HBASE-16317 revert all ESAPI changes
Revert "HBASE-15270 Use appropriate encoding for "filter" field in TaskMonitorTmpl.jamon." This reverts commitbba4f107c1
. Revert "HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings (Samir Ahmic)" This reverts commit68b300173f
. Conflicts: hbase-server/pom.xml Revert "HBASE-15329 Cross-Site Scripting: Reflected in table.jsp (Samir Ahmic)" This reverts commit4b3e38705c
. Conflicts: hbase-server/src/main/resources/hbase-webapps/master/table.jsp Revert "HBASE-15369 Handle NPE in region.jsp (Samir Ahmic)" This reverts commit3826894f89
.
This commit is contained in:
parent
81b06b3bdd
commit
209b6f74c7
|
@ -61,24 +61,6 @@ under the License.
|
||||||
</licenses>
|
</licenses>
|
||||||
</project>
|
</project>
|
||||||
</supplement>
|
</supplement>
|
||||||
<supplement>
|
|
||||||
<project>
|
|
||||||
<groupId>commons-beanutils</groupId>
|
|
||||||
<artifactId>commons-beanutils-core</artifactId>
|
|
||||||
|
|
||||||
<organization>
|
|
||||||
<name>The Apache Software Foundation</name>
|
|
||||||
<url>http://www.apache.org/</url>
|
|
||||||
</organization>
|
|
||||||
<licenses>
|
|
||||||
<license>
|
|
||||||
<name>Apache Software License, Version 2.0</name>
|
|
||||||
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
|
|
||||||
<distribution>repo</distribution>
|
|
||||||
</license>
|
|
||||||
</licenses>
|
|
||||||
</project>
|
|
||||||
</supplement>
|
|
||||||
<!-- Artifacts with ambiguously named licenses in POM -->
|
<!-- Artifacts with ambiguously named licenses in POM -->
|
||||||
<supplement>
|
<supplement>
|
||||||
<project>
|
<project>
|
||||||
|
@ -1213,22 +1195,4 @@ Copyright (c) 2007-2011 The JRuby project
|
||||||
</licenses>
|
</licenses>
|
||||||
</project>
|
</project>
|
||||||
</supplement>
|
</supplement>
|
||||||
<supplement>
|
|
||||||
<project>
|
|
||||||
<groupId>xalan</groupId>
|
|
||||||
<artifactId>xalan</artifactId>
|
|
||||||
|
|
||||||
<organization>
|
|
||||||
<name>The Apache Software Foundation</name>
|
|
||||||
<url>http://www.apache.org/</url>
|
|
||||||
</organization>
|
|
||||||
<licenses>
|
|
||||||
<license>
|
|
||||||
<name>The Apache Software License, Version 2.0</name>
|
|
||||||
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
|
|
||||||
<distribution>repo</distribution>
|
|
||||||
</license>
|
|
||||||
</licenses>
|
|
||||||
</project>
|
|
||||||
</supplement>
|
|
||||||
</supplementalDataModels>
|
</supplementalDataModels>
|
||||||
|
|
|
@ -561,17 +561,6 @@
|
||||||
<artifactId>bcprov-jdk16</artifactId>
|
<artifactId>bcprov-jdk16</artifactId>
|
||||||
<scope>test</scope>
|
<scope>test</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
|
||||||
<groupId>org.owasp.esapi</groupId>
|
|
||||||
<artifactId>esapi</artifactId>
|
|
||||||
<version>2.1.0.1</version>
|
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<artifactId>xercesImpl</artifactId>
|
|
||||||
<groupId>xerces</groupId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.apache.kerby</groupId>
|
<groupId>org.apache.kerby</groupId>
|
||||||
<artifactId>kerb-client</artifactId>
|
<artifactId>kerb-client</artifactId>
|
||||||
|
|
|
@ -20,22 +20,12 @@ limitations under the License.
|
||||||
java.util.*;
|
java.util.*;
|
||||||
org.apache.hadoop.hbase.monitoring.*;
|
org.apache.hadoop.hbase.monitoring.*;
|
||||||
org.apache.hadoop.util.StringUtils;
|
org.apache.hadoop.util.StringUtils;
|
||||||
org.owasp.esapi.ESAPI;
|
|
||||||
org.owasp.esapi.errors.EncodingException;
|
|
||||||
</%import>
|
</%import>
|
||||||
<%args>
|
<%args>
|
||||||
TaskMonitor taskMonitor = TaskMonitor.get();
|
TaskMonitor taskMonitor = TaskMonitor.get();
|
||||||
String filter = "general";
|
String filter = "general";
|
||||||
String format = "html";
|
String format = "html";
|
||||||
</%args>
|
</%args>
|
||||||
<%class>
|
|
||||||
public String encodeFilter() {
|
|
||||||
try {
|
|
||||||
return ESAPI.encoder().encodeForURL(filter);
|
|
||||||
}catch(EncodingException e) {}
|
|
||||||
return ESAPI.encoder().encodeForHTML(filter);
|
|
||||||
}
|
|
||||||
</%class>
|
|
||||||
<%java>
|
<%java>
|
||||||
List<? extends MonitoredTask> tasks = taskMonitor.getTasks();
|
List<? extends MonitoredTask> tasks = taskMonitor.getTasks();
|
||||||
Iterator<? extends MonitoredTask> iter = tasks.iterator();
|
Iterator<? extends MonitoredTask> iter = tasks.iterator();
|
||||||
|
@ -72,7 +62,7 @@ boolean first = true;
|
||||||
<li <%if filter.equals("handler")%>class="active"</%if>><a href="?filter=handler">Show All RPC Handler Tasks</a></li>
|
<li <%if filter.equals("handler")%>class="active"</%if>><a href="?filter=handler">Show All RPC Handler Tasks</a></li>
|
||||||
<li <%if filter.equals("rpc")%>class="active"</%if>><a href="?filter=rpc">Show Active RPC Calls</a></li>
|
<li <%if filter.equals("rpc")%>class="active"</%if>><a href="?filter=rpc">Show Active RPC Calls</a></li>
|
||||||
<li <%if filter.equals("operation")%>class="active"</%if>><a href="?filter=operation">Show Client Operations</a></li>
|
<li <%if filter.equals("operation")%>class="active"</%if>><a href="?filter=operation">Show Client Operations</a></li>
|
||||||
<li><a href="?format=json&filter=<% encodeFilter() %>">View as JSON</a></li>
|
<li><a href="?format=json&filter=<% filter %>">View as JSON</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
<%if tasks.isEmpty()%>
|
<%if tasks.isEmpty()%>
|
||||||
<p>No tasks currently running on this node.</p>
|
<p>No tasks currently running on this node.</p>
|
||||||
|
|
|
@ -35,7 +35,6 @@ import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.apache.hadoop.hbase.http.HttpServer;
|
import org.apache.hadoop.hbase.http.HttpServer;
|
||||||
import org.apache.hadoop.hbase.util.JSONBean;
|
import org.apache.hadoop.hbase.util.JSONBean;
|
||||||
import org.owasp.esapi.ESAPI;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has
|
* This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has
|
||||||
|
@ -168,7 +167,7 @@ public class JMXJsonServlet extends HttpServlet {
|
||||||
jsonpcb = request.getParameter(CALLBACK_PARAM);
|
jsonpcb = request.getParameter(CALLBACK_PARAM);
|
||||||
if (jsonpcb != null) {
|
if (jsonpcb != null) {
|
||||||
response.setContentType("application/javascript; charset=utf8");
|
response.setContentType("application/javascript; charset=utf8");
|
||||||
writer.write(encodeJS(jsonpcb) + "(");
|
writer.write(jsonpcb + "(");
|
||||||
} else {
|
} else {
|
||||||
response.setContentType("application/json; charset=utf8");
|
response.setContentType("application/json; charset=utf8");
|
||||||
}
|
}
|
||||||
|
@ -221,9 +220,4 @@ public class JMXJsonServlet extends HttpServlet {
|
||||||
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
|
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private String encodeJS(String inputStr) {
|
|
||||||
return ESAPI.encoder().encodeForJavaScript(inputStr);
