// Copyright 2021 Code Intelligence GmbH
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package com.example.el;

import static java.lang.String.format;

import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;

/**
 * Bean Validation validator for {@link ValidEmailConstraint} that deliberately embeds the value
 * under validation in the constraint-violation message template.
 *
 * <p>The template handed to {@code buildConstraintViolationWithTemplate} is interpolated by the
 * validation provider, and providers such as Hibernate Validator can evaluate expression-language
 * constructs found in it (older versions did so by default). Building that template from the
 * unvalidated {@code email} string therefore lets caller-controlled text reach the interpolator.
 * The safe pattern is a constant template (for example {@code "Invalid email address"}), with the
 * offending value surfaced through a message parameter or logged separately, never concatenated
 * into the template itself.
 *
 * <p>This class keeps the unsafe call on purpose: it is the "insecure" counterpart used by the
 * surrounding fuzzing example, so its behavior is intentionally left as is.
 */
public class InsecureEmailValidator implements ConstraintValidator<ValidEmailConstraint, String> {

  /** No per-constraint configuration is read, so there is nothing to set up here. */
  @Override
  public void initialize(ValidEmailConstraint email) {}

  /**
   * Checks that {@code email} loosely resembles an address (non-empty local part, {@code @},
   * non-empty domain containing a dot) and records a violation when it does not.
   *
   * @param email the value under validation; {@code null} is treated as invalid
   * @param cxt the validator context used to record the violation; only touched on the invalid
   *     path
   * @return {@code true} when the value matches the loose pattern, {@code false} otherwise
   */
  @Override
  public boolean isValid(String email, ConstraintValidatorContext cxt) {
    boolean looksLikeAddress = email != null && email.matches(".+@.+\\..+");
    if (looksLikeAddress) {
      return true;
    }
    // Insecure: do not call buildConstraintViolationWithTemplate with untrusted data!
    // The raw input is spliced into the message template, which the provider then interpolates.
    String template = format("Invalid email address: %s", email);
    cxt.buildConstraintViolationWithTemplate(template).addConstraintViolation();
    return false;
  }
}