1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache License, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17 package org.apache.commons.validator;
18
19 import java.io.Serializable;
20 import java.util.Arrays;
21 import java.util.HashSet;
22 import java.util.Set;
23 import java.util.regex.Matcher;
24 import java.util.regex.Pattern;
25
26 import org.apache.commons.validator.routines.InetAddressValidator;
27 import org.apache.commons.validator.util.Flags;
28
29 /**
30 * <p>Validates URLs.</p>
31 * Behavour of validation is modified by passing in options:
32 * <ul>
33 * <li>ALLOW_2_SLASHES - [FALSE] Allows double '/' characters in the path
34 * component.</li>
35 * <li>NO_FRAGMENT- [FALSE] By default fragments are allowed, if this option is
36 * included then fragments are flagged as illegal.</li>
37 * <li>ALLOW_ALL_SCHEMES - [FALSE] By default only http, https, and ftp are
38 * considered valid schemes. Enabling this option will let any scheme pass validation.</li>
39 * </ul>
40 *
41 * <p>Originally based in on php script by Debbie Dyer, validation.php v1.2b, Date: 03/07/02,
42 * https://javascript.internet.com. However, this validation now bears little resemblance
43 * to the php original.</p>
44 * <pre>
45 * Example of usage:
46 * Construct a UrlValidator with valid schemes of "http", and "https".
47 *
48 * String[] schemes = {"http","https"}.
49 * UrlValidator urlValidator = new UrlValidator(schemes);
50 * if (urlValidator.isValid("ftp://foo.bar.com/")) {
51 * System.out.println("URL is valid");
52 * } else {
53 * System.out.println("URL is invalid");
54 * }
55 *
56 * prints "URL is invalid"
57 * If instead the default constructor is used.
58 *
59 * UrlValidator urlValidator = new UrlValidator();
60 * if (urlValidator.isValid("ftp://foo.bar.com/")) {
61 * System.out.println("URL is valid");
62 * } else {
63 * System.out.println("URL is invalid");
64 * }
65 *
66 * prints out "URL is valid"
67 * </pre>
68 *
69 * @see
70 * <a href="http://www.ietf.org/rfc/rfc2396.txt">
71 * Uniform Resource Identifiers (URI): Generic Syntax
72 * </a>
73 *
74 * @since 1.1
75 * @deprecated Use the new UrlValidator in the routines package. This class
76 * will be removed in a future release.
77 */
78 @Deprecated
79 public class UrlValidator implements Serializable {
80
81 private static final long serialVersionUID = 24137157400029593L;
82
83 /**
84 * Allows all validly formatted schemes to pass validation instead of
85 * supplying a set of valid schemes.
86 */
87 public static final int ALLOW_ALL_SCHEMES = 1 << 0;
88
89 /**
90 * Allow two slashes in the path component of the URL.
91 */
92 public static final int ALLOW_2_SLASHES = 1 << 1;
93
94 /**
95 * Enabling this options disallows any URL fragments.
96 */
97 public static final int NO_FRAGMENTS = 1 << 2;
98
99 private static final String ALPHA_CHARS = "a-zA-Z";
100
101 // NOT USED private static final String ALPHA_NUMERIC_CHARS = ALPHA_CHARS + "\\d";
102
103 private static final String SPECIAL_CHARS = ";/@&=,.?:+$";
104
105 private static final String VALID_CHARS = "[^\\s" + SPECIAL_CHARS + "]";
106
107 // Drop numeric, and "+-." for now
108 private static final String AUTHORITY_CHARS_REGEX = "\\p{Alnum}\\-\\.";
109
110 private static final String ATOM = VALID_CHARS + '+';
111
112 /**
113 * This expression derived/taken from the BNF for URI (RFC2396).
114 */
115 private static final String URL_REGEX =
116 "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?";
117 // 12 3 4 5 6 7 8 9
118 private static final Pattern URL_PATTERN = Pattern.compile(URL_REGEX);
119
120 /**
121 * Schema/Protocol (ie. http:, ftp:, file:, etc).
122 */
123 private static final int PARSE_URL_SCHEME = 2;
124
125 /**
126 * Includes hostname/ip and port number.
127 */
128 private static final int PARSE_URL_AUTHORITY = 4;
129
130 private static final int PARSE_URL_PATH = 5;
131
132 private static final int PARSE_URL_QUERY = 7;
133
134 private static final int PARSE_URL_FRAGMENT = 9;
135
136 /**
137 * Protocol (ie. http:, ftp:,https:).
138 */
139 private static final Pattern SCHEME_PATTERN = Pattern.compile("^\\p{Alpha}[\\p{Alnum}\\+\\-\\.]*");
140
141 private static final String AUTHORITY_REGEX =
142 "^([" + AUTHORITY_CHARS_REGEX + "]*)(:\\d*)?(.*)?";
143 // 1 2 3 4
144 private static final Pattern AUTHORITY_PATTERN = Pattern.compile(AUTHORITY_REGEX);
145
146 private static final int PARSE_AUTHORITY_HOST_IP = 1;
147
148 private static final int PARSE_AUTHORITY_PORT = 2;
149
150 /**
151 * Should always be empty.