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,431 +0,0 @@
|
||||||
#
|
|
||||||
# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
|
|
||||||
#
|
|
||||||
# This file is part of the Open Web Application Security Project (OWASP)
|
|
||||||
# Enterprise Security API (ESAPI) project. For details, please see
|
|
||||||
# http://www.owasp.org/index.php/ESAPI.
|
|
||||||
#
|
|
||||||
# Copyright (c) 2008,2009 - The OWASP Foundation
|
|
||||||
#
|
|
||||||
# DISCUSS: This may cause a major backwards compatibility issue, etc. but
|
|
||||||
# from a name space perspective, we probably should have prefaced
|
|
||||||
# all the property names with ESAPI or at least OWASP. Otherwise
|
|
||||||
# there could be problems is someone loads this properties file into
|
|
||||||
# the System properties. We could also put this file into the
|
|
||||||
# esapi.jar file (perhaps as a ResourceBundle) and then allow an external
|
|
||||||
# ESAPI properties be defined that would overwrite these defaults.
|
|
||||||
# That keeps the application's properties relatively simple as usually
|
|
||||||
# they will only want to override a few properties. If looks like we
|
|
||||||
# already support multiple override levels of this in the
|
|
||||||
# DefaultSecurityConfiguration class, but I'm suggesting placing the
|
|
||||||
# defaults in the esapi.jar itself. That way, if the jar is signed,
|
|
||||||
# we could detect if those properties had been tampered with. (The
|
|
||||||
# code to check the jar signatures is pretty simple... maybe 70-90 LOC,
|
|
||||||
# but off course there is an execution penalty (similar to the way
|
|
||||||
# that the separate sunjce.jar used to be when a class from it was
|
|
||||||
# first loaded). Thoughts?
|
|
||||||
###############################################################################
|
|
||||||
#
|
|
||||||
# WARNING: Operating system protection should be used to lock down the .esapi
|
|
||||||
# resources directory and all the files inside and all the directories all the
|
|
||||||
# way up to the root directory of the file system. Note that if you are using
|
|
||||||
# file-based implementations, that some files may need to be read-write as they
|
|
||||||
# get updated dynamically.
|
|
||||||
#
|
|
||||||
# Before using, be sure to update the MasterKey and MasterSalt as described below.
|
|
||||||
# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
|
|
||||||
# you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
|
|
||||||
# re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
|
|
||||||
# able to decrypt your data with ESAPI 2.0.
|
|
||||||
#
|
|
||||||
# YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
|
|
||||||
#
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Configuration
|
|
||||||
#
|
|
||||||
# If true, then print all the ESAPI properties set here when they are loaded.
|
|
||||||
# If false, they are not printed. Useful to reduce output when running JUnit tests.
|
|
||||||
# If you need to troubleshoot a properties related problem, turning this on may help.
|
|
||||||
# This is 'false' in the src/test/resources/.esapi version. It is 'true' by
|
|
||||||
# default for reasons of backward compatibility with earlier ESAPI versions.
|
|
||||||
ESAPI.printProperties=true
|
|
||||||
|
|
||||||
# ESAPI is designed to be easily extensible. You can use the reference implementation
|
|
||||||
# or implement your own providers to take advantage of your enterprise's security
|
|
||||||
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
|
|
||||||
#
|
|
||||||
# String ciphertext =
|
|
||||||
# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0
|
|
||||||
# CipherText cipherText =
|
|
||||||
# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
|
|
||||||
#
|
|
||||||
# Below you can specify the classname for the provider that you wish to use in your
|
|
||||||
# application. The only requirement is that it implement the appropriate ESAPI interface.
|
|
||||||
# This allows you to switch security implementations in the future without rewriting the
|
|
||||||
# entire application.
|
|
||||||
#
|
|
||||||
# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
|
|
||||||
ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
|
|
||||||
# FileBasedAuthenticator requires users.txt file in .esapi directory
|
|
||||||
ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
|
|
||||||
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
|
|
||||||
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
|
|
||||||
|
|
||||||
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
|
|
||||||
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
|
|
||||||
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
|
|
||||||
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
|
|
||||||
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
|
|
||||||
#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
|
|
||||||
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
|
|
||||||
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Authenticator
|
|
||||||
#
|
|
||||||
Authenticator.AllowedLoginAttempts=3
|
|
||||||
Authenticator.MaxOldPasswordHashes=13
|
|
||||||
Authenticator.UsernameParameterName=username
|
|
||||||
Authenticator.PasswordParameterName=password
|
|
||||||
# RememberTokenDuration (in days)
|
|
||||||
Authenticator.RememberTokenDuration=14
|
|
||||||
# Session Timeouts (in minutes)
|
|
||||||
Authenticator.IdleTimeoutDuration=20
|
|
||||||
Authenticator.AbsoluteTimeoutDuration=120
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Encoder
|
|
||||||
#
|
|
||||||
# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
|
|
||||||
# Failure to canonicalize input is a very common mistake when implementing validation schemes.
|
|
||||||
# Canonicalization is automatic when using the ESAPI Validator, but you can also use the
|
|
||||||
# following code to canonicalize data.
|
|
||||||
#
|
|
||||||
# ESAPI.Encoder().canonicalize( "%22hello world"" );
|
|
||||||
#
|
|
||||||
# Multiple encoding is when a single encoding format is applied multiple times, multiple
|
|
||||||
# different encoding formats are applied, or when multiple formats are nested. Allowing
|
|
||||||
# multiple encoding is strongly discouraged.
|
|
||||||
Encoder.AllowMultipleEncoding=false
|
|
||||||
#
|
|
||||||
# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
|
|
||||||
# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
|
|
||||||
# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
|
|
||||||
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Encryption
|
|
||||||
#
|
|
||||||
# The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
|
|
||||||
# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
|
|
||||||
# There is not currently any support for key rotation, so be careful when changing your key and salt as it
|
|
||||||
# will invalidate all signed, encrypted, and hashed data.
|
|
||||||
#
|
|
||||||
# WARNING: Not all combinations of algorithms and key lengths are supported.
|
|
||||||
# If you choose to use a key length greater than 128, you MUST download the
|
