Fixing Insecure Bean Validation

prowide · Sep 16, 2024 · 1656454 · 1656454
1 parent b54e3a8
commit 1656454
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 30 deletions.
diff --git a/src/main/java/com/prowidesoftware/swift/constraints/BicValidator.java b/src/main/java/com/prowidesoftware/swift/constraints/BicValidator.java
@@ -15,8 +15,6 @@
  */
 package com.prowidesoftware.swift.constraints;
 
-import static com.prowidesoftware.swift.utils.ConstraintUtils.escapeScript;
-
 import com.prowidesoftware.swift.model.BIC;
 import com.prowidesoftware.swift.model.BicValidationResult;
 import javax.validation.ConstraintValidator;
@@ -44,8 +42,7 @@ public boolean isValid(String bic, ConstraintValidatorContext context) {
             return true;
         } else {
             context.disableDefaultConstraintViolation();
-            context.buildConstraintViolationWithTemplate(escapeScript(result.message()))
-                    .addConstraintViolation();
+            context.buildConstraintViolationWithTemplate(result.message()).addConstraintViolation();
             return false;
         }
     }

diff --git a/src/main/java/com/prowidesoftware/swift/constraints/IbanValidator.java b/src/main/java/com/prowidesoftware/swift/constraints/IbanValidator.java
@@ -15,8 +15,6 @@
  */
 package com.prowidesoftware.swift.constraints;
 
-import static com.prowidesoftware.swift.utils.ConstraintUtils.escapeScript;
-
 import com.prowidesoftware.swift.model.IBAN;
 import com.prowidesoftware.swift.model.IbanValidationResult;
 import javax.validation.ConstraintValidator;
@@ -44,8 +42,7 @@ public boolean isValid(String iban, ConstraintValidatorContext context) {
             return true;
         } else {
             context.disableDefaultConstraintViolation();
-            context.buildConstraintViolationWithTemplate(escapeScript(result.message()))
-                    .addConstraintViolation();
+            context.buildConstraintViolationWithTemplate(result.message()).addConstraintViolation();
 
             return false;
         }

diff --git a/src/main/java/com/prowidesoftware/swift/model/BicValidationResult.java b/src/main/java/com/prowidesoftware/swift/model/BicValidationResult.java
@@ -31,14 +31,14 @@ public enum BicValidationResult {
 
     INVALID_LENGTH(
             "The BIC code must contain at least 8 characters with the institution (4), country (2) and location code (2)"),
-    INVALID_INSTITUTION_LENGTH("The institution code must contain 4 characters and ${length} were found in ${found}"),
-    INVALID_COUNTRY_LENGTH("The country code must contain 2 characters and ${length} were found in ${found}"),
-    INVALID_LOCATION_LENGTH("The location code must contain 2 characters and ${length} were found in ${found}"),
-    INVALID_BRANCH_LENGTH("The branch code must contain 3 characters and ${length} were found in ${found}"),
-    INVALID_INSTITUTION_CHARSET("The institution code can only contain uppercase letters and ${found} was found"),
-    INVALID_COUNTRY("Invalid country code ${found}"),
-    INVALID_LOCATION_CHARSET("The location code can only contain uppercase letters or digits and ${found} was found"),
-    INVALID_BRANCH_CHARSET("The branch code can only contain uppercase letters or digits and ${found} was found");
+    INVALID_INSTITUTION_LENGTH("The institution code must contain 4 characters and #[length] were found in #[found]"),
+    INVALID_COUNTRY_LENGTH("The country code must contain 2 characters and #[length] were found in #[found]"),
+    INVALID_LOCATION_LENGTH("The location code must contain 2 characters and #[length] were found in #[found]"),
+    INVALID_BRANCH_LENGTH("The branch code must contain 3 characters and #[length] were found in #[found]"),
+    INVALID_INSTITUTION_CHARSET("The institution code can only contain uppercase letters and #[found] was found"),
+    INVALID_COUNTRY("Invalid country code #[found]"),
+    INVALID_LOCATION_CHARSET("The location code can only contain uppercase letters or digits and #[found] was found"),
+    INVALID_BRANCH_CHARSET("The branch code can only contain uppercase letters or digits and #[found] was found");
 
     private final String message;
     private String found;
@@ -54,8 +54,8 @@ public enum BicValidationResult {
      */
     public String message() {
         return this.message
-                .replace("${found}", Objects.toString(escapeScript(found)))
-                .replace("${length}", found == null ? "-1" : String.valueOf(found.length()));
+                .replace("#[found]", Objects.toString(escapeScript(found)))
+                .replace("#[length]", found == null ? "-1" : String.valueOf(found.length()));
     }
 
