[OWASP-ESAPI] Validation

silky michaelslists at gmail.com
Sun Apr 13 19:43:47 EDT 2008


On Mon, Apr 14, 2008 at 9:41 AM, Jim Manico <jim at manico.net> wrote:
>
>  "is" just returns a boolean if the input data is valid
>  "get" actually returns the input data from the function and only throws an
> exception if the data is invalid

yeah, i figured that much out :)


>  "context" is a reference to the input field in question (like "first_name")

oh; that's not what i expected .... 'valid' shouldn't be based on the
input field, it should be based on the location that the thing is
going to be written into, surely? [i.e. "value" property of control,
"style" property of control, "background: " property of a "style"
property of a control, etc., etc.]


>  We are still debating changes to the file validation API's. I did not plan
> on making major changes to those.
>
>  - Jim
>
>
>
>  i'm new to this whole api but with 'is/getValidFileContent' these
> don't seem to accept the 'type' of file. what is the 'context' anyway
> (and why is it a string, and not an enum)?
>
>
>
> On Mon, Apr 14, 2008 at 9:29 AM, Jim Manico <jim at manico.net> wrote:
>
>
>  I've attached my proposal for the next generation of IValidator. Feedback
> greatly appreciated ASAP - I'd like to finish the reference implementation
> early in the week.
>
>  - Jim
>
>
>
>
>
>
> I'm glad to revisit this. I definitely agree that there's a need for
> exception throwing validation methods.
>
>
>
> There are good use cases for the boolean methods too. I suggest supporting
> BOTH. This is already started with the isValidSafeHTML() and
> getValidSafeHTML(). I propose extending this to ALL the data types
> supported in Validator.
>
>
>
> · String getValidXXX( String context, String input, boolean allowNull
> ) throws ValidationException - returns the canonical form of the input if it
> passes validation. Otherwise it throws a specific validation exception that
> details the exact reason for the failure. May throw an IntrusionException
> if the input is clearly an attack (like double encoded characters)
>
>
>
> · boolean isValidXXX( String context, String input, boolean allowNull
> ) – returns boolean if validation passes. Could throw an IntrusionException
> if the input is clearly an attack (like double encoded characters). Will
> typically delegate to the getValidXXX method and return false if a
> ValidationException is thrown.
>
>
>
> A few design choices:
>
>
>
>
> 1) Specific error messages. To keep things simple, I propose using
> ValidationException for all types of errors. Each ValidationException will
> contain a user message that provides a user-safe description of the problem
> AND a log message, which has all the details about specifically what is
> wrong.
>
>
>
> 2) Required parameters – See the "allowNull" parameter above. Another
> option is to pass in the list of required and optional parameter names when
> creating the Validator. But this seems too HTTP request centric.
>
>
>
> 3) Length – It seems painful to have to define a separate regular
> expression when the only thing that differs is the length. Does adding a
> length parameter overcomplicate things?
>
>
>
> 4) More types – Have seen requests for more numeric types (with
> ranges). What other types should we support out of the box? Note that we
> only need special methods for types that can't be specified easily with a
> regex. If a regex will suffice, then you can just use
> getValidDataFromBrowser() with a type from the ESAPI.properties.
>
>
>
> 5) Building a list of all the error messages. I think this is best
> left to a framework. But I could be convinced otherwise.
>
>
>
> Please let me know your thoughts on these issues. Thanks!
>
>
>
> --Jeff
>
>
>
>
>
> From: owasp-esapi-bounces at lists.owasp.org
> [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
>  Sent: Saturday, April 12, 2008 4:09 AM
>  To: 'owasp-esapi'
>  Subject: [OWASP-ESAPI] Validation
>
>
>
> Hello,
>
>  I still think we need to make some major changes to the current ESAPI
> Validation strategy.
>
>  Summary:
>
>  1) Have most IValidator functions return the validated data, and throw a
> org.owasp.esapi.errors.ValidationException on error.
>  2) I'm using ESAPI for a project that I'm currently working on - and I have
> a need to validate integers for some fields, and doubles for others.
>  3) Number range checking is still missing.
>
>  Examples:
>
>  1a) boolean isValidCreditCard(String context, String value); goes away.
>  1b) String isValidCreditCard(String context, String value) throws
> ValidationException gets added
>
>  2a) boolean isValidNumber(String input); goes away
>  2b) Double isValidDouble(String input, double min, double max) gets added
>  2c) Integer isValidInteger(String input, int min, int max) gets added
>
>  Another reason why ALL boolean return values should go away for the
> Validation strategy is that we need a deeper message as to why validation is
> failing.
>
>  If you give me the OK, Jeff, I'll make this change to the interface and
> reference implementation myself.
>
>  --
>  Jim Manico, Senior Application Security Engineer
>  jim.manico at aspectsecurity.com | jim at manico.net
>  (301) 604-4882 (work)
>  (808) 652-3805 (cell)
>
>  Aspect Security™
>  Securing your applications at the source
>  http://www.aspectsecurity.com
>
> /**
>  * OWASP Enterprise Security API (ESAPI)
>  *
>  * This file is part of the Open Web Application Security Project (OWASP)
>  * Enterprise Security API (ESAPI) project. For details, please see
>  * http://www.owasp.org/esapi.
>  *
>  * Copyright (c) 2007 - The OWASP Foundation
>  *
>  * The ESAPI is published by OWASP under the LGPL. You should read and accept the
>  * LICENSE before you use, modify, and/or redistribute this software.
>  *
>  * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
>  * @created 2007
>  */
> package org.owasp.esapi.interfaces;
>
> import java.io.InputStream;
> import java.text.DateFormat;
> import java.util.Date;
> import java.util.List;
> import java.util.Set;
>
> import javax.servlet.http.HttpServletRequest;
>
> import org.owasp.esapi.errors.ValidationException;
> import org.owasp.esapi.errors.IntrusionException;
>
> /**
>  * The IValidator interface defines a set of methods for canonicalizing and
>  * validating untrusted input. Implementors should feel free to extend this
>  * interface to accommodate their own data formats. Rather than throw exceptions,
>  * this interface returns boolean results because not all validation problems
>  * are security issues. Boolean returns allow developers to handle both valid
>  * and invalid results more cleanly than exceptions.
>  * <P>
>  * <img src="doc-files/Validator.jpg" height="600">
>  * <P>
>  * Implementations must adopt a "whitelist" approach to validation where a
>  * specific pattern or character set is matched. "Blacklist" approaches that
>  * attempt to identify the invalid or disallowed characters are much more likely
>  * to allow a bypass with encoding or other tricks.
>  *
>  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
>  * href="http://www.aspectsecurity.com">Aspect Security</a>
>  * @since June 1, 2007
>  */
> public interface IValidator {
>
>     /**
>      * Checks if input from the browser is valid according to the specified type.
>      * The types are configured as regular expressions in ESAPI.config.
>      *
>      * @param context
>      * @param type
>      * @param value
>      * @param maxLength
>      * @param allowNull
>      * @return
>      * @throws IntrusionException
>      * @throws ValidationException
>      */
>     public boolean isValidDataFromBrowser(String context, String type, String value, int maxLength, boolean allowNull) throws IntrusionException;
>     public String getValidDataFromBrowser(String context, String type, String value, int maxLength, boolean allowNull) throws ValidationException;
>
>     /**
>      * Gets a valid date from the input.
>      *
>      * Maximum length is mandated by the proper DateFormat.
>      */
>     public boolean isValidDate(String context, String value, DateFormat format, boolean allowNull) throws IntrusionException;
>     public Date getValidDate(String context, String value, DateFormat format, boolean allowNull) throws ValidationException;
>
>     /**
>      * Checks if input is valid safe HTML. Implementors should reference the OWASP
>      * AntiSamy project for ideas on how to do HTML validation in a whitelist way.
>      */
>     public boolean isValidSafeHTML(String context, String value, int maxLength, boolean allowNull) throws IntrusionException;
>     public String getValidSafeHTML(String context, String value, int maxLength, boolean allowNull) throws ValidationException;
>
>     /**
>      * Checks if input is a valid credit card.
>      *
>      * Maximum length is mandated by the valid credit card type.
>      */
>     public boolean isValidCreditCard(String context, String value, boolean allowNull) throws IntrusionException;
>     public String getValidCreditCard(String context, String value, boolean allowNull) throws ValidationException;
>
>     /**
>      * Checks if input is a valid directory path.
>      */
>     public boolean isValidDirectoryPath(String context, String value, int maxLength, boolean allowNull) throws IntrusionException;
>     public String getValidDirectoryPath(String context, String value, int maxLength, boolean allowNull) throws ValidationException;
>
>     /**
>      * Checks if input is a valid file name.
>      *
>      * @param input
>      *            the input
>      *
>      * @return true, if is valid file name
>      */
>     public boolean isValidFileName(String context, String input, int maxLength, boolean allowNull) throws IntrusionException;
>     public String getValidFileName(String context, String input, int maxLength, boolean allowNull) throws ValidationException;
>
>     /**
>      * Replacements for isValidNumber.
>      *
>      * @param context
>      * @param value
>      * @param minValue
>      * @param maxValue
>      * @param allowNull
>      * @return
>      * @throws IntrusionException
>      */
>     public boolean isValueInteger(String context, String value, int minValue, int maxValue, boolean allowNull) throws IntrusionException;
>     public Integer getValueInteger(String context, String value, int minValue, int maxValue, boolean allowNull) throws ValidationException;
>     public boolean isValueDouble(String context, String value, double minValue, double maxValue, boolean allowNull) throws IntrusionException;
>     public Double getValueDouble(String context, String value, double minValue, double maxValue, boolean allowNull) throws ValidationException;
>
>     /**
>      * Checks if input is a valid file upload.
>      *
>      * @param content
>      *            the content
>      *
>      * @return true, if is valid file upload
>      */
>     public boolean isValidFileContent(String context, byte[] content, int maxBytes, boolean allowNull) throws IntrusionException;
>     public byte[] getValidFileContent(String context, byte[] content, int maxBytes, boolean allowNull) throws ValidationException;
>
>     /**
>      * Checks whether a file upload has a valid name, path, and content.
>      *
>      * @param filepath
>      *            the filepath
>      * @param filename
>      *            the filename
>      * @param content
>      *            the content
>      *
>      * @return true if the file is safe
>      */
>     public boolean isValidFileUpload(String context, String filepath, String filename, byte[] content, int maxBytes, boolean allowNull) throws IntrusionException;
>     public byte[] getValidFileUpload(String context, String filepath, String filename, byte[] content, int maxBytes, boolean allowNull) throws ValidationException;
>
>     /**
>      * Validates an HTTP request by comparing parameters, headers, and cookies to
>      * a predefined whitelist of allowed characters. See the SecurityConfiguration
>      * class for the methods to retrieve the whitelists.
>      *
>      * @param request
>      * @return
>      */
>     public boolean isValidHTTPRequest(HttpServletRequest request) throws IntrusionException;
>
>     /**
>      * Checks if input is a valid list item.
>      */
>     public boolean isValidListItem(List list, String value) throws IntrusionException;
>
>     /**
>      * Checks if the supplied set of parameters matches the required parameter
>      * set, with no extra and no missing parameters.
>      */
>     public boolean isValidParameterSet(Set required, Set optional) throws IntrusionException;
>
>     /**
>      * Checks if input is valid printable ASCII characters.
>      */
>     public boolean isValidPrintable(byte[] input) throws IntrusionException;
>
>     /**
>      * Checks if input is valid printable ASCII characters.
>      */
>     public boolean isValidPrintable(String input) throws IntrusionException;
>
>     /**
>      * Checks if input is a valid redirect location.
>      */
>     public boolean isValidRedirectLocation(String context, String location) throws IntrusionException;
>
>     /**
>      * Reads from an input stream until end-of-line or a maximum number of
>      * characters. This method protects against the inherent denial of service
>      * attack in reading until the end of a line. If an attacker doesn't ever
>      * send a newline character, then a normal input stream reader will read
>      * until all memory is exhausted and the platform throws an OutOfMemoryError
>      * and probably terminates.
>      *
>      * @param inputStream
>      *            the InputStream
>      * @param maxsChar
>      *            the maximum number of characters to read
>      *
>      * @return the line
>      *
>      * @throws ValidationException
>      *             the validation exception
>      */
>     // FIXME: ENHANCE timeout too!
>     String safeReadLine(InputStream inputStream, int maxsChar) throws ValidationException;
>
>     /**
>      * @deprecated
>      */
>     @Deprecated
>     public boolean isValidNumber(String input);
> }
>
> _______________________________________________
>  OWASP-ESAPI mailing list
>  OWASP-ESAPI at lists.owasp.org
>  https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
>
>
>
>
>
>
>
>  --
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source
> http://www.aspectsecurity.com
>



-- 
http://lets.coozi.com.au/

There's not a problem I can't fix, because I can do it in the mix.
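The is/get pairing that Jeff and Jim sketch in the quoted messages, worked through as an added example (this is not ESAPI code and not from anyone on the thread): a ValidationException that carries a user-safe message plus a detailed log message, an unchecked IntrusionException for clear attacks such as double-encoded input, the boolean variant delegating to the throwing one, and a range-checked getValidInteger. The TYPES table, the fail() helper and the one-pass URL-decoding canonicalize() are assumptions for illustration; real ESAPI canonicalization handles many more encodings than a single URLDecoder pass.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Pattern;

/** User-safe text via getMessage(), the full detail via getLogMessage(). */
class ValidationException extends Exception {
    private final String logMessage;
    ValidationException(String userMessage, String logMessage) {
        super(userMessage);
        this.logMessage = logMessage;
    }
    String getLogMessage() { return logMessage; }
}

/** Unchecked: the input is clearly an attack, not a user mistake. */
class IntrusionException extends RuntimeException {
    IntrusionException(String message) { super(message); }
}

public class ValidatorSketch {
    // Assumed stand-in for the regex "types" ESAPI loads from ESAPI.properties.
    private static final Map<String, Pattern> TYPES = Map.of(
            "SafeString", Pattern.compile("^[A-Za-z0-9 .,_-]*$"),
            "Integer", Pattern.compile("^[-+]?[0-9]+$"));

    /** Builds the two-part exception; context names the field (e.g. "first_name"). */
    static ValidationException fail(String context, String user, String log) {
        return new ValidationException(context + ": " + user, context + ": " + log);
    }

    /** Simplified canonicalization: URL-decode once; if a percent escape survives
     *  and decodes to something different, the value was double-encoded. */
    static String canonicalize(String context, String input) throws ValidationException {
        String once;
        try { once = URLDecoder.decode(input, StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { throw fail(context, "malformed value", "bad percent escape in '" + input + "'"); }
        if (once.contains("%")) {
            String twice;
            try { twice = URLDecoder.decode(once, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException e) { return once; } // a stray '%', not double encoding
            if (!twice.equals(once)) throw new IntrusionException(context + ": double-encoded input '" + input + "'");
        }
        return once;
    }

    /** getValidXXX shape: returns the canonical value or throws with the reason. */
    static String getValidDataFromBrowser(String context, String type, String input,
            int maxLength, boolean allowNull) throws ValidationException {
        if (input == null || input.isEmpty()) {
            if (allowNull) return null;
            throw fail(context, "a value is required", "null or empty input with allowNull=false");
        }
        if (input.length() > maxLength) {
            throw fail(context, "value is too long", "length " + input.length() + " exceeds " + maxLength);
        }
        String canonical = canonicalize(context, input);
        Pattern pattern = TYPES.get(type);
        if (pattern == null) throw new IllegalArgumentException("unknown type: " + type);
        if (!pattern.matcher(canonical).matches()) {
            throw fail(context, "contains disallowed characters", "'" + canonical + "' does not match type " + type);
        }
        return canonical;
    }

    /** isValidXXX shape: delegates to getValidXXX and maps ValidationException to
     *  false; an IntrusionException still propagates to the caller. */
    static boolean isValidDataFromBrowser(String context, String type, String input,
            int maxLength, boolean allowNull) {
        try { getValidDataFromBrowser(context, type, input, maxLength, allowNull); return true; }
        catch (ValidationException e) { return false; }
    }

    /** Range-checked integer, the addition asked for in the thread. */
    static Integer getValidInteger(String context, String input, int min, int max,
            boolean allowNull) throws ValidationException {
        String digits = getValidDataFromBrowser(context, "Integer", input, 11, allowNull);
        if (digits == null) return null;
        int n;
        try { n = Integer.parseInt(digits); }
        catch (NumberFormatException e) { throw fail(context, "not a valid whole number", "'" + digits + "' overflows int"); }
        if (n < min || n > max) throw fail(context, "number out of range", n + " not in [" + min + ", " + max + "]");
        return n;
    }

    public static void main(String[] args) throws ValidationException {
        // Constructed inputs shaped like values a browser form would submit.
        System.out.println(isValidDataFromBrowser("first_name", "SafeString", "Jim Manico", 50, false));
        System.out.println(isValidDataFromBrowser("first_name", "SafeString", "<script>", 50, false));
        try {
            getValidInteger("quantity", "250", 1, 100, false);
        } catch (ValidationException e) {
            System.out.println("user: " + e.getMessage() + " | log: " + e.getLogMessage());
        }
        try { // double-encoded "<script>": reported as an intrusion, not a typo
            getValidDataFromBrowser("comment", "SafeString", "%253Cscript%253E", 50, false);
        } catch (IntrusionException e) {
            System.out.println("intrusion: " + e.getMessage());
        }
    }
}
```

The split between the two exception types is the point of the design: a ValidationException is a normal outcome the caller is expected to handle (show the user message, log the log message), whereas an IntrusionException is unchecked so that even the boolean isValidXXX path cannot quietly swallow a clear attack.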

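The denial of service described in the safeReadLine javadoc of the quoted interface, with a bounded reader as an added example (not ESAPI's implementation). It throws a plain IOException rather than ESAPI's ValidationException so that it stands alone, treats input bytes as ISO-8859-1 characters, and never returns a truncated line as if it were complete; the request-line input and the megabyte of 'A' without a newline are constructed test data.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SafeReadLine {
    /** Reads one line, at most maxChars characters, throwing as soon as the
     *  limit is hit instead of buffering an endless "line" until memory runs out. */
    static String safeReadLine(InputStream in, int maxChars) throws IOException {
        StringBuilder line = new StringBuilder();
        int b;
        while ((b = in.read()) != -1) {
            if (b == '\n') {
                return line.toString();
            }
            if (b == '\r') {
                continue; // tolerate CRLF line endings
            }
            if (line.length() >= maxChars) {
                throw new IOException("line exceeds " + maxChars + " characters");
            }
            line.append((char) b); // read() yields 0..255, so this is ISO-8859-1
        }
        return line.toString(); // end of stream counts as end of line
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a well-formed request line followed by one header.
        InputStream ok = new ByteArrayInputStream(
                "GET / HTTP/1.1\r\nHost: example.test\r\n".getBytes(StandardCharsets.US_ASCII));
        System.out.println(safeReadLine(ok, 80));
        System.out.println(safeReadLine(ok, 80));

        // Constructed attack: a megabyte of 'A' with no newline at all.
        byte[] flood = new byte[1 << 20];
        Arrays.fill(flood, (byte) 'A');
        try {
            safeReadLine(new ByteArrayInputStream(flood), 80);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The interface's own FIXME about a timeout still applies: this bounds how much is read per line, not how long a slow client may take to send it.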