|
||||||
# unlimited strength policy files and install in the lib directory of your JRE/JDK.
|
|
||||||
# See http://java.sun.com/javase/downloads/index.jsp for more information.
|
|
||||||
#
|
|
||||||
# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
|
|
||||||
# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
|
|
||||||
# possible, these methods should be avoided as they use ECB cipher mode, which in almost
|
|
||||||
# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
|
|
||||||
# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you
|
|
||||||
# should only use this compatibility setting if you have persistent data encrypted with
|
|
||||||
# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
|
|
||||||
# you have decrypted all of your old encrypted data and then re-encrypted it with
|
|
||||||
# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
|
|
||||||
# with the new 2.0 methods, make sure that you use the same cipher algorithm for both
|
|
||||||
# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
|
|
||||||
# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
|
|
||||||
# where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
|
|
||||||
# that requires downloading the special jurisdiction policy files mentioned above.)
|
|
||||||
#
|
|
||||||
# ***** IMPORTANT: Do NOT forget to replace these with your own values! *****
|
|
||||||
# To calculate these values, you can run:
|
|
||||||
# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
|
|
||||||
#
|
|
||||||
Encryptor.MasterKey=
|
|
||||||
Encryptor.MasterSalt=
|
|
||||||
|
|
||||||
# Provides the default JCE provider that ESAPI will "prefer" for its symmetric
|
|
||||||
# encryption and hashing. (That is it will look to this provider first, but it
|
|
||||||
# will defer to other providers if the requested algorithm is not implemented
|
|
||||||
# by this provider.) If left unset, ESAPI will just use your Java VM's current
|
|
||||||
# preferred JCE provider, which is generally set in the file
|
|
||||||
# "$JAVA_HOME/jre/lib/security/java.security".
|
|
||||||
#
|
|
||||||
# The main intent of this is to allow ESAPI symmetric encryption to be
|
|
||||||
# used with a FIPS 140-2 compliant crypto-module. For details, see the section
|
|
||||||
# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
|
|
||||||
# the ESAPI 2.0 Symmetric Encryption User Guide, at:
|
|
||||||
# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
|
|
||||||
# However, this property also allows you to easily use an alternate JCE provider
|
|
||||||
# such as "Bouncy Castle" without having to make changes to "java.security".
|
|
||||||
# See Javadoc for SecurityProviderLoader for further details. If you wish to use
|
|
||||||
# a provider that is not known to SecurityProviderLoader, you may specify the
|
|
||||||
# fully-qualified class name of the JCE provider class that implements
|
|
||||||
# java.security.Provider. If the name contains a '.', this is interpreted as
|
|
||||||
# a fully-qualified class name that implements java.security.Provider.
|
|
||||||
#
|
|
||||||
# NOTE: Setting this property has the side-effect of changing it in your application
|
|
||||||
# as well, so if you are using JCE in your application directly rather than
|
|
||||||
# through ESAPI (you wouldn't do that, would you? ;-), it will change the
|
|
||||||
# preferred JCE provider there as well.
|
|
||||||
#
|
|
||||||
# Default: Keeps the JCE provider set to whatever JVM sets it to.
|
|
||||||
Encryptor.PreferredJCEProvider=
|
|
||||||
|
|
||||||
# AES is the most widely used and strongest encryption algorithm. This
|
|
||||||
# should agree with your Encryptor.CipherTransformation property.
|
|
||||||
# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is
|
|
||||||
# very weak. It is essentially a password-based encryption key, hashed
|
|
||||||
# with MD5 around 1K times and then encrypted with the weak DES algorithm
|
|
||||||
# (56-bits) using ECB mode and an unspecified padding (it is
|
|
||||||
# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
|
|
||||||
# "AES/CBC/PKCSPadding". If you want to change these, change them here.
|
|
||||||
# Warning: This property does not control the default reference implementation for
|
|
||||||
# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
|
|
||||||
# in the future.
|
|
||||||
# @deprecated
|
|
||||||
Encryptor.EncryptionAlgorithm=AES
|
|
||||||
# For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
|
|
||||||
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
|
|
||||||
|
|
||||||
# Applies to ESAPI 2.0 and later only!
|
|
||||||
# Comma-separated list of cipher modes that provide *BOTH*
|
|
||||||
# confidentiality *AND* message authenticity. (NIST refers to such cipher
|
|
||||||
# modes as "combined modes" so that's what we shall call them.) If any of these
|
|
||||||
# cipher modes are used then no MAC is calculated and stored
|
|
||||||
# in the CipherText upon encryption. Likewise, if one of these
|
|
||||||
# cipher modes is used with decryption, no attempt will be made
|
|
||||||
# to validate the MAC contained in the CipherText object regardless
|
|
||||||
# of whether it contains one or not. Since the expectation is that
|
|
||||||
# these cipher modes support support message authenticity already,
|
|
||||||
# injecting a MAC in the CipherText object would be at best redundant.
|
|
||||||
#
|
|
||||||
# Note that as of JDK 1.5, the SunJCE provider does not support *any*
|
|
||||||
# of these cipher modes. Of these listed, only GCM and CCM are currently
|
|
||||||
# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
|
|
||||||
# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
|
|
||||||
# padding modes.
|
|
||||||
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
|
|
||||||
|
|
||||||
# Applies to ESAPI 2.0 and later only!
|
|
||||||
# Additional cipher modes allowed for ESAPI 2.0 encryption. These
|
|
||||||
# cipher modes are in _addition_ to those specified by the property
|
|
||||||
# 'Encryptor.cipher_modes.combined_modes'.
|
|
||||||
# Note: We will add support for streaming modes like CFB & OFB once
|
|
||||||
# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
|
|
||||||
# (probably in ESAPI 2.1).
|
|
||||||
# DISCUSS: Better name?
|
|
||||||
Encryptor.cipher_modes.additional_allowed=CBC
|
|
||||||
|
|
||||||
# 128-bit is almost always sufficient and appears to be more resistant to
|
|
||||||
# related key attacks than is 256-bit AES. Use '_' to use default key size
|
|
||||||
# for cipher algorithms (where it makes sense because the algorithm supports
|
|
||||||
# a variable key size). Key length must agree to what's provided as the
|
|
||||||
# cipher transformation, otherwise this will be ignored after logging a
|
|
||||||
# warning.
|
|
||||||
#
|
|
||||||
# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
|
|
||||||
Encryptor.EncryptionKeyLength=128
|
|
||||||
|
|
||||||
# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
|
|
||||||
# (All cipher modes except ECB require an IV.) There are two choices: we can either
|
|
||||||
