Index (Javadoc)

C E I P S V
All Classes and Interfaces|All Packages
C

clearPDFMetadata(PDDocument) - Static method in class eu.righettod.SecurityUtils: Remove as much as possible metadata from the provided PDF document object.
computeHashNoProneToAbuseOnParts(List<String>) - Static method in class eu.righettod.SecurityUtils: Compute a SHA256 hash from an input composed of a collection of strings.

This method take care to build the source string in a way to prevent this source string to be prone to abuse targeting the different parts composing it.

Example of possible abuse without precautions applied during the hash calculation logic:
Hash of SHA256("Hello", "My", "World!!!")

E

ensureSerializedObjectIntegrity(ProcessingMode, String, byte[]) - Static method in class eu.righettod.SecurityUtils

Provide a way to add an integrity marker (HMAC) to a serialized object serialized using the java native system (binary).

 The goal is to provide a temporary workaround to try to prevent deserialization attacks and give time to move to a text-based serialization approach.

eu.righettod - package eu.righettod
 
extractAllPDFLinks(String) - Static method in class eu.righettod.SecurityUtils

Extract all URL links from a PDF file provided.

 This can be used to apply validation on a PDF against contained links.


I

identifyMimeType(byte[]) - Static method in class eu.righettod.SecurityUtils

Identify the mime type of the content specified (array of bytes).

 Note that it cannot be fully trusted (see the tweet '1595824709186519041' referenced), so, additional validations are required.

IMAGE - Enum constant in enum class eu.righettod.InputFileType

Image: PNG, GIF, ...

InputFileType - Enum Class in eu.righettod

Enumeration used by the method SecurityUtils.sanitizeFile() to define the type of file to sanitize.

isEmailAddress(String) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a string expected to be an email address:

 - Is a valid email address, from a parser perspective, following RFCs on email addresses.

 - Is not using "Encoded-word" format.

 - Is not using comment format.

 - Is not using "Punycode" format.

 - Is not using UUCP style addresses.

 - Is not using address literals.

 - Is not using source routes.

 - Is not using the "percent hack".


 This is based on the research work from Gareth Heyes added in references (Portswigger).



 Note: The notion of valid, here, is to take from a secure usage of the data perspective.

isExcelCSVSafe(String) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a EXCEL CSV file provided (file was expected to be opened in Microsoft EXCEL):

 - Real CSV file.

 - Do not contains any payload related to a CSV injections.


 Ensure that, if Apache Commons CSV does not find any record then, the file will be considered as NOT safe (prevent potential bypasses).


 Note: Record delimiter used is the , (comma) character.

isImageSafe(String, List<String>) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a image file provided:

 - Real image file.

 - Its mime type is into the list of allowed mime types.

 - Its metadata fields do not contains any characters related to a malicious payloads.


 

 Important note: This implementation is prone to bypass using the "raw insertion" method documented in the blog post from the Synacktiv team.

isJSONSafe(String, int, int) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a JSON string provided:

 - Real JSON structure.

 - Contain less than a specified number of deepness for nested objects or arrays.

 - Contain less than a specified number of items in any arrays.



 Note: I decided to use a parsing approach using only string processing to prevent any StackOverFlow or OutOfMemory error that can be abused.


 I used the following assumption:
 
      The character { identify the beginning of an object.
      The character } identify the end of an object.
      The character [ identify the beginning of an array.
      The character ] identify the end of an array.
      The character " identify the delimiter of a string.
      The character sequence \" identify the escaping of an double quote.
 

isPDFSafe(String) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a PDF file provided:

 - Real PDF file

 - No attachments.

 - No Javascript code.

 - No links using action of type URI/Launch/RemoteGoTo/ImportData.


isPSD2StetSafeCertificateURL(String) - Static method in class eu.righettod.SecurityUtils

The PSD2 STET specification require to use HTTP Signature.

isPublicIPAddress(String) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a string expected to be an public IP address:

 - Is a valid IP v4 or v6 address.

 - Is public from an Internet perspective.


 Note: I often see missing such validation in the value read from HTTP request headers like "X-Forwarded-For" or "Forwarded".

isRelativeURL(String) - Static method in class eu.righettod.SecurityUtils

Validate that the URL provided is really a relative URL.

isWeakPINCode(String) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validation to verify if a provided PIN code is considered weak (easy to guess) or none.

 This method consider that format of the PIN code is [0-9]{6,}

 Rule to consider a PIN code as weak:

 - Length is inferior to 6 positions.

 - Contain only the same number or only a sequence of zero.

 - Contain sequence of following incremental or decremental numbers.


isWord972003DocumentSafe(String) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a Word 97-2003 (binary format) document file provided:

 - Real Microsoft Word 97-2003 document file.

 - No VBA Macro.

 - No embedded objects.


isXMLOnlyUseAllowedXSDorDTD(String, List<String>) - Static method in class eu.righettod.SecurityUtils

Ensure that an XML file only uses DTD/XSD references (called System Identifier) present in the allowed list provided.


 The code is based on the validation implemented into the OpenJDK 21, by the class java.util.prefs.XmlSupport, in the method loadPrefsDoc().


 The method also ensure that no Public Identifier is used to prevent potential bypasses of the validations.

isXMLSafe(String) - Static method in class eu.righettod.SecurityUtils

Ensure that an XML file does not contain any External Entity, DTD or XInclude instructions.

isZIPSafe(String, int, boolean) - Static method in class eu.righettod.SecurityUtils

Apply a collection of validations on a ZIP file provided:

 - Real ZIP file

 - Contain less than a specified level of deepness.

 - Do not contain Zip-Slip entry path.



P

PDF - Enum constant in enum class eu.righettod.InputFileType

PDF file

ProcessingMode - Enum Class in eu.righettod

Enumeration used by the method SecurityUtils.ensureSerializedObjectIntegrity() to define its working mode.

PROTECT - Enum constant in enum class eu.righettod.ProcessingMode

Protection mode: Add the integrity HMAC to the linked serialized object.


S

sanitizeFile(String, InputFileType) - Static method in class eu.righettod.SecurityUtils

Rewrite the input file to remove any embedded files that is not embedded using a methods supported by the official format of the file.

 Example: a file can be embedded by adding it to the end of the source file, see the reference provided for details.

SecurityUtils - Class in eu.righettod

Provides different utilities methods to apply processing from a security perspective.

 These code snippet:
 
     Can be used, as "foundation", to customize the validation to the app context.
     Were implemented in a way to facilitate adding or removal of validations depending on usage context.
     Were centralized on one class to be able to enhance them across time as well as missing case/bug identification.
 


V

VALIDATE - Enum constant in enum class eu.righettod.ProcessingMode

Validation of the protection mode: Verify the integrity HMAC against the linked serialized object.

valueOf(String) - Static method in enum class eu.righettod.InputFileType

Returns the enum constant of this class with the specified name.

valueOf(String) - Static method in enum class eu.righettod.ProcessingMode

Returns the enum constant of this class with the specified name.

values() - Static method in enum class eu.righettod.InputFileType

Returns an array containing the constants of this enum class, in
the order they are declared.

values() - Static method in enum class eu.righettod.ProcessingMode

Returns an array containing the constants of this enum class, in
the order they are declared.


C E I P S V 
All Classes and Interfaces|All Packages