152 */
153 private static final int PARSE_AUTHORITY_EXTRA = 3;
154
155 private static final Pattern PATH_PATTERN = Pattern.compile("^(/[-\\w:@&?=+,.!/~*'%$_;]*)?$");
156
157 private static final Pattern QUERY_PATTERN = Pattern.compile("^(.*)$");
158
159 private static final Pattern LEGAL_ASCII_PATTERN = Pattern.compile("^\\p{ASCII}+$");
160
161 private static final Pattern DOMAIN_PATTERN =
162 Pattern.compile("^" + ATOM + "(\\." + ATOM + ")*$");
163
164 private static final Pattern PORT_PATTERN = Pattern.compile("^:(\\d{1,5})$");
165
166 private static final Pattern ATOM_PATTERN = Pattern.compile("^(" + ATOM + ").*?$");
167
168 private static final Pattern ALPHA_PATTERN = Pattern.compile("^[" + ALPHA_CHARS + "]");
169
170 /**
171 * Holds the set of current validation options.
172 */
173 private final Flags options;
174
175 /**
176 * The set of schemes that are allowed to be in a URL.
177 */
178 private final Set<String> allowedSchemes = new HashSet<>();
179
180 /**
181 * If no schemes are provided, default to this set.
182 */
183 protected String[] defaultSchemes = {"http", "https", "ftp"};
184
185 /**
186 * Create a UrlValidator with default properties.
187 */
188 public UrlValidator() {
189 this(null);
190 }
191
192 /**
193 * Initialize a UrlValidator with the given validation options.
194 * @param options The options should be set using the public constants declared in
195 * this class. To set multiple options you simply add them together. For example,
196 * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
197 */
198 public UrlValidator(final int options) {
199 this(null, options);
200 }
201
202 /**
203 * Behavior of validation is modified by passing in several strings options:
204 * @param schemes Pass in one or more URL schemes to consider valid, passing in
205 * a null will default to "http,https,ftp" being valid.
206 * If a non-null schemes is specified then all valid schemes must
207 * be specified. Setting the ALLOW_ALL_SCHEMES option will
208 * ignore the contents of schemes.
209 */
210 public UrlValidator(final String[] schemes) {
211 this(schemes, 0);
212 }
213
214 /**
215 * Behavour of validation is modified by passing in options:
216 * @param schemes The set of valid schemes.
217 * @param options The options should be set using the public constants declared in
218 * this class. To set multiple options you simply add them together. For example,
219 * ALLOW_2_SLASHES + NO_FRAGMENTS enables both of those options.
220 */
221 public UrlValidator(String[] schemes, final int options) {
222 this.options = new Flags(options);
223
224 if (this.options.isOn(ALLOW_ALL_SCHEMES)) {
225 return;
226 }
227
228 if (schemes == null) {
229 schemes = this.defaultSchemes;
230 }
231
232 this.allowedSchemes.addAll(Arrays.asList(schemes));
233 }
234
235 /**
236 * Returns the number of times the token appears in the target.
237 * @param token Token value to be counted.
238 * @param target Target value to count tokens in.
239 * @return the number of tokens.
240 */
241 protected int countToken(final String token, final String target) {
242 int tokenIndex = 0;
243 int count = 0;
244 while (tokenIndex != -1) {
245 tokenIndex = target.indexOf(token, tokenIndex);
246 if (tokenIndex > -1) {
247 tokenIndex++;
248 count++;
249 }
250 }
251 return count;
252 }
253
254 /**
255 * <p>Checks if a field has a valid URL address.</p>
256 *
257 * @param value The value validation is being performed on. A {@code null}
258 * value is considered invalid.
259 * @return true if the URL is valid.
260 */
261 public boolean isValid(final String value) {
262 if (value == null) {
263 return false;
264 }
265 if (!LEGAL_ASCII_PATTERN.matcher(value).matches()) {
266 return false;
267 }
268
269 // Check the whole url address structure
270 final Matcher urlMatcher = URL_PATTERN.matcher(value);
271 if (!urlMatcher.matches()) {
272 return false;
273 }
274
275 if (!isValidScheme(urlMatcher.group(PARSE_URL_SCHEME))) {
276 return false;
277 }
278
279 if (!isValidAuthority(urlMatcher.group(PARSE_URL_AUTHORITY))) {
280 return false;
281 }
282
283 if (!isValidPath(urlMatcher.group(PARSE_URL_PATH))) {
284 return false;
285 }
286
287 if (!isValidQuery(urlMatcher.group(PARSE_URL_QUERY))) {
288 return false;
289 }
290
291 if (!isValidFragment(urlMatcher.group(PARSE_URL_FRAGMENT))) {
292 return false;
293 }
294
295 return true;
296 }
297
298 /**
299 * Returns true if the authority is properly formatted. An authority is the combination
300 * of hostname and port. A {@code null} authority value is considered invalid.
301 * @param authority Authority value to validate.