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
|
|
||||||
# the IV does not need to be hidden from adversaries, it is important that the
|
|
||||||
# adversary not be allowed to choose it. Also, random IVs are generally much more
|
|
||||||
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
|
|
||||||
# such as CFB and OFB use a different IV for each encryption with a given key so
|
|
||||||
# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
|
|
||||||
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
|
|
||||||
# uncomment the Encryptor.fixedIV.
|
|
||||||
#
|
|
||||||
# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1
|
|
||||||
Encryptor.ChooseIVMethod=random
|
|
||||||
# If you choose to use a fixed IV, then you must place a fixed IV here that
|
|
||||||
# is known to all others who are sharing your secret key. The format should
|
|
||||||
# be a hex string that is the same length as the cipher block size for the
|
|
||||||
# cipher algorithm that you are using. The following is an example for AES
|
|
||||||
# from an AES test vector for AES-128/CBC as described in:
|
|
||||||
# NIST Special Publication 800-38A (2001 Edition)
|
|
||||||
# "Recommendation for Block Cipher Modes of Operation".
|
|
||||||
# (Note that the block size for AES is 16 bytes == 128 bits.)
|
|
||||||
#
|
|
||||||
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
|
|
||||||
|
|
||||||
# Whether or not CipherText should use a message authentication code (MAC) with it.
|
|
||||||
# This prevents an adversary from altering the IV as well as allowing a more
|
|
||||||
# fool-proof way of determining the decryption failed because of an incorrect
|
|
||||||
# key being supplied. This refers to the "separate" MAC calculated and stored
|
|
||||||
# in CipherText, not part of any MAC that is calculated as a result of a
|
|
||||||
# "combined mode" cipher mode.
|
|
||||||
#
|
|
||||||
# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
|
|
||||||
# set this property to false.
|
|
||||||
Encryptor.CipherText.useMAC=true
|
|
||||||
|
|
||||||
# Whether or not the PlainText object may be overwritten and then marked
|
|
||||||
# eligible for garbage collection. If not set, this is still treated as 'true'.
|
|
||||||
Encryptor.PlainText.overwrite=true
|
|
||||||
|
|
||||||
# Do not use DES except in a legacy situations. 56-bit is way too small key size.
|
|
||||||
#Encryptor.EncryptionKeyLength=56
|
|
||||||
#Encryptor.EncryptionAlgorithm=DES
|
|
||||||
|
|
||||||
# TripleDES is considered strong enough for most purposes.
|
|
||||||
# Note: There is also a 112-bit version of DESede. Using the 168-bit version
|
|
||||||
# requires downloading the special jurisdiction policy from Sun.
|
|
||||||
#Encryptor.EncryptionKeyLength=168
|
|
||||||
#Encryptor.EncryptionAlgorithm=DESede
|
|
||||||
|
|
||||||
Encryptor.HashAlgorithm=SHA-512
|
|
||||||
Encryptor.HashIterations=1024
|
|
||||||
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
|
|
||||||
Encryptor.DigitalSignatureKeyLength=1024
|
|
||||||
Encryptor.RandomAlgorithm=SHA1PRNG
|
|
||||||
Encryptor.CharacterEncoding=UTF-8
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI HttpUtilties
|
|
||||||
#
|
|
||||||
# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
|
|
||||||
# protect against malicious data from attackers, such as unprintable characters, escaped characters,
|
|
||||||
# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
|
|
||||||
# headers, and CSRF tokens.
|
|
||||||
#
|
|
||||||
# Default file upload location (remember to escape backslashes with \\)
|
|
||||||
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
|
|
||||||
HttpUtilities.UploadTempDir=C:\\temp
|
|
||||||
# Force flags on cookies, if you use HttpUtilities to set cookies
|
|
||||||
HttpUtilities.ForceHttpOnlySession=false
|
|
||||||
HttpUtilities.ForceSecureSession=false
|
|
||||||
HttpUtilities.ForceHttpOnlyCookies=true
|
|
||||||
HttpUtilities.ForceSecureCookies=true
|
|
||||||
# Maximum size of HTTP headers
|
|
||||||
HttpUtilities.MaxHeaderSize=4096
|
|
||||||
# File upload configuration
|
|
||||||
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
|
|
||||||
HttpUtilities.MaxUploadFileBytes=500000000
|
|
||||||
# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
|
|
||||||
# container, and any other technologies you may be using. Failure to do this may expose you
|
|
||||||
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
|
|
||||||
HttpUtilities.ResponseContentType=text/html; charset=UTF-8
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Executor
|
|
||||||
# CHECKME - Not sure what this is used for, but surely it should be made OS independent.
|
|
||||||
Executor.WorkingDirectory=C:\\Windows\\Temp
|
|
||||||
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Logging
|
|
||||||
# Set the application name if these logs are combined with other applications
|
|
||||||
Logger.ApplicationName=ExampleApplication
|
|
||||||
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
|
|
||||||
Logger.LogEncodingRequired=false
|
|
||||||
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
|
|
||||||
Logger.LogApplicationName=true
|
|
||||||
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
|
|
||||||
Logger.LogServerIP=true
|
|
||||||
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
|
|
||||||
# want to place it in a specific directory.
|
|
||||||
Logger.LogFileName=ESAPI_logging_file
|
|
||||||
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
|
|
||||||
Logger.MaxLogFileSize=10000000
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Intrusion Detection
|
|
||||||
#
|
|
||||||
# Each event has a base to which .count, .interval, and .action are added
|
|
||||||
# The IntrusionException will fire if we receive "count" events within "interval" seconds
|
|
||||||
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
|
|
||||||
# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
|
|
||||||
#
|
|
||||||
# Custom Events
|
|
||||||
# Names must start with "event." as the base
|
|
||||||
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
|
|
||||||
# You can also disable intrusion detection completely by changing
|
|
||||||
# the following parameter to true
|
|
||||||
#
|
|
||||||
IntrusionDetector.Disable=false
|
|
||||||
#
|
|
||||||
IntrusionDetector.event.test.count=2
|
|
||||||
IntrusionDetector.event.test.interval=10
|
|
||||||
IntrusionDetector.event.test.actions=disable,log
|
|
||||||
|
|
||||||
# Exception Events
|
|
||||||
# All EnterpriseSecurityExceptions are registered automatically
|
|
||||||
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
|
|
||||||
# Use the fully qualified classname of the exception as the base
|
|
||||||
|
|
||||||
# any intrusion is an attack
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
|
|
||||||
|
|
||||||
# for test purposes
|
|
||||||
# CHECKME: Shouldn't there be something in the property name itself that designates
|
|
||||||
# that these are for testing???
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
|
|
||||||
|
|
||||||
# rapid validation errors indicate scans or attacks in progress
|
|
||||||
