HV-1185 Add more tests for URL validation and improve the existing validators

Author: marko-bekhta

engine/src/main/java/org/hibernate/validator/constraintvalidators/RegexpURLValidator.java

@@ -12,6 +12,7 @@
 import javax.validation.ConstraintValidatorContext;
 
 import org.hibernate.validator.constraints.URL;
+import org.hibernate.validator.internal.util.DomainNameUtil;
 
 /**
  * Validate that the character sequence (e.g. string) is a valid URL using a regular expression.
@@ -54,6 +55,10 @@ public boolean isValid(CharSequence value, ConstraintValidatorContext constraint
 			return false;
 		}
 
+		if ( !DomainNameUtil.isValidDomainAddress( values.getHost() ) ) {
+			return false;
+		}
+
 		if ( protocol != null && protocol.length() > 0 && !protocol.equals( values.getProtocol() ) ) {
 			return false;
 		}

engine/src/main/java/org/hibernate/validator/internal/constraintvalidators/hv/EmailValidator.java

@@ -8,14 +8,13 @@
 
 import static java.util.regex.Pattern.CASE_INSENSITIVE;
 
-import java.net.IDN;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
 
 import org.hibernate.validator.constraints.Email;
+import org.hibernate.validator.internal.util.DomainNameUtil;
 
 /**
  * Checks that a given character sequence (e.g. string) is a well-formed email address.
@@ -33,20 +32,11 @@
  * @author Guillaume Smet
  */
 public class EmailValidator implements ConstraintValidator<Email, CharSequence> {
-	private static final String LOCAL_PART_ATOM = "[a-z0-9!#$%&'*+/=?^_`{|}~\u0080-\uFFFF-]";
-	private static final String LOCAL_PART_INSIDE_QUOTES_ATOM = "([a-z0-9!#$%&'*.(),<>\\[\\]:;  @+/=?^_`{|}~\u0080-\uFFFF-]|\\\\\\\\|\\\\\\\")";
-	private static final String DOMAIN_LABEL = "[a-z0-9!#$%&'*+/=?^_`{|}~-]";
-	private static final String DOMAIN = DOMAIN_LABEL + "+(\\." + DOMAIN_LABEL + "+)*";
-	private static final String IP_DOMAIN = "\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\]";
-	//IP v6 regex taken from http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
-	private static final String IP_V6_DOMAIN = "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))";
+
 	private static final int MAX_LOCAL_PART_LENGTH = 64;
-	/**
-	 * This is the maximum length of a domain name. But be aware that each label (parts separated by a dot) of the
-	 * domain name must be at most 63 characters long. This is verified by {@link IDN#toASCII(String)}.
-	 */
-	private static final int MAX_DOMAIN_PART_LENGTH = 255;
 
+	private static final String LOCAL_PART_ATOM = "[a-z0-9!#$%&'*+/=?^_`{|}~\u0080-\uFFFF-]";
+	private static final String LOCAL_PART_INSIDE_QUOTES_ATOM = "([a-z0-9!#$%&'*.(),<>\\[\\]:;  @+/=?^_`{|}~\u0080-\uFFFF-]|\\\\\\\\|\\\\\\\")";
 	/**
 	 * Regular expression for the local part of an email address (everything before '@')
 	 */
@@ -55,13 +45,6 @@ public class EmailValidator implements ConstraintValidator<Email, CharSequence>
 					"(\\." + "(" + LOCAL_PART_ATOM + "+|\"" + LOCAL_PART_INSIDE_QUOTES_ATOM + "+\")" + ")*", CASE_INSENSITIVE
 	);
 
-	/**
-	 * Regular expression for the domain part of an email address (everything after '@')
-	 */
-	private static final Pattern DOMAIN_PATTERN = Pattern.compile(
-			DOMAIN + "|" + IP_DOMAIN + "|" + "\\[IPv6:" + IP_V6_DOMAIN + "\\]", CASE_INSENSITIVE
-	);
-
 	@Override
 	public boolean isValid(CharSequence value, ConstraintValidatorContext context) {
 		if ( value == null || value.length() == 0 ) {
@@ -71,7 +54,7 @@ public boolean isValid(CharSequence value, ConstraintValidatorContext context) {
 		// cannot split email string at @ as it can be a part of quoted local part of email.
 		// so we need to split at a position of last @ present in the string:
 		String stringValue = value.toString();
-		int splitPosition = stringValue.lastIndexOf( "@" );
+		int splitPosition = stringValue.lastIndexOf( '@' );
 
