peval / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

isValidInput failing for HTTPParameterValue {internalAction:getScreen} #343

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Call validInput = ESAPI.validator().isValidInput("test", "{internal:getS}", "HTTPParameterValue", 20971520, false);

What is the expected output? What do you see instead?

The expected output is a match, but it is failing to match. Below is the stack trace:
WARN (Log4JLogger.java:449) - [SECURITY FAILURE Anonymous:null@unknown -> 
/ExampleApplication/IntrusionDetector] Invalid input: context=test, 
type(HTTPParameterValue)=^[\p{L}\p{N}.\-/+=_ !$*?@]{0,1000}$, 
input={"internalAction":"getDisplayScreen"}
org.owasp.esapi.errors.ValidationException: test: Invalid input. Please conform 
to regex ^[\p{L}\p{N}.\-/+=_ !$*?@]{0,1000}$ with a maximum length of 20971520
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
    at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:214)
    at org.owasp.esapi.reference.DefaultValidator.isValidInput(DefaultValidator.java:152)
    at org.owasp.esapi.reference.DefaultValidator.isValidInput(DefaultValidator.java:143)
    at com.aig.appsecurity.SecurityServletFilter.doFilter(SecurityServletFilter.java:210)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:908)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:934)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:502)
    at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:181)
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:864)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1592)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:186)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:452)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:511)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:305)
    at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1646)
[3/20/15 15:43:39:455 EDT] 00000028 SystemOut     O InvalidInput - 
{"{internal:getS}"}

What version of the product are you using? On what operating system?
I am using esapi-2.1.0

Does this issue affect only a specified browser or set of browsers?

No, this happens with all browsers.

Please provide any additional information below.

Original issue reported on code.google.com by pratikkhanna090909 on 20 Mar 2015 at 7:48

GoogleCodeExporter commented 9 years ago
There is a copy-paste issue in the parameter name; the correct parameter name is internal:getS

Original comment by pratikkhanna090909 on 20 Mar 2015 at 8:07
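The whitelist quoted in the stack trace (type HTTPParameterValue) admits only letters, digits and the listed punctuation, so the braces, quotes and the colon in both the original and the corrected value are rejected by design. The following is an added illustration, not ESAPI code or code from the reporter: it applies the exact pattern from the log to the values that appear in this thread and reports which characters fall outside the whitelist.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not part of ESAPI: applies the HTTPParameterValue
// whitelist quoted in the stack trace and reports which characters it rejects.
public class WhitelistCheck {
    // Pattern copied from the log line "type(HTTPParameterValue)=..." above.
    static final String HTTP_PARAMETER_VALUE = "^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$";
    static final Pattern WHOLE = Pattern.compile(HTTP_PARAMETER_VALUE);
    // The same character class applied to a single character, to locate offenders.
    static final Pattern ONE_CHAR = Pattern.compile("^[\\p{L}\\p{N}.\\-/+=_ !$*?@]$");

    // Mirrors the whole-string whitelist test that StringValidationRule.checkWhitelist performs.
    static boolean isValid(String input) {
        return WHOLE.matcher(input).matches();
    }

    // Returns every character of input that the whitelist rejects, with its index.
    static List<String> offendingChars(String input) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < input.length(); i++) {
            String c = String.valueOf(input.charAt(i));
            if (!ONE_CHAR.matcher(c).matches()) {
                out.add("'" + c + "' at index " + i);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String[] samples = {
            "{internal:getS}",                           // value from the reproduction step
            "internal:getS",                             // corrected value from the follow-up comment
            "{\"internalAction\":\"getDisplayScreen\"}", // value seen in the log output
            "getDisplayScreen"                           // plain value that the whitelist accepts
        };
        for (String s : samples) {
            System.out.println(s + " -> valid=" + isValid(s)
                + " rejected=" + offendingChars(s));
        }
    }
}
```

The corrected value still fails because of the colon, so the validator is behaving correctly for this type; in ESAPI 2.x the pattern for a type name comes from the Validator.<type> entry in ESAPI.properties, so a parameter that legitimately carries structured data needs its own, deliberately scoped type rather than a loosened HTTPParameterValue pattern.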