache.commons.validator.routines; 018 019import java.io.Serializable; 020import java.util.Arrays; 021import java.util.Collections; 022import java.util.HashSet; 023import java.util.Set; 024import java.util.regex.Matcher; 025import java.util.regex.Pattern; 026 027/** 028 * <p><b>URL Validation</b> routines.</p> 029 * Behavior of validation is modified by passing in options: 030 * <li>ALLOW_2_SLASHES - [FALSE] Allows double '/' characters in the path 031 * component.</li> 032 * <li>NO_FRAGMENT- [FALSE] By default fragments are allowed, if this option is 033 * included then fragments are flagged as illegal.</li> 034 * <li>ALLOW_ALL_SCHEMES - [FALSE] By default only http, https, and ftp are 035 * considered valid schemes. Enabling this option will let any scheme pass validation.</li> 036 * 037 * <p>Originally based in on php script by Debbie Dyer, validation.php v1.2b, Date: 03/07/02, 038 * http://javascript.internet.com. However, this validation now bears little resemblance 039 * to the php original.</p> 040 * <pre> 041 * Example of usage: 042 * Construct a UrlValidator with valid schemes of "http", and "https". 043 * 044 * String[] schemes = {"http","https"}. 045 * UrlValidator urlValidator = new UrlValidator(schemes); 046 * if (urlValidator.isValid("ftp://foo.bar.com/")) { 047 * System.out.println("url is valid"); 048 * } else { 049 * System.out.println("url is invalid"); 050 * } 051 * 052 * prints "url is invalid" 053 * If instead the default constructor is used. 054 * 055 * UrlValidator urlValidator = new UrlValidator(); 056 * if (urlValidator.isValid("ftp://foo.bar.com/")) { 057 * System.out.println("url is valid"); 058 * } else { 059 * System.out.println("url is invalid"); 060 * } 061 * 062 * prints out "url is valid" 063 * </pre> 064 * 065 * @see 066 * <a href="http://www.ietf.org/rfc/rfc2396.txt"> 067 * Uniform Resource Identifiers (URI): Generic Syntax 068 * </a> 069 * 070 * @version $Revision: 1227719 $ $Date: 2012-01-05 12:45:51 -0500 (Thu, 05 Jan 2012) $ 071 * @since Validator 1.4 072 */ 073public class UrlValidator implements Serializable { 074 075 private static final long serialVersionUID = 7557161713937335013L; 076 077 /** 078 * Allows all validly formatted schemes to pass validation instead of 079 * supplying a set of valid schemes. 080 */ 081 public static final long ALLOW_ALL_SCHEMES = 1 << 0; 082 083 /** 084 * Allow two slashes in the path component of the URL. 085 */ 086 public static final long ALLOW_2_SLASHES = 1 << 1; 087 088 /** 089 * Enabling this options disallows any URL fragments. 090 */ 091 public static final long NO_FRAGMENTS = 1 << 2; 092 093 /** 094 * Allow local URLs, such as http://localhost/ or http://machine/ . 095 * This enables a broad-brush check, for complex local machine name 096 * validation requirements you should create your validator with 097 * a {@link RegexValidator} instead ({@link #UrlValidator(RegexValidator, long)}) 098 */ 099 public static final long ALLOW_LOCAL_URLS = 1 << 3; 100 101 // Drop numeric, and "+-." for now 102 private static final String AUTHORITY_CHARS_REGEX = "\\p{Alnum}\\-\\."; 103 104 /** 105 * This expression derived/taken from the BNF for URI (RFC2396). 106 */ 107 private static final String URL_REGEX = 108 "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"; 109 // 12 3 4 5 6 7 8 9 110 private static final Pattern URL_PATTERN = Pattern.compile(URL_REGEX); 111 112 /** 113 * Schema/Protocol (ie. http:, ftp:, file:, etc). 114 */ 115 private static final int PARSE_URL_SCHEME = 2; 116 117 /** 118 * Includes hostname/ip and port number. 119 */ 120 private static final int PARSE_URL_AUTHORITY = 4; 121 122 private static final int PARSE_URL_PATH = 5; 123 124 private static final int PARSE_URL_QUERY = 7; 125 126 private static final int PARSE_URL_FRAGMENT = 9; 127 128 /** 129 * Protocol (ie. http:, ftp:,https:). 