[Esapi-user] Can you help - Is this a question for one of the esapi lists?

Jim Manico jim.manico at owasp.org
Tue Apr 8 20:06:00 UTC 2014


I suggest avoiding use of the ESAPI URL validator. A better path...

1) Use the URI class to validate if the URL is legal.
2) Get the canonical path from the URI class
3) Ensure the URL only starts with http or https
4) Then output encode the URL in the right context when displaying it to 
other users.

I'll provide sample code as soon as I can.

Aloha
Jim


On 4/8/14, 12:53 PM, August Detlefsen wrote:
> This might be an issue of ReDoS - Regular Expression Denial of 
> Service. Do you know which specific validator was hanging and the 
> regex that was used? Do you have a log of the input?
>
> Thanks,
> August
>
>
> On Tue, Apr 8, 2014 at 10:28 AM, Sarah Baso <sarah.baso at owasp.org> wrote:
>
>     All -
>
>     We received this question through the contact us form and I want
>     to make sure it gets routed to the right place.  The submitter of
>     the question is cc'ed...
>     Having an issue with URL validator. Where do these get reported to ?
>
>     Description:
>
>     Noticed that the server CPU which I'm running Jboss is pegged out
>     at 100%.
>     After dumping the threads out using jstack we are noticing the
>     offending
>     threads hung up on a call to the ESAPI.validator().inValidInput()
>     method.
>
>     Only posting I could find which describes my issue is found here.
>     http://stackoverflow.com/questions/20123412/regular-expression-high-cpu
>     Not clear however if their implementation was invoked by ESAPI or
>     not.
>
>     Current version used is
>     <dependency>
>     <groupId>org.owasp.esapi</groupId>
>     <artifactId>esapi</artifactId>
>     <version>2.0.1</version>
>     </dependency>
>
>     Is this a known issue and if so should I be updating to the latest
>     version?
>
>
>     Thread 24862: (state = IN_JAVA)
>     - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=16, line=5151
>     (Compiled frame; information may be imprecise)
>     - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=5, line=5151
>     (Compiled frame)
>     - java.util.regex.Pattern$5.isSatisfiedBy(int) @bci=5, line=5151
>     (Compiled frame)
>
>     ....
>
>
>     -
>     java.util.regex.Pattern$BranchConn.match(java.util.regex.Matcher,
>     int, java.lang.CharSequence) @bci=7, line=4466 (Compiled frame)
>     - java.util.regex.Pattern$Slice.match(java.util.regex.Matcher,
>     int, java.lang.CharSequence) @bci=75, line=3870 (Compiled frame)
>     - java.util.regex.Pattern$Branch.match(java.util.regex.Matcher,
>     int, java.lang.CharSequence) @bci=50, line=4502 (Compiled frame)
>     - java.util.regex.Pattern$GroupHead.match(java.util.regex.Matcher,
>     int, java.lang.CharSequence) @bci=28, line=4556 (Compiled frame)
>     - java.util.regex.Pattern$Begin.match(java.util.regex.Matcher,
>     int, java.lang.CharSequence) @bci=30, line=3472 (Compiled frame)
>     - java.util.regex.Matcher.match(int, int) @bci=86, line=1221
>     (Compiled frame)
>     - java.util.regex.Matcher.matches() @bci=6, line=559 (Compiled frame)
>     -
>     org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(java.lang.String,
>     java.lang.String, java.lang.String) @bci=39, line=143 (Compiled frame)
>     -
>     org.owasp.esapi.reference.validation.StringValidationRule.getValid(java.lang.String,
>     java.lang.String) @bci=81, line=306 (Interpreted frame)
>     -
>     org.owasp.esapi.reference.DefaultValidator.getValidInput(java.lang.String,
>     java.lang.String, java.lang.String, int, boolean, boolean)
>     @bci=97, line=214 (Interpreted frame)
>     -
>     org.owasp.esapi.reference.DefaultValidator.isValidInput(java.lang.String,
>     java.lang.String, java.lang.String, int, boolean, boolean)
>     @bci=10, line=152 (Interpreted frame)
>     -
>     org.owasp.esapi.reference.DefaultValidator.isValidInput(java.lang.String,
>     java.lang.String, java.lang.String, int, boolean) @bci=9, line=143
>     (Interpreted frame)
>
>
>     Thanks,
>     Sarah Baso
>     -- 
>     Executive Director
>     OWASP Foundation
>
>     sarah.baso at owasp.org
>     +1.312.869.2779
>
>
>
>
>
>     _______________________________________________
>     Esapi-user mailing list
>     Esapi-user at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
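The four steps Jim lists above, worked through as an added example. This is not code from Jim, from the original poster, or from the ESAPI project; it uses only java.net.URI from the JDK and a small hand-written attribute encoder standing in for a real output encoder such as ESAPI's Encoder.encodeForHTMLAttribute. The 2048-character length cap and the sample inputs are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;

public final class SafeUrlValidator {

    // Assumed upper bound on accepted input length; tune to the application.
    private static final int MAX_URL_LENGTH = 2048;

    /**
     * Steps 1-3: parse with java.net.URI, canonicalise, and require an
     * absolute http/https URL with a host. Returns the canonical ASCII
     * form, or empty if the input is rejected. No regular expression is
     * involved, so there is no backtracking to blow up on hostile input.
     */
    public static Optional<String> validateHttpUrl(String input) {
        if (input == null || input.length() > MAX_URL_LENGTH) {
            return Optional.empty();
        }
        URI uri;
        try {
            uri = new URI(input.trim());               // step 1: RFC 2396 syntax check
        } catch (URISyntaxException e) {
            return Optional.empty();                   // e.g. embedded space, bad %-escape
        }
        // Reject relative URLs ("//host/x", "/x"), opaque ones ("javascript:..."),
        // and authorities that are not a server-based host (e.g. "http://a_b/").
        if (!uri.isAbsolute() || uri.isOpaque() || uri.getHost() == null) {
            return Optional.empty();
        }
        URI canonical = uri.normalize();               // step 2: collapse "." and ".." segments
        String scheme = canonical.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {   // step 3
            return Optional.empty();
        }
        return Optional.of(canonical.toASCIIString());
    }

    /**
     * Step 4: encode for an HTML attribute context such as href="...".
     * Minimal stand-in for a library encoder; it escapes the five characters
     * that can break out of a double- or single-quoted attribute value.
     */
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the accept and reject paths.
        String[] samples = {
            "https://example.com/a/../b?x=1&y=2",    // accepted, path canonicalised to /b
            "HTTP://Example.com/path",               // accepted, scheme compared case-insensitively
            "http://[::1]:8080/",                    // accepted, IPv6 literal host
            "javascript:alert(1)",                   // rejected: opaque URI, wrong scheme
            "//example.com/x",                       // rejected: scheme-relative, not absolute
            "http:///no-host",                       // rejected: no host component
            "http://example.com/a b",                // rejected: URISyntaxException on the space
        };
        for (String s : samples) {
            String result = validateHttpUrl(s)
                    .map(SafeUrlValidator::encodeForHtmlAttribute)
                    .orElse("REJECTED");
            System.out.println(s + " -> " + result);
        }
    }
}
```

Two caveats a practitioner should keep in mind. URI.normalize() resolves dot segments but does not lowercase the scheme or host, so compare the scheme case-insensitively as above rather than against the raw string. And the encoder in step 4 is context-specific: a URL placed into a JavaScript string or a CSS url() needs the encoder for that context instead, which is exactly why Jim says "in the right context".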
