[Owasp-leaders] Question on Regex

Jim Manico jim.manico at owasp.org
Wed Oct 14 12:17:31 EDT 2009


James,

Please move this conversation to the ESAPI list.

But since I've already sent you all an email, let me answer.

1) We load those RegEx's and cache them at config load time (and do  
not hit disc each time we validate).
2) I prefer to map each parameter to a unique RegEx for maximum  
flexibilty.
3) The goal is to allow a secuity pro to modify your RegExs without  
having to modify actual code.
4) Hard-coding RegEx's in your code is a significant design anti- 
pattern, IMO.

I ask you to please rip the leaders list out of this conversation and  
take it to the ESAPI list.

Jim Manico

On Oct 14, 2009, at 11:45 AM, "McGovern, James F. (eBusiness)" <James.McGovern at thehartford.com 
 > wrote:

> Having a debate with some developers and I wanted to understand if  
> there was any security perspectives that have merit when it comes to  
> using Regex. So, I noted that ESAPI for example, has a single  
> properties file where regex compilation happens in each validation  
> action and not via uber-singleton upfront compilation. Is this  
> developer religion?
>
> ************************************************************
> This communication, including attachments, is for the exclusive use  
> of addressee and may contain proprietary, confidential and/or  
> privileged information.  If you are not the intended recipient, any  
> use, copying, disclosure, dissemination or distribution is strictly  
> prohibited.  If you are not the intended recipient, please notify  
> the sender immediately by return e-mail, delete this communication  
> and destroy all copies.
> ************************************************************
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20091014/8f8443a5/attachment.html 


More information about the OWASP-Leaders mailing list