This repository has been archived by the owner on Apr 29, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #37 from phaus/master
some smaller updates
- Loading branch information
Showing
9 changed files
with
237 additions
and
140 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| # | ||
| # OWASP Enterprise Security API (ESAPI) Properties file -- TEST Version | ||
| # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version | ||
| # | ||
| # This file is part of the Open Web Application Security Project (OWASP) | ||
| # Enterprise Security API (ESAPI) project. For details, please see | ||
|
|
@@ -45,10 +45,10 @@ | |
| # | ||
| # If true, then print all the ESAPI properties set here when they are loaded. | ||
| # If false, they are not printed. Useful to reduce output when running JUnit tests. | ||
| # If you need to troubleshoot a properties related problem, turning this on may help, | ||
| # but we leave it off for running JUnit tests. (It will be 'true' in the one delivered | ||
| # as part of production ESAPI, mostly for backward compatibility.) | ||
| ESAPI.printProperties=false | ||
| # If you need to troubleshoot a properties related problem, turning this on may help. | ||
| # This is 'false' in the src/test/resources/.esapi version. It is 'true' by | ||
| # default for reasons of backward compatibility with earlier ESAPI versions. | ||
| ESAPI.printProperties=true | ||
|
|
||
| # ESAPI is designed to be easily extensible. You can use the reference implementation | ||
| # or implement your own providers to take advantage of your enterprise's security | ||
|
|
@@ -77,7 +77,6 @@ ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector | |
| # Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html | ||
| ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory | ||
| #ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory | ||
| #ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory | ||
| ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer | ||
| ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator | ||
|
|
||
|
|
@@ -108,7 +107,7 @@ Authenticator.AbsoluteTimeoutDuration=120 | |
| # multiple encoding is strongly discouraged. | ||
| Encoder.AllowMultipleEncoding=false | ||
|
|
||
| # Mixed encoding is when multiple different encoding formats are applied, or when | ||
| # Mixed encoding is when multiple different encoding formats are applied, or when | ||
| # multiple formats are nested. Allowing multiple encoding is strongly discouraged. | ||
| Encoder.AllowMixedEncoding=false | ||
|
|
||
|
|
@@ -146,21 +145,12 @@ Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec | |
| # where you can specify a SecretKey. (Note that if you are using the 256-bit AES, | ||
| # that requires downloading the special jurisdiction policy files mentioned above.) | ||
| # | ||
| # ***** IMPORTANT: These are for JUnit testing. Test files may have been | ||
| # encrypted using these values so do not change these or | ||
| # those tests will fail. The version under | ||
| # src/main/resources/.esapi/ESAPI.properties | ||
| # will be delivered with Encryptor.MasterKey and | ||
| # Encryptor.MasterSalt set to the empty string. | ||
| # | ||
| # FINAL NOTE: | ||
| # If Maven changes these when run, that needs to be fixed. | ||
| # 256-bit key... requires unlimited strength jurisdiction policy files | ||
| ### Encryptor.MasterKey=pJhlri8JbuFYDgkqtHmm9s0Ziug2PE7ovZDyEPm4j14= | ||
| # 128-bit key | ||
| Encryptor.MasterKey=a6H9is3hEVGKB4Jut+lOVA== | ||
| Encryptor.MasterSalt=SbftnvmEWD5ZHHP+pX3fqugNysc= | ||
| # Encryptor.MasterSalt= | ||
| # ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** | ||
| # To calculate these values, you can run: | ||
| # java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor | ||
| # | ||
| #Encryptor.MasterKey= | ||
| #Encryptor.MasterSalt= | ||
|
|
||
| # Provides the default JCE provider that ESAPI will "prefer" for its symmetric | ||
| # encryption and hashing. (That is it will look to this provider first, but it | ||
|
|
@@ -232,15 +222,8 @@ Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC | |
| # Note: We will add support for streaming modes like CFB & OFB once | ||
| # we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' | ||
| # (probably in ESAPI 2.1). | ||
| # | ||
| # IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB | ||
| # here as this is an extremely weak mode. However, we *must* | ||
| # allow it here so we can test ECB mode. That is important | ||
| # since the logic is somewhat different (i.e., ECB mode does | ||
| # not use an IV). | ||
| # DISCUSS: Better name? | ||
| # NOTE: ECB added only for testing purposes. Don't try this at home! | ||
| Encryptor.cipher_modes.additional_allowed=CBC,ECB | ||
| Encryptor.cipher_modes.additional_allowed=CBC | ||
|
|
||
| # 128-bit is almost always sufficient and appears to be more resistant to | ||
| # related key attacks than is 256-bit AES. Use '_' to use default key size | ||
|
|
@@ -268,7 +251,7 @@ Encryptor.ChooseIVMethod=random | |
| # If you choose to use a fixed IV, then you must place a fixed IV here that | ||
| # is known to all others who are sharing your secret key. The format should | ||
| # be a hex string that is the same length as the cipher block size for the | ||
| # cipher algorithm that you are using. The following is an example for AES | ||
| # cipher algorithm that you are using. The following is an *example* for AES | ||
| # from an AES test vector for AES-128/CBC as described in: | ||
| # NIST Special Publication 800-38A (2001 Edition) | ||
| # "Recommendation for Block Cipher Modes of Operation". | ||
|
|
@@ -307,13 +290,19 @@ Encryptor.DigitalSignatureAlgorithm=SHA1withDSA | |
| Encryptor.DigitalSignatureKeyLength=1024 | ||
| Encryptor.RandomAlgorithm=SHA1PRNG | ||
| Encryptor.CharacterEncoding=UTF-8 | ||
|
|
||
| # This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function | ||
| # (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and | ||
| # *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for | ||
