diff --git a/README.md b/README.md index e081302..ef5652e 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,12 @@ Follow the steps below to get started. For more detailed documentation on this l - Go to the releases section to get the installation link for both managed and un-managed versions of the ESAPI package. +* Just latest sources from repo : + + Deploy to Salesforce + + ##Example Code ###Input Validation: diff --git a/src/classes/ESAPI.cls b/src/classes/ESAPI.cls index c078627..2cba309 100644 --- a/src/classes/ESAPI.cls +++ b/src/classes/ESAPI.cls @@ -1,15 +1,15 @@ /** * OWASP Enterprise Security API (ESAPI) - * + * * This file is part of the Open Web Application Security Project (OWASP) * Enterprise Security API (ESAPI) project. For details, please see * http://www.owasp.org/index.php/ESAPI. * * Copyright (c) 2010 - Salesforce.com - * + * * The Apex ESAPI implementation is published by Salesforce.com under the New BSD license. You should read and accept the * LICENSE before you use, modify, and/or redistribute this software. - * + * * @author Yoel Gluck (securecloud .at. salesforce.com) Salesforce.com * @created 2010 */ @@ -18,20 +18,21 @@ * ESAPI locator class is provided to make it easy to gain access to the current ESAPI classes in use.
* For example you can use the validator() function to access the validator methods. (i.e. ESAPI.validator().isValidCreditCard(creditcard, false)) */ -global with sharing class ESAPI { +global with sharing class ESAPI { private static SFDCValidator SFDC_validator = null; private static SFDCEncoder SFDC_encoder = null; + private static SFDCEncoder SFDC_decoder = null; private static SFDCAccessController SFDC_accessController = null; - + /** * prevent instantiation of this class */ private ESAPI() { } - + /** - * @return the current ESAPI SFDCValidator being used to validate data in this application. + * @return the current ESAPI SFDCValidator being used to validate data in this application. */ global static SFDCValidator validator() { if (SFDC_validator == null) { @@ -41,17 +42,27 @@ global with sharing class ESAPI { } /** - * @return the current SFDCEncoder object. This gives the basic encoding functionality as those availabel in VisualForce (HTMLENCODE, JSENCODE, JSINHTMLENCODE and URLENCODE) + * @return the current SFDCEncoder object. This gives the basic encoding functionality as those availabel in VisualForce (HTMLENCODE, JSENCODE, JSINHTMLENCODE and URLENCODE) */ global static SFDCEncoder encoder() { if (SFDC_encoder == null) { SFDC_encoder = new SFDCEncoder(); - } + } return SFDC_encoder; } - + + /** + * @return the current SFDCDecoder object. This gives the basic decoding functionality + */ + global static SFDCDecoder decoder() { + if (SFDC_decoder == null) { + SFDC_decoder = new SFDCDecoder(); + } + return SFDC_decoder; + } + /** - * @return the current ESAPI SFDCAccessController object being used to maintain the access control rules for this application. + * @return the current ESAPI SFDCAccessController object being used to maintain the access control rules for this application. */ global static SFDCAccessController accessController() { if (SFDC_accessController == null) { diff --git a/src/classes/SFDCDecoder.cls b/src/classes/SFDCDecoder.cls new file mode 100644 index 0000000..827ddc9 --- /dev/null +++ b/src/classes/SFDCDecoder.cls @@ -0,0 +1,42 @@ +/** + * OWASP Enterprise Security API (ESAPI) + * + * This file is part of the Open Web Application Security Project (OWASP) + * Enterprise Security API (ESAPI) project. For details, please see + * http://www.owasp.org/index.php/ESAPI. + * + * Copyright (c) 2010 - Salesforce.com + * + * The Apex ESAPI implementation is published by Salesforce.com under the New BSD license. You should read and accept the + * LICENSE before you use, modify, and/or redistribute this software. + * + * @author Sébastien Colladon (scolladon .at. salesforce.com) Salesforce.com + * @created 2016 + */ + +/** + * This class is a basic decoder. + */ +global with sharing class SFDCDecoder { + + + /** + * Note : This function always decodes a base64 url encoded string

