UrlValidator.java

  1. /*
  2.  * Licensed to the Apache Software Foundation (ASF) under one or more
  3.  * contributor license agreements.  See the NOTICE file distributed with
  4.  * this work for additional information regarding copyright ownership.
  5.  * The ASF licenses this file to You under the Apache License, Version 2.0
  6.  * (the "License"); you may not use this file except in compliance with
  7.  * the License.  You may obtain a copy of the License at
  8.  *
  9.  *      http://www.apache.org/licenses/LICENSE-2.0
  10.  *
  11.  * Unless required by applicable law or agreed to in writing, software
  12.  * distributed under the License is distributed on an "AS IS" BASIS,
  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14.  * See the License for the specific language governing permissions and
  15.  * limitations under the License.
  16.  */
  17. package org.apache.commons.validator.routines;

  19. import java.io.Serializable;
  20. import java.net.URI;
  21. import java.net.URISyntaxException;
  22. import java.util.Collections;
  23. import java.util.HashSet;
  24. import java.util.Locale;
  25. import java.util.Set;
  26. import java.util.regex.Matcher;
  27. import java.util.regex.Pattern;

  29. import org.apache.commons.validator.GenericValidator;

  31. /**
  32.  * <p><b>URL Validation</b> routines.</p>
  33.  * Behavior of validation is modified by passing in options:
  34.  * <ul>
  35.  * <li>ALLOW_2_SLASHES - [FALSE]  Allows double '/' characters in the path
  36.  * component.</li>
  37.  * <li>NO_FRAGMENT- [FALSE]  By default fragments are allowed, if this option is
  38.  * included then fragments are flagged as illegal.</li>
  39.  * <li>ALLOW_ALL_SCHEMES - [FALSE] By default only http, https, and ftp are
  40.  * considered valid schemes.  Enabling this option will let any scheme pass validation.</li>
  41.  * </ul>
  42.  *
  43.  * <p>Originally based in on php script by Debbie Dyer, validation.php v1.2b, Date: 03/07/02,
  44.  * https://javascript.internet.com. However, this validation now bears little resemblance
  45.  * to the php original.</p>
  46.  * <pre>
  47.  *   Example of usage:
  48.  *   Construct a UrlValidator with valid schemes of "http", and "https".
  49.  *
  50.  *    String[] schemes = {"http","https"}.
  51.  *    UrlValidator urlValidator = new UrlValidator(schemes);
  52.  *    if (urlValidator.isValid("ftp://foo.bar.com/")) {
  53.  *       System.out.println("URL is valid");
  54.  *    } else {
  55.  *       System.out.println("URL is invalid");
  56.  *    }
  57.  *
  58.  *    prints "URL is invalid"
  59.  *   If instead the default constructor is used.
  60.  *
  61.  *    UrlValidator urlValidator = new UrlValidator();
  62.  *    if (urlValidator.isValid("ftp://foo.bar.com/")) {
  63.  *       System.out.println("URL is valid");
  64.  *    } else {
  65.  *       System.out.println("URL is invalid");
  66.  *    }
  67.  *
  68.  *   prints out "URL is valid"
  69.  *  </pre>
  70.  *
  71.  * @see
  72.  * <a href="http://www.ietf.org/rfc/rfc2396.txt">
  73.  *  Uniform Resource Identifiers (URI): Generic Syntax
  74.  * </a>
  75.  *
  76.  * @since 1.4
  77.  */
  78. public class UrlValidator implements Serializable {

  80.     private static final long serialVersionUID = 7557161713937335013L;

  82.     private static final int MAX_UNSIGNED_16_BIT_INT = 0xFFFF; // port max

  84.     /**
  85.      * Allows all validly formatted schemes to pass validation instead of
  86.      * supplying a set of valid schemes.
  87.      */
  88.     public static final long ALLOW_ALL_SCHEMES = 1 << 0;

  90.     /**
  91.      * Allow two slashes in the path component of the URL.
  92.      */
  93.     public static final long ALLOW_2_SLASHES = 1 << 1;

  95.     /**
  96.      * Enabling this options disallows any URL fragments.
  97.      */
  98.     public static final long NO_FRAGMENTS = 1 << 2;

  100.     /**
  101.      * Allow local URLs, such as https://localhost/ or https://machine/ .
  102.      * This enables a broad-brush check, for complex local machine name
  103.      *  validation requirements you should create your validator with
  104.      *  a {@link RegexValidator} instead ({@link #UrlValidator(RegexValidator, long)})
  105.      */
  106.     public static final long ALLOW_LOCAL_URLS = 1 << 3; // CHECKSTYLE IGNORE MagicNumber

