ibnemahdi / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

HTTPParameterValue regular expression is too restrictive #151

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. We are entering an email id in a field, but it throws an exception for the email id.
The following is the code for the same.

```java
ESAPI.httpUtilities().setCurrentHTTP(request, response);

// log this request, obfuscating any parameter named password
// (logger and obfuscate are defined elsewhere in the filter, not shown here)
ESAPI.httpUtilities().logHTTPRequest(ESAPI.httpUtilities().getCurrentRequest(), logger, Arrays.asList(obfuscate));

// reject the whole request if any parameter fails the ESAPI validation rules
if (!ESAPI.validator().isValidHTTPRequest(request)) {
    request.setAttribute("message", "Validation error");
    RequestDispatcher dispatcher = request.getRequestDispatcher("/test/common/pagenotfound.jsp");
    dispatcher.forward(request, response);
    ESAPI.authenticator().clearCurrent();
    ESAPI.httpUtilities().setCurrentHTTP(null, null);
    return;
}
```


What is the expected output? What do you see instead?
The email should be allowed, instead of an exception being thrown for a valid email id.
I am using ESAPI-2.0.jar.

What version of the product are you using? On what operating system?
ESAPI-2.0.jar 
XP

Please provide any additional information below.

Exception thrown by ESAPI:

```
WARNING: [Anonymous:696153@unknown -> 
127.0.0.1:8080/DefaultName/IntrusionDetector] Invalid input: context=HTTP 
request parameter: email, type(HTTPParameterValue)=^[a-zA-Z0-9.\-\/+=_ ]*$, 
input=tejas.makwana@gmail.com
org.owasp.esapi.errors.ValidationException: HTTP request parameter: email: 
Invalid input. Please conform to regex ^[a-zA-Z0-9.\-\/+=_ ]*$ with a maximum 
length of 65535
    at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:121)
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:172)
    at org.owasp.esapi.reference.DefaultValidator.assertIsValidHTTPRequest(DefaultValidator.java:692)
    at org.owasp.esapi.reference.DefaultValidator.isValidHTTPRequest(DefaultValidator.java:662)
    at com.org.esapi.ESAPIFilterJava.doFilter(ESAPIFilterJava.java:84)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
```

Original issue reported on code.google.com by tejas.ma...@gmail.com on 28 Sep 2010 at 9:34

GoogleCodeExporter commented 9 years ago
You need to modify the regex for HTTPParameterValue to include the @ symbol. In 
ESAPI.properties, change this line: 

```properties
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
```

To: 

```properties
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$
```

An even better approach would be to validate the "email" parameter against an 
email-specific regular expression. 

DEVELOPERS: Should we add the @ symbol to HTTPParameterValue by default? 

Original comment by augu...@gmail.com on 28 Sep 2010 at 7:45
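To make the three options in this answer concrete, here is an added example (my own code, not ESAPI's and not from the thread) that applies the original and patched HTTPParameterValue patterns, plus an illustrative per-parameter email rule, to the input reported above; the email pattern, the rule table and the function names are assumptions, not the project's defaults.

```python
import re

# The patterns as ESAPI loads them at runtime. ESAPI.properties writes them
# with doubled backslashes ("\\-\\/"); the properties loader reduces those to
# the single backslashes that appear in the log line quoted in the report.
HTTP_PARAMETER_VALUE_ORIGINAL = re.compile(r"^[a-zA-Z0-9.\-\/+=_ ]*$")
HTTP_PARAMETER_VALUE_PATCHED = re.compile(r"^[a-zA-Z0-9.\-\/+=@_ ]*$")

# Illustrative email rule (an assumption, not the Validator.Email shipped
# with ESAPI): local part, "@", domain labels, a dot and an alphabetic TLD.
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Per-parameter rules (constructed): the "email" parameter gets its own,
# tighter rule; every other parameter falls back to the generic rule.
PARAMETER_RULES = {"email": (EMAIL, 254)}
GENERIC_MAX_LENGTH = 65535  # the limit quoted in the exception message above


def is_valid_parameter(name, value, generic=HTTP_PARAMETER_VALUE_PATCHED):
    """Return True when `value` is acceptable for the parameter `name`.

    re.fullmatch is used so the whole value must match, like Java's
    String.matches(); with re.match, "$" would still accept a trailing
    newline after an otherwise valid value.
    """
    pattern, max_length = PARAMETER_RULES.get(name, (generic, GENERIC_MAX_LENGTH))
    if len(value) > max_length:
        return False
    return pattern.fullmatch(value) is not None


def explain(value):
    """Report how each of the three patterns treats one raw value."""
    return {
        "original": HTTP_PARAMETER_VALUE_ORIGINAL.fullmatch(value) is not None,
        "patched": HTTP_PARAMETER_VALUE_PATCHED.fullmatch(value) is not None,
        "email_rule": EMAIL.fullmatch(value) is not None,
    }


if __name__ == "__main__":
    for sample in ("tejas.makwana@gmail.com", "@@@ ===", "plain value", "a@b\n"):
        print(repr(sample), explain(sample))
```

Note that widening HTTPParameterValue with "@" lets any parameter carry "@" (the "@@@ ===" sample passes the patched generic rule), which is why a dedicated email rule for the email parameter is the tighter choice.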

GoogleCodeExporter commented 9 years ago
You are referring

Original comment by manico.james@gmail.com on 28 Sep 2010 at 9:00

GoogleCodeExporter commented 9 years ago
thanks a lot :)

Original comment by tejas.ma...@gmail.com on 30 Sep 2010 at 4:35

GoogleCodeExporter commented 9 years ago
August, let's make this change - it should be in there by default.

Original comment by manico.james@gmail.com on 2 Nov 2010 at 8:07

GoogleCodeExporter commented 9 years ago
Simple 1 char change (this time in both esapi.properties files) as recommended 
above - attached patch, but probably easier just to make the change yourselves.

Original comment by jtmel...@gmail.com on 3 Nov 2010 at 3:45

GoogleCodeExporter commented 9 years ago
Checked in to SVN as revision #1638

Original comment by augu...@gmail.com on 4 Nov 2010 at 12:18

GoogleCodeExporter commented 9 years ago
Added a few unit tests to ensure fix functions properly.

Original comment by jtmel...@gmail.com on 4 Nov 2010 at 2:48

GoogleCodeExporter commented 9 years ago
Hi All,
I require some help regarding the implementation of ESAPI in Java. When I am providing an input as
`instance.isValidInput("test", "hello@world.com", "Email", 100, false)`
then it throws the following error on the console:
```
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid input: 
context=test, type=Email( Email), input=hello@world.com
    ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)
false
```

On using this as input to my source code, `getValidInput("test", "hello12@world.com", "Email", 100, false)`, I get the following error:

```
Jun 22, 2011 11:34:16 AM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid input: 
context=test, type=Email( Email), input=hello12@world.com
    ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)
org.owasp.esapi.errors.ValidationException: test: Invalid input. Please conform 
to: Email with a maximum length of 100
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(Unknown Source)
    at Esapi.testIsValidEmail(Esapi.java:38)
    at Esapi.main(Esapi.java:49)
```

Can anyone please suggest on the above errors?
Appreciate your help!

Original comment by arjunpro...@gmail.com on 22 Jun 2011 at 6:45
