Error when using Esapi validation


Problem description

I hope someone could help me with some issue.

I'm using OWASP ESAPI 2.1.0 with JavaEE, to help me validate some entries in a web application. At some point I needed to validate a Windows file path, so I added a new property entry in the 'validation.properties' like this one:

Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$

When I try to validate, for example, a string like "C:\TEMP\file.txt" via ESAPI, I get a ValidationException:

ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false);

Alternatively, I also tried the java.util.regex.Pattern class to test the same regular expression with the same string example and it works OK:

Pattern.matches("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$", "C:\\TEMP\\file.txt")

I must say that I added other regexes in 'validation.properties' and they worked OK. Why is this one so hard? Could anyone help me out with this one?

Recommended answer

This is happening because the call to validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false); wraps a call to ESAPI.encoder().canonicalize() that transforms the input into the char sequence (not a literal String!) C:TEMP'0x0C'ile.txt before it is passed to the regex engine.

Except for the second "\" getting converted to the char 0x0c, this is normally desired behavior. That could be a bug in ESAPI.

What you want is to call
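To make the mechanism in the answer concrete, here is an added example (not ESAPI's code and not from the question or answer) that models the canonicalization step with a simplified JavaScript-style backslash-escape decoder, then applies the question's PathFile regex to the raw string and to the decoded string. The decoder table and the function names are assumptions made for this illustration; the real canonicalizer runs several codecs and handles more escape forms.

```python
import re

# Windows path pattern from the question's validation.properties entry.
# In the .properties file it is written as ^([a-zA-Z]:)?(\\\\[\\w. -]+)+$ ;
# after the properties loader unescapes it, the regex engine sees this form.
PATH_FILE_RE = re.compile(r"^([a-zA-Z]:)?(\\[\w. -]+)+$")

# JavaScript-style single-character escapes. Assumption: this small table
# models the backslash decoding the answer describes; it is not ESAPI's table.
_JS_SIMPLE_ESCAPES = {
    "b": "\b", "t": "\t", "n": "\n", "v": "\v", "f": "\f", "r": "\r",
    "0": "\0",
}


def decode_backslash_escapes(s):
    """Decode backslash escapes the way a JavaScript-style codec would:
    '\\f' becomes form feed (0x0C), and an unknown escape such as '\\T'
    yields the escaped character itself ('T'), so every backslash is consumed."""
    out = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append(_JS_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def matches_path_file(s):
    """Plain regex check, the equivalent of the question's Pattern.matches call."""
    return PATH_FILE_RE.match(s) is not None


def validate_with_canonicalization(raw):
    """Model of getValidInput's behavior: canonicalize first, then match.
    Returns (canonical_form, matched)."""
    canonical = decode_backslash_escapes(raw)
    return canonical, matches_path_file(canonical)


def canonicalization_changed(raw):
    """Defender-side check: True when decoding altered the input, i.e. the
    raw value contained escape sequences the canonicalizer interpreted."""
    return decode_backslash_escapes(raw) != raw


if __name__ == "__main__":
    raw = "C:\\TEMP\\file.txt"          # the literal C:\TEMP\file.txt
    print(repr(raw), matches_path_file(raw))
    canon, ok = validate_with_canonicalization(raw)
    print(repr(canon), ok)
    print("input changed by canonicalization:", canonization := canonicalization_changed(raw))
```

Run as a script, the plain regex accepts the raw path, while the canonicalized form has lost both backslashes (the second one having become a form-feed character), so the same regex rejects it. The last function shows the check a validator can use to tell that an input was rewritten by canonicalization before the pattern ever ran.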