302 * @return true if authority (hostname and port) is valid.
303 */
304 protected boolean isValidAuthority(final String authority) {
305 if (authority == null) {
306 return false;
307 }
308
309 final InetAddressValidator inetAddressValidator =
310 InetAddressValidator.getInstance();
311
312 final Matcher authorityMatcher = AUTHORITY_PATTERN.matcher(authority);
313 if (!authorityMatcher.matches()) {
314 return false;
315 }
316
317 boolean hostname = false;
318 // check if authority is IP address or hostname
319 String hostIP = authorityMatcher.group(PARSE_AUTHORITY_HOST_IP);
320 final boolean ipV4Address = inetAddressValidator.isValid(hostIP);
321
322 if (!ipV4Address) {
323 // Domain is hostname name
324 hostname = DOMAIN_PATTERN.matcher(hostIP).matches();
325 }
326
327 //rightmost hostname will never start with a digit.
328 if (hostname) {
329 // LOW-TECH FIX FOR VALIDATOR-202
330 // TODO: Rewrite to use ArrayList and .add semantics: see VALIDATOR-203
331 final char[] chars = hostIP.toCharArray();
332 int size = 1;
333 for (final char element : chars) {
334 if (element == '.') {
335 size++;
336 }
337 }
338 final String[] domainSegment = new String[size];
339 boolean match = true;
340 int segmentCount = 0;
341 int segmentLength = 0;
342
343 while (match) {
344 final Matcher atomMatcher = ATOM_PATTERN.matcher(hostIP);
345 match = atomMatcher.matches();
346 if (match) {
347 domainSegment[segmentCount] = atomMatcher.group(1);
348 segmentLength = domainSegment[segmentCount].length() + 1;
349 hostIP =
350 segmentLength >= hostIP.length()
351 ? ""
352 : hostIP.substring(segmentLength);
353
354 segmentCount++;
355 }
356 }
357 final String topLevel = domainSegment[segmentCount - 1];
358 if (topLevel.length() < 2 || topLevel.length() > 4) { // CHECKSTYLE IGNORE MagicNumber (deprecated code)
359 return false;
360 }
361
362 // First letter of top level must be a alpha
363 if (!ALPHA_PATTERN.matcher(topLevel.substring(0, 1)).matches()) {
364 return false;
365 }
366
367 // Make sure there's a host name preceding the authority.
368 if (segmentCount < 2) {
369 return false;
370 }
371 }
372
373 if (!hostname && !ipV4Address) {
374 return false;
375 }
376
377 final String port = authorityMatcher.group(PARSE_AUTHORITY_PORT);
378 if (port != null && !PORT_PATTERN.matcher(port).matches()) {
379 return false;
380 }
381
382 final String extra = authorityMatcher.group(PARSE_AUTHORITY_EXTRA);
383 if (!GenericValidator.isBlankOrNull(extra)) {
384 return false;
385 }
386
387 return true;
388 }
389
390 /**
391 * Returns true if the given fragment is null or fragments are allowed.
392 * @param fragment Fragment value to validate.
393 * @return true if fragment is valid.
394 */
395 protected boolean isValidFragment(final String fragment) {
396 if (fragment == null) {
397 return true;
398 }
399
400 return options.isOff(NO_FRAGMENTS);
401 }
402
403 /**
404 * Returns true if the path is valid. A {@code null} value is considered invalid.
405 * @param path Path value to validate.
406 * @return true if path is valid.
407 */
408 protected boolean isValidPath(final String path) {
409 if (path == null) {
410 return false;
411 }
412
413 if (!PATH_PATTERN.matcher(path).matches()) {
414 return false;
415 }
416
417 final int slash2Count = countToken("//", path);
418 if (options.isOff(ALLOW_2_SLASHES) && slash2Count > 0) {
419 return false;
420 }
421
422 final int slashCount = countToken("/", path);
423 final int dot2Count = countToken("..", path);
424 if (dot2Count > 0 && slashCount - slash2Count - 1 <= dot2Count) {
425 return false;
426 }
427
428 return true;
429 }
430
431 /**
432 * Returns true if the query is null or it's a properly formatted query string.
433 * @param query Query value to validate.
434 * @return true if query is valid.
435 */
436 protected boolean isValidQuery(final String query) {
437 if (query == null) {
438 return true;
439 }
440
441 return QUERY_PATTERN.matcher(query).matches();
442 }
443
444 /**
445 * Validate scheme. If schemes[] was initialized to a non null,
446 * then only those scheme's are allowed. Note this is slightly different
447 * than for the constructor.
448 * @param scheme The scheme to validate. A {@code null} value is considered
449 * invalid.
450 * @return true if valid.
451 */
452 protected boolean isValidScheme(final String scheme) {
453 if (scheme == null) {
454 return false;
455 }
456
457 if (!SCHEME_PATTERN.matcher(scheme).matches()) {
458 return false;
459 }
460
461 if (options.isOff(ALLOW_ALL_SCHEMES) && !allowedSchemes.contains(scheme)) {
462 return false;
463 }
464
465 return true;
466 }
467 }