 		// need to check if
 		if ( splitPosition < 0 ) {
@@ -81,42 +64,19 @@ public boolean isValid(CharSequence value, ConstraintValidatorContext context) {
 		String localPart = stringValue.substring( 0, splitPosition );
 		String domainPart = stringValue.substring( splitPosition + 1 );
 
-		if ( !matchLocalPart( localPart ) ) {
+		if ( !isValidEmailLocalPart( localPart ) ) {
 			return false;
 		}
 
-		return matchDomain( domainPart );
+		return DomainNameUtil.isValidEmailDomainAddress( domainPart );
 	}
 
-	private boolean matchLocalPart(String localPart) {
+	private boolean isValidEmailLocalPart(String localPart) {
 		if ( localPart.length() > MAX_LOCAL_PART_LENGTH ) {
 			return false;
 		}
 		Matcher matcher = LOCAL_PART_PATTERN.matcher( localPart );
 		return matcher.matches();
 	}
 
-	private boolean matchDomain(String domain) {
-		// if we have a trailing dot the domain part we have an invalid email address.
-		// the regular expression match would take care of this, but IDN.toASCII drops the trailing '.'
-		if ( domain.endsWith( "." ) ) {
-			return false;
-		}
-
-		String asciiString;
-		try {
-			asciiString = IDN.toASCII( domain );
-		}
-		catch (IllegalArgumentException e) {
-			return false;
-		}
-
-		if ( asciiString.length() > MAX_DOMAIN_PART_LENGTH ) {
-			return false;
-		}
-
-		Matcher matcher = DOMAIN_PATTERN.matcher( asciiString );
-		return matcher.matches();
-	}
-
 }

engine/src/main/java/org/hibernate/validator/internal/util/DomainNameUtil.java

@@ -0,0 +1,103 @@
+/*
+ * Hibernate Validator, declare and validate application constraints
+ *
+ * License: Apache License, Version 2.0
+ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
+ */
+package org.hibernate.validator.internal.util;
+
+import static java.util.regex.Pattern.CASE_INSENSITIVE;
+
+import java.net.IDN;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * @author Marko Bekhta
+ */
+public final class DomainNameUtil {
+
+	/**
+	 * This is the maximum length of a domain name. But be aware that each label (parts separated by a dot) of the
+	 * domain name must be at most 63 characters long. This is verified by {@link IDN#toASCII(String)}.
+	 */
+	private static final int MAX_DOMAIN_PART_LENGTH = 255;
+
+	private static final String DOMAIN_CHARS_WITHOUT_DASH = "[a-z\u0080-\uFFFF0-9!#$%&'*+/=?^_`{|}~]";
+	private static final String DOMAIN_LABEL = "(" + DOMAIN_CHARS_WITHOUT_DASH + "-?)*" + DOMAIN_CHARS_WITHOUT_DASH + "+";
+
+	private static final String DOMAIN = DOMAIN_LABEL + "+(\\." + DOMAIN_LABEL + "+)*";
+
+	private static final String IP_DOMAIN = "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}";
+	//IP v6 regex taken from http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
+	private static final String IP_V6_DOMAIN = "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))";
+
+	/**
+	 * Regular expression for the domain part of an URL
+	 * <p>
+	 * A host string must be a domain string, an IPv4 address string, or "[", followed by an IPv6 address string,
+	 * followed by "]".
+	 */
+	private static final Pattern DOMAIN_PATTERN = Pattern.compile(
+			DOMAIN + "|\\[" + IP_V6_DOMAIN + "\\]", CASE_INSENSITIVE
+	);
+
+	/**
+	 * Regular expression for the domain part of an email address (everything after '@')
+	 */
+	private static final Pattern EMAIL_DOMAIN_PATTERN = Pattern.compile(
+			DOMAIN + "|\\[" + IP_DOMAIN + "\\]|" + "\\[IPv6:" + IP_V6_DOMAIN + "\\]", CASE_INSENSITIVE
+	);
+
+	private DomainNameUtil() {
+	}
+
+	/**
+	 * Checks the validity of the domain name used in an email. To be valid it should be either a valid host name, or an
+	 * IP address wrapped in [].
+	 *
+	 * @param domain domain to check for validity
+	 * @return {@code true} if the provided string is a valid domain, {@code false} otherwise
+	 */
+	public static boolean isValidEmailDomainAddress(String domain) {
+		return isValidDomainAddress( domain, EMAIL_DOMAIN_PATTERN );
+	}
+
+	/**
+	 * Checks validity of a domain name.
+	 *
+	 * @param domain the domain to check for validity
+	 * @return {@code true} if the provided string is a valid domain, {@code false} otherwise
+	 */
+	public static boolean isValidDomainAddress(String domain) {
+		return isValidDomainAddress( domain, DOMAIN_PATTERN );
+	}
+
+	private static boolean isValidDomainAddress(String domain, Pattern pattern) {
+		// if we have a trailing dot the domain part we have an invalid email address.
+		// the regular expression match would take care of this, but IDN.toASCII drops the trailing '.'
+		if ( domain.endsWith( "." ) ) {
+			return false;
+		}
+
+		Matcher matcher = pattern.matcher( domain );
+		if ( !matcher.matches() ) {
+			return false;
+		}
+
+		String asciiString;
+		try {
+			asciiString = IDN.toASCII( domain );
+		}
+		catch (IllegalArgumentException e) {
+			return false;
+		}
+
+		if ( asciiString.length() > MAX_DOMAIN_PART_LENGTH ) {
+			return false;
+		}
+
+		return true;
+	}
+
+}

