Shulou(Shulou.com)06/01 Report--

This article mainly explains "what is the method of java input verification". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "what is the method of java input verification".

Check after string standardization

Usually when we do string checking, we need to filter some special characters, and then check the string after filtering.

We know that characters are encoded based on Unicode in java. But in Unicode, the same character may have a different representation. So we need to standardize the characters.

There is a special class Normalizer in java to deal with the standardization of characters.

Let's look at the following example:

Public void testNormalizer () {System.out.println (Normalizer.normalize ("\ u00C1", Normalizer.Form.NFKC)); System.out.println (Normalizer.normalize ("\ u0041\ u0301", Normalizer.Form.NFKC));}

Output result:

CSA

We can see that although the Unicode of the two is not the same, the final representation of the characters is the same. Therefore, when we do character verification, we must first do normalize processing.

Consider the following example:

Public void falseNormalize () {String s = "\ uFE64" + "script" + "\ uFE65"; Pattern pattern = Pattern.compile ("[]"); / / check for angle brackets Matcher matcher = pattern.matcher (s); if (matcher.find ()) {throw new IllegalStateException ();} s = Normalizer.normalize (s, Normalizer.Form.NFKC);}

Where\ uFE64 indicates that the program is intended to determine whether the input string contains angle brackets, but because the unicode character is passed directly, the direct compile cannot be detected.

We need to make the following changes to the code:

Public void trueNormalize () {String s = "\ uFE64" + "script" + "\ uFE65"; s = Normalizer.normalize (s, Normalizer.Form.NFKC); Pattern pattern = Pattern.compile ("[]"); / / check for angle brackets Matcher matcher = pattern.matcher (s); if (matcher.find ()) {throw new IllegalStateException ();}}

Normalize operation is performed first, followed by character verification.

Note the formatting of untrusted strings

We often use formatting to format strings. When formatting, if the formatting string contains user input information, then we should pay attention.

Look at the following example:

Public void wrongFormat () {Calendar c = new GregorianCalendar (2020, GregorianCalendar.JULY, 27); String input= "1$ tm"; System.out.format (input + "time mismatch, should be the 1$ terd day of a month", c);}

At a cursory glance, there is no problem, but our input contains formatting information, and the final output is:

07 time does not match, it should be the 27rd day of a month

In disguise, we get the internal information of the system, and in some cases, the internal logic of the system may be exposed.

In the above example, we should also take input as a parameter, as shown below:

Public void rightFormat () {Calendar c = new GregorianCalendar (2020, GregorianCalendar.JULY, 27); String input= "1$ tm"; System.out.format ("s time mismatch, should be the terd day of a month", input, c);}

Output result:

1$ tm time mismatch, should be the 27rd day of a month to use Runtime.exec () carefully

We know that Runtime.exec () is used to call system commands, and if a malicious user calls "rm-rf /", it's all over.

Therefore, when we call Runtime.exec (), we must be careful to detect the user's input.

Look at the following example:

Public void wrongExec () throws IOException {String dir = System.getProperty ("dir"); Runtime rt = Runtime.getRuntime (); Process proc = rt.exec (new String [] {"sh", "- c", "ls" + dir});}

In the above example, we read the dir from the system properties and then execute the system's ls command to view the contents of the dir.

If a malicious user assigns a value to dir as:

/ usr & rm-rf /

Then the command that the system actually executes is:

Sh-c'ls / usr & rm-rf /'

This leads to malicious deletions.

There are also several ways to solve the above problems. The first one is to check the input. For example, we only run dir that contains specific characters:

Public void correctExec1 () throws IOException {String dir = System.getProperty ("dir"); if (! Pattern.matches ("[0-9A-Za-z [@.] (https://my.oschina.net/sakkeil)]+", dir)) {/ / Handle error} Runtime rt = Runtime.getRuntime () Process proc = rt.exec (new String [] {"sh", "- c", "ls" + dir});}

The second way is to use a switch statement to qualify a specific input:

Public void correctExec2 () {String dir = System.getProperty ("dir"); switch (dir) {case "/ usr": System.out.println ("/ usr"); break; case "/ local": System.out.println ("/ local"); break Default: break;}}

Another way is not to use the Runtime.exec () method, but to use the method that comes with java.

Matching of regular expressions

In the process of building regular expressions, if user-defined input is used, input verification is also required.

Consider the following regular expression:

(. *? + public\ [\ d +\] +. *)

The above expression is intended to search for user input in log information such as public [1234].

But the user can actually enter the following information:

. *) | (. *

The result is that the regular expression looks like this:

(. *? + public\ [\ d +\] +. *) | (. *. *)

This causes all log information to be matched.

There are also two solutions, one is to use the whitelist to determine the user's input. One is to use Pattern.quote () to escape malicious characters.

Thank you for your reading, these are the contents of "what is the method of java input verification". After the study of this article, I believe you have a deeper understanding of what the method of java input verification is, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.