https://github.com/righettod/code-snippets-security-utils
Provides different utility methods to apply processing from a security perspective.
appsecurity code-snippets java security
- Host: GitHub
- URL: https://github.com/righettod/code-snippets-security-utils
- Owner: righettod
- License: gpl-3.0
- Created: 2024-05-24T11:50:30.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-10-21T06:28:13.000Z (about 1 year ago)
- Last Synced: 2024-10-21T09:20:20.987Z (about 1 year ago)
- Topics: appsecurity, code-snippets, java, security
- Language: Java
- Homepage: https://righettod.github.io/code-snippets-security-utils/
- Size: 16.9 MB
- Stars: 5
- Watchers: 1
- Forks: 1
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Description
> [!NOTE]
> Java was chosen but the ideas behind the proposed code can be applied to other languages.
💻This project provides different utility methods to apply processing from a defensive security perspective. These code snippets:
* Can be used as a "foundation" to customize the validation to the application context.
* Were implemented in a way that facilitates adding or removing validations depending on the usage context.
* Were centralized into [one class](src/main/java/eu/righettod/SecurityUtils.java) so that they can be enhanced over time and missing cases/bugs can be handled.
🔬I use it, as a sandbox, to create/test/provide remediation code proposals when I perform web assessment or secure code review activities.
# Disclaimer
> [!CAUTION]
> I do not claim (and will never claim) that the proposed code is 100% effective; these are simply practical tests of ideas regarding security issues I have encountered.
📍The project will not be deployed, as an artefact, into the Maven repository or the GitHub Package repository because the code provided is intended to be tailored to the business and technical context of the application.
# Tips for validating file contents
> [!NOTE]
> The tips and code snippets provided enrich the advice given in the [OWASP File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html).
```mermaid
flowchart TB
A[File received] --> B("🔬Call corresponding isXXXSafe() methods")
B --> C{🤔File is safe?}
C -->|No| E[❌File rejected]
C -->|Yes| D("🔬Call sanitizeFile() methods")
D --> F{🤔Exception occur?}
F -->|Yes| E
F -->|No| G[✅File accepted]
```
# Content & conventions
📝Code is centralized into the class [SecurityUtils](src/main/java/eu/righettod/SecurityUtils.java).
🧪Unit tests are centralized into the class [TestSecurityUtils](src/test/java/eu/righettod/TestSecurityUtils.java).
📖Conventions used:
* Each utility method in the **SecurityUtils** class is associated with one unit test method in the **TestSecurityUtils** class, both with the same name.
* All test data is stored in the [resources](src/test/resources) folder of the test area.
* Each utility method has a single goal and is fully documented in terms of usage as well as the Internet references used.
# Documentation
The javadoc of the class **SecurityUtils** is exposed [here](https://righettod.github.io/code-snippets-security-utils).
# Usage
👨💻The repository can be opened directly in [IntelliJ IDEA](https://www.jetbrains.com/idea/download).
💻Maven command to run all the unit tests:
```shell
$ mvn clean test
[INFO] ------------------------------------------------
[INFO] T E S T S
[INFO] ------------------------------------------------
[INFO] Running eu.righettod.TestSecurityUtils
[INFO] Tests run: 8, Failures: 0, Errors: 0, Skipped: 0
```
# Misc
* https://github.com/marchof/the-missing-javadoc-fonts