  108.     /**
  109.      * Protocol scheme (e.g. http, ftp, https).
  110.      */
  111.     private static final String SCHEME_REGEX = "^\\p{Alpha}[\\p{Alnum}\\+\\-\\.]*";
  112.     private static final Pattern SCHEME_PATTERN = Pattern.compile(SCHEME_REGEX);

  114.     // Drop numeric, and  "+-." for now
  115.     // TODO does not allow for optional userinfo.
  116.     // Validation of character set is done by isValidAuthority
  117.     private static final String AUTHORITY_CHARS_REGEX = "\\p{Alnum}\\-\\."; // allows for IPV4 but not IPV6
  118.     // Allow for IPv4 mapped addresses: ::FFF:123.123.123.123
  119.     private static final String IPV6_REGEX = "::FFFF:(?:\\d{1,3}\\.){3}\\d{1,3}|[0-9a-fA-F:]+"; // do this as separate match because : could cause ambiguity with port prefix

  121.     // userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
  122.     // unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
  123.     // sub-delims    = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
  124.     // We assume that password has the same valid chars as user info
  125.     private static final String USERINFO_CHARS_REGEX = "[a-zA-Z0-9%-._~!$&'()*+,;=]";

  127.     // since neither ':' nor '@' are allowed chars, we don't need to use non-greedy matching
  128.     private static final String USERINFO_FIELD_REGEX =
  129.             USERINFO_CHARS_REGEX + "+" + // At least one character for the name
  130.             "(?::" + USERINFO_CHARS_REGEX + "*)?@"; // colon and password may be absent

  132.     private static final String AUTHORITY_REGEX =
  133.             "(?:\\[(" + IPV6_REGEX + ")\\]|(?:(?:" + USERINFO_FIELD_REGEX + ")?([" + AUTHORITY_CHARS_REGEX + "]*)))(?::(\\d*))?(.*)?";
  134.     //             1                                 e.g. user:pass@           2                                       3       4
  135.     private static final Pattern AUTHORITY_PATTERN = Pattern.compile(AUTHORITY_REGEX);

  137.     private static final int PARSE_AUTHORITY_IPV6 = 1;

  139.     private static final int PARSE_AUTHORITY_HOST_IP = 2; // excludes userinfo, if present

  141.     private static final int PARSE_AUTHORITY_PORT = 3; // excludes leading colon

  143.     /**
  144.      * Should always be empty. The code currently allows spaces.
  145.      */
  146.     private static final int PARSE_AUTHORITY_EXTRA = 4;

  148.     private static final String PATH_REGEX = "^(/[-\\w:@&?=+,.!/~*'%$_;\\(\\)]*)?$";
  149.     private static final Pattern PATH_PATTERN = Pattern.compile(PATH_REGEX);

  151.     private static final String QUERY_REGEX = "^(\\S*)$";
  152.     private static final Pattern QUERY_PATTERN = Pattern.compile(QUERY_REGEX);

  154.     /**
  155.      * If no schemes are provided, default to this set.
  156.      */
  157.     private static final String[] DEFAULT_SCHEMES = {"http", "https", "ftp"}; // Must be lower-case

  159.     /**
  160.      * Singleton instance of this class with default schemes and options.
  161.      */
  162.     private static final UrlValidator DEFAULT_URL_VALIDATOR = new UrlValidator();

  164.     /**
  165.      * Returns the singleton instance of this class with default schemes and options.
  166.      * @return singleton instance with default schemes and options
  167.      */
  168.     public static UrlValidator getInstance() {
  169.         return DEFAULT_URL_VALIDATOR;
  170.     }

  172.     /**
  173.      * Tests whether the given flag is on.  If the flag is not a power of 2
  174.      * (e.g. 3) this tests whether the combination of flags is on.
  175.      *
  176.      * @param flag Flag value to check.
  177.      * @param options what to check
  178.      *
  179.      * @return whether the specified flag value is on.
  180.      */
  181.     private static boolean isOn(final long flag, final long options) {
  182.         return (options & flag) > 0;
  183.     }

  185.     /**
  186.      * Holds the set of current validation options.
  187.      */
  188.     private final long options;

  190.     /**
  191.      * The set of schemes that are allowed to be in a URL.
  192.      */
  193.     private final Set<String> allowedSchemes; // Must be lower-case

