似乎无法让 ESAPI 验证程序 getValidInput() 为 URL 参数工作
Can't seem to get ESAPI Validator getValidInput() Working for URL Parameters
我正在尝试使用 ESAPI 编码器来识别和规范化 URL 编码的查询参数。它有点工作,但不是 API 似乎表明的方式。这是我的 class,下面是它生成的输出:
代码
package test.test;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
public class ESAPITester {
public static void main(String argsp[]) throws ValidationException,
IntrusionException, EncodingException {
String searchString = "-/+=_ !$*?@";
String singleEncoded = ESAPI.encoder().encodeForURL(searchString);
String doubleEncoded = ESAPI.encoder().encodeForURL(singleEncoded);
Validator validator = ESAPI.validator();
System.out.println("Searched : " + searchString);
System.out.println("Single encoded : " + singleEncoded);
System.out.println("Double encoded : " + doubleEncoded);
System.out.println("Decode from URL : " + ESAPI.encoder().decodeFromURL(singleEncoded));
System.out.println("Canonicalized : " + ESAPI.encoder().canonicalize(singleEncoded));
System.out.println("Valid input : " + validator.getValidInput("http",
searchString, "HTTPParameterValue", 100, true, true));
System.out.println("Valid from Encoded : " + validator.getValidInput("http",
singleEncoded, "HTTPParameterValue", 100, true, true));
}
}
输出
Searched : -/+=_ !$*?@
Single encoded : -%2F%2B%3D_+%21%24*%3F%40
Double encoded : -%252F%252B%253D_%2B%2521%2524*%253F%2540
Decode from URL : -/ =_ !$*?@
Canonicalized : -/+=_+!$*?@
Valid input : -/+=_ !$*?@
log4j:WARN No appenders could be found for logger (IntrusionDetector).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Exception in thread "main" org.owasp.esapi.errors.ValidationException: http: Invalid input. Please conform to regex ^[\p{L}\p{N}.\-/+=_ !$*?@]{0,1000}$ with a maximum length of 100
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:214)
at test.test.ESAPITester.main(ESAPITester.java:25)
我的问题是:为什么 getValidInput() 没有规范化 URL 编码的输入参数?我很好奇为什么 canonicalize() 方法会这样做,但是将最后一个参数 ('canonicalize') 设置为 true 的 getValidInput() 却不会。
所以问题变成:
why the 2nd validator.getValidInput() call throws an exception, when
all it is expected to do is to canonicalize the input and validate
that it matches the expected value. In other words, the direct call to
canonicalize() works, but the call to getValidInput() fails.
这里出了点问题。在您从 OWASP 源代码库获得的 HTTPParameterValue 版本中,正则表达式是 ^[a-zA-Z0-9.\-\/+=@_ ]*$ 有人操纵 HTTPParameterValue 看起来更像 SafeString:^[\s\p{L}\p{N}.]{0,1024}$
这是错误的。不应更改默认的 ESAPI 值,如果您需要自定义更改,请使用已建立的模式编写一个全新的 validator.properties 条目。
但是您的测试仍然会失败,因为字符串解码为 -/+=_ !$*?@ 并且 ? 是 http 查询中的保留字符。
3.4. Query Component
The query component is a string of information to be interpreted by
the resource.
query = *uric
Within a query component, the characters ";", "/", "?", ":", "@",
"&", "=", "+", ",", and "$" are reserved.
