[Esapi-user] Can you help - Is this a question for one of the esapi lists?

August Detlefsen augustd at codemagi.com
Tue Apr 8 19:53:39 UTC 2014


This might be an issue of ReDoS - Regular Expression Denial of Service. Do
you know which specific validator was hanging and the regex that was used?
Do you have a log of the input?

Thanks,
August


On Tue, Apr 8, 2014 at 10:28 AM, Sarah Baso <sarah.baso at owasp.org> wrote:

> All -
>
> We received this question through the contact us form and I want to make
> sure it gets routed to the right place.  The submitter of the question is
> cc'ed...
>
>
> Having an issue with URL validator. Where do these get reported to?
>
> Description: Noticed that the server CPU which I'm running Jboss is pegged
> out at 100%. After dumping the threads out using jstack we are noticing the
> offending threads hung up on a call to the ESAPI.validator().inValidInput()
> method. Only posting I could find which describes my issue is found here:
> http://stackoverflow.com/questions/20123412/regular-expression-high-cpu
> Not clear however if their implementation was invoked by ESAPI or not.
> Current version used is
>
> <dependency>
>   <groupId>org.owasp.esapi</groupId>
>   <artifactId>esapi</artifactId>
>   <version>2.0.1</version>
> </dependency>
>
> Is this a known issue and if so should I be updating to the latest version?
>
> Thread 24862: (state = IN_JAVA)
> - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=16, line=5151 (Compiled frame; information may be imprecise)
> - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=5, line=5151 (Compiled frame)
> - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=5, line=5151 (Compiled frame)
> ....
> - java.util.regex.Pattern$BranchConn.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=7, line=4466 (Compiled frame)
> - java.util.regex.Pattern$Slice.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=75, line=3870 (Compiled frame)
> - java.util.regex.Pattern$Branch.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=50, line=4502 (Compiled frame)
> - java.util.regex.Pattern$GroupHead.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=28, line=4556 (Compiled frame)
> - java.util.regex.Pattern$Begin.match(java.util.regex.Matcher, int, java.lang.CharSequence) @bci=30, line=3472 (Compiled frame)
> - java.util.regex.Matcher.match(int, int) @bci=86, line=1221 (Compiled frame)
> - java.util.regex.Matcher.matches() @bci=6, line=559 (Compiled frame)
> - org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(java.lang.String, java.lang.String, java.lang.String) @bci=39, line=143 (Compiled frame)
> - org.owasp.esapi.reference.validation.StringValidationRule.getValid(java.lang.String, java.lang.String) @bci=81, line=306 (Interpreted frame)
> - org.owasp.esapi.reference.DefaultValidator.getValidInput(java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) @bci=97, line=214 (Interpreted frame)
> - org.owasp.esapi.reference.DefaultValidator.isValidInput(java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean) @bci=10, line=152 (Interpreted frame)
> - org.owasp.esapi.reference.DefaultValidator.isValidInput(java.lang.String, java.lang.String, java.lang.String, int, boolean) @bci=9, line=143 (Interpreted frame)
>
>
> Thanks,
> Sarah Baso
> --
> Executive Director
> OWASP Foundation
>
> sarah.baso at owasp.org
> +1.312.869.2779
>
>
>
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
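The trace above is the classic shape of a regular-expression denial of service: the thread is not blocked, it is busy inside java.util.regex.Pattern.match, called from StringValidationRule.checkWhitelist, i.e. from the whitelist regex of whichever validator type was passed to isValidInput. The following is an added example, not code from this thread or from ESAPI, that reproduces that kind of hang with plain java.util.regex and shows a way to bound it. Both patterns are hypothetical whitelist regexes chosen for illustration; they are not the Validator.* patterns from ESAPI.properties, which the thread does not show. The crafted input is constructed here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not ESAPI code): reproduce a catastrophic-backtracking hang
 * of the kind the jstack trace shows, and bound it with a deadline.
 */
public class RedosDemo {

    /** Thrown when a match runs past its deadline. */
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    /**
     * CharSequence wrapper that aborts a running match once a deadline passes.
     * Matcher reads its input through charAt(), so throwing from here unwinds
     * the backtracking loop instead of letting the thread spin at 100% CPU.
     */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        static DeadlineCharSequence withTimeout(CharSequence inner, long timeoutMillis) {
            return new DeadlineCharSequence(inner, System.nanoTime() + timeoutMillis * 1_000_000L);
        }

        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {   // overflow-safe comparison
                throw new RegexTimeoutException("regex match exceeded deadline");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /**
     * Hypothetical whitelist pattern with a nested quantifier. The group
     * (\w+\.?)+ is ambiguous: a run of n word characters can be split between
     * the inner \w+ and the outer + in 2^(n-1) ways, and when the tail fails
     * the engine tries every one of them before reporting "no match".
     */
    static final Pattern AMBIGUOUS = Pattern.compile("^(\\w+\\.?)+@example\\.com$");

    /**
     * Same accepted language (dot-separated word labels, optional trailing dot)
     * written so that at each position only one element can consume the next
     * character: \w and \. are disjoint, so backtracking stays bounded.
     */
    static final Pattern UNAMBIGUOUS = Pattern.compile("^\\w+(\\.\\w+)*\\.?@example\\.com$");

    /** Runs pattern.matches() against input, giving up after timeoutMillis. */
    static String matchWithDeadline(Pattern pattern, String input, long timeoutMillis) {
        Matcher m = pattern.matcher(DeadlineCharSequence.withTimeout(input, timeoutMillis));
        try {
            return m.matches() ? "match" : "no match";
        } catch (RegexTimeoutException e) {
            return "timeout";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign address, and a crafted one made of a long
        // run of word characters followed by '!' so that the overall match must
        // fail and the engine is forced to enumerate every split of the run.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 32; i++) sb.append('a');
        String crafted = sb.append('!').toString();
        String benign = "first.last@example.com";

        for (Pattern p : new Pattern[] { AMBIGUOUS, UNAMBIGUOUS }) {
            long start = System.nanoTime();
            String result = matchWithDeadline(p, crafted, 500);
            long elapsedMs = (System.nanoTime() - start) / 1_000_000L;
            System.out.printf("%-36s crafted -> %-8s (%d ms)%n", p.pattern(), result, elapsedMs);
            System.out.printf("%-36s benign  -> %s%n", p.pattern(), matchWithDeadline(p, benign, 500));
        }
    }
}
```

Run as-is, the ambiguous pattern gives up at the 500 ms deadline on the 33-character crafted input, while the unambiguous rewrite rejects it immediately and both accept the benign address. Two practical notes follow from this. First, ESAPI's isValidInput takes a String, so the deadline wrapper cannot be threaded through it; what the trace does tell you is the frame to look at, checkWhitelist, so the check to make is to find the Validator.<type> pattern in ESAPI.properties for the type name passed to isValidInput and look for nested or overlapping quantifiers of the (x+)+ or (x|xy)+ form. Second, the maxLength argument is not a defence by itself: a few dozen characters are enough to exhaust a thread on an exponential pattern, which is why August's request for the exact validator, its regex and the offending input is the right first step.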