-1

当我运行测试用例程序时,我的两个 str29 和 str32 测试用例失败了,所以我需要可以成功所有测试用例的正则表达式模式。

我的测试课程如下:

package com.csam.wsc.enabling.core.util.test;

import java.util.regex.Pattern;

public class RegularExTest {

    private static Pattern xssAttackPattern;
        // this pattern for whilte list character 
    private static final String XSS_ATTACK_REGULAR_EXPRESSION = "([A-Za-z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*";

    public static void main(String arg[]) {
        testSQLOrXSSInjectionAsWhiteListApproach();
    }

    private static Pattern getXSSAttackPattern() {
        xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION);
        return xssAttackPattern;
    }

    public static boolean hasXSSAttackOrSQLInjection(String value) {
        if (getXSSAttackPattern().matcher(value).matches())
            return false;
        return true;
    }

    public static void testSQLOrXSSInjectionAsWhiteListApproach() {

        String str0 = "";
        String str1 = ",:4,5}{A{,}1{}r,'ee4534:r,p],[A},{1}}{A{,}345:,";
        String str2 = "a";
        String str3 = "A#";
        String str4 = "#";
        String str5 = "#'";
        String str6 = "123";
        String str7 = "As";
        String str8 = "{#}";
        String str9 = "#{}";
        String str10 = "!";
        String str11 = "'124";
        String str12 = "123'";
        String str13 = "'";
        String str14 = "''";
        String str15 = "Hello";
        String str16 = "<>";
        String str17 = "<>/?\":;";
        String str18 = "!@#$%^&*()_+}{|\":<>?,./[]\\";
        String str19 = "Good";
        String str20 = "A\\%27";
        String str21 = ".";
        String str22 = "/";
        String str23 = "_";
        String str24 = ".'";
        String str25 = "/_";
        String str26 = "_.";
        String str27 = "http://rss.cnn.com/rss/edition_business.rss";
        String str28 = "http://rss.cnn.com/rss/edition_business.rss?id=121132511$@#$@$@#%242444+gfghgfhg";
        String str29 = "Communication in progress...";
        String str30 = "(";
        String str31 = ")";
        String str32 = "(.:[]{} ";
        String str33 = "(.:[]{} #";
        String str34 = "&";
        String str35 = "$";
        String str36 = "-dsfdsfddsfd2112212s";
        String str37 = "--dsfdsfddsfd2112212s";
        String str38 = "-dsfdsfdd-sfd2112212s";
        String str39 = "--";
        String str40 = "-";


        assertFalse(str0);
        assertTrue(str1);
        assertFalse(str2);
        assertTrue(str3);
        assertTrue(str4);
        assertTrue(str5);
        assertFalse(str6);
        assertFalse(str7);
        assertTrue(str8);
        assertTrue(str9);
        assertTrue(str10);
        assertTrue(str11);
        assertTrue(str12);
        assertTrue(str13);
        assertTrue(str14);
        assertFalse(str15);
        assertTrue(str16);
        assertTrue(str17);
        assertTrue(str18);
        assertFalse(str19);
        assertTrue(str20);
        assertFalse(str21);
        assertFalse(str22);
        assertFalse(str23);
        assertTrue(str24);
        assertFalse(str25);
        assertFalse(str26);
        assertFalse(str27);
        assertTrue(str28);
        assertFalse(str29);
        assertFalse(str30);
        assertFalse(str31);
        assertFalse(str32);
        assertTrue(str33);
        assertTrue(str34);
        assertTrue(str35);
        assertFalse(str36);
        assertTrue(str37);
        assertFalse(str38);
        assertTrue(str39);
        assertFalse(str40);


    }

    public static void assertFalse(String value) {
        boolean result = hasXSSAttackOrSQLInjection(value);
        String var = "undefined";
        if (result == false) {
            var = "success";
        } else {
            var = "fail";
        }
        System.out.println("For given string -> " + value + " -> " + var);
    }

    public static void assertTrue(String value) {
        boolean result = hasXSSAttackOrSQLInjection(value);
        String var = "undefined";
        if (result == true) {
            var = "success";
        } else {
            var = "fail";
        }
        System.out.println("For given string -> " + value + " -> " + var);
    }
}
4

1 回答 1

0

这是您的正则表达式作为字符串文字:

"([A-Za-z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*"

真正的正则表达式是:

([A-Za-z0-9,()[\\]{}\":./_\\s]|(?<!-)-)*

我在这里看到两个主要问题。

  1. 与大多数风格不同,Java 允许您将一个字符类嵌入到另一个字符类中。[您的正则表达式与方括号(或)不匹配,]因为它[\\]被解释为与反斜杠匹配的嵌入字符类。

  2. \\\\s在字符串文字中变成\\s了正则表达式。您可能的意思是\s,空白字符的类简写,但它实际上是一个文字反斜杠,后跟s.

您需要转义方括号并修复\s. 此正则表达式匹配您的所有示例字符串:

([A-Za-z0-9,()\[\]{}":./_\s\\]|(?<!-)-)*

当我创建一个带有文字反斜杠的字符类时,我喜欢把反斜杠放在最后。我发现这样读起来更容易一些,如果我把事情搞砸了,它更有可能抛出异常而不是默默地匹配错误的东西。

另请注意,对于正则表达式解析器,引号 ( ") 不需要转义,仅对于 Java 解析器。这意味着您在字符串文字中只需要一个反斜杠,而不是三个。这是您的正则表达式的最终字符串文字形式:

"([A-Za-z0-9,()\\[\\]{}\":./_\\s\\\\]|(?<!-)-)*"
于 2013-05-23T07:05:43.033 回答