demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

ESAPI.validator().getValidInput() returns misleading Exception #278

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Calling

ESAPI.validator().getValidInput("...", "%252%35252\u0036lt;", SafeString, 200, 
false)

with

Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$

in my validation.properties throws an ValidationException instead of an 
IntrusionException because of the multiple and mixed encoding 
(Encoder.AllowMultipleEncoding and Encoder.AllowMixedEncoding are both set to 
false in the esapi.properties).
The expected default behavior of the getValidInput method is that it 
canonicalize the input and validate them after all. But when I had a look into 
the code I saw that it first validates the input than canonicalize it and than 
validate it once again and leads to the ValidationException during the first 
validation because % is no alphanumerical character. The api docs of 
getValidInput says "Input is canonicalized by default before validation. ". 
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/refe
rence/DefaultValidator.html#getValidInput(java.lang.String,%20java.lang.String,%
20java.lang.String,%20int,%20boolean)

Original issue reported on code.google.com by Christop...@googlemail.com on 18 Jul 2012 at 4:45