ESAPI-C 1.0
The OWASP Enterprise Security API for C

access_ref.h File Reference

Access Reference Map module header. More...

#include <stdbool.h>
#include "crypto.h"
#include "uthash.h"


Data Structures

struct  Map_t
 A hashable key-value pair for an access reference map. More...

Defines

#define _ACCESS_REF_H
#define KEY_LEN   7
 The fixed length of an access reference map key, as generated by esapi_get_unique_reference().
#define VAL_LEN   64
 The maximum length of an access reference map value.

Typedefs

typedef struct Map_t map_t

Functions

bool esapi_put_reference (const char *, const char *)
 Adds an entry to the map.
char * esapi_get_indirect_reference (const char *)
 Returns the indirect object reference for the given direct object reference.
char * esapi_get_direct_reference (const char *)
 Returns the direct object reference (original value) for the given indirect object reference.
bool esapi_remove_direct_reference (const char *)
 Removes the direct object reference from the map.
bool esapi_remove_indirect_reference (const char *)
 Removes the indirect object reference from the map.
char * esapi_get_unique_reference ()
 Returns a unique random token string suitable for use as an indirect reference.

Variables

map_t v_map
 Value-to-key map (direct reference to indirect reference).
map_t k_map
 Key-to-value map (indirect reference to direct reference).

Detailed Description

Access Reference Map module header.

The Access Reference Map is used to map from a set of internal direct object references to a set of indirect references that are safe to disclose publicly. This can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references, since doing so lets attackers tamper with them (for example, by changing a numeric ID or a path in a request to reach an object that was never offered to them).

Indirect references are handled as strings, to facilitate their use in GUI controls or service messages.

Note that in addition to defeating parameter tampering against the references that pass through the map, there is a side benefit of the Access Reference Map. Using random strings as indirect object references, as opposed to simple integers, makes it infeasible for an attacker to guess valid identifiers. So if per-user Access Reference Maps are used, request forgery attacks that depend on guessable references are also prevented. How hard a token is to guess depends on KEY_LEN and on the alphabet esapi_fill_random_token() draws from, and the map itself does not check that the caller is authorized for the object a token resolves to; that check remains the job of the application's access control.

        const char *value = "This is a direct object reference";
        char *key = esapi_get_unique_reference();   /* takes no arguments */
        esapi_put_reference(key, value);            /* key is what the client sees */
Since:
January 30, 2011

Definition in file access_ref.h.
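The put, get and remove round trip described above, as an added example that is not ESAPI-C's own code: it does not include access_ref.h, crypto.h or uthash.h, and every arm_* name, the 128-entry array that stands in for the uthash table, the /dev/urandom token source and the sample path are assumptions of this example. It mirrors the shape of the six functions listed on this page so the reader can see what the map does with a tampered token and a reused one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mirrors KEY_LEN and VAL_LEN from access_ref.h (assumed: KEY_LEN excludes the NUL). */
#define ARM_KEY_LEN 7
#define ARM_VAL_LEN 64
#define ARM_MAX_ENTRIES 128   /* hypothetical fixed capacity; ESAPI-C uses uthash instead */

typedef struct {
    char key[ARM_KEY_LEN + 1];   /* indirect reference (public token); empty = free slot */
    char val[ARM_VAL_LEN];       /* direct reference (internal value) */
} arm_entry_t;
static arm_entry_t arm_table[ARM_MAX_ENTRIES];

/* Linear scan on the key column or the value column (pass NULL for the one not used). */
static arm_entry_t *arm_find(const char *key, const char *val) {
    for (size_t i = 0; i < ARM_MAX_ENTRIES; i++) {
        arm_entry_t *e = &arm_table[i];
        if (e->key[0] == '\0') continue;
        if ((key && strcmp(e->key, key) == 0) || (val && strcmp(e->val, val) == 0)) return e;
    }
    return NULL;
}

/* Stand-in for esapi_fill_random_token(): ARM_KEY_LEN characters from a 64-symbol URL-safe
 * alphabet, sourced from /dev/urandom. 64 divides 256, so "& 63" introduces no bias. */
static bool arm_fill_random_token(char *tok) {
    static const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    unsigned char raw[ARM_KEY_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return false;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return false;
    for (size_t i = 0; i < sizeof raw; i++) tok[i] = alphabet[raw[i] & 63];
    tok[ARM_KEY_LEN] = '\0';
    return true;
}

/* Mint a token that is not already a key in the map. The caller frees the result. */
char *arm_get_unique_reference(void) {
    char *tok = malloc(ARM_KEY_LEN + 1);
    if (tok == NULL) return NULL;
    do {
        if (!arm_fill_random_token(tok)) { free(tok); return NULL; }
    } while (arm_find(tok, NULL) != NULL);   /* retry on the rare collision */
    return tok;
}

/* Insert a pair; refuse malformed input and duplicates in either direction. */
bool arm_put_reference(const char *indirect, const char *direct) {
    if (!indirect || !direct || strlen(indirect) != ARM_KEY_LEN || strlen(direct) >= ARM_VAL_LEN)
        return false;
    if (arm_find(indirect, direct) != NULL) return false;
    for (size_t i = 0; i < ARM_MAX_ENTRIES; i++) {
        if (arm_table[i].key[0] != '\0') continue;
        memcpy(arm_table[i].key, indirect, ARM_KEY_LEN + 1);
        strcpy(arm_table[i].val, direct);   /* length checked above */
        return true;
    }
    return false;   /* map full */
}

const char *arm_get_direct_reference(const char *indirect) {
    arm_entry_t *e = indirect ? arm_find(indirect, NULL) : NULL;
    return e ? e->val : NULL;
}

const char *arm_get_indirect_reference(const char *direct) {
    arm_entry_t *e = direct ? arm_find(NULL, direct) : NULL;
    return e ? e->key : NULL;
}

static bool arm_remove(arm_entry_t *e) {
    if (e == NULL) return false;
    memset(e, 0, sizeof *e);   /* frees the slot and scrubs the direct reference */
    return true;
}
bool arm_remove_indirect_reference(const char *k) { return arm_remove(k ? arm_find(k, NULL) : NULL); }
bool arm_remove_direct_reference(const char *v)   { return arm_remove(v ? arm_find(NULL, v) : NULL); }

/* The flow described on the page, with a constructed sample path: hide the path behind a
 * token, resolve the token a client sends back, reject a tampered one, then revoke. */
bool arm_round_trip_demo(void) {
    const char *direct = "/srv/reports/user42/statement.pdf";
    char *tok = arm_get_unique_reference();
    if (tok == NULL || !arm_put_reference(tok, direct)) { free(tok); return false; }
    char tampered[ARM_KEY_LEN + 1];
    memcpy(tampered, tok, sizeof tampered);
    tampered[0] = (tampered[0] == 'A') ? 'B' : 'A';          /* one character changed */
    bool ok = strcmp(arm_get_direct_reference(tok), direct) == 0;      /* token -> path */
    ok = ok && strcmp(arm_get_indirect_reference(direct), tok) == 0;    /* path -> token */
    ok = ok && arm_get_direct_reference(tampered) == NULL;              /* tampering gets nothing */
    ok = ok && !arm_put_reference(tok, "/srv/reports/other.pdf");       /* token reuse refused */
    ok = ok && arm_remove_indirect_reference(tok) && arm_get_direct_reference(tok) == NULL;
    free(tok);
    return ok;
}
```

A main() that calls arm_round_trip_demo() exercises the whole sequence. Two choices in this example carry the security claim made in the description: tokens are drawn from a 64-symbol alphabet with an unbiased mask, so a 7-character token has 64^7 (about 4.4 x 10^12) possible values, and the map keeps its own copies of both strings, so a caller cannot change an entry by mutating the buffer it passed in. Note that nothing here decides whether the caller may see the object a token resolves to; that authorization check belongs in the application.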


Define Documentation

#define VAL_LEN   64

The maximum length of an access reference map value.

Todo:
Change to support dynamically sized values.

Definition at line 47 of file access_ref.h.


Function Documentation

char* esapi_get_direct_reference (const char *)

Returns the direct object reference (original value) for the given indirect object reference.

Parameters:
A character array containing an indirect object reference
Returns:
A character array containing a direct object reference

Definition at line 64 of file access_ref.c.

char* esapi_get_indirect_reference (const char *)

Returns the indirect object reference for the given direct object reference.

Parameters:
A character array containing a direct object reference
Returns:
A character array containing an indirect object reference

Definition at line 50 of file access_ref.c.

char* esapi_get_unique_reference ()

Returns a unique random token string of KEY_LEN characters suitable for use as an indirect reference.

Returns:
A character array containing an indirect object reference

Definition at line 131 of file access_ref.c.

References esapi_fill_random_token(), and KEY_LEN.

bool esapi_put_reference (const char *, const char *)

Adds an entry to the map.

The indirect reference should be obtained by calling esapi_get_unique_reference().

Parameters:
A character array containing an indirect object reference
A character array containing a direct object reference
See also:
esapi_get_unique_reference()

Definition at line 110 of file access_ref.c.

bool esapi_remove_direct_reference (const char *)

Removes the direct object reference from the map.

Parameters:
A character array containing a direct object reference

Definition at line 95 of file access_ref.c.

bool esapi_remove_indirect_reference (const char *)

Removes the indirect object reference from the map.

Parameters:
A character array containing an indirect object reference

Definition at line 78 of file access_ref.c.