engine/src/test/java/org/hibernate/validator/test/internal/constraintvalidators/hv/URLValidatorTest.java

@@ -290,10 +290,91 @@ private void runUrlContainerValidation(Validator validator, URLContainer contain
 	}
 
 	private void assertValidUrls(ConstraintValidator<URL, CharSequence> validator) {
+		//valid urls
 		assertTrue( validator.isValid( null, null ) );
+		assertTrue( validator.isValid( "ftp://abc.de", null ) );
+		assertTrue( validator.isValid( "http://foo.com/blah_blah", null ) );
+		assertTrue( validator.isValid( "http://foo.com/blah_blah/", null ) );
+		assertTrue( validator.isValid( "http://foo.com/blah_blah_(wikipedia)", null ) );
+		assertTrue( validator.isValid( "http://foo.com/blah_blah_(wikipedia)_(again)", null ) );
+		assertTrue( validator.isValid( "http://www.example.com/wpstyle/?p=364", null ) );
+		assertTrue( validator.isValid( "https://www.example.com/foo/?bar=baz&inga=42&quux", null ) );
+		assertTrue( validator.isValid( "http://✪df.ws/123", null ) );
+		assertTrue( validator.isValid( "http://userid:password@example.com:8080", null ) );
+		assertTrue( validator.isValid( "http://userid:password@example.com:8080/", null ) );
+		assertTrue( validator.isValid( "http://userid@example.com", null ) );
+		assertTrue( validator.isValid( "http://userid@example.com/", null ) );
+		assertTrue( validator.isValid( "http://userid@example.com:8080", null ) );
+		assertTrue( validator.isValid( "http://userid@example.com:8080/", null ) );
+		assertTrue( validator.isValid( "http://userid:password@example.com", null ) );
+		assertTrue( validator.isValid( "http://userid:password@example.com/", null ) );
+		assertTrue( validator.isValid( "http://142.42.1.1/", null ) );
+		assertTrue( validator.isValid( "http://142.42.1.1:8080/", null ) );
+		assertTrue( validator.isValid( "http://➡.ws/䨹", null ) );
+		assertTrue( validator.isValid( "http://⌘.ws", null ) );
+		assertTrue( validator.isValid( "http://⌘.ws/", null ) );
+		assertTrue( validator.isValid( "http://foo.com/blah_(wikipedia)#cite-1", null ) );
+		assertTrue( validator.isValid( "http://foo.com/blah_(wikipedia)_blah#cite-1", null ) );
+		assertTrue( validator.isValid( "http://foo.com/unicode_(✪)_in_parens", null ) );
+		assertTrue( validator.isValid( "http://foo.com/(something)?after=parens", null ) );
+		assertTrue( validator.isValid( "http://☺.damowmow.com/", null ) );
+		assertTrue( validator.isValid( "http://code.google.com/events/#&product=browser", null ) );
+		assertTrue( validator.isValid( "http://j.mp", null ) );
+		assertTrue( validator.isValid( "ftp://foo.bar/baz", null ) );
+		assertTrue( validator.isValid( "http://foo.bar/?q=Test%20URL-encoded%20stuff", null ) );
+		assertTrue( validator.isValid( "http://مثال.إختبار", null ) );
+		assertTrue( validator.isValid( "http://例子.测试", null ) );
+		assertTrue( validator.isValid( "http://उदाहरण.परीक्षा", null ) );
+		assertTrue( validator.isValid( "http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com", null ) );
