This repository was archived by the owner on May 1, 2022. It is now read-only.
<?php
/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project.
*
* LICENSE: This source file is subject to the New BSD license. You should read
* and accept the LICENSE before you use, modify, and/or redistribute this
* software.
*
* PHP version 5.2
*
* @category OWASP
* @package ESAPI
* @author Johannes B. Ullrich <jullrich@sans.edu>
* @author Mike Boberski <boberski_michael@bah.com>
* @author jah <jah@jahboite.co.uk>
* @copyright 2009-2010 The OWASP Foundation
* @license http://www.opensource.org/licenses/bsd-license.php New BSD license
* @version SVN: $Id$
* @link http://www.owasp.org/index.php/ESAPI
*/
/**
* Implementations require ValidationException and IntrusionException.
*/
require_once dirname(__FILE__) . '/errors/IntrusionException.php';
require_once dirname(__FILE__) . '/errors/ValidationException.php';
/**
* Use this ESAPI security control to wrap your data type-specific
* validation rules.
*
* The idea behind this interface is to encapsulate data type-specific
* validation logic.
*
* @category OWASP
* @package ESAPI
* @author Johannes B. Ullrich <jullrich@sans.edu>
* @author Mike Boberski <boberski_michael@bah.com>
* @author jah <jah@jahboite.co.uk>
* @copyright 2009-2010 The OWASP Foundation
* @license http://www.opensource.org/licenses/bsd-license.php New BSD license
* @version Release: @package_version@
* @link http://www.owasp.org/index.php/ESAPI
*/
interface ValidationRule
{
/**
* Sets the boolean allowNull property which, if set true, will allow empty
* inputs to validate as true.
*
* NOTE(review): with this flag enabled an empty input passes the rule, so a
* caller that needs a non-empty value has to check for that itself.
*
* @param bool $flag TRUE, if empty inputs should validate as true.
*
* @return void
*/
public function setAllowNull($flag);
/**
* Sets a descriptive name for the validator e.g. CreditCardNumber.
*
* @param string $typeName name describing the validator.
*
* @return void
*/
public function setTypeName($typeName);
/**
* Gets the descriptive name for the validator.
*
* @return string name describing the validator.
*/
public function getTypeName();
/**
* Sets an instance of an encoder class which should provide a
* canonicalize method.
*
* The validation methods of this interface are documented as working on
* canonicalized input; this encoder is presumably what performs that step
* (confirm against the implementing class).
*
* @param Encoder $encoder Encoder which provides a canonicalize method.
*
* @return void
*/
public function setEncoder($encoder);
/**
* Asserts that the supplied $input is valid after canonicalization. Invalid
* inputs will cause a descriptive ValidationException to be thrown. Inputs
* that are obviously an attack will cause an IntrusionException.
*
* NOTE(review): $context ends up in logging and error handling, so it
* should be a fixed, developer-chosen label rather than request data.
*
* @param string $context A descriptive name of the parameter that you are
*                        validating (e.g., LoginPage_UsernameField). This
*                        value is used by any logging or error handling that
*                        is done with respect to the value passed in.
* @param string $input   The actual user input data to validate.
*
* @return void
* @throws ValidationException if the input is not valid.
* @throws IntrusionException  if the input is an obvious attack.
*/
public function assertValid($context, $input);
/**
* Returns the canonicalized, valid input.
* Throws ValidationException if the input is not valid or
* IntrusionException if the input is an obvious attack.
*
* The returned string is the canonicalized form, so it may differ from the
* raw $input; callers should continue with the returned value.
*
* @param string $context A descriptive name of the parameter that you are
*                        validating (e.g., LoginPage_UsernameField). This
*                        value is used by any logging or error handling that
*                        is done with respect to the value passed in.
* @param string $input   The actual string user input data to validate.
*
* @return string canonicalized, valid input.
* @throws ValidationException if the input is not valid.
* @throws IntrusionException  if the input is an obvious attack.
*/
public function getValid($context, $input);
/**
* Attempts to return valid canonicalized input. If a ValidationException
* is thrown, this method will return sanitized input which may or may not
* have any similarity to the original input.
*
* Only the validation failure is absorbed here; an IntrusionException is
* still documented as reaching the caller.
*
* NOTE(review): a value that satisfies this rule is not thereby encoded for
* any particular output context (HTML, SQL, shell); encoding at the point
* of use remains the caller's job.
*
* @param string $context A descriptive name of the parameter that you are
*                        validating (e.g., LoginPage_UsernameField). This
*                        value is used by any logging or error handling that
*                        is done with respect to the value passed in.
* @param string $input   The actual user input data to validate.
*
* @return string valid, canonicalized input or sanitized input or a default
*                value.
* @throws IntrusionException if intrusion detected
*/
public function getSafe($context, $input);
/**
* Returns boolean true if the input is valid, false otherwise.
*
* NOTE(review): the interface does not say whether an IntrusionException
* can propagate from this method or is reported as false; confirm against
* the implementing class before relying on either behaviour.
*
* @param string $context A descriptive name of the parameter that you are
*                        validating (e.g., LoginPage_UsernameField). This
*                        value is used by any logging or error handling that
*                        is done with respect to the value passed in.
* @param string $input   The actual user input data to validate.
*
* @return bool true if the input is valid, false otherwise.
*/
public function isValid($context, $input);
/**
* Returns a harmless value derived from the input. The result may or may
* not have any similarity to the original input (in some cases you may not
* care). In most cases this behaves like getSafe, except that it returns
* some default value instead of throwing an exception.
*
* @param string $context A descriptive name of the parameter that you are
*                        validating (e.g., LoginPage_UsernameField). This
*                        value is used by any logging or error handling that
*                        is done with respect to the value passed in.
* @param string $input   The actual user input data to validate.
*
* @return string a parsed version of the input or a default value.
*/
public function sanitize($context, $input);
/**
* Returns the supplied input string after removing any characters not
* present in the supplied whitelist.
*
* This filters rather than validates: characters outside $list are dropped
* instead of causing a failure.
*
* @param string       $input string input to be filtered.
* @param array|string $list  array or string of whitelist characters.
*
* @return string a string of characters from $input that are present in $list.
*/
public function whitelist($input, $list);
}