Description
From [email protected] on April 20, 2010 04:06:42
I'm a thankful user of SafeRequest (1.4; in 2.0, SecurityWrapperRequest), which offers
very good protection against various kinds of injection attacks.
I have some suggestions for improvements concerning the regular expressions
in use.
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
I would add the "-", since some frameworks (like DisplayTag) create
ParameterNames of the kind "d-32143423-s".
Validator.HTTPParameterValue=^[a-zA-Z0-9.-/+=_ ]$
European languages like French or German frequently use special
characters like [äüöéèàç]. These are not covered here.
Furthermore, the regular expression is inconsistent with the output of
ESAPI.authenticator().generateStrongPassword(). A password generated by
this method would not pass the above RegEx. The following special chars
have to be added: '!', '$', '', '?', '@'
Validator.HTTPQueryString=^[a-zA-Z0-9()-=*.?;,+/:&_ ](1,50)$
The (1,50) at the end should be {1,50}. Furthermore, 50 characters seems a
bit short, since most modern browsers support query strings of more than 2000
characters.
Validator.HTTPContextPath=^[a-zA-Z0-9.-]*$
Tomcat (it may depend on the configuration) returns "/application". So it
is necessary to add "/" at the beginning of the regular expression:
Validator.HTTPContextPath=^/[a-zA-Z0-9.-]*$. The same is true for
Validator.HTTPServletPath.
Validator.HTTPURL=^.$
Why not use
Validator.URL=^(ht|f)tp(s?)://0-9a-zA-Z(:(0-9))(/?)([a-zA-Z0-9-.?,:'/\+=&%$#_]*)?$
instead?
I have seen that there are only a few tests in SafeRequestTest.java. If you are
looking for someone to add some further test cases, feel free to contact me.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=116
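The regex changes proposed in the issue, checked side by side against the original patterns. This is an added example, not code from the issue or from ESAPI; it uses Python's re module as a stand-in for java.util.regex, with re.fullmatch playing the role of the whole-input match that Java's Pattern.matcher().matches() performs (these ASCII and Latin-1 character classes behave identically in both engines). Assumptions: the "*" quantifier on HTTPParameterValue (the form quoted in the post would only match a single character), the illustrative 2048-character query-string bound (the post asks for "more than 2000" without naming a figure), and the sample password, query string and parameter values, which are constructed here rather than taken from ESAPI.

```python
import re
from typing import Dict, Tuple

# Regexes as quoted in the issue (the reporter's rendering of the ESAPI.properties
# defaults).  Assumption: HTTPParameterValue carries a "*" after the class; as
# quoted in the post it would only ever match one character.
ORIGINAL: Dict[str, str] = {
    "HTTPParameterName": r"^[a-zA-Z0-9_]{1,32}$",
    "HTTPParameterValue": r"^[a-zA-Z0-9.\-/+=_ ]*$",
    # "(1,50)" is kept as quoted: it is a group matching the literal text "1,50",
    # not a repetition count.
    "HTTPQueryString": r"^[a-zA-Z0-9()\-=*.?;,+/:&_ ](1,50)$",
    "HTTPContextPath": r"^[a-zA-Z0-9.\-]*$",
}

# The same keys with the issue's proposals applied: "-" in parameter names, the
# Latin-1 letters and the password specials the post names in parameter values,
# "{1,N}" instead of "(1,50)" on the query string (N = 2048 is an assumed,
# illustrative bound), and a leading "/" on the context path.
PROPOSED: Dict[str, str] = {
    "HTTPParameterName": r"^[a-zA-Z0-9_\-]{1,32}$",
    "HTTPParameterValue": r"^[a-zA-Z0-9.\-/+=_ !$?@äüöéèàç]*$",
    "HTTPQueryString": r"^[a-zA-Z0-9()\-=*.?;,+/:&_ ]{1,2048}$",
    "HTTPContextPath": r"^/[a-zA-Z0-9.\-]*$",
}

# Caveat for anyone editing these classes by hand: an unescaped "-" between two
# characters inside [...] is a range, not a literal.  Written as ")-=" it spans
# 0x29..0x3D and therefore silently admits "<" (0x3C).
UNESCAPED_QUERY_CLASS = r"^[a-zA-Z0-9()-=*.?;,+/:&_ ]{1,50}$"


def matches(pattern: str, value: str) -> bool:
    """Whole-input match, the equivalent of Java's Pattern.matcher(value).matches()."""
    return re.fullmatch(pattern, value) is not None


def check(key: str, value: str) -> Tuple[bool, bool]:
    """Return (accepted by the original regex, accepted by the proposed regex)."""
    return matches(ORIGINAL[key], value), matches(PROPOSED[key], value)


def dash_as_range_admits(value: str) -> bool:
    """True if the query-string class with an unescaped ')-=' accepts the value."""
    return matches(UNESCAPED_QUERY_CLASS, value)


# Constructed inputs illustrating each point raised in the issue.
SAMPLES = [
    ("HTTPParameterName", "d-32143423-s"),      # DisplayTag-style parameter name
    ("HTTPParameterValue", "äüöéèàç"),          # German/French letters
    ("HTTPParameterValue", "Abc!$?@x9"),        # constructed; uses the specials the post lists
    ("HTTPQueryString", "page=2&sort=name"),    # an ordinary query string
    ("HTTPContextPath", "/application"),        # what Tomcat returns, per the post
]

if __name__ == "__main__":
    for key, value in SAMPLES:
        before, after = check(key, value)
        print(f"{key:20} {value!r:22} original={before!s:5} proposed={after!s:5}")
    # The "(1,50)" typo does not limit length; it demands the literal text "1,50".
    print("typo pattern accepts 'a1,50':", matches(ORIGINAL["HTTPQueryString"], "a1,50"))
    print("unescaped ')-=' admits '<':", dash_as_range_admits("<"))
```

Each sample that the post says should be accepted is rejected by the original pattern and accepted by the proposed one; the two extra checks show why a validator regex deserves a test case per character class: "(1,50)" silently turns the length limit into a requirement for the literal string "1,50", and an unescaped hyphen inside a class widens it to a range that nobody intended.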