peval / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Move validation patterns of http fields out of ESAPI.properties and to an XML file or database. (1.4) #265

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The attached zipped project is finished and tested code for moving validation 
patterns of http fields like Email, etc. out of ESAPI.properties.  This will 
improve the API since it will allow definition of http validation per web 
application instead of the system-wide effect of ESAPI.properties.

New packages:
1. org.owasp.esapi.fields
The ESAPI fields package provides interfaces to model a so-called 
"SiteDefinition". A SiteDefinition allows for validation and checks of every 
possible Http Parameter that is used by a Java Web Application.  Unlike the 
ESAPI.properties which is set via a System Property, a SiteDefinition can (and 
should) be set per web application.

The idea is to provide the system with a list of the most important http 
parameters that you need to validate within a web site.  By http parameters we 
mean for example the name of a textbox or a list control on an html form.  For 
each of these parameters the system needs to know:

1. The parameter name.
2. The parameter's validation pattern to match when validating its value received 
in a Http Request.
3. Optionally, a String array of the allowed URIs that this parameter can appear 
on.
4. Maximum allowed length of a received http parameter value.
5. Whether to allow blanks or not.

In addition, the SiteDefinition needs the following application-wide settings:

Website Name
Default validation pattern: Because it is impractical to define every single 
web site http parameter, this is the default validation pattern to be used for 
http parameters not explicitly defined.
Maximum allowed length: Default maximum length for http parameters not 
explicitly defined.
Parameter name validation pattern.
The maximum http parameter name length.
The maximum http cookie name length
The maximum http cookie value length
The validation pattern used to validate cookie values
The validation pattern used to validate cookie names
The maximum http header value length
The maximum http header name length
The validation pattern used to validate http header values 
The validation pattern used to validate http header names
The ESAPI-Site-Definition.xsd file within this package defines the structure 
mentioned above for loading site definitions from xml files.

2. org.owasp.esapi.reference.fields: Contains the implementation of Web Site 
Validation from definitions stored in an XML file.

Original issue reported on code.google.com by christof...@gmail.com on 26 Feb 2012 at 8:08

Attachments:
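The structure described in the issue (per-parameter pattern, allowed URIs, maximum length, blank handling, plus site-wide defaults and a parameter-name pattern), as an added example that is not the attached ESAPI 1.4 project and not ESAPI's own API. The XML layout, the `SiteDefinitionExample`, `SiteDefinition` and `ParamDef` names, and the sample definition and request are all assumptions made here; the real ESAPI-Site-Definition.xsd is not shown on this page. The parser is hardened against DOCTYPE and external entities, since a definition file that is later edited by an operations team is still untrusted XML as far as the parser is concerned.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example; the XML attribute/element names are assumptions, not the issue's XSD. */
public class SiteDefinitionExample {

    /** Constructed sample definition (not a real ESAPI file). '<' and '>' are XML-escaped. */
    static final String SITE_XML =
        "<site name='Web-Tester' defaultPattern='[A-Za-z0-9 .,_-]*' defaultMaxLength='256'"
      + "      paramNamePattern='[A-Za-z0-9_]+' maxParamNameLength='32'>"
      + "  <param name='email' pattern='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}'"
      + "         maxLength='254' allowBlank='false'>"
      + "    <uri>/register</uri><uri>/profile</uri>"
      + "  </param>"
      + "  <param name='comment' pattern='[^&lt;&gt;]*' maxLength='1000' allowBlank='true'/>"
      + "</site>";

    /** One defined http parameter: value pattern, allowed URIs (empty = any), max length, blanks. */
    static final class ParamDef {
        final Pattern valuePattern; final Set<String> allowedUris; final int maxLength; final boolean allowBlank;
        ParamDef(Pattern valuePattern, Set<String> allowedUris, int maxLength, boolean allowBlank) {
            this.valuePattern = valuePattern; this.allowedUris = allowedUris;
            this.maxLength = maxLength; this.allowBlank = allowBlank;
        }
    }

    static final class SiteDefinition {
        final String name;
        final Pattern defaultValuePattern, paramNamePattern;
        final int defaultMaxLength, maxParamNameLength;
        final Map<String, ParamDef> params = new HashMap<>();

        SiteDefinition(String name, Pattern defaultValuePattern, int defaultMaxLength,
                       Pattern paramNamePattern, int maxParamNameLength) {
            this.name = name; this.defaultValuePattern = defaultValuePattern; this.defaultMaxLength = defaultMaxLength;
            this.paramNamePattern = paramNamePattern; this.maxParamNameLength = maxParamNameLength;
        }

        static SiteDefinition fromXml(String xml) throws Exception {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // Harden the parser: no DOCTYPE means no external entities (XXE) and no entity-expansion bombs.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            Element root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
            SiteDefinition sd = new SiteDefinition(root.getAttribute("name"),
                Pattern.compile(root.getAttribute("defaultPattern")), Integer.parseInt(root.getAttribute("defaultMaxLength")),
                Pattern.compile(root.getAttribute("paramNamePattern")), Integer.parseInt(root.getAttribute("maxParamNameLength")));
            NodeList ps = root.getElementsByTagName("param");
            for (int i = 0; i < ps.getLength(); i++) {
                Element p = (Element) ps.item(i);
                Set<String> uris = new HashSet<>();
                NodeList us = p.getElementsByTagName("uri");
                for (int j = 0; j < us.getLength(); j++) uris.add(us.item(j).getTextContent().trim());
                sd.params.put(p.getAttribute("name"), new ParamDef(Pattern.compile(p.getAttribute("pattern")),
                    uris, Integer.parseInt(p.getAttribute("maxLength")), Boolean.parseBoolean(p.getAttribute("allowBlank"))));
            }
            return sd;
        }

        /** Checks every parameter of one request against this site; returns violations (empty = accepted). */
        List<String> validate(String requestUri, Map<String, String[]> requestParams) {
            List<String> errors = new ArrayList<>();
            for (Map.Entry<String, String[]> e : requestParams.entrySet()) {
                String pname = e.getKey();
                // Name first: an undefined parameter still has to look like a parameter name.
                if (pname.length() > maxParamNameLength || !paramNamePattern.matcher(pname).matches()) {
                    errors.add(pname + ": parameter name rejected"); continue;
                }
                ParamDef def = params.get(pname);   // null -> fall back to the site-wide defaults
                Pattern pattern = def != null ? def.valuePattern : defaultValuePattern;
                int maxLength = def != null ? def.maxLength : defaultMaxLength;
                boolean allowBlank = def == null || def.allowBlank;
                if (def != null && !def.allowedUris.isEmpty() && !def.allowedUris.contains(requestUri)) {
                    errors.add(pname + ": not allowed on " + requestUri); continue;
                }
                for (String value : e.getValue()) {
                    String v = value == null ? "" : value;
                    if (v.trim().isEmpty()) { if (!allowBlank) errors.add(pname + ": blank value not allowed"); continue; }
                    // Length before regex: bounds the work a hostile value can force out of the pattern.
                    if (v.length() > maxLength) { errors.add(pname + ": longer than " + maxLength); continue; }
                    // matches() anchors the whole value; find() would accept "ok<script>" against "[A-Za-z]+".
                    if (!pattern.matcher(v).matches()) errors.add(pname + ": value does not match pattern");
                }
            }
            return errors;
        }
    }

    public static void main(String[] args) throws Exception {
        SiteDefinition site = SiteDefinition.fromXml(SITE_XML);
        Map<String, String[]> req = new LinkedHashMap<>();   // constructed request, not captured traffic
        req.put("email", new String[] {"alice@example.org"}); // defined, matches, allowed on /register
        req.put("comment", new String[] {"hello <script>"});  // defined, fails [^<>]*
        req.put("page", new String[] {"2"});                  // undefined, checked against the site defaults
        req.put("x-debug", new String[] {"1"});               // name fails [A-Za-z0-9_]+
        System.out.println("/register: " + site.validate("/register", req));
        System.out.println("/search:   " + site.validate("/search", req)); // email is not allowed on /search
    }
}
```

Two choices worth calling out: the request is validated against a `SiteDefinition` instance that the web application constructs itself, so two applications in the same JVM can carry different definitions without touching the system-wide ESAPI.properties; and unknown parameter names are not passed through silently but checked against the site-wide name pattern, default value pattern and default length, which is the behaviour the issue's "default validation pattern" setting asks for.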

GoogleCodeExporter commented 9 years ago
We have used Jdeveloper and Ant for development and compilation, but the 
attached zip file contains all eclipse settings and projects included in the 
ESAPI 1.4 download.  

The zip file contains the following projects:
1. Esapi: The Esapi api 1.4
2. EsapiTest: JUnit tests
3. Web-Tester: Test web application.
4. Diagrams: Jdeveloper Diagram project, ignore.

Original comment by christof...@gmail.com on 26 Feb 2012 at 8:46

GoogleCodeExporter commented 9 years ago
I am reminded again by a blog post by Will Stranathan about the e-v-i-l-s of 
XML for configuration. So if this is something that we would expect an 
operations or system administration team to have to edit, I think XML is a bad 
idea.

For details, see:
http://will.thestranathans.com/post/20241350046/stop-it

Original comment by kevin.w.wall@gmail.com on 25 Jun 2012 at 12:55

GoogleCodeExporter commented 9 years ago
I did not read about the evils of XML conf on the post you mention. Just some 
frustration.  Who is Will Stranathan?  Is he a contributor to ESAPI?

Original comment by christof...@gmail.com on 26 Jun 2012 at 5:42

GoogleCodeExporter commented 9 years ago

Original comment by M.Gelma...@gmail.com on 13 Nov 2014 at 6:21