Polish toLower/UpperCase Usage

Apply the common security hardening
technique of specifying Locale when
calling toLowerCase and toUpperCase

Closes gh-965

Author: jzheaux

Diff for: core/src/main/java/org/springframework/ldap/core/LdapRdnComponent.java

@@ -15,16 +15,18 @@
  */
 package org.springframework.ldap.core;
 
+import java.io.Serializable;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Locale;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+
 import org.springframework.ldap.support.LdapEncoder;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
-import java.io.Serializable;
-import java.net.URI;
-import java.net.URISyntaxException;
-
 /**
  * Represents part of an LdapRdn. As specified in RFC2253 an LdapRdn may be
  * composed of several attributes, separated by "+". An
@@ -74,9 +76,9 @@ public LdapRdnComponent(String key, String value, boolean decodeValue) {
 
 		String caseFold = System.getProperty(DistinguishedName.KEY_CASE_FOLD_PROPERTY);
 		if (!StringUtils.hasText(caseFold) || caseFold.equals(DistinguishedName.KEY_CASE_FOLD_LOWER)) {
-			this.key = key.toLowerCase();
+			this.key = key.toLowerCase(Locale.ROOT);
 		} else if (caseFold.equals(DistinguishedName.KEY_CASE_FOLD_UPPER)) {
-			this.key = key.toUpperCase();
+			this.key = key.toUpperCase(Locale.ROOT);
 		} else if (caseFold.equals(DistinguishedName.KEY_CASE_FOLD_NONE)) {
 			this.key = key;
 		} else {
@@ -85,7 +87,7 @@ public LdapRdnComponent(String key, String value, boolean decodeValue) {
                             + "; expected \"" + DistinguishedName.KEY_CASE_FOLD_LOWER + "\", \""
                             + DistinguishedName.KEY_CASE_FOLD_UPPER + "\", or \""
                             + DistinguishedName.KEY_CASE_FOLD_NONE + "\"");
-			this.key = key.toLowerCase();
+			this.key = key.toLowerCase(Locale.ROOT);
 		}
 		if (decodeValue) {
 			this.value = LdapEncoder.nameDecode(value);
@@ -191,7 +193,7 @@ public String encodeUrl() {
 	 * @see java.lang.Object#hashCode()
 	 */
 	public int hashCode() {
-		return key.toUpperCase().hashCode() ^ value.toUpperCase().hashCode();
+		return key.toUpperCase(Locale.ROOT).hashCode() ^ value.toUpperCase(Locale.ROOT).hashCode();
 	}
 
 	/*
@@ -227,9 +229,9 @@ public int compareTo(Object obj) {
 
         // It's safe to compare directly against key and value,
         // because they are validated not to be null on instance creation.
-        int keyCompare = this.key.toLowerCase().compareTo(that.key.toLowerCase());
+        int keyCompare = this.key.toLowerCase(Locale.ROOT).compareTo(that.key.toLowerCase(Locale.ROOT));
         if(keyCompare == 0) {
-            return this.value.toLowerCase().compareTo(that.value.toLowerCase());
+            return this.value.toLowerCase(Locale.ROOT).compareTo(that.value.toLowerCase(Locale.ROOT));
         } else {
             return keyCompare;
         }

Diff for: core/src/main/java/org/springframework/ldap/core/NameAwareAttributes.java

@@ -16,13 +16,15 @@
 
 package org.springframework.ldap.core;
 
-import org.springframework.util.Assert;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
 
 import javax.naming.NamingEnumeration;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
-import java.util.HashMap;
-import java.util.Map;
+
+import org.springframework.util.Assert;
 
 /**
  * Used internally to help DirContextAdapter properly handle Names as values.
@@ -65,7 +67,7 @@ public int size() {
     @Override
     public NameAwareAttribute get(String attrID) {
         Assert.hasLength(attrID, "Attribute ID must not be empty");
-        return attributes.get(attrID.toLowerCase());
+        return attributes.get(attrID.toLowerCase(Locale.ROOT));
     }
 
     @Override
@@ -82,7 +84,7 @@ public NamingEnumeration<String> getIDs() {
     public Attribute put(String attrID, Object val) {
         Assert.hasLength(attrID, "Attribute ID must not be empty");
         NameAwareAttribute newAttribute = new NameAwareAttribute(attrID, val);
-        attributes.put(attrID.toLowerCase(), newAttribute);
+        attributes.put(attrID.toLowerCase(Locale.ROOT), newAttribute);
 
         return newAttribute;
     }
@@ -91,15 +93,15 @@ public Attribute put(String attrID, Object val) {
     public Attribute put(Attribute attr) {
         Assert.notNull(attr, "Attribute must not be null");
         NameAwareAttribute newAttribute = new NameAwareAttribute(attr);
-        attributes.put(attr.getID().toLowerCase(), newAttribute);
+        attributes.put(attr.getID().toLowerCase(Locale.ROOT), newAttribute);
 
         return newAttribute;
     }
 
     @Override
     public Attribute remove(String attrID) {
         Assert.hasLength(attrID, "Attribute ID must not be empty");
-        return attributes.remove(attrID.toLowerCase());
+        return attributes.remove(attrID.toLowerCase(Locale.ROOT));
     }
 