至于根据您 运行 处的正则表达式输入失败的原因,^[\p{L}\p{N}.\-/+=_ !$*?@]{0,1000}$,read the code. 在第 266 行,您将看到受影响的方法。
这是你想看的:
public String getValid( String context, String input ) throws ValidationException
{
String data = null;
// checks on input itself
// check for empty/null
if(checkEmpty(context, input) == null)
return null;
if (validateInputAndCanonical)
{
//first validate pre-canonicalized data
// check length
checkLength(context, input);
// check whitelist patterns
checkWhitelist(context, input);
// check blacklist patterns
checkBlacklist(context, input);
// canonicalize
data = encoder.canonicalize( input );
} else {
//skip canonicalization
data = input;
}
// check for empty/null
if(checkEmpty(context, data, input) == null)
return null;
// check length
checkLength(context, data, input);
// check whitelist patterns
checkWhitelist(context, data, input);
// check blacklist patterns
checkBlacklist(context, data, input);
// validation passed
return data;
正则表达式在尝试规范化您的输入之前就已经过检查。
我正在尝试使用 ESAPI 编码器来识别和规范化 URL 编码的查询参数。它有点工作,但不是 API 似乎表明的方式。这是我的 class,下面是它生成的输出:
代码
package test.test;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
public class ESAPITester {
public static void main(String argsp[]) throws ValidationException,
IntrusionException, EncodingException {
String searchString = "-/+=_ !$*?@";
String singleEncoded = ESAPI.encoder().encodeForURL(searchString);
String doubleEncoded = ESAPI.encoder().encodeForURL(singleEncoded);
Validator validator = ESAPI.validator();
System.out.println("Searched : " + searchString);
System.out.println("Single encoded : " + singleEncoded);
System.out.println("Double encoded : " + doubleEncoded);
System.out.println("Decode from URL : " + ESAPI.encoder().decodeFromURL(singleEncoded));
System.out.println("Canonicalized : " + ESAPI.encoder().canonicalize(singleEncoded));
System.out.println("Valid input : " + validator.getValidInput("http",
searchString, "HTTPParameterValue", 100, true, true));
System.out.println("Valid from Encoded : " + validator.getValidInput("http",
singleEncoded, "HTTPParameterValue", 100, true, true));
}
}
输出
Searched : -/+=_ !$*?@
Single encoded : -%2F%2B%3D_+%21%24*%3F%40
Double encoded : -%252F%252B%253D_%2B%2521%2524*%253F%2540
Decode from URL : -/ =_ !$*?@
Canonicalized : -/+=_+!$*?@
Valid input : -/+=_ !$*?@
log4j:WARN No appenders could be found for logger (IntrusionDetector).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Exception in thread "main" org.owasp.esapi.errors.ValidationException: http: Invalid input. Please conform to regex ^[\p{L}\p{N}.\-/+=_ !$*?@]{0,1000}$ with a maximum length of 100
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:214)
at test.test.ESAPITester.main(ESAPITester.java:25)
我的问题是:为什么 getValidInput() 没有规范化 URL 编码的输入参数?我很好奇为什么 canonicalize() 方法会这样做,但是将最后一个参数 ('canonicalize') 设置为 true 的 getValidInput() 却不会。
所以问题变成:
why the 2nd validator.getValidInput() call throws an exception, when all it is expected to do is to canonicalize the input and validate that it matches the expected value. In other words, the direct call to canonicalize() works, but the call to getValidInput() fails.
这里出了点问题。在您从 OWASP 源代码库获得的 HTTPParameterValue 版本中,正则表达式是 ^[a-zA-Z0-9.\-\/+=@_ ]*$ 有人操纵 HTTPParameterValue 看起来更像 SafeString:^[\s\p{L}\p{N}.]{0,1024}$
这是错误的。不应更改默认的 ESAPI 值,如果您需要自定义更改,请使用已建立的模式编写一个全新的 validator.properties 条目。
但是您的测试仍然会失败,因为字符串解码为 -/+=_ !$*?@ 并且 ? 是 http 查询中的保留字符。
3.4. Query Component
The query component is a string of information to be interpreted by the resource.
query = *uricWithin a query component, the characters ";", "/", "?", ":", "@",
"&", "=", "+", ",", and "$" are reserved.
至于根据您 运行 处的正则表达式输入失败的原因,^[\p{L}\p{N}.\-/+=_ !$*?@]{0,1000}$,read the code. 在第 266 行,您将看到受影响的方法。
这是你想看的:
public String getValid( String context, String input ) throws ValidationException
{
String data = null;
// checks on input itself
// check for empty/null
if(checkEmpty(context, input) == null)
return null;
if (validateInputAndCanonical)
{
//first validate pre-canonicalized data
// check length
checkLength(context, input);
// check whitelist patterns
checkWhitelist(context, input);
// check blacklist patterns
checkBlacklist(context, input);
// canonicalize
data = encoder.canonicalize( input );
} else {
//skip canonicalization
data = input;
}
// check for empty/null
if(checkEmpty(context, data, input) == null)
return null;
// check length
checkLength(context, data, input);
// check whitelist patterns
checkWhitelist(context, data, input);
// check blacklist patterns
checkBlacklist(context, data, input);
// validation passed
return data;
正则表达式在尝试规范化您的输入之前就已经过检查。