add new method to extract sensitive information.

Author: righettod

.idea/inspectionProfiles/Project_Default.xml

@@ -74,6 +74,11 @@
             <artifactId>java-jwt</artifactId>
             <version>4.5.0</version>
         </dependency>
+        <dependency>
+            <groupId>org.iban4j</groupId>
+            <artifactId>iban4j</artifactId>
+            <version>3.2.11-RELEASE</version>
+        </dependency>
         <!-- TEST ONLY PURPOSE -->
         <dependency>
             <groupId>org.junit.jupiter</groupId>

.idea/runConfigurations/Run_Unt_Tests.xml …runConfigurations/Run_All_Unit_Tests.xml.idea/runConfigurations/Run_Unt_Tests.xml renamed to .idea/runConfigurations/Run_All_Unit_Tests.xml .idea/runConfigurations/Run_Unt_Tests.xml renamed to .idea/runConfigurations/Run_All_Unit_Tests.xml

@@ -30,6 +30,7 @@
 import org.apache.tika.metadata.Metadata;
 import org.apache.tika.mime.MediaType;
 import org.apache.tika.mime.MimeTypes;
+import org.iban4j.IbanUtil;
 import org.w3c.dom.Document;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
@@ -63,10 +64,14 @@
 import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.time.Duration;
+import java.time.LocalDate;
+import java.time.YearMonth;
+import java.time.ZoneId;
 import java.util.*;
 import java.util.List;
 import java.util.concurrent.*;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
@@ -1422,4 +1427,91 @@ public static boolean isXSDSafe(String xsdFilePath) {
         }
         return isSafe;
     }
+
+
+    /**
+     * Extract all sensitive information from a string provided.<br>
+     * This can be used to identify any sensitive information into a message expected to be written in a log and then replace every sensitive values by an obfuscated ones.<br>
+     * For the luxembourg national identification number, this method focus on detecting identifiers for a physical entity (people) and not a moral one (company).<br>
+     * I delegated the validation of the IBAN to a dedicated library to not "reinvent the wheel" and then introduce buggy validation myself.
+     *
+     * @param content String in which sensitive information must be searched.
+     * @return A map with the collection of identified sensitive information gathered by sensitive information type. If nothing is found then the map is empty. A type of sensitive information is only present if there is at least one item found. A set is used to not store duplicates occurrence of the same sensitive information.
+     * @throws Exception If any error occurs during the processing.
+     * @see "https://guichet.public.lu/en/citoyens/citoyennete/registre-national/identification/demande-numero-rnpp.html"
+     * @see "https://cnpd.public.lu/fr/decisions-avis/2009/identifiant-unique.html"
+     * @see "https://cnpd.public.lu/content/dam/cnpd/fr/decisions-avis/2009/identifiant-unique/48_2009.pdf"
+     * @see "https://en.wikipedia.org/wiki/International_Bank_Account_Number"
+     * @see "https://www.iban.com/structure"
+     * @see "https://github.com/arturmkrtchyan/iban4j"
+     * @see "https://cwe.mitre.org/data/definitions/532.html"
+     */
+    public static Map<SensitiveInformationType, Set<String>> extractAllSensitiveInformation(String content) throws Exception {
+        Pattern nationalIdentifierRegex = Pattern.compile("([0-9]{13})");
+        Pattern ibanNonHumanFormattedRegex = Pattern.compile("([A-Z]{2}[0-9]{2}[A-Z0-9]{11,30})", Pattern.CASE_INSENSITIVE);
+        Pattern ibanHumanFormattedRegex = Pattern.compile("([A-Z]{2}[0-9]{2}(?:\\s[A-Z0-9]{4}){2,7}\\s[A-Z0-9]{1,4})", Pattern.CASE_INSENSITIVE);