  195.     /**
  196.      * Regular expressions used to manually validate authorities if IANA
  197.      * domain name validation isn't desired.
  198.      */
  199.     private final RegexValidator authorityValidator;

  201.     private final DomainValidator domainValidator;

  203.     /**
  204.      * Create a UrlValidator with default properties.
  205.      */
  206.     public UrlValidator() {
  207.         this(null);
  208.     }

  210.     /**
  211.      * Initialize a UrlValidator with the given validation options.
  212.      * @param options The options should be set using the public constants declared in
  213.      * this class.  To set multiple options you simply add them together.  For example,
  214.      * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
  215.      */
  216.     public UrlValidator(final long options) {
  217.         this(null, null, options);
  218.     }

  220.     /**
  221.      * Initialize a UrlValidator with the given validation options.
  222.      * @param authorityValidator Regular expression validator used to validate the authority part
  223.      * This allows the user to override the standard set of domains.
  224.      * @param options Validation options. Set using the public constants of this class.
  225.      * To set multiple options, simply add them together:
  226.      * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p>
  227.      * enables both of those options.
  228.      */
  229.     public UrlValidator(final RegexValidator authorityValidator, final long options) {
  230.         this(null, authorityValidator, options);
  231.     }

  233.     /**
  234.      * Behavior of validation is modified by passing in several strings options:
  235.      * @param schemes Pass in one or more URL schemes to consider valid, passing in
  236.      *        a null will default to "http,https,ftp" being valid.
  237.      *        If a non-null schemes is specified then all valid schemes must
  238.      *        be specified. Setting the ALLOW_ALL_SCHEMES option will
  239.      *        ignore the contents of schemes.
  240.      */
  241.     public UrlValidator(final String[] schemes) {
  242.         this(schemes, 0L);
  243.     }

  245.     /**
  246.      * Behavior of validation is modified by passing in options:
  247.      * @param schemes The set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set.
  248.      * @param options The options should be set using the public constants declared in
  249.      * this class.  To set multiple options you simply add them together.  For example,
  250.      * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
  251.      */
  252.     public UrlValidator(final String[] schemes, final long options) {
  253.         this(schemes, null, options);
  254.     }

  256.     /**
  257.      * Customizable constructor. Validation behavior is modified by passing in options.
  258.      * @param schemes the set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set.
  259.      * @param authorityValidator Regular expression validator used to validate the authority part
  260.      * @param options Validation options. Set using the public constants of this class.
  261.      * To set multiple options, simply add them together:
  262.      * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p>
  263.      * enables both of those options.
  264.      */
  265.     public UrlValidator(final String[] schemes, final RegexValidator authorityValidator, final long options) {
  266.         this(schemes, authorityValidator, options, DomainValidator.getInstance(isOn(ALLOW_LOCAL_URLS, options)));
  267.     }

  269.     /**
  270.      * Customizable constructor. Validation behavior is modified by passing in options.
  271.      * @param schemes the set of valid schemes. Ignored if the ALLOW_ALL_SCHEMES option is set.
  272.      * @param authorityValidator Regular expression validator used to validate the authority part
  273.      * @param options Validation options. Set using the public constants of this class.
  274.      * To set multiple options, simply add them together:
  275.      * <p><code>ALLOW_2_SLASHES + NO_FRAGMENTS</code></p>
  276.      * enables both of those options.
  277.      * @param domainValidator the DomainValidator to use; must agree with ALLOW_LOCAL_URLS setting
  278.      * @since 1.7
  279.      */
  280.     public UrlValidator(String[] schemes, final RegexValidator authorityValidator, final long options, final DomainValidator domainValidator) {
  281.         this.options = options;
  282.         if (domainValidator == null) {
  283.             throw new IllegalArgumentException("DomainValidator must not be null");
  284.         }
  285.         if (domainValidator.isAllowLocal() != (options & ALLOW_LOCAL_URLS) > 0) {
  286.             throw new IllegalArgumentException("DomainValidator disagrees with ALLOW_LOCAL_URLS setting");
  287.         }
  288.         this.domainValidator = domainValidator;

  290.         if (isOn(ALLOW_ALL_SCHEMES)) {
  291.             allowedSchemes = Collections.emptySet();
  292.         } else {
  293.             if (schemes == null) {
  294.                 schemes = DEFAULT_SCHEMES;
  295.             }
  296.             allowedSchemes = new HashSet<>(schemes.length);
  297.             for (final String scheme : schemes) {
  298.                 allowedSchemes.add(scheme.toLowerCase(Locale.ENGLISH));
  299.             }
  300.         }