130 */ 131 private static final String SCHEME_REGEX = "^\\p{Alpha}[\\p{Alnum}\\+\\-\\.]*"; 132 private static final Pattern SCHEME_PATTERN = Pattern.compile(SCHEME_REGEX); 133 134 private static final String AUTHORITY_REGEX = 135 "^([" + AUTHORITY_CHARS_REGEX + "]*)(:\\d*)?(.*)?"; 136 // 1 2 3 4 137 private static final Pattern AUTHORITY_PATTERN = Pattern.compile(AUTHORITY_REGEX); 138 139 private static final int PARSE_AUTHORITY_HOST_IP = 1; 140 141 private static final int PARSE_AUTHORITY_PORT = 2; 142 143 /** 144 * Should always be empty. 145 */ 146 private static final int PARSE_AUTHORITY_EXTRA = 3; 147 148 private static final String PATH_REGEX = "^(/[-\\w:@&?=+,.!/~*'%$_;\\(\\)]*)?$"; 149 private static final Pattern PATH_PATTERN = Pattern.compile(PATH_REGEX); 150 151 private static final String QUERY_REGEX = "^(.*)$"; 152 private static final Pattern QUERY_PATTERN = Pattern.compile(QUERY_REGEX); 153 154 private static final String LEGAL_ASCII_REGEX = "^\\p{ASCII}+$"; 155 private static final Pattern ASCII_PATTERN = Pattern.compile(LEGAL_ASCII_REGEX); 156 157 private static final String PORT_REGEX = "^:(\\d{1,5})$"; 158 private static final Pattern PORT_PATTERN = Pattern.compile(PORT_REGEX); 159 160 /** 161 * Holds the set of current validation options. 162 */ 163 private final long options; 164 165 /** 166 * The set of schemes that are allowed to be in a URL. 167 */ 168 private final Set allowedSchemes; 169 170 /** 171 * Regular expressions used to manually validate authorities if IANA 172 * domain name validation isn't desired. 173 */ 174 private final RegexValidator authorityValidator; 175 176 /** 177 * If no schemes are provided, default to this set. 178 */ 179 private static final String[] DEFAULT_SCHEMES = {"http", "https", "ftp"}; 180 181 /** 182 * Singleton instance of this class with default schemes and options. 183 */ 184 private static final UrlValidator DEFAULT_URL_VALIDATOR = new UrlValidator(); 185 186 /** 187 * Returns the singleton instance of this class with default schemes and options. 188 * @return singleton instance with default schemes and options 189 */ 190 public static UrlValidator getInstance() { 191 return DEFAULT_URL_VALIDATOR; 192 } 193 194 /** 195 * Create a UrlValidator with default properties. 196 */ 197 public UrlValidator() { 198 this(null); 199 } 200 201 /** 202 * Behavior of validation is modified by passing in several strings options: 203 * @param schemes Pass in one or more url schemes to consider valid, passing in 204 * a null will default to "http,https,ftp" being valid. 205 * If a non-null schemes is specified then all valid schemes must 206 * be specified. Setting the ALLOW_ALL_SCHEMES option will 207 * ignore the contents of schemes. 208 */ 209 public UrlValidator(String[] schemes) { 210 this(schemes, 0L); 211 } 212 213 /** 214 * Initialize a UrlValidator with the given validation options. 215 * @param options The options should be set using the public constants declared in 216 * this class. To set multiple options you simply add them together. For example, 217 * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options. 218 */ 219 public UrlValidator(long options) { 220 this(null, null, options); 221 } 222 223 /** 224 * Behavior of validation is modified by passing in options: 225 * @param schemes The set of valid schemes. 226 * @param options The options should be set using the public constants declared in 227 * this class. To set multiple options you simply add them together. For example, 228 * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options. 229 */ 230 public UrlValidator(String[] schemes, long options) { 231 this(schemes, null, options); 232 } 233 234 /** 235 * Initialize a UrlValidator with the given validation options. 