     @Override

Diff for: core/src/main/java/org/springframework/ldap/odm/core/impl/CaseIgnoreString.java

@@ -16,6 +16,8 @@
 
 package org.springframework.ldap.odm.core.impl;
 
+import java.util.Locale;
+
 import org.springframework.util.Assert;
 
 // A case independent String wrapper.
@@ -26,7 +28,7 @@
     public CaseIgnoreString(String string) {
         Assert.notNull(string, "string must not be null");
         this.string = string;
-        hashCode = string.toUpperCase().hashCode();
+        hashCode = string.toUpperCase(Locale.ROOT).hashCode();
     }
 
     public boolean equals(Object other) {

Diff for: core/src/main/java/org/springframework/ldap/support/LdapEncoder.java

@@ -17,10 +17,10 @@
 package org.springframework.ldap.support;
 
 import java.util.Base64;
+import java.util.Locale;
 
 import org.springframework.ldap.BadLdapGrammarException;
 import org.springframework.util.Assert;
-import org.springframework.util.ClassUtils;
 
 
 /**
@@ -82,7 +82,7 @@ private LdapEncoder() {
 
     protected static String toTwoCharHex(char c) {
 
-        String raw = Integer.toHexString(c).toUpperCase();
+        String raw = Integer.toHexString(c).toUpperCase(Locale.ROOT);
 
         if (raw.length() > 1) {
             return raw;

Diff for: odm/src/main/java/org/springframework/ldap/odm/tools/SchemaReader.java

@@ -16,15 +16,17 @@
 
 package org.springframework.ldap.odm.tools;
 
-import org.springframework.ldap.odm.tools.SyntaxToJavaClass.ClassInfo;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
 
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.DirContext;
-import java.util.HashSet;
-import java.util.Set;
+
+import org.springframework.ldap.odm.tools.SyntaxToJavaClass.ClassInfo;
 
 // Processes LDAP Schema
 /* package */ final class SchemaReader {
@@ -148,7 +150,7 @@ private void createObjectClass(Set<String> objectClasses, DirContext schemaConte
                 Attribute currentAttribute = valuesEnumeration.nextElement();
 
                 // Get the attribute name and lower case it (as this is all case indep)
-                String currentId = currentAttribute.getID().toUpperCase();
+                String currentId = currentAttribute.getID().toUpperCase(Locale.ROOT);
 
                 // Is this a MUST, MAY or SUP attribute
                 SchemaAttributeType type = getSchemaAttributeType(currentId);
@@ -160,7 +162,7 @@ private void createObjectClass(Set<String> objectClasses, DirContext schemaConte
                     switch (type) {
                         case SUP:
                             // Its a super class
-                            String lowerCased=currentValue.toLowerCase();
+                            String lowerCased=currentValue.toLowerCase(Locale.ROOT);
                             if (!schema.getObjectClass().contains(lowerCased)) {
                                 supList.add(lowerCased);
                             }

Diff for: odm/src/main/java/org/springframework/ldap/odm/tools/SchemaToJava.java

@@ -16,23 +16,6 @@
 
 package org.springframework.ldap.odm.tools;
 
-import freemarker.template.Configuration;
-import freemarker.template.DefaultObjectWrapper;
-import freemarker.template.Template;
-import freemarker.template.TemplateException;
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.PosixParser;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.naming.Context;
-import javax.naming.NamingException;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.InitialDirContext;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -44,11 +27,30 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Hashtable;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+
+import freemarker.template.Configuration;
+import freemarker.template.DefaultObjectWrapper;
+import freemarker.template.Template;
+import freemarker.template.TemplateException;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.PosixParser;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 /**
  * This tool creates a Java class representation of a set of LDAP object classes for use 
  * with {@link org.springframework.ldap.odm.core.OdmManager}.
@@ -328,7 +330,7 @@ private static Set<String> parseObjectClassesFlag(String objectClassesFlag) {
 
         for (String objectClassFlag : objectClassesFlag.split(",")) {
             if (objectClassFlag.length() > 0) {
-                objectClasses.add(objectClassFlag.toLowerCase().trim());
+                objectClasses.add(objectClassFlag.toLowerCase(Locale.ROOT).trim());
             }
         }
 

Diff for: samples/user-admin/src/main/webapp/resources/jquery/jquery.min.js

@@ -39,6 +39,7 @@
 import javax.naming.directory.ModificationItem;
 import java.io.UnsupportedEncodingException;
 import java.util.List;
+import java.util.Locale;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.fail;
@@ -107,7 +108,7 @@ private void createUser(String username) throws UnsupportedEncodingException {
         ctx.setAttributeValue("userPrincipalName", username + "@example.com");
         ctx.setAttributeValue("cn", username);
         ctx.setAttributeValue("description", "Dummy user");
-        ctx.setAttributeValue("sAMAccountName", username.toUpperCase() + "." + username.toUpperCase());
+        ctx.setAttributeValue("sAMAccountName", username.toUpperCase(Locale.ENGLISH) + "." + username.toUpperCase(Locale.ENGLISH));
         ctx.setAttributeValue("userAccountControl", "512");
 
         String newQuotedPassword = "\"" + DEFAULT_PASSWORD + "\"";