Skip to content

Commit

Permalink
Polish toLower/UpperCase Usage
Browse files Browse the repository at this point in the history
Apply the common security hardening
technique of specifying Locale when
calling toUpperCase and toLowerCase

Closes gh-963
  • Loading branch information
jzheaux committed Nov 14, 2024
1 parent d6b897c commit 734336d
Show file tree
Hide file tree
Showing 8 changed files with 41 additions and 16 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import java.io.Serializable;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand Down Expand Up @@ -75,10 +76,10 @@ public LdapRdnComponent(String key, String value, boolean decodeValue) {

String caseFold = System.getProperty(DistinguishedName.KEY_CASE_FOLD_PROPERTY);
if (!StringUtils.hasText(caseFold) || caseFold.equals(DistinguishedName.KEY_CASE_FOLD_LOWER)) {
this.key = key.toLowerCase();
this.key = key.toLowerCase(Locale.ROOT);
}
else if (caseFold.equals(DistinguishedName.KEY_CASE_FOLD_UPPER)) {
this.key = key.toUpperCase();
this.key = key.toUpperCase(Locale.ROOT);
}
else if (caseFold.equals(DistinguishedName.KEY_CASE_FOLD_NONE)) {
this.key = key;
Expand All @@ -88,7 +89,7 @@ else if (caseFold.equals(DistinguishedName.KEY_CASE_FOLD_NONE)) {
+ "; expected \"" + DistinguishedName.KEY_CASE_FOLD_LOWER + "\", \""
+ DistinguishedName.KEY_CASE_FOLD_UPPER + "\", or \"" + DistinguishedName.KEY_CASE_FOLD_NONE
+ "\"");
this.key = key.toLowerCase();
this.key = key.toLowerCase(Locale.ROOT);
}
if (decodeValue) {
this.value = LdapEncoder.nameDecode(value);
Expand Down Expand Up @@ -203,7 +204,7 @@ public boolean equals(Object obj) {
*/
@Override
public int hashCode() {
return this.key.toUpperCase().hashCode() ^ this.value.toUpperCase().hashCode();
return this.key.toUpperCase(Locale.ROOT).hashCode() ^ this.value.toUpperCase(Locale.ROOT).hashCode();
}

/*
Expand All @@ -228,9 +229,9 @@ public int compareTo(Object obj) {

// It's safe to compare directly against key and value,
// because they are validated not to be null on instance creation.
int keyCompare = this.key.toLowerCase().compareTo(that.key.toLowerCase());
int keyCompare = this.key.toLowerCase(Locale.ROOT).compareTo(that.key.toLowerCase(Locale.ROOT));
if (keyCompare == 0) {
return this.value.toLowerCase().compareTo(that.value.toLowerCase());
return this.value.toLowerCase(Locale.ROOT).compareTo(that.value.toLowerCase(Locale.ROOT));
}
else {
return keyCompare;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
package org.springframework.ldap.core;

import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.naming.NamingEnumeration;
Expand Down Expand Up @@ -67,7 +68,7 @@ public int size() {
@Override
public NameAwareAttribute get(String attrID) {
Assert.hasLength(attrID, "Attribute ID must not be empty");
return this.attributes.get(attrID.toLowerCase());
return this.attributes.get(attrID.toLowerCase(Locale.ROOT));
}

@Override
Expand All @@ -84,7 +85,7 @@ public NamingEnumeration<String> getIDs() {
public Attribute put(String attrID, Object val) {
Assert.hasLength(attrID, "Attribute ID must not be empty");
NameAwareAttribute newAttribute = new NameAwareAttribute(attrID, val);
this.attributes.put(attrID.toLowerCase(), newAttribute);
this.attributes.put(attrID.toLowerCase(Locale.ROOT), newAttribute);

return newAttribute;
}
Expand All @@ -93,15 +94,15 @@ public Attribute put(String attrID, Object val) {
public Attribute put(Attribute attr) {
Assert.notNull(attr, "Attribute must not be null");
NameAwareAttribute newAttribute = new NameAwareAttribute(attr);
this.attributes.put(attr.getID().toLowerCase(), newAttribute);
this.attributes.put(attr.getID().toLowerCase(Locale.ROOT), newAttribute);

return newAttribute;
}

@Override
public Attribute remove(String attrID) {
Assert.hasLength(attrID, "Attribute ID must not be empty");
return this.attributes.remove(attrID.toLowerCase());
return this.attributes.remove(attrID.toLowerCase(Locale.ROOT));
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@

package org.springframework.ldap.odm.core.impl;

import java.util.Locale;

import org.springframework.util.Assert;