236 * @param authorityValidator Regular expression validator used to validate the authority part 237 * @param options Validation options. Set using the public constants of this class. 238 * To set multiple options, simply add them together: 239 * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p> 240 * enables both of those options. 241 */ 242 public UrlValidator(RegexValidator authorityValidator, long options) { 243 this(null, authorityValidator, options); 244 } 245 246 /** 247 * Customizable constructor. Validation behavior is modifed by passing in options. 248 * @param schemes the set of valid schemes 249 * @param authorityValidator Regular expression validator used to validate the authority part 250 * @param options Validation options. Set using the public constants of this class. 251 * To set multiple options, simply add them together: 252 * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p> 253 * enables both of those options. 254 */ 255 public UrlValidator(String[] schemes, RegexValidator authorityValidator, long options) { 256 this.options = options; 257 258 if (isOn(ALLOW_ALL_SCHEMES)) { 259 this.allowedSchemes = Collections.EMPTY_SET; 260 } else { 261 if (schemes == null) { 262 schemes = DEFAULT_SCHEMES; 263 } 264 this.allowedSchemes = new HashSet(); 265 this.allowedSchemes.addAll(Arrays.asList(schemes)); 266 } 267 268 this.authorityValidator = authorityValidator; 269 270 } 271 272 /** 273 * <p>Checks if a field has a valid url address.</p> 274 * 275 * @param value The value validation is being performed on. A <code>null</code> 276 * value is considered invalid. 277 * @return true if the url is valid. 278 */ 279 public boolean isValid(String value) { 280 if (value == null) { 281 return false; 282 } 283 284 if (!ASCII_PATTERN.matcher(value).matches()) { 285 return false; 286 } 287 288 // Check the whole url address structure 289 Matcher urlMatcher = URL_PATTERN.matcher(value); 290 if (!urlMatcher.matches()) { 291 return false; 292 } 293 294 String scheme = urlMatcher.group(PARSE_URL_SCHEME); 295 if (!isValidScheme(scheme)) { 296 return false; 297 } 298 299 String authority = urlMatcher.group(PARSE_URL_AUTHORITY); 300 if ("file".equals(scheme) && "".equals(authority)) { 301 // Special case - file: allows an empty authority 302 } else { 303 // Validate the authority 304 if (!isValidAuthority(authority)) { 305 return false; 306 } 307 } 308 309 if (!isValidPath(urlMatcher.group(PARSE_URL_PATH))) { 310 return false; 311 } 312 313 if (!isValidQuery(urlMatcher.group(PARSE_URL_QUERY))) { 314 return false; 315 } 316 317 if (!isValidFragment(urlMatcher.group(PARSE_URL_FRAGMENT))) { 318 return false; 319 } 320 321 return true; 322 } 323 324 /** 325 * Validate scheme. If schemes[] was initialized to a non null, 326 * then only those scheme's are allowed. Note this is slightly different 327 * than for the constructor. 328 * @param scheme The scheme to validate. A <code>null</code> value is considered 329 * invalid. 330 * @return true if valid. 331 */ 332 protected boolean isValidScheme(String scheme) { 333 if (scheme == null) { 334 return false; 335 } 336 337 if (!SCHEME_PATTERN.matcher(scheme).matches()) { 338 return false; 339 } 340 341 if (isOff(ALLOW_ALL_SCHEMES)) { 342 343 if (!this.allowedSchemes.contains(scheme)) { 344 return false; 345 } 346 } 347 348 return true; 349 } 350 351 /** 352 * Returns true if the authority is properly formatted. An authority is the combination 353 * of hostname and port. A <code>null</code> authority value is considered invalid. 354 * @param authority Authority value to validate. 355 * @return true if authority (hostname and port) is valid. 