ESAPI-C 1.0
The OWASP Enterprise Security API for C
|
Access Reference Map module header. More...
Go to the source code of this file.
Data Structures | |
struct | Map_t |
A hashable key-value pair for an access reference map. More... | |
Defines | |
#define | _ACCESS_REF_H |
#define | KEY_LEN 7 |
The fixed length of an access reference map key, generated by get_unique_reference(). | |
#define | VAL_LEN 64 |
The maximum length of an access reference map value. | |
Typedefs | |
typedef struct Map_t | map_t |
Functions | |
bool | esapi_put_reference (const char *, const char *) |
Adds an entry to the map. | |
char * | esapi_get_indirect_reference (const char *) |
Returns the indirect object reference for the given direct object reference. | |
char * | esapi_get_direct_reference (const char *) |
Returns the direct object reference (original value) for the given indirect object reference. | |
bool | esapi_remove_direct_reference (const char *) |
Removes the direct object reference from the map. | |
bool | esapi_remove_indirect_reference (const char *) |
Removes the indirect object reference from the map. | |
char * | esapi_get_unique_reference () |
Return a unique token string suitable for use as an indirect reference. | |
Variables | |
map_t * | v_map |
Value-to-key map. | |
map_t * | k_map |
Key-to-value map. |
Access Reference Map module header.
The Access Reference Map is used to map from a set of internal direct object references to a set of indirect references that are safe to disclose publicly. This can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references as it enables attackers to attempt to manipulate them.
Indirect references are handled as strings, to facilitate their use in GUI controls or service messages.
Note that in addition to defeating all forms of parameter tampering attacks, there is a side benefit of the Access Reference Map. Using random strings as indirect object references, as opposed to simple integers makes it impossible for an attacker to guess valid identifiers. So if per-user Access Reference Maps are used, then request forgery attacks will also be prevented.
char *value = "This is a direct object reference"; esapi_put_reference(esapi_get_unique_reference(value), value);
Definition in file access_ref.h.
#define VAL_LEN 64 |
The maximum length of an access reference map value.
Definition at line 47 of file access_ref.h.
char* esapi_get_direct_reference | ( | const char * | ) |
Returns the direct object reference (original value) for the given indirect object reference.
A | character array containing an indirect object reference |
Definition at line 64 of file access_ref.c.
char* esapi_get_indirect_reference | ( | const char * | ) |
Returns the indirect object reference for the given direct object reference.
A | character array containing a direct object reference |
Definition at line 50 of file access_ref.c.
char* esapi_get_unique_reference | ( | ) |
Return a unique token string suitable for use as an indirect reference.
Definition at line 131 of file access_ref.c.
References esapi_fill_random_token(), and KEY_LEN.
bool esapi_put_reference | ( | const char * | , |
const char * | |||
) |
Adds an entry to the map.
The indirect reference should be obtained by calling esapi_get_unique_reference().
A | character array containing an indirect object reference |
A | character array containing a direct object reference |
Definition at line 110 of file access_ref.c.
bool esapi_remove_direct_reference | ( | const char * | ) |
Removes the direct object reference from the map.
A | character array containing a direct object reference |
Definition at line 95 of file access_ref.c.
bool esapi_remove_indirect_reference | ( | const char * | ) |
Removes the indirect object reference from the map.
A | character array containing an indirect object reference |
Definition at line 78 of file access_ref.c.