  302.         this.authorityValidator = authorityValidator;
  303.     }

  305.     /**
  306.      * Returns the number of times the token appears in the target.
  307.      * @param token Token value to be counted.
  308.      * @param target Target value to count tokens in.
  309.      * @return the number of tokens.
  310.      */
  311.     protected int countToken(final String token, final String target) {
  312.         int tokenIndex = 0;
  313.         int count = 0;
  314.         while (tokenIndex != -1) {
  315.             tokenIndex = target.indexOf(token, tokenIndex);
  316.             if (tokenIndex > -1) {
  317.                 tokenIndex++;
  318.                 count++;
  319.             }
  320.         }
  321.         return count;
  322.     }

  324.     /**
  325.      * Tests whether the given flag is off.  If the flag is not a power of 2
  326.      * (ie. 3) this tests whether the combination of flags is off.
  327.      *
  328.      * @param flag Flag value to check.
  329.      *
  330.      * @return whether the specified flag value is off.
  331.      */
  332.     private boolean isOff(final long flag) {
  333.         return (options & flag) == 0;
  334.     }

  336.     /**
  337.      * Tests whether the given flag is on.  If the flag is not a power of 2
  338.      * (ie. 3) this tests whether the combination of flags is on.
  339.      *
  340.      * @param flag Flag value to check.
  341.      *
  342.      * @return whether the specified flag value is on.
  343.      */
  344.     private boolean isOn(final long flag) {
  345.         return (options & flag) > 0;
  346.     }

  348.     /**
  349.      * <p>Checks if a field has a valid URL address.</p>
  350.      *
  351.      * Note that the method calls #isValidAuthority()
  352.      * which checks that the domain is valid.
  353.      *
  354.      * @param value The value validation is being performed on.  A {@code null}
  355.      * value is considered invalid.
  356.      * @return true if the URL is valid.
  357.      */
  358.     public boolean isValid(final String value) {
  359.         if (value == null) {
  360.             return false;
  361.         }

  363.         URI uri; // ensure value is a valid URI
  364.         try {
  365.             uri = new URI(value);
  366.         } catch (final URISyntaxException e) {
  367.             return false;
  368.         }
  369.         // OK, perform additional validation

  371.         final String scheme = uri.getScheme();
  372.         if (!isValidScheme(scheme)) {
  373.             return false;
  374.         }

  376.         final String authority = uri.getRawAuthority();
  377.         if ("file".equals(scheme) && GenericValidator.isBlankOrNull(authority)) { // Special case - file: allows an empty authority
  378.             return true; // this is a local file - nothing more to do here
  379.         }
  380.         if ("file".equals(scheme) && authority != null && authority.contains(":")) {
  381.             return false;
  382.         }
  383.         // Validate the authority
  384.         if (!isValidAuthority(authority)) {
  385.             return false;
  386.         }

  388.         if (!isValidPath(uri.getRawPath())) {
  389.             return false;
  390.         }

  392.         if (!isValidQuery(uri.getRawQuery())) {
  393.             return false;
  394.         }

  396.         if (!isValidFragment(uri.getRawFragment())) {
  397.             return false;
  398.         }

  400.         return true;
  401.     }

  403.     /**
  404.      * Returns true if the authority is properly formatted.  An authority is the combination
  405.      * of hostname and port.  A {@code null} authority value is considered invalid.
  406.      * Note: this implementation validates the domain unless a RegexValidator was provided.
  407.      * If a RegexValidator was supplied and it matches, then the authority is regarded
  408.      * as valid with no further checks, otherwise the method checks against the
  409.      * AUTHORITY_PATTERN and the DomainValidator (ALLOW_LOCAL_URLS)
  410.      * @param authority Authority value to validate, alllows IDN
  411.      * @return true if authority (hostname and port) is valid.
  412.      */
  413.     protected boolean isValidAuthority(final String authority) {
  414.         if (authority == null) {
  415.             return false;
  416.         }

  418.         // check manual authority validation if specified
  419.         if (authorityValidator != null && authorityValidator.isValid(authority)) {
  420.             return true;
  421.         }
  422.         // convert to ASCII if possible
  423.         final String authorityASCII = DomainValidator.unicodeToASCII(authority);

  425.         final Matcher authorityMatcher = AUTHORITY_PATTERN.matcher(authorityASCII);
  426.         if (!authorityMatcher.matches()) {
  427.             return false;
  428.         }