356 */ 357 protected boolean isValidAuthority(String authority) { 358 if (authority == null) { 359 return false; 360 } 361 362 // check manual authority validation if specified 363 if (authorityValidator != null) { 364 if (authorityValidator.isValid(authority)) { 365 return true; 366 } 367 } 368 369 Matcher authorityMatcher = AUTHORITY_PATTERN.matcher(authority); 370 if (!authorityMatcher.matches()) { 371 return false; 372 } 373 374 String hostLocation = authorityMatcher.group(PARSE_AUTHORITY_HOST_IP); 375 // check if authority is hostname or IP address: 376 // try a hostname first since that's much more likely 377 DomainValidator domainValidator = DomainValidator.getInstance(isOn(ALLOW_LOCAL_URLS)); 378 if (!domainValidator.isValid(hostLocation)) { 379 // try an IP address 380 InetAddressValidator inetAddressValidator = 381 InetAddressValidator.getInstance(); 382 if (!inetAddressValidator.isValid(hostLocation)) { 383 // isn't either one, so the URL is invalid 384 return false; 385 } 386 } 387 388 String port = authorityMatcher.group(PARSE_AUTHORITY_PORT); 389 if (port != null) { 390 if (!PORT_PATTERN.matcher(port).matches()) { 391 return false; 392 } 393 } 394 395 String extra = authorityMatcher.group(PARSE_AUTHORITY_EXTRA); 396 if (extra != null && extra.trim().length() > 0){ 397 return false; 398 } 399 400 return true; 401 } 402 403 /** 404 * Returns true if the path is valid. A <code>null</code> value is considered invalid. 405 * @param path Path value to validate. 406 * @return true if path is valid. 407 */ 408 protected boolean isValidPath(String path) { 409 if (path == null) { 410 return false; 411 } 412 413 if (!PATH_PATTERN.matcher(path).matches()) { 414 return false; 415 } 416 417 int slash2Count = countToken("//", path); 418 if (isOff(ALLOW_2_SLASHES) && (slash2Count > 0)) { 419 return false; 420 } 421 422 int slashCount = countToken("/", path); 423 int dot2Count = countToken("..", path); 424 if (dot2Count > 0) { 425 if ((slashCount - slash2Count - 1) <= dot2Count) { 426 return false; 427 } 428 } 429 430 return true; 431 } 432 433 /** 434 * Returns true if the query is null or it's a properly formatted query string. 435 * @param query Query value to validate. 436 * @return true if query is valid. 437 */ 438 protected boolean isValidQuery(String query) { 439 if (query == null) { 440 return true; 441 } 442 443 return QUERY_PATTERN.matcher(query).matches(); 444 } 445 446 /** 447 * Returns true if the given fragment is null or fragments are allowed. 448 * @param fragment Fragment value to validate. 449 * @return true if fragment is valid. 450 */ 451 protected boolean isValidFragment(String fragment) { 452 if (fragment == null) { 453 return true; 454 } 455 456 return isOff(NO_FRAGMENTS); 457 } 458 459 /** 460 * Returns the number of times the token appears in the target. 461 * @param token Token value to be counted. 462 * @param target Target value to count tokens in. 463 * @return the number of tokens. 464 */ 465 protected int countToken(String token, String target) { 466 int tokenIndex = 0; 467 int count = 0; 468 while (tokenIndex != -1) { 469 tokenIndex = target.indexOf(token, tokenIndex); 470 if (tokenIndex > -1) { 471 tokenIndex++; 472 count++; 473 } 474 } 475 return count; 476 } 477 478 /** 479 * Tests whether the given flag is on. If the flag is not a power of 2 480 * (ie. 3) this tests whether the combination of flags is on. 481 * 482 * @param flag Flag value to check. 483 * 484 * @return whether the specified flag value is on. 485 */ 486 private boolean isOn(long flag) { 487 return (this.options & flag) > 0; 488 } 489 490 /** 491 * Tests whether the given flag is off. If the flag is not a power of 2 492 * (ie. 3) this tests whether the combination of flags is off. 493 * 494 * @param flag Flag value to check. 495 * 496 * @return whether the specified flag value is off. 497 */ 498 private boolean isOff(long flag) { 499 return (this.options & flag) == 0; 500 } 501}