# org.owasp.esapi.errors.ValidationException.count=10
|
|
||||||
# org.owasp.esapi.errors.ValidationException.interval=10
|
|
||||||
# org.owasp.esapi.errors.ValidationException.actions=log,logout
|
|
||||||
|
|
||||||
# sessions jumping between hosts indicates session hijacking
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Validation
|
|
||||||
#
|
|
||||||
# The ESAPI Validator works on regular expressions with defined names. You can define names
|
|
||||||
# either here, or you may define application specific patterns in a separate file defined below.
|
|
||||||
# This allows enterprises to specify both organizational standards as well as application specific
|
|
||||||
# validation rules.
|
|
||||||
#
|
|
||||||
Validator.ConfigurationFile=validation.properties
|
|
||||||
|
|
||||||
# Validators used by ESAPI
|
|
||||||
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
|
|
||||||
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
|
|
||||||
Validator.RoleName=^[a-z]{1,20}$
|
|
||||||
|
|
||||||
#the word TEST below should be changed to your application
|
|
||||||
#name - only relative URL's are supported
|
|
||||||
Validator.Redirect=^\\/test.*$
|
|
||||||
|
|
||||||
# Global HTTP Validation Rules
|
|
||||||
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
|
|
||||||
Validator.HTTPScheme=^(http|https)$
|
|
||||||
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
|
|
||||||
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
|
|
||||||
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
|
|
||||||
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
|
|
||||||
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
|
|
||||||
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
|
|
||||||
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
|
|
||||||
Validator.HTTPContextPath=^[a-zA-Z0-9.\\-\\/_]*$
|
|
||||||
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
|
|
||||||
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
|
|
||||||
Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$
|
|
||||||
Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
|
|
||||||
Validator.HTTPURL=^.*$
|
|
||||||
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$
|
|
||||||
|
|
||||||
# Validation of file related input
|
|
||||||
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
|
||||||
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
|
|
@ -29,7 +29,6 @@
|
||||||
import="java.util.Collection"
|
import="java.util.Collection"
|
||||||
import="java.util.Collections"
|
import="java.util.Collections"
|
||||||
import="java.util.Comparator"
|
import="java.util.Comparator"
|
||||||
import="org.owasp.esapi.ESAPI"
|
|
||||||
import="org.apache.hadoop.conf.Configuration"
|
import="org.apache.hadoop.conf.Configuration"
|
||||||
import="org.apache.hadoop.util.StringUtils"
|
import="org.apache.hadoop.util.StringUtils"
|
||||||
import="org.apache.hadoop.hbase.HRegionInfo"
|
import="org.apache.hadoop.hbase.HRegionInfo"
|
||||||
|
@ -85,7 +84,7 @@
|
||||||
<% if ( !readOnly && action != null ) { %>
|
<% if ( !readOnly && action != null ) { %>
|
||||||
<title>HBase Master: <%= master.getServerName() %></title>
|
<title>HBase Master: <%= master.getServerName() %></title>
|
||||||
<% } else { %>
|
<% } else { %>
|
||||||
<title>Table: <%= ESAPI.encoder().encodeForHTML(fqtn) %></title>
|
<title>Table: <%= fqtn %></title>
|
||||||
<% } %>
|
<% } %>
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||||
<meta name="description" content="">
|
<meta name="description" content="">
|
||||||
|
@ -181,7 +180,7 @@ if ( fqtn != null ) {
|
||||||
<div class="container-fluid content">
|
<div class="container-fluid content">
|
||||||
<div class="row inner_header">
|
<div class="row inner_header">
|
||||||
<div class="page-header">
|
<div class="page-header">
|
||||||
<h1>Table <small><%= ESAPI.encoder().encodeForHTML(fqtn) %></small></h1>
|
<h1>Table <small><%= fqtn %></small></h1>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="row">
|
<div class="row">
|
||||||
|
|
|
@ -21,7 +21,6 @@
|
||||||
import="java.util.Collection"
|
import="java.util.Collection"
|
||||||
import="java.util.Date"
|
import="java.util.Date"
|
||||||
import="java.util.List"
|
import="java.util.List"
|
||||||
import="org.owasp.esapi.ESAPI"
|
|
||||||
import="static org.apache.commons.lang.StringEscapeUtils.escapeXml"
|
import="static org.apache.commons.lang.StringEscapeUtils.escapeXml"
|
||||||
import="org.apache.hadoop.conf.Configuration"
|
import="org.apache.hadoop.conf.Configuration"
|
||||||
import="org.apache.hadoop.hbase.HTableDescriptor"
|
import="org.apache.hadoop.hbase.HTableDescriptor"
|
||||||
|
@ -36,14 +35,10 @@
|
||||||
String regionName = request.getParameter("name");
|
String regionName = request.getParameter("name");
|
||||||
HRegionServer rs = (HRegionServer) getServletContext().getAttribute(HRegionServer.REGIONSERVER);
|
HRegionServer rs = (HRegionServer) getServletContext().getAttribute(HRegionServer.REGIONSERVER);
|
||||||
Configuration conf = rs.getConfiguration();
|
Configuration conf = rs.getConfiguration();
|
||||||
String displayName = null;
|
|
||||||
Region region = rs.getFromOnlineRegions(regionName);
|
Region region = rs.getFromOnlineRegions(regionName);
|
||||||
if(region == null) {
|
String displayName = HRegionInfo.getRegionNameAsStringForDisplay(region.getRegionInfo(),
|
||||||
displayName= ESAPI.encoder().encodeForHTML(regionName) + " does not exist";
|
|
||||||
} else {
|
|
||||||
displayName = HRegionInfo.getRegionNameAsStringForDisplay(region.getRegionInfo(),
|
|
||||||
rs.getConfiguration());
|
rs.getConfiguration());
|
||||||
}
|
|
||||||
%>
|
%>
|
||||||
<!--[if IE]>
|
<!--[if IE]>
|
||||||
<!DOCTYPE html>
|
<!DOCTYPE html>
|
||||||
|
@ -126,14 +121,7 @@
|
||||||
<p> <%= storeFiles.size() %> StoreFile(s) in set.</p>
|
<p> <%= storeFiles.size() %> StoreFile(s) in set.</p>
|
||||||
</table>
|
</table>
|
||||||
<% }
|
<% }
|
||||||
} else { %>
|
}%>
|
||||||
<div class="container-fluid content">
|
|
||||||
<div class="row inner_header">
|
|
||||||
</div>
|
|
||||||
<p><hr><p>
|
|
||||||
<p>Go <a href="javascript:history.back()">Back</a>
|
|
||||||
</div>
|
|
||||||
<% } %>
|
|
||||||
</div>
|
</div>
|
||||||
<script src="/static/js/jquery.min.js" type="text/javascript"></script>
|
<script src="/static/js/jquery.min.js" type="text/javascript"></script>
|
||||||
<script src="/static/js/bootstrap.min.js" type="text/javascript"></script>
|
<script src="/static/js/bootstrap.min.js" type="text/javascript"></script>
|
||||||
|
|
|
@ -105,11 +105,5 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
|
||||||
assertReFind("\"committed\"\\s*:", result);
|
assertReFind("\"committed\"\\s*:", result);
|
||||||
assertReFind("\\}\\);$", result);
|
assertReFind("\\}\\);$", result);
|
||||||
|
|
||||||
// test to get XSS JSONP result
|
|
||||||
result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Memory&callback=<script>alert('hello')</script>"));
|
|
||||||
LOG.info("/jmx?qry=java.lang:type=Memory&callback=<script>alert('hello')</script> RESULT: "+result);
|
|
||||||
assertTrue(!result.contains("<script>"));