| # the MAC, mostly to keep the overall size at a minimum.) | ||
| # | ||
| # Currently supported choices for JDK 1.5 and 1.6 are: | ||
| # HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and | ||
| # HmacSHA512 (512 bits). | ||
| # Note that HmacMD5 is *not* supported for the PRF used by the KDF even though | ||
| # these JDKs support it. | ||
| # the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide | ||
| # further details. | ||
| Encryptor.KDF.PRF=HmacSHA256 | ||
|
|
||
| #=========================================================================== | ||
| # ESAPI HttpUtilties | ||
| # | ||
|
|
@@ -324,8 +313,7 @@ Encryptor.KDF.PRF=HmacSHA256 | |
| # | ||
| # Default file upload location (remember to escape backslashes with \\) | ||
| HttpUtilities.UploadDir=C:\\ESAPI\\testUpload | ||
| # let this default to java.io.tmpdir for testing | ||
| #HttpUtilities.UploadTempDir=C:\\temp | ||
| HttpUtilities.UploadTempDir=C:\\temp | ||
| # Force flags on cookies, if you use HttpUtilities to set cookies | ||
| HttpUtilities.ForceHttpOnlySession=false | ||
| HttpUtilities.ForceSecureSession=false | ||
|
|
@@ -348,9 +336,16 @@ HttpUtilities.HttpSessionIdName=JSESSIONID | |
|
|
||
| #=========================================================================== | ||
| # ESAPI Executor | ||
| # CHECKME - Not sure what this is used for, but surely it should be made OS independent. | ||
| Executor.WorkingDirectory=C:\\Windows\\Temp | ||
| Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe | ||
| # CHECKME - This should be made OS independent. Don't use unsafe defaults. | ||
| # # Examples only -- do NOT blindly copy! | ||
| # For Windows: | ||
| # Executor.WorkingDirectory=C:\\Windows\\Temp | ||
| # Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe | ||
| # For *nux, MacOS: | ||
| # Executor.WorkingDirectory=/tmp | ||
| # Executor.ApprovedExecutables=/bin/bash | ||
| Executor.WorkingDirectory= | ||
| Executor.ApprovedExecutables= | ||
|
|
||
|
|
||
| #=========================================================================== | ||
|
|
@@ -437,36 +432,34 @@ Validator.ConfigurationFile=validation.properties | |
| Validator.AccountName=^[a-zA-Z0-9]{3,20}$ | ||
| Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ | ||
| Validator.RoleName=^[a-z]{1,20}$ | ||
|
|
||
| #the word TEST below should be changed to your application | ||
| #name - only relative URL's are supported | ||
| Validator.Redirect=^\\/test.*$ | ||
|
|
||
| # Global HTTP Validation Rules | ||
| # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] | ||
| Validator.HTTPScheme=^(http|https)$ | ||
| Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ | ||
| Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ | ||
| Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$ | ||
| Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ | ||
| Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ | ||
| # Note that max header name capped at 150 in SecurityRequestWrapper! | ||
| Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,50}$ | ||
| Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ | ||
| Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$ | ||
| Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ | ||
| Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ | ||
| Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ | ||
| Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ | ||
| Validator.HTTPURL=^.*$ | ||
| Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ | ||
|
|
||
| # Contributed by [email protected] | ||
| # Googlecode Issue 116 (http://code.google.com/p/owasp-esapi-java/issues/detail?id=116) | ||
| Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$ | ||
| Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$ | ||
| Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$ | ||
| Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$ | ||
| Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$ | ||
|
|
||
|
|
||
| # Validation of file related input | ||
| Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ | ||
| Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ | ||
|
|
||
| # Validation of dates. Controls whether or not 'lenient' dates are accepted. | ||
| # See DataFormat.setLenient(boolean flag) for further details. | ||
| Validator.AcceptLenientDates=false | ||
|
|
||
29 changes: 29 additions & 0 deletions
29
ldap-connector/src/main/resources/esapi/validation.properties
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| # The ESAPI validator does many security checks on input, such as canonicalization | ||
| # and whitelist validation. Note that all of these validation rules are applied *after* | ||
| # canonicalization. Double-encoded characters (even with different encodings involved, | ||
| # are never allowed. | ||
| # | ||
| # To use: | ||
| # | ||
| # First set up a pattern below. You can choose any name you want, prefixed by the word | ||
| # "Validation." For example: | ||
| # Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ | ||
| # | ||
| # Then you can validate in your code against the pattern like this: | ||
| # ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull); | ||
| # Where maxLength and allowNull are set for you needs, respectively. | ||
| # | ||
| # But note, when you use boolean variants of validation functions, you lose critical | ||
| # canonicalization. It is preferable to use the "get" methods (which throw exceptions) and | ||
| # and use the returned user input which is in canonical form. Consider the following: | ||
| # | ||
| # try { | ||
| # someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull)); | ||
| # | ||
| Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$ | ||
| Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ | ||
| Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ | ||
| Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ | ||
| Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ | ||
| Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ | ||
|
|
Oops, something went wrong.