[Esapi-user] Can you help - Is this a question for one of the esapi lists?

Sarah Baso sarah.baso at owasp.org
Tue Apr 8 17:28:01 UTC 2014


All -

We received this question through the contact us form and I want to make
sure it gets routed to the right place.  The submitter of the question is
cc'ed...

Having an issue with URL validator. Where do these get reported to?

Description:
Noticed that the server CPU which I'm running JBoss is pegged out at 100%.
After dumping the threads out using jstack we are noticing the offending
threads hung up on a call to the ESAPI.validator().inValidInput() method.

Only posting I could find which describes my issue is found here.
http://stackoverflow.com/questions/20123412/regular-expression-high-cpu
Not clear however if their implementation was invoked by ESAPI or not.

Current version used is

  <dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.0.1</version>
  </dependency>

Is this a known issue and if so should I be updating to the latest version?

Thread 24862: (state = IN_JAVA)
 - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=16, line=5151 (Compiled frame; information may be imprecise)
 - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=5, line=5151 (Compiled frame)
 - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=5, line=5151 (Compiled frame)
 ....
 - java.util.regex.Pattern$BranchConn.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=7, line=4466 (Compiled frame)
 - java.util.regex.Pattern$Slice.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=75, line=3870 (Compiled frame)
 - java.util.regex.Pattern$Branch.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=50, line=4502 (Compiled frame)
 - java.util.regex.Pattern$GroupHead.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=28, line=4556 (Compiled frame)
 - java.util.regex.Pattern$Begin.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=30, line=3472 (Compiled frame)
 - java.util.regex.Matcher.match(int, int) @bci=86, line=1221 (Compiled frame)
 - java.util.regex.Matcher.matches() @bci=6, line=559 (Compiled frame)
 - org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(java.lang.String, java.lang.String, java.lang.String) @bci=39, line=143 (Compiled frame)
 - org.owasp.esapi.reference.validation.StringValidationRule.getValid(java.lang.String, java.lang.String) @bci=81, line=306 (Interpreted frame)
 - org.owasp.esapi.reference.DefaultValidator.getValidInput(java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) @bci=97, line=214 (Interpreted frame)
 - org.owasp.esapi.reference.DefaultValidator.isValidInput(java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) @bci=10, line=152 (Interpreted frame)
 - org.owasp.esapi.reference.DefaultValidator.isValidInput(java.lang.String, java.lang.String, java.lang.String, int, boolean) @bci=9, line=143 (Interpreted frame)


Thanks,
Sarah Baso
-- 
Executive Director
OWASP Foundation

sarah.baso at owasp.org
+1.312.869.2779
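
If the symptom described in the message above (request threads spinning inside java.util.regex beneath a whitelist check) comes from a long-running regular-expression match, one mitigation is to bound how long a single match may run and reject the input when the budget is spent. This is an added example, not part of the original message and not ESAPI code; the class names, the 100 ms budget and the sample pattern and inputs are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BoundedRegex {
    /** Hypothetical exception type used to abort a match that runs too long. */
    static final class RegexTimeout extends RuntimeException {}

    /** CharSequence view that aborts matching once a deadline has passed. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public char charAt(int index) {
            // The matcher reads its input through charAt, so backtracking steps pass here.
            if (System.nanoTime() - deadlineNanos > 0) throw new RegexTimeout();
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** True only if input fully matches within budgetMillis; a timeout counts as invalid. */
    static boolean matchesWithin(Pattern p, String input, long budgetMillis) {
        long deadline = System.nanoTime() + budgetMillis * 1_000_000L;
        Matcher m = p.matcher(new DeadlineCharSequence(input, deadline));
        try {
            return m.matches();
        } catch (RegexTimeout timeout) {
            return false; // fail closed: input too expensive to validate is rejected
        }
    }

    public static void main(String[] args) {
        // Constructed pattern with nested quantifiers; NOT ESAPI's URL whitelist expression.
        Pattern nested = Pattern.compile("^(a+)+$");
        StringBuilder longRun = new StringBuilder();
        for (int i = 0; i < 40; i++) longRun.append('a');
        System.out.println(matchesWithin(nested, "aaaa", 100));        // short, well-formed input
        System.out.println(matchesWithin(nested, longRun + "!", 100)); // rejected if the budget runs out
    }
}
```

The wrapper limits the time one request thread can spend in a match; it does not remove the need to review the whitelist expression itself and to cap input length before matching.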