Add method computing 'safe' hash - Implement #1

Author: drighetto

src/main/java/eu/righettod/SecurityUtils.java

@@ -32,7 +32,9 @@
 import java.net.InetAddress;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.security.MessageDigest;
 import java.util.*;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
@@ -532,4 +534,34 @@ public static boolean isPublicIPAddress(String ip) {
         }
         return isValid;
     }
+
+    /**
+     * Compute a SHA256 hash from an input composed of a collection of strings.<br>
+     * This method take care to build the source string in a way to prevent this source string to be prone to abuse<br>
+     * targeting the different parts composing it.<br>
+     * Example of abuse:<br>
+     * <code>SHA256("Hello" + "My" + "World!!!")</code> is not equals to <code>SHA256("Hell" + "oMyW" + "orld!!!")</code>
+     *
+     * @param parts Ordered list of strings to use to build the input string for which the hash must be computed on. No null value is accepted on object composing the collection.
+     * @return The hash, as an array of bytes, to allow caller to convert it to the final representation wanted (HEX, Base64, etc.). If the collection passed is null or empty then the method return null.
+     * @throws Exception If any exception occurs
+     * @see "https://pentesterlab.com/badges/codereview"
+     */
+    public static byte[] computeHashNoProneToAbuseOnParts(List<String> parts) throws Exception {
+        byte[] hash = null;
+        if (parts != null && !parts.isEmpty()) {
+            //Ensure that not part is null
+            if (parts.stream().anyMatch(Objects::isNull)) {
+                throw new IllegalArgumentException("No part must be null!");
+            }
+            String separator = "|";
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            final StringBuilder buffer = new StringBuilder(separator);
+            parts.forEach(p -> {
+                buffer.append(p).append(separator);
+            });
+            hash = digest.digest(buffer.toString().getBytes(StandardCharsets.UTF_8));
+        }
+        return hash;
+    }
 }

src/test/java/eu/righettod/TestSecurityUtils.java

@@ -220,5 +220,34 @@ public void isPublicIPAddress() throws Exception {
             assertTrue(SecurityUtils.isPublicIPAddress(ip), String.format(templateMsgIPFalsePositive, ip));
         });
     }
+
+    @Test
+    public void computeHashNoProneToAbuseOnParts() throws Exception {
+        final String msgError = "Hash are expected to be different!";
+        final String exceptionMsg = "No part must be null!";
+        //Test cases for valid input passed
+        List<String> reference = Arrays.asList("Hello from", " my amazing country", " in europe!");
+        List<String> abuse1 = Arrays.asList("Hello fro", "m my amazing count", "ry in europe!");
+        List<String> abuse2 = Arrays.asList("", "Hello from my amazing country in europe!", "");
+        //--Ensure that source string are the sames when parts are joined
+        assertEquals(String.join("", reference), String.join("", abuse1));
+        assertEquals(String.join("", reference), String.join("", abuse2));
+        assertEquals(String.join("", abuse1), String.join("", abuse2));
+        //--Compute and validate hashes
+        byte[] hashReference = SecurityUtils.computeHashNoProneToAbuseOnParts(reference);
+        byte[] hashAbuse1 = SecurityUtils.computeHashNoProneToAbuseOnParts(abuse1);
+        byte[] hashAbuse2 = SecurityUtils.computeHashNoProneToAbuseOnParts(abuse2);
+        assertFalse(Arrays.equals(hashReference, hashAbuse1), msgError);
+        assertFalse(Arrays.equals(hashReference, hashAbuse2), msgError);
+        assertFalse(Arrays.equals(hashAbuse1, hashAbuse2), msgError);
+        //Test case for invalid input passed
+        List<String> invalidInput = Arrays.asList("Hello from", " my amazing country", " in europe!", null);
+        IllegalArgumentException thrown = assertThrows(
+                IllegalArgumentException.class,
+                () -> SecurityUtils.computeHashNoProneToAbuseOnParts(invalidInput),
+                "Expected IllegalArgumentException() to throw but invalid input was accepted!"
+        );
+        assertTrue(thrown.getMessage().contains(exceptionMsg));
+    }
 }