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,431 +0,0 @@
|
||||||
#
|
|
||||||
# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
|
|
||||||
#
|
|
||||||
# This file is part of the Open Web Application Security Project (OWASP)
|
|
||||||
# Enterprise Security API (ESAPI) project. For details, please see
|
|
||||||
# http://www.owasp.org/index.php/ESAPI.
|
|
||||||
#
|
|
||||||
# Copyright (c) 2008,2009 - The OWASP Foundation
|
|
||||||
#
|
|
||||||
# DISCUSS: This may cause a major backwards compatibility issue, etc. but
|
|
||||||
# from a name space perspective, we probably should have prefaced
|
|
||||||
# all the property names with ESAPI or at least OWASP. Otherwise
|
|
||||||
# there could be problems is someone loads this properties file into
|
|
||||||
# the System properties. We could also put this file into the
|
|
||||||
# esapi.jar file (perhaps as a ResourceBundle) and then allow an external
|
|
||||||
# ESAPI properties be defined that would overwrite these defaults.
|
|
||||||
# That keeps the application's properties relatively simple as usually
|
|
||||||
# they will only want to override a few properties. If looks like we
|
|
||||||
# already support multiple override levels of this in the
|
|
||||||
# DefaultSecurityConfiguration class, but I'm suggesting placing the
|
|
||||||
# defaults in the esapi.jar itself. That way, if the jar is signed,
|
|
||||||
# we could detect if those properties had been tampered with. (The
|
|
||||||
# code to check the jar signatures is pretty simple... maybe 70-90 LOC,
|
|
||||||
# but off course there is an execution penalty (similar to the way
|
|
||||||
# that the separate sunjce.jar used to be when a class from it was
|
|
||||||
# first loaded). Thoughts?
|
|
||||||
###############################################################################
|
|
||||||
#
|
|
||||||
# WARNING: Operating system protection should be used to lock down the .esapi
|
|
||||||
# resources directory and all the files inside and all the directories all the
|
|
||||||
# way up to the root directory of the file system. Note that if you are using
|
|
||||||
# file-based implementations, that some files may need to be read-write as they
|
|
||||||
# get updated dynamically.
|
|
||||||
#
|
|
||||||
# Before using, be sure to update the MasterKey and MasterSalt as described below.
|
|
||||||
# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
|
|
||||||
# you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
|
|
||||||
# re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
|
|
||||||
# able to decrypt your data with ESAPI 2.0.
|
|
||||||
#
|
|
||||||
# YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
|
|
||||||
#
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Configuration
|
|
||||||
#
|
|
||||||
# If true, then print all the ESAPI properties set here when they are loaded.
|
|
||||||
# If false, they are not printed. Useful to reduce output when running JUnit tests.
|
|
||||||
# If you need to troubleshoot a properties related problem, turning this on may help.
|
|
||||||
# This is 'false' in the src/test/resources/.esapi version. It is 'true' by
|
|
||||||
# default for reasons of backward compatibility with earlier ESAPI versions.
|
|
||||||
ESAPI.printProperties=true
|
|
||||||
|
|
||||||
# ESAPI is designed to be easily extensible. You can use the reference implementation
|
|
||||||
# or implement your own providers to take advantage of your enterprise's security
|
|
||||||
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
|
|
||||||
#
|
|
||||||
# String ciphertext =
|
|
||||||
# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0
|
|
||||||
# CipherText cipherText =
|
|
||||||
# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
|
|
||||||
#
|
|
||||||
# Below you can specify the classname for the provider that you wish to use in your
|
|
||||||
# application. The only requirement is that it implement the appropriate ESAPI interface.
|
|
||||||
# This allows you to switch security implementations in the future without rewriting the
|
|
||||||
# entire application.
|
|
||||||
#
|
|
||||||
# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
|
|
||||||
ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
|
|
||||||
# FileBasedAuthenticator requires users.txt file in .esapi directory
|
|
||||||
ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
|
|
||||||
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
|
|
||||||
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
|
|
||||||
|
|
||||||
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
|
|
||||||
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
|
|
||||||
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
|
|
||||||
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
|
|
||||||
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
|
|
||||||
#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
|
|
||||||
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
|
|
||||||
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Authenticator
|
|
||||||
#
|
|
||||||
Authenticator.AllowedLoginAttempts=3
|
|
||||||
Authenticator.MaxOldPasswordHashes=13
|
|
||||||
Authenticator.UsernameParameterName=username
|
|
||||||
Authenticator.PasswordParameterName=password
|
|
||||||
# RememberTokenDuration (in days)
|
|
||||||
Authenticator.RememberTokenDuration=14
|
|
||||||
# Session Timeouts (in minutes)
|
|
||||||
Authenticator.IdleTimeoutDuration=20
|
|
||||||
Authenticator.AbsoluteTimeoutDuration=120
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Encoder
|
|
||||||
#
|
|
||||||
# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
|
|
||||||
# Failure to canonicalize input is a very common mistake when implementing validation schemes.
|
|
||||||
# Canonicalization is automatic when using the ESAPI Validator, but you can also use the
|
|
||||||
# following code to canonicalize data.
|
|
||||||
#
|
|
||||||
# ESAPI.Encoder().canonicalize( "%22hello world"" );
|
|
||||||
#
|
|
||||||
# Multiple encoding is when a single encoding format is applied multiple times, multiple
|
|
||||||
# different encoding formats are applied, or when multiple formats are nested. Allowing
|
|
||||||
# multiple encoding is strongly discouraged.
|
|
||||||
Encoder.AllowMultipleEncoding=false
|
|
||||||
#
|
|
||||||
# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
|
|
||||||
# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
|
|
||||||
# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
|
|
||||||
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Encryption
|
|
||||||
#
|
|
||||||
# The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
|
|
||||||
# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
|
|
||||||
# There is not currently any support for key rotation, so be careful when changing your key and salt as it
|
|
||||||
# will invalidate all signed, encrypted, and hashed data.
|
|
||||||
#
|
|
||||||
# WARNING: Not all combinations of algorithms and key lengths are supported.
|
|
||||||
# If you choose to use a key length greater than 128, you MUST download the
|
|
||||||
# unlimited strength policy files and install in the lib directory of your JRE/JDK.
|
|
||||||
# See http://java.sun.com/javase/downloads/index.jsp for more information.
|
|
||||||
#
|
|
||||||
# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
|
|
||||||
# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
|
|
||||||
# possible, these methods should be avoided as they use ECB cipher mode, which in almost
|
|
||||||
# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
|
|
||||||
# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you
|
|
||||||
# should only use this compatibility setting if you have persistent data encrypted with
|
|
||||||
# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
|
|
||||||
# you have decrypted all of your old encrypted data and then re-encrypted it with
|
|
||||||
# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
|
|
||||||
# with the new 2.0 methods, make sure that you use the same cipher algorithm for both
|
|
||||||
# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
|
|
||||||
# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
|
|
||||||
# where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
|
|
||||||
# that requires downloading the special jurisdiction policy files mentioned above.)
|
|
||||||
#
|
|
||||||
# ***** IMPORTANT: Do NOT forget to replace these with your own values! *****
|
|
||||||
# To calculate these values, you can run:
|
|
||||||
# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
|
|
||||||
#
|
|
||||||
Encryptor.MasterKey=
|
|
||||||
Encryptor.MasterSalt=
|
|
||||||
|
|
||||||
# Provides the default JCE provider that ESAPI will "prefer" for its symmetric
|
|
||||||
# encryption and hashing. (That is it will look to this provider first, but it
|
|
||||||
# will defer to other providers if the requested algorithm is not implemented
|
|
||||||
# by this provider.) If left unset, ESAPI will just use your Java VM's current
|
|
||||||
# preferred JCE provider, which is generally set in the file
|
|
||||||
# "$JAVA_HOME/jre/lib/security/java.security".
|
|
||||||
#
|
|
||||||
# The main intent of this is to allow ESAPI symmetric encryption to be
|
|
||||||
# used with a FIPS 140-2 compliant crypto-module. For details, see the section
|
|
||||||
# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
|
|
||||||
# the ESAPI 2.0 Symmetric Encryption User Guide, at:
|
|
||||||
# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
|
|
||||||
# However, this property also allows you to easily use an alternate JCE provider
|
|
||||||
# such as "Bouncy Castle" without having to make changes to "java.security".
|
|
||||||
# See Javadoc for SecurityProviderLoader for further details. If you wish to use
|
|
||||||
# a provider that is not known to SecurityProviderLoader, you may specify the
|
|
||||||
# fully-qualified class name of the JCE provider class that implements
|
|
||||||
# java.security.Provider. If the name contains a '.', this is interpreted as
|
|
||||||
# a fully-qualified class name that implements java.security.Provider.
|
|
||||||
#
|
|
||||||
# NOTE: Setting this property has the side-effect of changing it in your application
|
|
||||||
# as well, so if you are using JCE in your application directly rather than
|
|
||||||
# through ESAPI (you wouldn't do that, would you? ;-), it will change the
|
|
||||||
# preferred JCE provider there as well.
|
|
||||||
#
|
|
||||||
# Default: Keeps the JCE provider set to whatever JVM sets it to.
|
|
||||||
Encryptor.PreferredJCEProvider=
|
|
||||||
|
|
||||||
# AES is the most widely used and strongest encryption algorithm. This
|
|
||||||
# should agree with your Encryptor.CipherTransformation property.
|
|
||||||
# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is
|
|
||||||
# very weak. It is essentially a password-based encryption key, hashed
|
|
||||||
# with MD5 around 1K times and then encrypted with the weak DES algorithm
|
|
||||||
# (56-bits) using ECB mode and an unspecified padding (it is
|
|
||||||
# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
|
|
||||||
# "AES/CBC/PKCSPadding". If you want to change these, change them here.
|
|
||||||
# Warning: This property does not control the default reference implementation for
|
|
||||||
# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
|
|
||||||
# in the future.
|
|
||||||
# @deprecated
|
|
||||||
Encryptor.EncryptionAlgorithm=AES
|
|
||||||
# For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
|
|
||||||
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
|
|
||||||
|
|
||||||
# Applies to ESAPI 2.0 and later only!
|
|
||||||
# Comma-separated list of cipher modes that provide *BOTH*
|
|
||||||
# confidentiality *AND* message authenticity. (NIST refers to such cipher
|
|
||||||
# modes as "combined modes" so that's what we shall call them.) If any of these
|
|
||||||
# cipher modes are used then no MAC is calculated and stored
|
|
||||||
# in the CipherText upon encryption. Likewise, if one of these
|
|
||||||
# cipher modes is used with decryption, no attempt will be made
|
|
||||||
# to validate the MAC contained in the CipherText object regardless
|
|
||||||
# of whether it contains one or not. Since the expectation is that
|
|
||||||
# these cipher modes support support message authenticity already,
|
|
||||||
# injecting a MAC in the CipherText object would be at best redundant.
|
|
||||||
#
|
|
||||||
# Note that as of JDK 1.5, the SunJCE provider does not support *any*
|
|
||||||
# of these cipher modes. Of these listed, only GCM and CCM are currently
|
|
||||||
# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
|
|
||||||
# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
|
|
||||||
# padding modes.
|
|
||||||
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
|
|
||||||
|
|
||||||
# Applies to ESAPI 2.0 and later only!
|
|
||||||
# Additional cipher modes allowed for ESAPI 2.0 encryption. These
|
|
||||||
# cipher modes are in _addition_ to those specified by the property
|
|
||||||
# 'Encryptor.cipher_modes.combined_modes'.
|
|
||||||
# Note: We will add support for streaming modes like CFB & OFB once
|
|
||||||
# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
|
|
||||||
# (probably in ESAPI 2.1).
|
|
||||||
# DISCUSS: Better name?
|
|
||||||
Encryptor.cipher_modes.additional_allowed=CBC
|
|
||||||
|
|
||||||
# 128-bit is almost always sufficient and appears to be more resistant to
|
|
||||||
# related key attacks than is 256-bit AES. Use '_' to use default key size
|
|
||||||
# for cipher algorithms (where it makes sense because the algorithm supports
|
|
||||||
# a variable key size). Key length must agree to what's provided as the
|
|
||||||
# cipher transformation, otherwise this will be ignored after logging a
|
|
||||||
# warning.
|
|
||||||
#
|
|
||||||
# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
|
|
||||||
Encryptor.EncryptionKeyLength=128
|
|
||||||
|
|
||||||
# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
|
|
||||||
# (All cipher modes except ECB require an IV.) There are two choices: we can either
|
|
||||||
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
|
|
||||||
# the IV does not need to be hidden from adversaries, it is important that the
|
|
||||||
# adversary not be allowed to choose it. Also, random IVs are generally much more
|
|
||||||
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
|
|
||||||
# such as CFB and OFB use a different IV for each encryption with a given key so
|
|
||||||
# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
|
|
||||||
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
|
|
||||||
# uncomment the Encryptor.fixedIV.
|
|
||||||
#
|
|
||||||
# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1
|
|
||||||
Encryptor.ChooseIVMethod=random
|
|
||||||
# If you choose to use a fixed IV, then you must place a fixed IV here that
|
|
||||||
# is known to all others who are sharing your secret key. The format should
|
|
||||||
# be a hex string that is the same length as the cipher block size for the
|
|
||||||
# cipher algorithm that you are using. The following is an example for AES
|
|
||||||
# from an AES test vector for AES-128/CBC as described in:
|
|
||||||
# NIST Special Publication 800-38A (2001 Edition)
|
|
||||||
# "Recommendation for Block Cipher Modes of Operation".
|
|
||||||
# (Note that the block size for AES is 16 bytes == 128 bits.)
|
|
||||||
#
|
|
||||||
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
|
|
||||||
|
|
||||||
# Whether or not CipherText should use a message authentication code (MAC) with it.
|
|
||||||
# This prevents an adversary from altering the IV as well as allowing a more
|
|
||||||
# fool-proof way of determining the decryption failed because of an incorrect
|
|
||||||
# key being supplied. This refers to the "separate" MAC calculated and stored
|
|
||||||
# in CipherText, not part of any MAC that is calculated as a result of a
|
|
||||||
# "combined mode" cipher mode.
|
|
||||||
#
|
|
||||||
# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
|
|
||||||
# set this property to false.
|
|
||||||
Encryptor.CipherText.useMAC=true
|
|
||||||
|
|
||||||
# Whether or not the PlainText object may be overwritten and then marked
|
