Module de.cuioss.http
Package de.cuioss.http.security.validation

Record Class LengthValidationStage

java.lang.Object
java.lang.Record
de.cuioss.http.security.validation.LengthValidationStage
All Implemented Interfaces:
HttpSecurityValidator
public record LengthValidationStage(SecurityConfiguration config, ValidationType validationType) extends Record implements HttpSecurityValidator
Length validation stage with configurable limits for HTTP components.

This stage enforces length limits on various HTTP components to prevent denial-of-service attacks, buffer overflow attempts, and resource exhaustion. The stage validates input length against component-specific limits:

  1. Path Length Validation - Enforces maximum URL path length
  2. Parameter Length Validation - Validates parameter names and values
  3. Header Length Validation - Checks header names and values
  4. Cookie Length Validation - Validates cookie names and values
  5. Body Size Validation - Enforces request/response body size limits

Design Principles

  • DoS Protection - Prevents resource exhaustion through size limits
  • Context-Sensitive - Different limits for different HTTP components
  • Performance Optimized - Simple length checks with O(1) complexity
  • RFC Compliant - Follows HTTP specification recommendations

Security Validations

  • Path Length - Prevents extremely long URL paths
  • Parameter Length - Limits parameter name and value sizes
  • Header Length - Enforces HTTP header size restrictions
  • Cookie Length - Validates cookie name and value sizes
  • Body Size - Prevents large payload attacks

Usage Examples

 // Create length validation stage
 SecurityConfiguration config = SecurityConfiguration.defaults();
 LengthValidationStage lengthValidator = new LengthValidationStage(config, ValidationType.URL_PATH);

 // Validate path length
 try {
     lengthValidator.validate("/api/users/123"); // Passes if within limit
 } catch (UrlSecurityException e) {
     logger.warn("Path too long: {}", e.getFailureType());
 }

 // Validate parameter value
 LengthValidationStage paramValidator = new LengthValidationStage(config, ValidationType.PARAMETER_VALUE);
 try {
     paramValidator.validate("very_long_parameter_value"); // May fail if too long
 } catch (UrlSecurityException e) {
     logger.warn("Parameter value too long: {}", e.getDetail());
 }

 // Validate with custom limits
 SecurityConfiguration strictConfig = SecurityConfiguration.builder()
     .maxPathLength(1024)
     .maxParameterValueLength(256)
     .build();
 LengthValidationStage strictValidator = new LengthValidationStage(strictConfig, ValidationType.URL_PATH);

Performance Characteristics

  • O(1) time complexity - simple length comparison
  • Minimal memory overhead - no string manipulation
  • Early termination on limit exceeded
  • No regex or pattern matching overhead

Configuration Dependencies

  • maxPathLength - Maximum allowed path length
  • maxParameterNameLength/maxParameterValueLength - Parameter size limits
  • maxHeaderNameLength/maxHeaderValueLength - Header size limits
  • maxCookieNameLength/maxCookieValueLength - Cookie size limits
  • maxBodySize - Maximum body size in bytes

Implements: Task V4 from HTTP verification specification

Since:
1.0
See Also:

  • Constructor Details

    • LengthValidationStage

      public LengthValidationStage(SecurityConfiguration config, ValidationType validationType)
      Creates an instance of a LengthValidationStage record class.
      Parameters:
      config - the value for the config record component
      validationType - the value for the validationType record component

  • Method Details

    • validate

      public Optional<String> validate(@Nullable String value) throws UrlSecurityException
      Validates input length against component-specific limits.

      Processing logic:

      1. Input validation - handles null/empty inputs
      2. Length calculation - gets input length in characters or bytes
      3. Limit lookup - determines appropriate limit based on validation type
      4. Comparison - checks if input exceeds configured limit
      Specified by:
      validate in interface HttpSecurityValidator
      Parameters:
      value - The input string to validate for length limits
      Returns:
      The original input wrapped in Optional if validation passes, Optional.empty() if input was null
      Throws:
      UrlSecurityException - if length limits are exceeded:
      • PATH_TOO_LONG - if URL path exceeds maximum length
      • INPUT_TOO_LONG - if other components exceed their limits

    • when

      public HttpSecurityValidator when(Predicate<String> condition)
      Creates a conditional validator that only processes inputs matching the condition.
      Specified by:
      when in interface HttpSecurityValidator
      Parameters:
      condition - The condition to test before validation
      Returns:
      A conditional HttpSecurityValidator that applies length validation conditionally

    • toString

      public final String toString()
      Returns a string representation of this record class. The representation contains the name of the class, followed by the name and value of each of the record components.
      Specified by:
      toString in class Record
      Returns:
      a string representation of this object

    • hashCode

      public final int hashCode()
      Returns a hash code value for this object. The value is derived from the hash code of each of the record components.
      Specified by:
      hashCode in class Record
      Returns:
      a hash code value for this object

    • equals

      public final boolean equals(Object o)
      Indicates whether some other object is "equal to" this one. The objects are equal if the other object is of the same class and if all the record components are equal. All components in this record class are compared with Objects::equals(Object,Object).
      Specified by:
      equals in class Record
      Parameters:
      o - the object with which to compare
      Returns:
      true if this object is the same as the o argument; false otherwise.

    • config

      public SecurityConfiguration config()
      Returns the value of the config record component.
      Returns:
      the value of the config record component

    • validationType

      public ValidationType validationType()
      Returns the value of the validationType record component.
      Returns:
      the value of the validationType record component