Module de.cuioss.http
Package de.cuioss.http.security.pipeline
@NullMarked
package de.cuioss.http.security.pipeline
Validation pipelines for different HTTP component types.
This package provides specialized validation pipelines that combine multiple validation stages optimized for specific HTTP components. Each pipeline is designed to detect and prevent security vulnerabilities relevant to its target component type.
Available Pipelines
- URLPathValidationPipeline - Path traversal, encoding attacks, and all URL validation
- URLParameterValidationPipeline - XSS and injection attacks via URL parameters
- HTTPHeaderValidationPipeline - Header injection and CRLF attacks
- PipelineFactory - Factory for creating and configuring pipelines
Pipeline Selection
Choose the appropriate pipeline based on the HTTP component being validated:
- URL Paths - Use URLPathValidationPipeline for paths and full URLs like /api/users/123 or http://example.com/path
- Parameters - Use URLParameterValidationPipeline for query parameters and form data
- Headers - Use HTTPHeaderValidationPipeline for HTTP headers
Usage Example
    // Create configuration and event counter
    SecurityConfiguration config = SecurityConfiguration.defaults();
    SecurityEventCounter eventCounter = new SecurityEventCounter();

    // Create pipelines using factory
    HttpSecurityValidator pathValidator = PipelineFactory.createUrlPathPipeline(config, eventCounter);
    HttpSecurityValidator paramValidator = PipelineFactory.createUrlParameterPipeline(config, eventCounter);

    // Validate different HTTP components
    try {
        String safePath = pathValidator.validate("/api/users/123");
        String safeParam = paramValidator.validate("search=test&page=1");
    } catch (UrlSecurityException e) {
        log.warn("Security violation: {}", e.getFailureType());
    }
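An added sketch, not part of the library or its documentation, of why a pipeline combines stages in sequence for a URL path: the content checks only catch encoded input if they run on the decoded form. Every class, method and reason name here is hypothetical, and the stage list is an assumption, not the set of stages URLPathValidationPipeline actually runs.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.function.UnaryOperator;
import java.util.regex.Pattern;

// Hypothetical sketch: names and reason strings are assumptions, not de.cuioss.http code.
public class StagedPathCheckSketch {
    static final Pattern PERCENT_ESCAPE = Pattern.compile("%[0-9A-Fa-f]{2}");

    // Stage 1: percent-decode exactly once (malformed escapes throw IllegalArgumentException);
    // an escape that survives decoding means the input was encoded twice.
    static String decodeOnce(String path) {
        String decoded = URLDecoder.decode(path.replace("+", "%2B"), StandardCharsets.UTF_8);
        if (PERCENT_ESCAPE.matcher(decoded).find()) throw new IllegalArgumentException("DOUBLE_ENCODING");
        return decoded;
    }
    // Stage 2: reject NUL, CR, LF and other control characters revealed by decoding.
    static String rejectControlChars(String path) {
        if (path.chars().anyMatch(c -> c < 0x20 || c == 0x7F)) throw new IllegalArgumentException("CONTROL_CHARACTER");
        return path;
    }
    // Stage 3: reject ".." segments, treating backslash as a separator too.
    static String rejectTraversal(String path) {
        for (String segment : path.replace('\\', '/').split("/")) {
            if (segment.equals("..")) throw new IllegalArgumentException("PATH_TRAVERSAL");
        }
        return path;
    }
    // Order matters: the content checks run on the decoded form, never on the raw input.
    static final List<UnaryOperator<String>> STAGES = List.of(StagedPathCheckSketch::decodeOnce,
            StagedPathCheckSketch::rejectControlChars, StagedPathCheckSketch::rejectTraversal);

    static String validate(String path) {
        for (UnaryOperator<String> stage : STAGES) path = stage.apply(path);
        return path;
    }
    public static void main(String[] args) {
        // Constructed sample inputs: one benign path and three that a raw-string check would miss.
        for (String input : List.of("/api/users/123", "/api/%2e%2e/admin",
                "/api/%252e%252e/admin", "/api/users%0d%0aX")) {
            try {
                System.out.println(input + " -> accepted as " + validate(input));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```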
Package Nullability
This package follows strict nullability conventions using JSpecify annotations:
- All parameters and return values are non-null by default
- Nullable parameters and return values are explicitly annotated with @Nullable
Since: 1.0
Class descriptions
- Abstract base class for validation pipelines that provides common validation logic.
- Sequential validation pipeline specifically for HTTP header components.
- Factory class for creating HTTP security validation pipelines.
- A record containing commonly used HTTP validation pipelines.
- Sequential validation pipeline specifically for URL parameter components.
- Sequential validation pipeline specifically for URL path components.