ESAPI canonicalize malforming url

Submitted by ぐ巨炮叔叔 on 2019-12-22 12:38:58

Question


We have an application that accepts URLs from users. This data needs validation, and we're using ESAPI for this purpose. However, we're struggling with URLs containing ampersands.

The problem appears when ESAPI canonicalizes the data before validation. &pid=123 in the URL turns into πd=123 for example. Since π is not whitelisted, the validation fails.

I've tried encoding it, but ESAPI is smarter than that and does canonicalization to avoid double encoding and mixed encoding. I'm a bit stumped here and I'm not sure how to proceed.


Answer 1:


This problem is a known bug in ESAPI. I started working on resolving it, but since I don't know when a patch will get committed, I can only refer you to a workaround in my comments to the OP here where I linked a similar answer, using java.net.URI and javax.ws.rs.core.UriBuilder to parse/break down the URL, canonicalize the pieces, and then reconstruct the URL. I'll repost the link here. The example I put forth is on the second half of the question after the OP switched topics mid-question.
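The workaround this answer describes, written out as an added example; it is not the answer's own code and not part of ESAPI. It assumes ESAPI 2.x with its default ESAPI.properties and validation.properties on the classpath (HTTPPath, HTTPParameterName and HTTPParameterValue are validator types from that shipped file) and a JAX-RS implementation such as Jersey so that javax.ws.rs.core.UriBuilder has a runtime provider; the class, method and context names are mine.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import javax.ws.rs.core.UriBuilder;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Piece-wise canonicalization of a user-supplied absolute http(s) URL.
 *
 * Canonicalizing the whole string lets ESAPI's HTML entity decoding see
 * "&pid=123" and read "&pi" as the entity for U+03C0, giving "\u03c0d=123".
 * Splitting the raw query on '&' first means no piece starts with '&', so each
 * name and value is decoded (percent-decoding included) on its own, and
 * double or mixed encoding in any piece is still reported as an intrusion.
 */
public final class UrlPieceValidator {

    private static final String CONTEXT = "UserUrl";
    // Validator types assumed to be defined in ESAPI's validation.properties;
    // these three names are in the file shipped with ESAPI 2.x.
    private static final String PATH_TYPE  = "HTTPPath";
    private static final String NAME_TYPE  = "HTTPParameterName";
    private static final String VALUE_TYPE = "HTTPParameterValue";

    private UrlPieceValidator() {}

    /** Returns the rebuilt URI, or null if any piece is malformed, encoded twice or outside the whitelist. */
    public static URI validateAndRebuild(String userUrl) {
        Encoder encoder = ESAPI.encoder();
        Validator validator = ESAPI.validator();

        URI uri;
        try {
            uri = new URI(userUrl);              // structural parse; nothing is decoded yet
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        if (scheme == null || uri.getHost() == null) {
            return null;                         // only absolute URLs are accepted
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;                         // rejects javascript:, file:, data:, ...
        }

        String path;
        List<String[]> params = new ArrayList<>();
        try {
            // Path on its own: it contains no '&', so only percent-decoding applies.
            String rawPath = (uri.getRawPath() == null || uri.getRawPath().isEmpty()) ? "/" : uri.getRawPath();
            path = encoder.canonicalize(rawPath);
            // Final 'false': skip the validator's own canonicalization, the piece is already canonical.
            if (!validator.isValidInput(CONTEXT, path, PATH_TYPE, 255, false, false)) {
                return null;
            }
            // Query: split BEFORE canonicalizing so "&pid" is never seen as "&pi" + "d".
            String rawQuery = uri.getRawQuery();
            if (rawQuery != null) {
                for (String pair : rawQuery.split("&")) {
                    if (pair.isEmpty()) {
                        continue;
                    }
                    int eq = pair.indexOf('=');
                    String name  = encoder.canonicalize(eq < 0 ? pair : pair.substring(0, eq));
                    String value = encoder.canonicalize(eq < 0 ? "" : pair.substring(eq + 1));
                    if (!validator.isValidInput(CONTEXT, name, NAME_TYPE, 32, false, false)
                            || !validator.isValidInput(CONTEXT, value, VALUE_TYPE, 255, true, false)) {
                        return null;
                    }
                    params.add(new String[] {name, value});
                }
            }
        } catch (IntrusionException e) {
            return null;                         // multiple or mixed encoding in some piece
        }

        // Rebuild: UriBuilder re-encodes each piece for its component, so a decoded
        // name or value can never be re-read as a separator or as an entity.
        UriBuilder builder = UriBuilder.fromUri(uri).replacePath(path).replaceQuery(null).fragment(null);
        for (String[] p : params) {
            builder.queryParam(p[0], p[1]);
        }
        return builder.build();
    }

    public static void main(String[] args) {
        String url = "https://example.com/search?pid=123";
        // Whole-string canonicalization: the query comes back as "\u03c0d=123" (the bug in the question).
        System.out.println("canonicalize(whole) = " + ESAPI.encoder().canonicalize(url));
        // Piece-wise handling keeps pid=123 intact.
        System.out.println("piecewise           = " + validateAndRebuild(url));
        // A double-encoded value (%2531 -> %31 -> "1") is rejected instead of silently decoded.
        System.out.println("double-encoded      = " + validateAndRebuild("https://example.com/search?pid=%2531"));
    }
}
```

Each piece is canonicalized exactly once and then checked with the validator's canonicalize flag set to false, so it is not decoded a second time. The whitelist regexes are ESAPI's defaults and are tight (no '.' or '&' in a parameter value, for instance); widen those types in validation.properties for the URLs the application actually needs rather than relaxing the split-then-canonicalize step.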




Answer 2:


I faced the same issue. In my case, for the string \fgdf\gghfh\fgh\dff, the canonicalize method turned this into:

Case 1: canonicalize(string) --> INTRUSION - Multiple (2x) encoding detected in \fgdf\gghfh\fgh\dff

Case 2: canonicalize(string, false) --> input=fgdfgghfhfghdff. In this case, it failed string validation, since this ? character is not part of the whitelist of characters.

I finally managed to get it working. Below is the code:

    // percent-encode the value first (encodeForURL declares EncodingException)
    value = ESAPI.encoder().encodeForURL(value);
    // strip the stray character that canonicalization produced; its regex did not survive on this page
    value = value.replaceAll("", "");
    // 255 = max length, true = allow null, false = do not canonicalize again
    isSafe = validator.isValidInput("APPNAME", value, "URLSTRING", 255, true, false);

The last parameter, false, turns off the internal canonicalization that is on by default.

I hope this helps.



Source: https://stackoverflow.com/questions/23267759/esapi-canonicalize-malforming-url
