vidyuthd / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Move validation patterns of http fields out of ESAPI.properties and to an XML file or database. (1.4) #265

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The attached zipped project is finished and tested code for moving validation 
patterns of http fields like Email, etc. out of ESAPI.properties.  This will 
improve the API since it will allow definition of http validation per web 
application instead of the system-wide effect of ESAPI.properties.

New packages:
1. org.owasp.esapi.fields
The ESAPI fields package provides interfaces to model a so-called 
"SiteDefinition". A SiteDefinition allows for validation and checks of every 
possible Http Parameter that is used by a Java Web Application.  Unlike 
ESAPI.properties, which is set via a System Property, a SiteDefinition can (and 
should) be set per web application.

The idea is to provide the system with a list of the most important http 
parameters that you need to validate within a web site.  By http parameters we 
mean for example the name of a textbox or a list control on an html form.  For 
each of these parameters the system needs to know:

- The parameter name.
- The parameter's validation pattern to match when validating its value received 
  in a Http Request.
- Optionally, a String array of the allowed URIs that this parameter can appear 
  on.
- Maximum allowed length of a received http parameter value.
- Whether to allow blanks or not.

In addition, the SiteDefinition needs the following application-wide settings:

- Website Name
- Default validation pattern: Because it is impractical to define every single 
  web site http parameter, this is the default validation pattern to be used for 
  http parameters not explicitly defined.
- Maximum allowed length: Default maximum length for http parameters not 
  explicitly defined.
- Parameter name validation pattern.
- The maximum http parameter name length.
- The maximum http cookie name length.
- The maximum http cookie value length.
- The validation pattern used to validate cookie values.
- The validation pattern used to validate cookie names.
- The maximum http header value length.
- The maximum http header name length.
- The validation pattern used to validate http header values.
- The validation pattern used to validate http header names.

The ESAPI-Site-Definition.xsd file within this package defines the structure 
mentioned above for loading site definitions from xml files.

2. org.owasp.esapi.reference.fields
Contains the implementation of Web Site Validation from definitions stored in 
an XML file.

Original issue reported on code.google.com by christof...@gmail.com on 26 Feb 2012 at 8:08
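The following is an added illustration of the SiteDefinition model described in this issue; it is not the attached project's code, and the XML element and attribute names it reads are my own assumption rather than the ESAPI-Site-Definition.xsd schema. It loads a per-site definition from XML (the sample document is constructed), applies the explicit per-parameter rule where one exists and the site-wide default pattern and length otherwise, enforces the allowed-URI list and blank handling, and validates cookie and header names and values against the application-wide settings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample definition. The element and attribute names are my own
# assumption for illustration, not the ESAPI-Site-Definition.xsd from the attachment.
SAMPLE_SITE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<site name="demo-shop">
  <default kind="parameter"     pattern="^[A-Za-z0-9 .,_-]*$"   maxLength="64"   allowBlank="true"/>
  <default kind="parameterName" pattern="^[A-Za-z0-9_]+$"       maxLength="32"   allowBlank="false"/>
  <default kind="cookieName"    pattern="^[A-Za-z0-9_-]+$"      maxLength="32"   allowBlank="false"/>
  <default kind="cookieValue"   pattern="^[A-Za-z0-9%+=/_-]*$"  maxLength="512"  allowBlank="true"/>
  <default kind="headerName"    pattern="^[A-Za-z0-9-]+$"       maxLength="64"   allowBlank="false"/>
  <default kind="headerValue"   pattern="^[\x20-\x7E]*$"        maxLength="1024" allowBlank="true"/>
  <parameter name="email" pattern="^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
             maxLength="254" allowBlank="false">
    <uri>/register</uri>
    <uri>/account/update</uri>
  </parameter>
  <parameter name="qty" pattern="^[0-9]{1,3}$" maxLength="3" allowBlank="false"/>
</site>
"""


@dataclass(frozen=True)
class FieldRule:
    pattern: re.Pattern
    max_length: int
    allow_blank: bool
    allowed_uris: Optional[frozenset] = None   # None: the field may appear on any URI


def _rule_from(elem: ET.Element) -> FieldRule:
    uris = frozenset(u.text.strip() for u in elem.findall("uri"))
    return FieldRule(
        pattern=re.compile(elem.get("pattern")),
        max_length=int(elem.get("maxLength")),
        allow_blank=elem.get("allowBlank", "false").lower() == "true",
        allowed_uris=uris or None,
    )


def _check(label: str, value: str, rule: FieldRule) -> List[str]:
    """Return the violations for one received value; an empty list means it passed."""
    if value == "":
        return [] if rule.allow_blank else [f"{label}: blank value not allowed"]
    problems = []
    # Length is enforced separately, so a '*' pattern cannot admit arbitrarily long input.
    if len(value) > rule.max_length:
        problems.append(f"{label}: length {len(value)} exceeds {rule.max_length}")
    if not rule.pattern.fullmatch(value):
        problems.append(f"{label}: value does not match {rule.pattern.pattern}")
    return problems


class SiteDefinition:
    def __init__(self, name: str, defaults: Dict[str, FieldRule], parameters: Dict[str, FieldRule]):
        self.name = name
        self.defaults = defaults        # application-wide rules keyed by kind
        self.parameters = parameters    # explicitly defined http parameters keyed by name

    @classmethod
    def from_xml(cls, text: str) -> "SiteDefinition":
        root = ET.fromstring(text)
        defaults = {d.get("kind"): _rule_from(d) for d in root.findall("default")}
        params = {p.get("name"): _rule_from(p) for p in root.findall("parameter")}
        return cls(root.get("name"), defaults, params)

    def validate_parameter(self, uri: str, name: str, value: str) -> List[str]:
        problems = _check("parameter name", name, self.defaults["parameterName"])
        rule = self.parameters.get(name)
        if rule is None:
            rule = self.defaults["parameter"]     # not explicitly defined: site-wide default applies
        elif rule.allowed_uris is not None and uri not in rule.allowed_uris:
            problems.append(f"parameter {name!r} not allowed on {uri}")
        return problems + _check(f"parameter {name!r}", value, rule)

    def validate_cookie(self, name: str, value: str) -> List[str]:
        return (_check("cookie name", name, self.defaults["cookieName"])
                + _check(f"cookie {name!r}", value, self.defaults["cookieValue"]))

    def validate_header(self, name: str, value: str) -> List[str]:
        return (_check("header name", name, self.defaults["headerName"])
                + _check(f"header {name!r}", value, self.defaults["headerValue"]))

    def validate_request(self, uri, params, cookies, headers) -> List[str]:
        problems = []
        for n, v in params.items():
            problems += self.validate_parameter(uri, n, v)
        for n, v in cookies.items():
            problems += self.validate_cookie(n, v)
        for n, v in headers.items():
            problems += self.validate_header(n, v)
        return problems


SITE = SiteDefinition.from_xml(SAMPLE_SITE_XML)

if __name__ == "__main__":
    # Constructed request: one explicitly defined parameter and one that falls back to the default rule.
    report = SITE.validate_request("/register",
                                   {"email": "alice@example.com", "q": "red shoes"},
                                   {"JSESSIONID": "abc123"},
                                   {"X-Requested-With": "XMLHttpRequest"})
    print("clean" if not report else "\n".join(report))
```

Because the definition is an object built from a document rather than a JVM-wide property file, two web applications in the same container can load different definitions, which is the point of the proposal; the default rule plus the explicit maximum length is what keeps a parameter that was never listed from being accepted unchecked.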
