diff options
| author |   Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:22:19 -0400 |
|---|---|---|
| committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:44:33 -0400 |
| commit | e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch) | |
| tree | 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-app-overlay/src/main/resources/validation.properties | |
| parent | ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff) | |
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.
Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-overlay/src/main/resources/validation.properties')
| -rw-r--r-- | ecomp-sdk/epsdk-app-overlay/src/main/resources/validation.properties | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/resources/validation.properties b/ecomp-sdk/epsdk-app-overlay/src/main/resources/validation.properties new file mode 100644 index 00000000..b275093f --- /dev/null +++ b/ecomp-sdk/epsdk-app-overlay/src/main/resources/validation.properties @@ -0,0 +1,32 @@ +# The ESAPI validator does many security checks on input, such as canonicalization +# and whitelist validation. Note that all of these validation rules are applied *after* +# canonicalization. Double-encoded characters (even with different encodings involved, +# are never allowed. +# +# To use: +# +# First set up a pattern below. You can choose any name you want, prefixed by the word +# "Validation." For example: +# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ +# +# Then you can validate in your code against the pattern like this: +# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull); +# Where maxLength and allowNull are set for you needs, respectively. +# +# But note, when you use boolean variants of validation functions, you lose critical +# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and +# and use the returned user input which is in canonical form. Consider the following: +# +# try { +# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull)); +# +Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$ +#Given the discussion: https://github.com/ESAPI/esapi-java-legacy/issues/374, a better upper-bound for domain name +#was selected as 62. This is slightly under the length in RFC-1035 +Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,62}$ +Validator.Gmail=^[A-Za-z0-9._%'-+]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,62}$ +Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +#Validator.URL=^(?:ht|f)tp(s?+)\\:\\/\\/[0-9a-zA-Z](?:[-.\\w]*[0-9a-zA-Z])*(?::(?:0-9)*)*(?:\\/?+)(?:[a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?+$ +Validator.URL=^(?:ht|f)tp(?:s?)(?:[:A-Za-z0-9%/#?&.=-]*)$ +Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ +Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
\ No newline at end of file |