|
||||||
# eligible for garbage collection. If not set, this is still treated as 'true'.
|
|
||||||
Encryptor.PlainText.overwrite=true
|
|
||||||
|
|
||||||
# Do not use DES except in a legacy situations. 56-bit is way too small key size.
|
|
||||||
#Encryptor.EncryptionKeyLength=56
|
|
||||||
#Encryptor.EncryptionAlgorithm=DES
|
|
||||||
|
|
||||||
# TripleDES is considered strong enough for most purposes.
|
|
||||||
# Note: There is also a 112-bit version of DESede. Using the 168-bit version
|
|
||||||
# requires downloading the special jurisdiction policy from Sun.
|
|
||||||
#Encryptor.EncryptionKeyLength=168
|
|
||||||
#Encryptor.EncryptionAlgorithm=DESede
|
|
||||||
|
|
||||||
Encryptor.HashAlgorithm=SHA-512
|
|
||||||
Encryptor.HashIterations=1024
|
|
||||||
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
|
|
||||||
Encryptor.DigitalSignatureKeyLength=1024
|
|
||||||
Encryptor.RandomAlgorithm=SHA1PRNG
|
|
||||||
Encryptor.CharacterEncoding=UTF-8
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI HttpUtilties
|
|
||||||
#
|
|
||||||
# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
|
|
||||||
# protect against malicious data from attackers, such as unprintable characters, escaped characters,
|
|
||||||
# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
|
|
||||||
# headers, and CSRF tokens.
|
|
||||||
#
|
|
||||||
# Default file upload location (remember to escape backslashes with \\)
|
|
||||||
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
|
|
||||||
HttpUtilities.UploadTempDir=C:\\temp
|
|
||||||
# Force flags on cookies, if you use HttpUtilities to set cookies
|
|
||||||
HttpUtilities.ForceHttpOnlySession=false
|
|
||||||
HttpUtilities.ForceSecureSession=false
|
|
||||||
HttpUtilities.ForceHttpOnlyCookies=true
|
|
||||||
HttpUtilities.ForceSecureCookies=true
|
|
||||||
# Maximum size of HTTP headers
|
|
||||||
HttpUtilities.MaxHeaderSize=4096
|
|
||||||
# File upload configuration
|
|
||||||
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
|
|
||||||
HttpUtilities.MaxUploadFileBytes=500000000
|
|
||||||
# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
|
|
||||||
# container, and any other technologies you may be using. Failure to do this may expose you
|
|
||||||
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
|
|
||||||
HttpUtilities.ResponseContentType=text/html; charset=UTF-8
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Executor
|
|
||||||
# CHECKME - Not sure what this is used for, but surely it should be made OS independent.
|
|
||||||
Executor.WorkingDirectory=C:\\Windows\\Temp
|
|
||||||
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Logging
|
|
||||||
# Set the application name if these logs are combined with other applications
|
|
||||||
Logger.ApplicationName=ExampleApplication
|
|
||||||
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
|
|
||||||
Logger.LogEncodingRequired=false
|
|
||||||
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
|
|
||||||
Logger.LogApplicationName=true
|
|
||||||
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
|
|
||||||
Logger.LogServerIP=true
|
|
||||||
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
|
|
||||||
# want to place it in a specific directory.
|
|
||||||
Logger.LogFileName=ESAPI_logging_file
|
|
||||||
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
|
|
||||||
Logger.MaxLogFileSize=10000000
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Intrusion Detection
|
|
||||||
#
|
|
||||||
# Each event has a base to which .count, .interval, and .action are added
|
|
||||||
# The IntrusionException will fire if we receive "count" events within "interval" seconds
|
|
||||||
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
|
|
||||||
# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
|
|
||||||
#
|
|
||||||
# Custom Events
|
|
||||||
# Names must start with "event." as the base
|
|
||||||
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
|
|
||||||
# You can also disable intrusion detection completely by changing
|
|
||||||
# the following parameter to true
|
|
||||||
#
|
|
||||||
IntrusionDetector.Disable=false
|
|
||||||
#
|
|
||||||
IntrusionDetector.event.test.count=2
|
|
||||||
IntrusionDetector.event.test.interval=10
|
|
||||||
IntrusionDetector.event.test.actions=disable,log
|
|
||||||
|
|
||||||
# Exception Events
|
|
||||||
# All EnterpriseSecurityExceptions are registered automatically
|
|
||||||
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
|
|
||||||
# Use the fully qualified classname of the exception as the base
|
|
||||||
|
|
||||||
# any intrusion is an attack
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
|
|
||||||
|
|
||||||
# for test purposes
|
|
||||||
# CHECKME: Shouldn't there be something in the property name itself that designates
|
|
||||||
# that these are for testing???
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
|
|
||||||
|
|
||||||
# rapid validation errors indicate scans or attacks in progress
|
|
||||||
# org.owasp.esapi.errors.ValidationException.count=10
|
|
||||||
# org.owasp.esapi.errors.ValidationException.interval=10
|
|
||||||
# org.owasp.esapi.errors.ValidationException.actions=log,logout
|
|
||||||
|
|
||||||
# sessions jumping between hosts indicates session hijacking
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
|
|
||||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
|
|
||||||
|
|
||||||
|
|
||||||
#===========================================================================
|
|
||||||
# ESAPI Validation
|
|
||||||
#
|
|
||||||
# The ESAPI Validator works on regular expressions with defined names. You can define names
|
|
||||||
# either here, or you may define application specific patterns in a separate file defined below.
|
|
||||||
# This allows enterprises to specify both organizational standards as well as application specific
|
|
||||||
# validation rules.
|
|
||||||
#
|
|
||||||
Validator.ConfigurationFile=validation.properties
|
|
||||||
|
|
||||||
# Validators used by ESAPI
|
|
||||||
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
|
|
||||||
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
|
|
||||||
Validator.RoleName=^[a-z]{1,20}$
|
|
||||||
|
|
||||||
#the word TEST below should be changed to your application
|
|
||||||
#name - only relative URL's are supported
|
|
||||||
Validator.Redirect=^\\/test.*$
|
|
||||||
|
|
||||||
# Global HTTP Validation Rules
|
|
||||||
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
|
|
||||||
Validator.HTTPScheme=^(http|https)$
|
|
||||||
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
|
|
||||||
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
|
|
||||||
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
|
|
||||||
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
|
|
||||||
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
|
|
||||||
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
|
|
||||||
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
|
|
||||||
Validator.HTTPContextPath=^[a-zA-Z0-9.\\-\\/_]*$
|
|
||||||
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
|
|
||||||
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
|
|
||||||
Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$
|
|
||||||
Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
|
|
||||||
Validator.HTTPURL=^.*$
|
|
||||||
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$
|
|
||||||
|
|
||||||
# Validation of file related input
|
|
||||||
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
|
||||||
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
|
1
pom.xml
1
pom.xml
|
@ -874,7 +874,6 @@
|
||||||
<exclude>**/patchprocess/**</exclude>
|
<exclude>**/patchprocess/**</exclude>
|
||||||
<exclude>src/main/site/resources/repo/**</exclude>
|
<exclude>src/main/site/resources/repo/**</exclude>
|
||||||
<exclude>**/dependency-reduced-pom.xml</exclude>
|
<exclude>**/dependency-reduced-pom.xml</exclude>
|
||||||
<exclude>**/ESAPI.properties</exclude>
|
|
||||||
<exclude>**/rat.txt</exclude>
|
<exclude>**/rat.txt</exclude>
|
||||||
</excludes>
|
</excludes>
|
||||||
</configuration>
|
</configuration>
|
||||||
|
|
Loading…
Reference in New Issue