Error using esapi check

I hope someone can help me with some problems.

I am using OWASP ESAPI 2.1.0 with JavaEE to help me check some entries in a web application. At some point, I needed to check the path to the Windows file, so I added a new property entry in "validation.properties", like this one:

Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$

When I try to check, for example, a string like "C:\TEMP\file.txt" through ESAPI, I get a ValidationException:

ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false);

As an alternative, I also tried the java.util.regex.Pattern class to test the same regular expression with the same string example, and it works fine:

Pattern.matches("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$", "C:\\TEMP\\file.txt")

I have to say that I added another regular expression in 'validation.properties' and it worked fine. Why is it so hard? Can anyone help me with this?

1 answer

This is because the call validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false); calls ESAPI.encoder().canonicalize(), which converts the input to the char sequence (not a literal String!) C:TEMP<0x0C>ile.txt before it moves on to the regular expression engine.

Apart from the fact that the second "\" is converted to the char 0x0c, this is usually the desired behavior. This may be a bug in ESAPI.

What you want to do is call ESAPI.validator().getValidDirectoryPath()

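Added example (not code from the question, the answer, or ESAPI itself): a small Java program that emulates the backslash-escape decoding the answer describes and checks the PathFile regex against the input before and after that step. The decoder is a constructed stand-in for what the answer attributes to ESAPI.encoder().canonicalize(), not the real canonicalizer, which does more than this.

```java
import java.util.regex.Pattern;

public class PathFileCanonicalizeDemo {
    // Same regex as the Validator.PathFile entry in validation.properties.
    static final Pattern PATH_FILE = Pattern.compile("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$");

    // Constructed stand-in for JavaScript-style backslash decoding:
    // "\f" -> form feed (0x0C), "\\" -> "\", and an unknown escape such as
    // "\T" simply drops the backslash. This is the step the answer blames.
    static String decodeBackslashEscapes(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '\\' || i + 1 == s.length()) { out.append(c); continue; }
            char n = s.charAt(++i);
            switch (n) {
                case 'f':  out.append('\f'); break;   // 0x0C
                case 'n':  out.append('\n'); break;
                case 'r':  out.append('\r'); break;
                case 't':  out.append('\t'); break;
                case '\\': out.append('\\'); break;
                default:   out.append(n);             // "\T" -> "T"
            }
        }
        return out.toString();
    }

    // Validation on the raw string, as java.util.regex.Pattern did in the question.
    static boolean matchesRaw(String input) {
        return PATH_FILE.matcher(input).matches();
    }

    // Validation after the decoding step: the backslashes are gone, so the
    // rule that requires a literal backslash before each segment fails.
    static boolean matchesAfterDecoding(String input) {
        return PATH_FILE.matcher(decodeBackslashEscapes(input)).matches();
    }

    // Render control characters visibly so the 0x0C shows up in output.
    static String showControlChars(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 0x20) out.append(String.format("<0x%02X>", (int) c)); else out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String path = "C:\\TEMP\\file.txt";   // constructed sample from the question
        System.out.println("raw     : " + path + " -> " + matchesRaw(path));
        System.out.println("decoded : " + showControlChars(decodeBackslashEscapes(path))
                + " -> " + matchesAfterDecoding(path));
    }
}
```

Validating the raw string keeps the backslashes intact; ESAPI's Validator also exposes a getValidInput overload with a trailing boolean canonicalize parameter for rules where the input is not expected to be encoded, and, as the answer says, getValidDirectoryPath() is the purpose-built call for file paths.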

Source: https://habr.com/ru/post/1545577/