+        Map<SensitiveInformationType, Set<String>> data = new HashMap<>();
+        data.put(SensitiveInformationType.LUXEMBOURG_NATIONAL_IDENTIFICATION_NUMBER, new HashSet<>());
+        data.put(SensitiveInformationType.IBAN, new HashSet<>());
+
+        if (content != null && !content.isBlank()) {
+            /* Step 1: Search for LU national identifier */
+            //A national identifier have the following structure: [BIRTHDATE_YEAR_YYYY][BIRTHDATE_MONTH_MM][BIRTHDATE_DAY_DD][FIVE_INTEGER]
+            //Define minimal and maximal birth year base on current year
+            //Assume people live less than 120 years
+            int maxBirthYear = LocalDate.now(ZoneId.of("Europe/Luxembourg")).getYear();
+            int minBirthYear = maxBirthYear - 120;
+            Matcher matcher = nationalIdentifierRegex.matcher(content);
+            String nationalIdentierFull;
+            int nationalIdentierYear, nationalIdentierMonth, nationalIdentierDay;
+            while (matcher.find()) {
+                nationalIdentierFull = matcher.group(1);
+                //Check that the string is a valid national identifier and if yes then add it
+                nationalIdentierYear = Integer.parseInt(nationalIdentierFull.substring(0, 4));
+                nationalIdentierMonth = Integer.parseInt(nationalIdentierFull.substring(4, 6));
+                nationalIdentierDay = Integer.parseInt(nationalIdentierFull.substring(6, 8));
+                if (nationalIdentierYear >= minBirthYear && nationalIdentierYear <= maxBirthYear) {
+                    if (nationalIdentierMonth >= 1 && nationalIdentierMonth <= 12) {
+                        if (YearMonth.of(nationalIdentierYear, nationalIdentierMonth).isValidDay(nationalIdentierDay)) {
+                            data.get(SensitiveInformationType.LUXEMBOURG_NATIONAL_IDENTIFICATION_NUMBER).add(nationalIdentierFull);
+                        }
+                    }
+                }
+            }
+
+            /* Step 2a: Search for IBAN that are non human formatted */
+            matcher = ibanNonHumanFormattedRegex.matcher(content);
+            String iban, ibanUpperCased;
+            while (matcher.find()) {
+                iban = matcher.group(1);
+                ibanUpperCased = iban.toUpperCase(Locale.ROOT);
+                //Check that the string is a valid iban and if yes then add it
+                if (IbanUtil.isValid(ibanUpperCased)) {
+                    data.get(SensitiveInformationType.IBAN).add(iban);
+                }
+            }
+
+            /* Step 2b: Search for IBAN that are human formatted */
+            matcher = ibanHumanFormattedRegex.matcher(content);
+            String ibanUpperCasedNoSpace;
+            while (matcher.find()) {
+                iban = matcher.group(1);
+                ibanUpperCasedNoSpace = iban.toUpperCase(Locale.ROOT).replace(" ", "");
+                //Check that the string is a valid iban and if yes then add it
+                if (IbanUtil.isValid(ibanUpperCasedNoSpace)) {
+                    data.get(SensitiveInformationType.IBAN).add(iban);
+                }
+            }
+        }
+
+        //Cleanup if a set is empty
+        if (data.get(SensitiveInformationType.LUXEMBOURG_NATIONAL_IDENTIFICATION_NUMBER).isEmpty()) {
+            data.remove(SensitiveInformationType.LUXEMBOURG_NATIONAL_IDENTIFICATION_NUMBER);
+        }
+        if (data.get(SensitiveInformationType.IBAN).isEmpty()) {
+            data.remove(SensitiveInformationType.IBAN);
+        }
+
+        return data;
+    }
 }

