From 1656454763a733c7e43889ad666970b4bede7f97 Mon Sep 17 00:00:00 2001
From: ptorres-prowide
Date: Mon, 16 Sep 2024 14:18:55 -0300
Subject: [PATCH] Fixing Insecure Bean Validation
---
 .../swift/constraints/BicValidator.java | 5 +---
 .../swift/constraints/IbanValidator.java | 5 +---
 .../swift/model/BicValidationResult.java | 20 ++++++++--------
 .../swift/model/IbanValidationResult.java | 24 +++++++++----------
 4 files changed, 24 insertions(+), 30 deletions(-)
diff --git a/src/main/java/com/prowidesoftware/swift/constraints/BicValidator.java b/src/main/java/com/prowidesoftware/swift/constraints/BicValidator.java
index a8098d780..7a5909d36 100644
--- a/src/main/java/com/prowidesoftware/swift/constraints/BicValidator.java
+++ b/src/main/java/com/prowidesoftware/swift/constraints/BicValidator.java
@@ -15,8 +15,6 @@
 */
 package com.prowidesoftware.swift.constraints;
-import static com.prowidesoftware.swift.utils.ConstraintUtils.escapeScript;
-
 import com.prowidesoftware.swift.model.BIC;
 import com.prowidesoftware.swift.model.BicValidationResult;
 import javax.validation.ConstraintValidator;
@@ -44,8 +42,7 @@ public boolean isValid(String bic, ConstraintValidatorContext context) {
 return true;
 } else {
 context.disableDefaultConstraintViolation();
- context.buildConstraintViolationWithTemplate(escapeScript(result.message())) .addConstraintViolation();
+ context.buildConstraintViolationWithTemplate(result.message()).addConstraintViolation();
 return false;
 }
 }
diff --git a/src/main/java/com/prowidesoftware/swift/constraints/IbanValidator.java b/src/main/java/com/prowidesoftware/swift/constraints/IbanValidator.java
index a472a42a9..2eaf443aa 100644
--- a/src/main/java/com/prowidesoftware/swift/constraints/IbanValidator.java
+++ b/src/main/java/com/prowidesoftware/swift/constraints/IbanValidator.java
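Review bot: Once the `escapeScript` wrapper is gone, the template passed to `buildConstraintViolationWithTemplate` in `isValid` depends entirely on the `escapeScript` call inside `BicValidationResult.message()` (a later hunk) to neutralise the caller-supplied `found` fragment, and that helper's behaviour is not visible in this patch. Because Bean Validation providers interpolate message templates (`{...}` parameters, and `${...}` expressions under Hibernate Validator), a test that validates a constructed input such as `${1+1}` or `{x}` and asserts the violation message reproduces it literally would pin the property this commit relies on. I would also add above the call: `// result.message() already escapes the user-supplied fragment; raw input must never reach a message template`. If Hibernate Validator is the provider, a fixed template plus `HibernateConstraintValidatorContext#addMessageParameter` would keep the untrusted value out of the template entirely; the same applies to the `isValid` hunk in `IbanValidator`. `isValid` begins before this hunk.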
@@ -15,8 +15,6 @@
 */
 package com.prowidesoftware.swift.constraints;
-import static com.prowidesoftware.swift.utils.ConstraintUtils.escapeScript;
-
 import com.prowidesoftware.swift.model.IBAN;
 import com.prowidesoftware.swift.model.IbanValidationResult;
 import javax.validation.ConstraintValidator;
@@ -44,8 +42,7 @@ public boolean isValid(String iban, ConstraintValidatorContext context) {
 return true;
 } else {
 context.disableDefaultConstraintViolation();
- context.buildConstraintViolationWithTemplate(escapeScript(result.message())) .addConstraintViolation();
+ context.buildConstraintViolationWithTemplate(result.message()).addConstraintViolation();
 return false;
 }
diff --git a/src/main/java/com/prowidesoftware/swift/model/BicValidationResult.java b/src/main/java/com/prowidesoftware/swift/model/BicValidationResult.java
index 5823861dd..9183d6843 100644
--- a/src/main/java/com/prowidesoftware/swift/model/BicValidationResult.java
+++ b/src/main/java/com/prowidesoftware/swift/model/BicValidationResult.java
@@ -31,14 +31,14 @@ public enum BicValidationResult {
 INVALID_LENGTH(
 "The BIC code must contain at least 8 characters with the institution (4), country (2) and location code (2)"),
- INVALID_INSTITUTION_LENGTH("The institution code must contain 4 characters and ${length} were found in ${found}"),
- INVALID_COUNTRY_LENGTH("The country code must contain 2 characters and ${length} were found in ${found}"),
- INVALID_LOCATION_LENGTH("The location code must contain 2 characters and ${length} were found in ${found}"),
- INVALID_BRANCH_LENGTH("The branch code must contain 3 characters and ${length} were found in ${found}"),
- INVALID_INSTITUTION_CHARSET("The institution code can only contain uppercase letters and ${found} was found"),
- INVALID_COUNTRY("Invalid country code ${found}"),
- INVALID_LOCATION_CHARSET("The location code can only contain uppercase letters or digits and ${found} was found"),
- INVALID_BRANCH_CHARSET("The branch code can only contain uppercase letters or digits and ${found} was found");
+ INVALID_INSTITUTION_LENGTH("The institution code must contain 4 characters and #[length] were found in #[found]"),
+ INVALID_COUNTRY_LENGTH("The country code must contain 2 characters and #[length] were found in #[found]"),
+ INVALID_LOCATION_LENGTH("The location code must contain 2 characters and #[length] were found in #[found]"),
+ INVALID_BRANCH_LENGTH("The branch code must contain 3 characters and #[length] were found in #[found]"),
+ INVALID_INSTITUTION_CHARSET("The institution code can only contain uppercase letters and #[found] was found"),
+ INVALID_COUNTRY("Invalid country code #[found]"),
+ INVALID_LOCATION_CHARSET("The location code can only contain uppercase letters or digits and #[found] was found"),
+ INVALID_BRANCH_CHARSET("The branch code can only contain uppercase letters or digits and #[found] was found");
 private final String message;
 private String found;
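Review bot: The new `#[name]` placeholder syntax is left unexplained, and since `${name}` is the form most Java developers expect, a later cleanup could reintroduce it without realising that the output of `message()` is used as a constraint-violation message template, where an unsubstituted `${...}` is a candidate for expression evaluation by the provider. I would put a comment above `INVALID_INSTITUTION_LENGTH`: `// Placeholders use #[name] on purpose: message() output becomes a Bean Validation message template, where ${...} and {...} are interpolated by the provider, so the internal markers must not look like either.` A placeholder that is never filled now surfaces literally as `#[name]` in the user-facing text instead of being interpolated away, which is the safer failure but worth one assertion per constant. The same comment belongs on the constant hunk in `IbanValidationResult`; the enum declaration starts before this hunk.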
@@ -54,8 +54,8 @@ public enum BicValidationResult {
 */
 public String message() {
 return this.message
- .replace("${found}", Objects.toString(escapeScript(found)))
- .replace("${length}", found == null ? "-1" : String.valueOf(found.length()));
+ .replace("#[found]", Objects.toString(escapeScript(found)))
+ .replace("#[length]", found == null ? "-1" : String.valueOf(found.length()));
 }
 /**
diff --git a/src/main/java/com/prowidesoftware/swift/model/IbanValidationResult.java b/src/main/java/com/prowidesoftware/swift/model/IbanValidationResult.java
index 5555d0d8e..b9368db6e 100644
--- a/src/main/java/com/prowidesoftware/swift/model/IbanValidationResult.java
+++ b/src/main/java/com/prowidesoftware/swift/model/IbanValidationResult.java
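Review bot: In `message()` the `#[found]` substitution runs before `#[length]`, so a `found` value that itself contains the literal text `#[length]` has it expanded by the second `replace`; filling the numeric placeholder first — `.replace("#[length]", found == null ? "-1" : String.valueOf(found.length()))` followed by `.replace("#[found]", Objects.toString(escapeScript(found)))` — makes the caller-supplied text inert with respect to the library's own markers, unless `escapeScript` already strips `#[`, which this patch does not show. `IbanValidationResult.message()` in the last hunk has the same exposure in its loop: a variable value containing `#[otherKey]` is rewritten by a later iteration, and the outcome depends on the iteration order of `vars`. A single pass there (a `static final Pattern` over `#\[(\w+)\]` driven with `Matcher.appendReplacement` and `Matcher.quoteReplacement`) would substitute each marker exactly once. Also worth a Javadoc line on `message()` stating that the returned string is used as a message template and that `found` has already been escaped for it.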
@@ -35,25 +35,25 @@ public enum IbanValidationResult {
 IBAN_IS_EMPTY("The IBAN is empty"),
 MISSING_COUNTRY_CODE("The IBAN must start with the two letters ISO country code"),
- INVALID_COUNTRY_CODE_CHARSET("The country code must contain upper case letters and ${found} was found"),
+ INVALID_COUNTRY_CODE_CHARSET("The country code must contain upper case letters and #[found] was found"),
 INVALID_COUNTRY_CODE(
- "The country code ${found} is not a valid ISO country code or the country code is not configured for IBAN validations"),
+ "The country code #[found] is not a valid ISO country code or the country code is not configured for IBAN validations"),
- INVALID_CHARACTERS("Invalid character '${found}' found"),
+ INVALID_CHARACTERS("Invalid character '#[found]' found"),
 MISSING_CHECK_DIGITS("Missing check digits"),
- INVALID_CHECK_DIGITS_FORMAT("Expected 2 check digits and found ${found}"),
- IVALID_CHECK_DIGITS("The expected computed check digit is ${expectedCheckDigit} and ${found} was found"),
+ INVALID_CHECK_DIGITS_FORMAT("Expected 2 check digits and found #[found]"),
+ IVALID_CHECK_DIGITS("The expected computed check digit is #[expectedCheckDigit] and #[found] was found"),
 MISSING_BBAN("Missing custom account number (BBAN)"),
 BBAN_MAX_LENGTH(
- "The max length for the custom account number (BBAN) is ${expectedLength} and found ${foundLength}"),
+ "The max length for the custom account number (BBAN) is #[expectedLength] and found #[foundLength]"),
- MISSING_BBAN_CONFIGURATION("Missing custom account number (BBAN) configuration for country ${found}"),
+ MISSING_BBAN_CONFIGURATION("Missing custom account number (BBAN) configuration for country #[found]"),
 BBAN_INVALID_LENGTH(
- "Expected a ${expectedLength} characters length for the custom account number (BBAN) and found ${foundLength} in ${found}"),
- BBAN_INVALID_UPPER_CASE_LETTERS("The ${bbanEntryType} ${found} must contain only upper case letters"),
- BBAN_INVALID_DIGITS_OR_LETTERS("The ${bbanEntryType} ${found} must contain only digits or upper case letters"),
- BBAN_INVALID_DIGITS("The ${bbanEntryType} ${found} must contain only digits"),
+ "Expected a #[expectedLength] characters length for the custom account number (BBAN) and found #[foundLength] in #[found]"),
+ BBAN_INVALID_UPPER_CASE_LETTERS("The #[bbanEntryType] #[found] must contain only upper case letters"),
+ BBAN_INVALID_DIGITS_OR_LETTERS("The #[bbanEntryType] #[found] must contain only digits or upper case letters"),
+ BBAN_INVALID_DIGITS("The #[bbanEntryType] #[found] must contain only digits"),
 UNKNOWN("Unknown exception validating IBAN");
@@ -70,7 +70,7 @@ public enum IbanValidationResult {
 public String message() {
 String msg = this.message;
 for (Entry e : vars.entrySet()) {
- msg = msg.replace("${" + e.getKey() + "}", escapeScript(e.getValue()));
+ msg = msg.replace("#[" + e.getKey() + "]", escapeScript(e.getValue()));
 }
 return msg;
 }