+ * + * Example:
+ *
+     * //htmlstr is going to be converted from url to blob
+     * htmlstr = ESAPI.decoder().SFDC_BASE64_URLDECODE(base64urlencodedText);
+     * 
+ */ + global Blob SFDC_BASE64_URLDECODE(final String input){ + if(String.isBlank(input)) { + return null; + } + + return EncodingUtil.base64Decode(input.replace('-', '+') + .replace('_', '/') + .rightPad(math.mod(input.length() + (math.mod(4 - input.length(), 4)), 4)) + .replace(' ','=')); + } +} \ No newline at end of file diff --git a/src/classes/SFDCDecoder.cls-meta.xml b/src/classes/SFDCDecoder.cls-meta.xml new file mode 100644 index 0000000..38aa015 --- /dev/null +++ b/src/classes/SFDCDecoder.cls-meta.xml @@ -0,0 +1,5 @@ + + + 36.0 + Active + diff --git a/src/classes/testDecoder.cls b/src/classes/testDecoder.cls new file mode 100644 index 0000000..3743d56 --- /dev/null +++ b/src/classes/testDecoder.cls @@ -0,0 +1,77 @@ +/** + * OWASP Enterprise Security API (ESAPI) + * + * This file is part of the Open Web Application Security Project (OWASP) + * Enterprise Security API (ESAPI) project. For details, please see + * http://www.owasp.org/index.php/ESAPI. + * + * Copyright (c) 2010 - Salesforce.com + * + * The Apex ESAPI implementation is published by Salesforce.com under the New BSD license. You should read and accept the + * LICENSE before you use, modify, and/or redistribute this software. + * + * @author Sebastien Colladon (scolladon .at. salesforce.com) Salesforce.com + * @created 2010 + */ + +/** + * This class contains unit tests for validating the behavior of Apex classes + * and triggers. + * + * Unit tests are class methods that verify whether a particular piece + * of code is working properly. Unit test methods take no arguments, + * commit no data to the database, and are flagged with the testMethod + * keyword in the method definition. + * + * All test methods in an organization are executed whenever Apex code is deployed + * to a production organization to confirm correctness, ensure code + * coverage, and prevent regressions. All Apex classes are + * required to have at least 75% code coverage in order to be deployed + * to a production organization. In addition, all triggers must have some code coverage. + * + * The @isTest class annotation indicates this class only contains test + * methods. Classes defined with the @isTest annotation do not count against + * the organization size limit for all Apex scripts. + * + * See the Apex Language Reference for more information about Testing and Code Coverage. + */ +@isTest +private class testDecoder { + + private class DecodeTest { + public String inputStr; + public String expectedOutput; + public String errText; + public Boolean expectedResult; + public String encoding; + + public DecodeTest(String inputStr, String expectedOutput, String errText, Boolean expectedResult) { + this.inputStr = inputStr; + this.expectedOutput = expectedOutput; + this.errText = errText; + this.expectedResult = expectedResult; + } + } + private static final DecodeTest [] base64UrlDecodeTests = new DecodeTest[]{}; + + + static { + base64UrlDecodeTests.add(new DecodeTest('dGVzdA', 'test', 'Valid #1', true)); + base64UrlDecodeTests.add(new DecodeTest('QCM_Ky0kKi8-VA', '@#?+-$*/>T', 'Valid #2', true)); + } + + static testMethod void testEncoderBase64UrlDecode() { + for (DecodeTest t : base64UrlDecodeTests) { + try { + String ret = ESAPI.decoder().SFDC_BASE64_URLDECODE(t.inputStr).toString(); + // if no exception - check if we are expecting a valid test + System.assert(t.expectedResult == true, t.errText); + // also make sure return value is equal to input + System.assert(ret.equals(t.expectedOutput), t.errText); + } catch (Exception e) { + // if exception - check if we are expecting an invalid test + System.assert(t.expectedResult == false, t.errText); + } + } + } +} \ No newline at end of file diff --git a/src/classes/testDecoder.cls-meta.xml b/src/classes/testDecoder.cls-meta.xml new file mode 100644 index 0000000..f165265 --- /dev/null +++ b/src/classes/testDecoder.cls-meta.xml @@ -0,0 +1,5 @@ + + + 29.0 + Active +