[Esapi-user] Interface Validator getValidInput

Ricardo Iramar dos Santos riramar at gmail.com
Thu Oct 23 18:48:12 UTC 2014


Hi All,

This is my first post so take it easy with me.
My system receives a JSON from another system in an HTTP request in
order to create a user. This JSON has this format:

{
    "id": "12345",
    "name": "username",
    "pasword": "123\u005casd"
}

I'm using this Java code in order to validate this JSON content
against a pattern:

Validator xpto = ESAPI.validator();
String validInput = xpto.getValidInput("JSON Validation",
requestBody, "JSON-Pattern", 100, true);

But I'm getting an exception in this part:

2014-10-23 15:37:37,637 ERROR -
org.owasp.esapi.reference.Log4JLogger.log(Log4JLogger.java:449)
[SECURITY FAILURE Anonymous:null at unknown ->
/ExampleApplication/IntrusionException] INTRUSION - Multiple (2x)
encoding detected

I'm using the default ESAPI.properties
(https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties).
It seems that the error occurs because I'm trying to canonicalize the
input. If I disable it with this code, it works:

String validInput = xpto.getValidInput("JSON Validation",
requestBody, "JSON-Pattern", 100, true, false);

I'm afraid that I solved this problem but created a new security issue.
I'm not sure about that.
As it is an input is it correct? All my outputs are canonicalized (encoded).

Thanks
Ricardo Iramar
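The following is an added example, not code from the original post or from the ESAPI project. It reproduces the IntrusionException on a constructed body of the same shape (the JSON escape "\u005c" decodes to a backslash, and ESAPI's JavaScriptCodec then decodes "\asd" a second time, which the strict canonicalizer reports as multiple encoding), and it shows the alternative to switching canonicalization off for the whole body: parse the JSON first, then validate each field with its own rule. It assumes ESAPI 2.x with ESAPI.properties and validation.properties on the classpath, Jackson (com.fasterxml.jackson.databind) as the JSON parser, the "AccountName" rule from the default ESAPI.properties, and an assumed size cap and password length policy for this endpoint.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class JsonInputValidation {

    // Constructed sample body with the same shape as the one in the post.
    // In JSON, "\u005c" is the escape for a single backslash, so the decoded
    // password is the seven characters 123\asd (one literal backslash).
    static final String REQUEST_BODY =
        "{\"id\": \"12345\", \"name\": \"username\", \"password\": \"123\\u005casd\"}";

    static final int MAX_BODY_CHARS = 1024;   // assumed size cap for this endpoint
    static final int MIN_PASSWORD = 6;        // assumed password policy
    static final int MAX_PASSWORD = 128;

    /** Reproduces the failure from the post: canonicalizing the raw JSON text. */
    static String canonicalizeRawBody(String body) {
        // strict=true is what getValidInput(..., canonicalize=true) applies internally.
        // The JavaScriptCodec turns "\u005c" into "\" and then "\asd" into "asd":
        // two layers of decoding, reported as "Multiple (2x) encoding detected".
        return ESAPI.encoder().canonicalize(body, true);
    }

    /** The alternative: parse the JSON first, then validate each field by its own rule. */
    static ValidatedUser validateFields(String body) throws ValidationException, IntrusionException {
        if (body == null || body.length() > MAX_BODY_CHARS) {
            throw new ValidationException("Request body too large",
                    "JSON body exceeded " + MAX_BODY_CHARS + " characters");
        }
        JsonNode root;
        try {
            root = new ObjectMapper().readTree(body);
        } catch (IOException e) {
            throw new ValidationException("Request body is not valid JSON",
                    "JSON parse failed: " + e.getMessage());
        }
        if (root == null || !root.isObject()) {
            throw new ValidationException("Request body is not a JSON object",
                    "JSON root was not an object");
        }
        Validator v = ESAPI.validator();

        // Numeric id: a range check, no pattern needed.
        int id = v.getValidInteger("user.id", text(root, "id"), 1, Integer.MAX_VALUE, false);

        // "Validator.AccountName" is a rule in the default ESAPI.properties
        // (alphanumeric, 3-20 characters). Canonicalization stays on here,
        // because the name is stored and displayed as text.
        String name = v.getValidInput("user.name", text(root, "name"), "AccountName", 20, false);

        // The password is an opaque secret. After JSON decoding its backslash is a
        // literal character, so canonicalizing it again (or matching it against a
        // character whitelist) would silently alter or reject legitimate values.
        // Only presence and length are checked.
        String password = text(root, "password");
        if (password == null || password.length() < MIN_PASSWORD || password.length() > MAX_PASSWORD) {
            throw new ValidationException("Password length out of range",
                    "password length check failed");
        }
        return new ValidatedUser(id, name, password);
    }

    /** Returns the field's text, or null when it is absent or JSON null. */
    static String text(JsonNode root, String field) {
        JsonNode n = root.get(field);
        return (n == null || n.isNull()) ? null : n.asText();
    }

    static final class ValidatedUser {
        final int id;
        final String name;
        final String password;
        ValidatedUser(int id, String name, String password) {
            this.id = id;
            this.name = name;
            this.password = password;
        }
    }

    public static void main(String[] args) {
        try {
            canonicalizeRawBody(REQUEST_BODY);
            System.out.println("raw body canonicalized without complaint");
        } catch (IntrusionException e) {
            System.out.println("raw body rejected: " + e.getLogMessage());
        }
        try {
            ValidatedUser u = validateFields(REQUEST_BODY);
            System.out.println("accepted id=" + u.id + " name=" + u.name
                    + " password length=" + u.password.length());
        } catch (ValidationException | IntrusionException e) {
            System.out.println("field validation failed: " + e.getMessage());
        }
    }
}
```

The design point is that the intrusion detector is reacting to the JSON transport encoding, not to the user's data, so the body should be decoded by a JSON parser before any ESAPI rule sees it; each field then gets a rule matching its own type, and the secret field is never canonicalized or pattern-matched at all.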