+		assertTrue( validator.isValid( "http://1337.net", null ) );
+		assertTrue( validator.isValid( "http://a.b-c.de", null ) );
+		assertTrue( validator.isValid( "http://223.255.255.254", null ) );
+		assertTrue( validator.isValid( "http://[2001:0db8:0a0b:12f0:0000:0000:0000:0001]", null ) );
+
+		// invalid urls:
 		assertFalse( validator.isValid( "http", null ) );
 		assertFalse( validator.isValid( "ftp//abc.de", null ) );
-		assertTrue( validator.isValid( "ftp://abc.de", null ) );
+		assertFalse( validator.isValid( "//", null ) );
+		assertFalse( validator.isValid( "//a", null ) );
+		assertFalse( validator.isValid( "///", null ) );
+		assertFalse( validator.isValid( "///a", null ) );
+		assertFalse( validator.isValid( "foo.com", null ) );
+		assertFalse( validator.isValid( ":// should fail", null ) );
+
+		if ( validator instanceof URLValidator ) {
+			// 'exotic' protocols are considered valid using RegexpURLValidator but not URLValidator
+			// as the last one doesn't allow unknown protocols
+			assertFalse( validator.isValid( "rdar://1234", null ) );
+			assertFalse( validator.isValid( "ftps://foo.bar/", null ) );
+			assertFalse( validator.isValid( "h://test", null ) );
+		}
+
+		if ( validator instanceof RegexpURLValidator ) {
+			assertFalse( validator.isValid( "http://", null ) );
+			assertFalse( validator.isValid( "http://.", null ) );
+			assertFalse( validator.isValid( "http://..", null ) );
+			assertFalse( validator.isValid( "http://../", null ) );
+			assertFalse( validator.isValid( "http://?", null ) );
+			assertFalse( validator.isValid( "http://??", null ) );
+			assertFalse( validator.isValid( "http://??/", null ) );
+			assertFalse( validator.isValid( "http://#", null ) );
+			assertFalse( validator.isValid( "http://##", null ) );
+			assertFalse( validator.isValid( "http://##/", null ) );
+			assertFalse( validator.isValid( "http://foo.bar?q=Spaces should be encoded", null ) );
+			assertFalse( validator.isValid( "http:///a", null ) );
+			assertFalse( validator.isValid( "http:// shouldfail.com", null ) );
+			assertFalse( validator.isValid( "http://foo.bar/foo(bar)baz quux", null ) );
+			assertFalse( validator.isValid( "http://-error-.invalid/", null ) );
+			assertFalse( validator.isValid( "http://a.b--c.de/", null ) );
+			assertFalse( validator.isValid( "http://-a.b.co", null ) );
+			assertFalse( validator.isValid( "http://a.b-.co", null ) );
+//			assertFalse( validator.isValid( "http://123.123.123", null ) );
+//			assertFalse( validator.isValid( "http://3628126748", null ) );
+			assertFalse( validator.isValid( "http://.www.foo.bar/", null ) );
+			assertFalse( validator.isValid( "http://www.foo.bar./", null ) );
+			assertFalse( validator.isValid( "http://.www.foo.bar./", null ) );
+			assertFalse( validator.isValid( "http://2001:0db8:0a0b:12f0:0000:0000:0000:0001", null ) );
+		}
 	}
 
 	private void assertValidCharSequenceUrls(ConstraintValidator<URL, CharSequence> validator) {