Whitelist Regex Validation Tests

Providing a structure to assert that the enviroment configurations will
provide expected responses when passed controlled values.

Performing a preliminary whitelist test set on HttpQueryString regex from
ESAPI.properties.

The test implementation asserts that the regex being tested matches the
test environment's regex for a given property. If the regex strings
differ, the tests associated with that property will be skipped to prevent
false-positives from being provided to a client.

Author: jeremiahjstacey

src/test/java/org/owasp/esapi/reference/AbstractPatternTest.java

@@ -0,0 +1,49 @@
+package org.owasp.esapi.reference;
+
+import java.util.regex.Pattern;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+
+/**
+ * FIXME:  Document intent of class.  General Function, purpose of creation, intended feature, etc.
+ *  Why do people care this exists? 
+ * @author Jeremiah
+ * @since Jan 20, 2018
+ *
+ */
+@RunWith (Parameterized.class)
+public abstract class AbstractPatternTest {
+    
+    protected static class PatternTestTuple {
+        String input;
+        String regex;
+        boolean shouldMatch;
+        String description;
+        /** {@inheritDoc}*/        
+        @Override
+        public String toString() {
+           return description != null ? description : regex;
+        }
+    }
+
+    private String input;
+    private Pattern pattern;
+    private boolean shouldMatch;
+    
+    
+    public AbstractPatternTest(PatternTestTuple tuple) {
+        this.input = tuple.input;
+        this.pattern = Pattern.compile(tuple.regex);
+        this.shouldMatch = tuple.shouldMatch;
+    }
+    
+    @Test
+    public void checkPatternMatches() {
+        Assert.assertEquals(shouldMatch, pattern.matcher(input).matches());
+    }
+    
+}

src/test/java/org/owasp/esapi/reference/EsapiWhitelistValidationPatternTester.java

@@ -0,0 +1,91 @@
+package org.owasp.esapi.reference;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.junit.Assume;
+import org.junit.runners.Parameterized.Parameters;
+import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+/**
+ * Extension of the AbstractPatternTest which focuses on asserting that the default whitelist regex values applied in
+ * the validation process are performing the intended function in the environment.
+ * 
+ * <br/>
+ * 
+ * If the regex values in this test are found to not match the running environment configurations, then the tests will
+ * be skipped.
+ *
+ * @author Jeremiah
+ * @since Jan 20, 2018
+ */
+public class EsapiWhitelistValidationPatternTester extends AbstractPatternTest {
+    //See ESAPI.properties
+    private static final String HTTP_QUERY_STRING_PROP_NAME="HTTPQueryString";
+    private static final String HTTP_QUERY_STRING_REGEX="^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$";
+
+    @Parameters(name = "{0}-{1}")
+    public static Collection<Object[]> createDefaultPatternTests() {
+        Collection<Object[]> parameters = new ArrayList<>();
+        
+        for(PatternTestTuple tuple : buildHttpQueryStringTests()) {
+            parameters.add(new Object[] { HTTP_QUERY_STRING_PROP_NAME, tuple });
+        }
+
+        
+        return parameters;
+    }
+    
+    private static Collection<PatternTestTuple> buildHttpQueryStringTests() {
+        Collection <PatternTestTuple> httpQueryStringTests = new ArrayList<>();
+        
+        //MATCHING CASES
+        PatternTestTuple tuple = newHttpQueryStringTuple("Default Case", "b", true);
+        httpQueryStringTests.add(tuple);
+        tuple = newHttpQueryStringTuple("Percent Encoded Value", "%62", true);
+        httpQueryStringTests.add(tuple);
+        tuple = newHttpQueryStringTuple("Percent Encoded Null Character", "%00", true);
+        httpQueryStringTests.add(tuple);
+        tuple = newHttpQueryStringTuple("Double Equals", "=", true);
+        httpQueryStringTests.add(tuple);
+        
+        //NON-MATCHING CASES
+        tuple = newHttpQueryStringTuple("Ampersand In Value", "&b", false);
+        httpQueryStringTests.add(tuple);
+        tuple = newHttpQueryStringTuple("Null Character", ""+Character.MIN_VALUE, false);
+        httpQueryStringTests.add(tuple);
+        tuple = newHttpQueryStringTuple("Encoded Null Character", "\u0000", false);
+        httpQueryStringTests.add(tuple);
+        
+        return httpQueryStringTests;
+    }
+
+    private static PatternTestTuple newHttpQueryStringTuple(String description, String value, boolean shouldPass) {
+        PatternTestTuple tuple = new PatternTestTuple();
+        tuple.input = "a="+value;
+        tuple.shouldMatch = shouldPass;
+        tuple.regex = HTTP_QUERY_STRING_REGEX;
+        tuple.description = description;
+        return tuple;
+    }
+   
+    public EsapiWhitelistValidationPatternTester(String property, PatternTestTuple tuple) {
+        super(tuple);
+        /*
+         * This next block causes the case to be skipped programatically if the regex being tested
+         * is different than the one being loaded at runtime.
+         * This is being done to prevent a false sense of security.
+         * If the configurations are changed to meet additional environmental concerns, the intent of this test should
+         * be copied into that environment and tested there to assert the additional expectations or changes in desired
+         * behavior.
+         */
+        DefaultSecurityConfiguration configuration = new DefaultSecurityConfiguration();
+        Assume.assumeTrue(
+            "The regular expression specified does not match the configuration settings.\n"
+            + "If the value was changed from the ESAPI default, it is recommended to copy "
+            + "this class into your project, update the regex being tested, and update all "
+            + "associated input expectations for your unique environment.",
+            configuration.getValidationPattern(property).toString().equals(tuple.regex));
+    }
+
+}