pom.xml

@@ -0,0 +1,23 @@
+package eu.righettod;
+
+/**
+ * Enumeration used by the method <code>SecurityUtils.extractAllSensitiveInformation()</code> to identify types of information found.
+ */
+public enum SensitiveInformationType {
+    /**
+     * National identifier used by government entities in Luxembourg to identify uniquely citizens.
+     *
+     * @see "https://guichet.public.lu/en/citoyens/citoyennete/registre-national/identification/demande-numero-rnpp.html"
+     * @see "https://cnpd.public.lu/fr/decisions-avis/2009/identifiant-unique.html"
+     *
+     */
+    LUXEMBOURG_NATIONAL_IDENTIFICATION_NUMBER,
+
+    /**
+     * International Bank Account Number.
+     *
+     * @see "https://en.wikipedia.org/wiki/International_Bank_Account_Number"
+     */
+    IBAN
+
+}

src/main/java/eu/righettod/SecurityUtils.java

@@ -663,11 +663,83 @@ public void isXSDSafe() {
             String testFile = getTestFilePath(f);
             assertFalse(SecurityUtils.isXSDSafe(testFile), String.format(TEMPLATE_MESSAGE_FALSE_NEGATIVE_FOR_FILE, testFile));
         });
-        List<String> safeFileList = Arrays.asList("test-xsd-no-external-schema.xsd");
+        List<String> safeFileList = List.of("test-xsd-no-external-schema.xsd");
         safeFileList.forEach(f -> {
             String testFile = getTestFilePath(f);
             assertTrue(SecurityUtils.isXSDSafe(testFile), String.format(TEMPLATE_MESSAGE_FALSE_POSITIVE_FOR_FILE, testFile));
         });
     }
+
+    @Test
+    public void extractAllSensitiveInformation() {
+        /* Test extraction of a single type of sensitive information */
+        //Case format is the following
+        //[0]: The string containing one or several sensitive information
+        //[1]: The collection of sensitive information separated by a ;
+        //[2]: The type of sensitive information
+        String luxNationalIdTypeName = SensitiveInformationType.LUXEMBOURG_NATIONAL_IDENTIFICATION_NUMBER.name();
+        String ibanTypeName = SensitiveInformationType.IBAN.name();
+        final List<String[]> casesWithSensitiveData = new ArrayList<>();
+        casesWithSensitiveData.add(new String[]{"I expected to log 1955010112345", "1955010112345", luxNationalIdTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to log 1955010112345 from 1974052254321", "1955010112345;1974052254321", luxNationalIdTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to\nlog 1955010112345\nfrom\t1974052254321", "1955010112345;1974052254321", luxNationalIdTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to log BE71096123456769", "BE71096123456769", ibanTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to log BE71096123456769 with EG800002000156789012345180002", "BE71096123456769;EG800002000156789012345180002", ibanTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to\nlog BE71096123456769\nwith\tEG800002000156789012345180002", "BE71096123456769;EG800002000156789012345180002", ibanTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to log DE89 3704 0044 0532 0130 00", "DE89 3704 0044 0532 0130 00", ibanTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to log DE89 3704 0044 0532 0130 00 with FR14 2004 1010 0505 0001 3M02 606", "DE89 3704 0044 0532 0130 00;FR14 2004 1010 0505 0001 3M02 606", ibanTypeName});
+        casesWithSensitiveData.add(new String[]{"I expected to\nlog DE89 3704 0044 0532 0130 00 with\tFR14 2004 1010 0505 0001 3M02 606", "DE89 3704 0044 0532 0130 00;FR14 2004 1010 0505 0001 3M02 606", ibanTypeName});
+        casesWithSensitiveData.forEach(caseData -> {
+            try {
+                String content = caseData[0];
+                List<String> expectedInfos = Arrays.stream(caseData[1].split(";")).toList();
+                SensitiveInformationType expectedInfosType = SensitiveInformationType.valueOf(caseData[2]);
+                Map<SensitiveInformationType, Set<String>> data = SecurityUtils.extractAllSensitiveInformation(content);
+                assertEquals(1, data.size(), String.format("[%s] The number of type of identified information is incorrect!", caseData[2]));
+                assertEquals(expectedInfos.size(), data.get(expectedInfosType).size(), String.format("[%s] The number of identified information is incorrect!", caseData[2]));
+                assertTrue(expectedInfos.containsAll(data.get(expectedInfosType)), String.format("[%s] The identified information is incorrect!", caseData[2]));
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        });
+
+        /* Test extraction of all the types of sensitive information */
+        SensitiveInformationType luxNationalIdType = SensitiveInformationType.LUXEMBOURG_NATIONAL_IDENTIFICATION_NUMBER;
+        SensitiveInformationType ibanType = SensitiveInformationType.IBAN;
+        String content = "I expected\nto log 1955010112345 and 1974052254321\tfrom DE89 3704 0044 0532 0130 00\nwith BE71096123456769";
+        Set<String> nationalIdentifierExpected = Set.of("1955010112345", "1974052254321");
+        Set<String> ibanExpected = Set.of("DE89 3704 0044 0532 0130 00", "BE71096123456769");
+        try {
+            Map<SensitiveInformationType, Set<String>> data = SecurityUtils.extractAllSensitiveInformation(content);
+            assertEquals(2, data.size(), "[COMBINED] The number of type of identified information is incorrect!");
+            assertEquals(2, data.get(luxNationalIdType).size(), String.format("[COMBINED][%s] The number of identified information is incorrect!", luxNationalIdType));
+            assertEquals(2, data.get(ibanType).size(), String.format("[COMBINED][%s] The number of identified information is incorrect!", ibanType));
+            assertTrue(nationalIdentifierExpected.containsAll(data.get(luxNationalIdType)), String.format("[%s] The identified information is incorrect!", luxNationalIdType));
+            assertTrue(ibanExpected.containsAll(data.get(ibanType)), String.format("[%s] The identified information is incorrect!", ibanType));
+        } catch (Exception e) {
+            fail(e);
+        }
+
+        /* Test extraction of sensitive information from content without any sensitive information */
+        //Case format is the the direct string content
+        final List<String> casesWithoutSensitiveData = new ArrayList<>();
+        casesWithoutSensitiveData.add("Hello World");
+        casesWithoutSensitiveData.add("Hello World from 1111111111111");
+        casesWithoutSensitiveData.add("Hello World from 3000010112345");
+        casesWithoutSensitiveData.add("Hello World from 1800010112345");
+        casesWithoutSensitiveData.add("Hello\nWorld from\t1980130112345");
+        casesWithoutSensitiveData.add("Hello World from 1980023112345");
+        casesWithoutSensitiveData.add("Hello World from DE89 3704 0044 0532 0130 AA");
+        casesWithoutSensitiveData.add("Hello World from SV43ACAT000000000000001231XX");
+        casesWithoutSensitiveData.forEach(caseData -> {
+            try {
+                Map<SensitiveInformationType, Set<String>> data = SecurityUtils.extractAllSensitiveInformation(caseData);
+                assertTrue(data.isEmpty(), "The number of type of identified information is incorrect!");
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        });
+
+    }
 }