     /**

diff --git a/src/main/java/com/prowidesoftware/swift/model/IbanValidationResult.java b/src/main/java/com/prowidesoftware/swift/model/IbanValidationResult.java
@@ -35,25 +35,25 @@ public enum IbanValidationResult {
     IBAN_IS_EMPTY("The IBAN is empty"),
 
     MISSING_COUNTRY_CODE("The IBAN must start with the two letters ISO country code"),
-    INVALID_COUNTRY_CODE_CHARSET("The country code must contain upper case letters and ${found} was found"),
+    INVALID_COUNTRY_CODE_CHARSET("The country code must contain upper case letters and #[found] was found"),
     INVALID_COUNTRY_CODE(
-            "The country code ${found} is not a valid ISO country code or the country code is not configured for IBAN validations"),
+            "The country code #[found] is not a valid ISO country code or the country code is not configured for IBAN validations"),
 
-    INVALID_CHARACTERS("Invalid character '${found}' found"),
+    INVALID_CHARACTERS("Invalid character '#[found]' found"),
     MISSING_CHECK_DIGITS("Missing check digits"),
-    INVALID_CHECK_DIGITS_FORMAT("Expected 2 check digits and found ${found}"),
-    IVALID_CHECK_DIGITS("The expected computed check digit is ${expectedCheckDigit} and ${found} was found"),
+    INVALID_CHECK_DIGITS_FORMAT("Expected 2 check digits and found #[found]"),
+    IVALID_CHECK_DIGITS("The expected computed check digit is #[expectedCheckDigit] and #[found] was found"),
 
     MISSING_BBAN("Missing custom account number (BBAN)"),
     BBAN_MAX_LENGTH(
-            "The max length for the custom account number (BBAN) is ${expectedLength} and found ${foundLength}"),
+            "The max length for the custom account number (BBAN) is #[expectedLength] and found #[foundLength]"),
 
-    MISSING_BBAN_CONFIGURATION("Missing custom account number (BBAN) configuration for country ${found}"),
+    MISSING_BBAN_CONFIGURATION("Missing custom account number (BBAN) configuration for country #[found]"),
     BBAN_INVALID_LENGTH(
-            "Expected a ${expectedLength} characters length for the custom account number (BBAN) and found ${foundLength} in ${found}"),
-    BBAN_INVALID_UPPER_CASE_LETTERS("The ${bbanEntryType} ${found} must contain only upper case letters"),
-    BBAN_INVALID_DIGITS_OR_LETTERS("The ${bbanEntryType} ${found} must contain only digits or upper case letters"),
-    BBAN_INVALID_DIGITS("The ${bbanEntryType} ${found} must contain only digits"),
+            "Expected a #[expectedLength] characters length for the custom account number (BBAN) and found #[foundLength] in #[found]"),
+    BBAN_INVALID_UPPER_CASE_LETTERS("The #[bbanEntryType] #[found] must contain only upper case letters"),
+    BBAN_INVALID_DIGITS_OR_LETTERS("The #[bbanEntryType] #[found] must contain only digits or upper case letters"),
+    BBAN_INVALID_DIGITS("The #[bbanEntryType] #[found] must contain only digits"),
 
     UNKNOWN("Unknown exception validating IBAN");
 
@@ -70,7 +70,7 @@ public enum IbanValidationResult {
     public String message() {
         String msg = this.message;
         for (Entry<String, String> e : vars.entrySet()) {
-            msg = msg.replace("${" + e.getKey() + "}", escapeScript(e.getValue()));
+            msg = msg.replace("#[" + e.getKey() + "]", escapeScript(e.getValue()));
         }
         return msg;
     }