feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

internal/security/validator.go

@@ -0,0 +1,185 @@
+package security
+
+import (
+	"net"
+	"regexp"
+	"strings"
+)
+
+// Validator groups lightweight validation and sanitization helpers.
+type Validator struct {
+	passwordMinLength      int
+	passwordRequireSpecial bool
+	passwordRequireNumber  bool
+}
+
+// NewValidator creates a validator with the configured password rules.
+func NewValidator(minLength int, requireSpecial, requireNumber bool) *Validator {
+	return &Validator{
+		passwordMinLength:      minLength,
+		passwordRequireSpecial: requireSpecial,
+		passwordRequireNumber:  requireNumber,
+	}
+}
+
+// ValidateEmail validates email format.
+func (v *Validator) ValidateEmail(email string) bool {
+	if email == "" {
+		return false
+	}
+
+	pattern := `^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`
+	matched, _ := regexp.MatchString(pattern, email)
+	return matched
+}
+
+// ValidatePhone validates mainland China mobile numbers.
+func (v *Validator) ValidatePhone(phone string) bool {
+	if phone == "" {
+		return false
+	}
+
+	pattern := `^1[3-9]\d{9}$`
+	matched, _ := regexp.MatchString(pattern, phone)
+	return matched
+}
+
+// ValidateUsername validates usernames.
+func (v *Validator) ValidateUsername(username string) bool {
+	if username == "" {
+		return false
+	}
+
+	pattern := `^[a-zA-Z][a-zA-Z0-9_]{3,19}$`
+	matched, _ := regexp.MatchString(pattern, username)
+	return matched
+}
+
+// ValidatePassword validates passwords using the shared runtime policy.
+func (v *Validator) ValidatePassword(password string) bool {
+	policy := PasswordPolicy{
+		MinLength:      v.passwordMinLength,
+		RequireSpecial: v.passwordRequireSpecial,
+		RequireNumber:  v.passwordRequireNumber,
+	}
+
+	return policy.Validate(password) == nil
+}
+
+// SanitizeSQL removes obviously dangerous SQL injection patterns using regex.
+// This is a defense-in-depth measure; parameterized queries should always be used.
+func (v *Validator) SanitizeSQL(input string) string {
+	// Escape SQL special characters by doubling them (SQL standard approach)
+	// Order matters: escape backslash first to avoid double-escaping
+	replacer := strings.NewReplacer(
+		`\`, `\\`,
+		`'`, `''`,
+		`"`, `""`,
+	)
+
+	// Remove common SQL injection patterns that could bypass quoting
+	dangerousPatterns := []string{
+		`;[\s]*--`,           // SQL comment
+		`/\*.*?\*/`,          // Block comment (non-greedy)
+		`\bxp_\w+`,           // Extended stored procedures
+		`\bexec[\s\(]`,       // EXEC statements
+		`\bsp_\w+`,           // System stored procedures
+		`\bwaitfor[\s]+delay`, // Time-based blind SQL injection
+		`\bunion[\s]+select`, // UNION injection
+		`\bdrop[\s]+table`,   // DROP TABLE
+		`\binsert[\s]+into`,   // INSERT
+		`\bupdate[\s]+\w+[\s]+set`, // UPDATE
+		`\bdelete[\s]+from`,   // DELETE
+	}
+
+	result := replacer.Replace(input)
+
+	// Apply pattern removal
+	for _, pattern := range dangerousPatterns {
+		re := regexp.MustCompile(`(?i)` + pattern) // Case-insensitive
+		result = re.ReplaceAllString(result, "")
+	}
+
+	return result
+}
+
+// SanitizeXSS removes obviously dangerous XSS patterns using regex.
+// This is a defense-in-depth measure; output encoding should always be used.
+func (v *Validator) SanitizeXSS(input string) string {
+	// Remove dangerous tags and attributes using pattern matching
+	dangerousPatterns := []struct {
+		pattern     string
+		replaceAll  bool
+	}{
+		{`(?i)<script[^>]*>.*?</script>`, true},    // Script tags
+		{`(?i)</script>`, false},                   // Closing script
+		{`(?i)<iframe[^>]*>.*?</iframe>`, true},   // Iframe injection
+		{`(?i)<object[^>]*>.*?</object>`, true},   // Object injection
+		{`(?i)<embed[^>]*>.*?</embed>`, true},     // Embed injection
+		{`(?i)<applet[^>]*>.*?</applet>`, true},   // Applet injection
+		{`(?i)javascript\s*:`, false},              // JavaScript protocol
+		{`(?i)vbscript\s*:`, false},               // VBScript protocol
+		{`(?i)data\s*:`, false},                   // Data URL protocol
+		{`(?i)on\w+\s*=`, false},                  // Event handlers
+		{`(?i)<style[^>]*>.*?</style>`, true},    // Style injection
+	}
+
+	result := input
+
+	for _, p := range dangerousPatterns {
+		re := regexp.MustCompile(p.pattern)
+		if p.replaceAll {
+			result = re.ReplaceAllString(result, "")
+		} else {
+			result = re.ReplaceAllString(result, "")
+		}
+	}
+
+	// Encode < and > to prevent tag construction
+	result = strings.ReplaceAll(result, "<", "&lt;")
+	result = strings.ReplaceAll(result, ">", "&gt;")
+
+	// Restore entities if they were part of legitimate content
+	result = strings.ReplaceAll(result, "&lt;", "<")
+	result = strings.ReplaceAll(result, "&gt;", ">")
+
+	return result
+}
+
+// ValidateURL validates a basic HTTP/HTTPS URL.
+func (v *Validator) ValidateURL(url string) bool {
+	if url == "" {
+		return false
+	}
+
+	pattern := `^https?://[a-zA-Z0-9\-._~:/?#[\]@!$&'()*+,;=]+$`
+	matched, _ := regexp.MatchString(pattern, url)
+	return matched
+}
+
+// ValidateIP validates IPv4 or IPv6 addresses using net.ParseIP.
+// Supports all valid formats including compressed IPv6 (::1, fe80::1, etc.)
+func (v *Validator) ValidateIP(ip string) bool {
+	if ip == "" {
+		return false
+	}
+	return net.ParseIP(ip) != nil
+}
+
+// ValidateIPv4 validates IPv4 addresses only.
+func (v *Validator) ValidateIPv4(ip string) bool {
+	if ip == "" {
+		return false
+	}
+	parsed := net.ParseIP(ip)
+	return parsed != nil && parsed.To4() != nil
+}
+
+// ValidateIPv6 validates IPv6 addresses only.
+func (v *Validator) ValidateIPv6(ip string) bool {
+	if ip == "" {
+		return false
+	}
+	parsed := net.ParseIP(ip)
+	return parsed != nil && parsed.To4() == nil
+}