// A case independent String wrapper.
Expand All @@ -28,7 +30,7 @@
CaseIgnoreString(String string) {
Assert.notNull(string, "string must not be null");
this.string = string;
this.hashCode = string.toUpperCase().hashCode();
this.hashCode = string.toUpperCase(Locale.ROOT).hashCode();
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
package org.springframework.ldap.support;

import java.util.Base64;
import java.util.Locale;

import org.springframework.ldap.BadLdapGrammarException;
import org.springframework.util.Assert;
Expand Down Expand Up @@ -81,7 +82,7 @@ private LdapEncoder() {

protected static String toTwoCharHex(char c) {

String raw = Integer.toHexString(c).toUpperCase();
String raw = Integer.toHexString(c).toUpperCase(Locale.ROOT);

if (raw.length() > 1) {
return raw;
Expand Down
16 changes: 16 additions & 0 deletions etc/checkstyle/checkstyle.xml
Original file line number Diff line number Diff line change
Expand Up @@ -26,5 +26,21 @@
<property name="message" value="Please use assertThatExceptionOfType." />
<property name="ignoreComments" value="true" />
</module>
<module name="com.puppycrawl.tools.checkstyle.checks.regexp.RegexpSinglelineJavaCheck">
<property name="id" value="toLowerCaseWithoutLocale"/>
<property name="format" value="\.toLowerCase\(\)"/>
<property name="maximum" value="0"/>
<property name="message"
value="String.toLowerCase() should be String.toLowerCase(Locale.ROOT) or String.toLowerCase(Locale.ENGLISH)"/>
<property name="ignoreComments" value="true"/>
</module>
<module name="com.puppycrawl.tools.checkstyle.checks.regexp.RegexpSinglelineJavaCheck">
<property name="id" value="toUpperCaseWithoutLocale"/>
<property name="format" value="\.toUpperCase\(\)"/>
<property name="maximum" value="0"/>
<property name="message"
value="String.toUpperCase() should be String.toUpperCase(Locale.ROOT) or String.toUpperCase(Locale.ENGLISH)"/>
<property name="ignoreComments" value="true"/>
</module>
</module>
</module>
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
package org.springframework.ldap.odm.tools;

import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.naming.NamingEnumeration;
Expand Down Expand Up @@ -156,7 +157,7 @@ private void createObjectClass(Set<String> objectClasses, DirContext schemaConte
Attribute currentAttribute = valuesEnumeration.nextElement();

// Get the attribute name and lower case it (as this is all case indep)
String currentId = currentAttribute.getID().toUpperCase();
String currentId = currentAttribute.getID().toUpperCase(Locale.ROOT);

// Is this a MUST, MAY or SUP attribute
SchemaAttributeType type = getSchemaAttributeType(currentId);
Expand All @@ -168,7 +169,7 @@ private void createObjectClass(Set<String> objectClasses, DirContext schemaConte
switch (type) {
case SUP:
// Its a super class
String lowerCased = currentValue.toLowerCase();
String lowerCased = currentValue.toLowerCase(Locale.ROOT);
if (!schema.getObjectClass().contains(lowerCased)) {
supList.add(lowerCased);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
Expand Down Expand Up @@ -340,7 +341,7 @@ private static Set<String> parseObjectClassesFlag(String objectClassesFlag) {

for (String objectClassFlag : objectClassesFlag.split(",")) {
if (objectClassFlag.length() > 0) {
objectClasses.add(objectClassFlag.toLowerCase().trim());
objectClasses.add(objectClassFlag.toLowerCase(Locale.ROOT).trim());
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import java.io.UnsupportedEncodingException;
import java.util.List;
import java.util.Locale;

import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
Expand Down Expand Up @@ -112,7 +113,8 @@ private void createUser(String username) throws UnsupportedEncodingException {
ctx.setAttributeValue("userPrincipalName", username + "@example.com");
ctx.setAttributeValue("cn", username);
ctx.setAttributeValue("description", "Dummy user");
ctx.setAttributeValue("sAMAccountName", username.toUpperCase() + "." + username.toUpperCase());
ctx.setAttributeValue("sAMAccountName",
username.toUpperCase(Locale.ENGLISH) + "." + username.toUpperCase(Locale.ENGLISH));
ctx.setAttributeValue("userAccountControl", "512");

String newQuotedPassword = "\"" + DEFAULT_PASSWORD + "\"";
Expand Down

0 comments on commit 734336d

Please sign in to comment.