  430.         // We have to process IPV6 separately because that is parsed in a different group
  431.         final String ipv6 = authorityMatcher.group(PARSE_AUTHORITY_IPV6);
  432.         if (ipv6 != null) {
  433.             final InetAddressValidator inetAddressValidator = InetAddressValidator.getInstance();
  434.             if (!inetAddressValidator.isValidInet6Address(ipv6)) {
  435.                 return false;
  436.             }
  437.         } else {
  438.             final String hostLocation = authorityMatcher.group(PARSE_AUTHORITY_HOST_IP);
  439.             // check if authority is hostname or IP address:
  440.             // try a hostname first since that's much more likely
  441.             if (!this.domainValidator.isValid(hostLocation)) {
  442.                 // try an IPv4 address
  443.                 final InetAddressValidator inetAddressValidator = InetAddressValidator.getInstance();
  444.                 if (!inetAddressValidator.isValidInet4Address(hostLocation)) {
  445.                     // isn't IPv4, so the URL is invalid
  446.                     return false;
  447.                 }
  448.             }
  449.             final String port = authorityMatcher.group(PARSE_AUTHORITY_PORT);
  450.             if (!GenericValidator.isBlankOrNull(port)) {
  451.                 try {
  452.                     final int iPort = Integer.parseInt(port);
  453.                     if (iPort < 0 || iPort > MAX_UNSIGNED_16_BIT_INT) {
  454.                         return false;
  455.                     }
  456.                 } catch (final NumberFormatException nfe) {
  457.                     return false; // this can happen for big numbers
  458.                 }
  459.             }
  460.         }

  462.         final String extra = authorityMatcher.group(PARSE_AUTHORITY_EXTRA);
  463.         if (extra != null && !extra.trim().isEmpty()) {
  464.             return false;
  465.         }

  467.         return true;
  468.     }

  470.     /**
  471.      * Returns true if the given fragment is null or fragments are allowed.
  472.      * @param fragment Fragment value to validate.
  473.      * @return true if fragment is valid.
  474.      */
  475.     protected boolean isValidFragment(final String fragment) {
  476.         if (fragment == null) {
  477.             return true;
  478.         }

  480.         return isOff(NO_FRAGMENTS);
  481.     }

  483.     /**
  484.      * Returns true if the path is valid.  A {@code null} value is considered invalid.
  485.      * @param path Path value to validate.
  486.      * @return true if path is valid.
  487.      */
  488.     protected boolean isValidPath(final String path) {
  489.         if (path == null) {
  490.             return false;
  491.         }

  493.         if (!PATH_PATTERN.matcher(path).matches()) {
  494.             return false;
  495.         }

  497.         try {
  498.             // Don't omit host otherwise leading path may be taken as host if it starts with //
  499.             final URI uri = new URI(null, "localhost", path, null);
  500.             final String norm = uri.normalize().getPath();
  501.             if (norm.startsWith("/../") // Trying to go via the parent dir
  502.                     || norm.equals("/..")) { // Trying to go to the parent dir
  503.                 return false;
  504.             }
  505.         } catch (final URISyntaxException e) {
  506.             return false;
  507.         }

  509.         final int slash2Count = countToken("//", path);
  510.         if (isOff(ALLOW_2_SLASHES) && slash2Count > 0) {
  511.             return false;
  512.         }

  514.         return true;
  515.     }

  517.     /**
  518.      * Returns true if the query is null or it's a properly formatted query string.
  519.      * @param query Query value to validate.
  520.      * @return true if query is valid.
  521.      */
  522.     protected boolean isValidQuery(final String query) {
  523.         if (query == null) {
  524.             return true;
  525.         }
  526.         return QUERY_PATTERN.matcher(query).matches();
  527.     }

  529.     /**
  530.      * Validate scheme. If schemes[] was initialized to a non null,
  531.      * then only those schemes are allowed.
  532.      * Otherwise the default schemes are "http", "https", "ftp".
  533.      * Matching is case-blind.
  534.      * @param scheme The scheme to validate.  A {@code null} value is considered
  535.      * invalid.
  536.      * @return true if valid.
  537.      */
  538.     protected boolean isValidScheme(final String scheme) {
  539.         if (scheme == null) {
  540.             return false;
  541.         }

  543.         if (!SCHEME_PATTERN.matcher(scheme).matches()) {
  544.             return false;
  545.         }

  547.         if (isOff(ALLOW_ALL_SCHEMES) && !allowedSchemes.contains(scheme.toLowerCase(Locale.ENGLISH))) {
  548.             return false;
  549.         }

  551.         return true;
  552.     }

  554. }
Created with JaCoCo 0.8.12.202403310830