How to implement the OWASP ESAPI validator with groups of validation attempts in ColdFusion?
Question
I have been playing around with the OWASP ESAPI utilities that are included with ColdFusion 9 (ColdFusion's Built-in Enterprise Security API). The encoder utilities are pretty straightforward and I believe I have them working fine. My problem is with the validator utilities.

I can get them to work singly. That is, if I call the validator.getValidInput() method with "invalid" data it will throw an error that I can catch. However, when I try to call the validator method in batch I get a null pointer exception. By batch I mean attempting to execute groups of validation attempts. This is supposed to work by passing the validator.getValidInput() method a ValidationErrorList parameter which should tell it NOT to throw an error but instead just add the error to the error list. I cannot get it to work in this mode. My best attempt is giving me a null pointer exception.

Here is the specific error:
java.lang.NullPointerException
With this stack trace:
java.lang.NullPointerException
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:238)
    at sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at coldfusion.runtime.StructBean.invoke(StructBean.java:536)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2393)
    at cftest2ecfm989071068.runPage(D:\Web\internet\fboc\test.cfm:19)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416)
    at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722)
    at cfApplication2ecfc1705903666$funcONREQUEST.runFunction(D:\Web\internet\fboc\Application.cfc:70)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337)
    at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88)
    at coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:280)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:356)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:94)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
    at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)
    at coldfusion.CfmServlet.service(CfmServlet.java:201)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Here is a simple test script. You will notice that I have one line commented out. That line works without the ErrorList but throws an error (as it should). I am trying to get the method to work without throwing the error:

<cftry>
    <cfsilent>
        <cfparam name="form.TestField" default="" type="string" />
        <cfset Esapi = CreateObject("java", "org.owasp.esapi.ESAPI") />
        <cfset EsapiEncoder = Esapi.encoder() />
        <cfset EsapiValidator = Esapi.validator() />
        <cfset Clean = StructNew() />
        <cfset Clean.Css = EsapiEncoder.encodeForCss(form.TestField) />
        <cfset Clean.Html = EsapiEncoder.encodeForHtml(form.TestField) />
        <cfset Clean.HtmlAttribute = EsapiEncoder.encodeForHtmlAttribute(form.TestField) />
        <cfset Clean.JavaScript = EsapiEncoder.encodeForJavaScript(form.TestField) />
        <cfset Clean.Url = EsapiEncoder.encodeForUrl(form.TestField) />
        <cfset Clean.Xml = EsapiEncoder.encodeForXml(form.TestField) />
        <cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList") />
        <cfset Valid = StructNew() />
        <cfset Valid.Input = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, false, true, ErrorList) />
        <!---<cfset Valid.Input = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, false, true) />--->
    </cfsilent>
    <!DOCTYPE HTML>
    <html>
    <head>
        <meta charset='UTF-8' />
        <title>ESAPI Test</title>
    </head>
    <body>
        <div>
            <h3>ESAPI Test</h3>
            <cfoutput>
            <form name="frmtest" id="frmtest" action="#cgi.script_name#" method="post">
                <p>Enter text to test:</p>
                <p><input type="text" name="TestField" id="TestField" size="64" maxlength="128" value="#Clean.HtmlAttribute#" /></p>
                <p><input type="submit" name="submit" id="submit" value=" Submit " /></p>
            </form>
            </cfoutput>
            <hr />
            <cfdump var="#Clean#" label="Clean Structure" />
            <hr />
            <cfdump var="#Valid#" label="Valid Structure" />
        </div>
    </body>
    </html>
    <cfcatch type="any">
        <hr />
        <div>
            <h3>ERROR</h3>
            <cfdump var="#cfcatch#" label="Error" />
        </div>
    </cfcatch>
</cftry>
When I run this script with "valid" data it works fine (no errors thrown). If I enter an "invalid" character then I get the null pointer exception.

Example of "valid" data:
this is a safe string 0123456789

Example of "invalid" data:
this is a safe string 0123456789-
(notice the hyphen at the end)

Here is a link to the documentation that shows what I am trying to implement.
For what it's worth, the validation "rules" are defined in the validation.properties file that comes with ColdFusion. That file is located in the {cfusion lib} directory. Here are the contents of that file from my server:

# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
#
# Then you can validate in your code against the pattern like this:
# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
# Where maxLength and allowNull are set for you needs, respectively.
#
# But note, when you use boolean variants of validation functions, you lose critical
# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and
# and use the returned user input which is in canonical form. Consider the following:
#
# try {
# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
#
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
Validator.CFContainerID=^[\\p{Alnum}_\\-\\.:]+$
Validator.GOOGLEMAPAPI=^[\\p{Alnum}_\\+=\\/\\-]+$
Validator.CFFORMSCRIPTSRC=^[^\\*\\?\"'<>|%]*$
I presume that the idea is to add rules to this file for your own applications.

Has anyone gotten the validator.getValidInput() method to work in batch (groups of validation attempts)?
Update 1

I noticed that the following is being written to my cfusion-out.log on the server every time I get the null pointer exception. It leads me to believe that it is working to a point but then gets a null pointer while attempting to assign the validation exception:

06/25 16:08:14 [jrpp-3225] WARN [SECURITY FAILURE Anonymous:null@unknown -> /IntrusionDetector] Invalid input: context=Test Field, type(SafeString)=^[.\p{Alnum}\p{Space}]{0,1024}$, input=this is a safe string 0123456789-
org.owasp.esapi.errors.ValidationException: Test Field: Invalid input. Please conform to regex ^[.\p{Alnum}\p{Space}]{0,1024}$ with a maximum length of 128
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
    at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:199)
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:236)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at coldfusion.runtime.StructBean.invoke(StructBean.java:508)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2393)
    at cftest2ecfm989071068.runPage(D:\Web\internet\fboc\test.cfm:19)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416)
    at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722)
    at cfApplication2ecfc1705903666$funcONREQUEST.runFunction(D:\Web\internet\fboc\Application.cfc:70)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337)
    at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88)
    at coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:280)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:356)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:94)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
    at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)
    at coldfusion.CfmServlet.service(CfmServlet.java:201)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Update 2

I have been digging through Damon Miller's implementation of the OWASP ESAPI methods for ColdFusion. I noticed in his code that he does not call the getValidInput() method with the ValidationErrorList attribute. Rather he wrote the code to catch the generated error and then add the error to the list himself. Hmmm? I thought the method was supposed to do that for you????

As an aside, I am trying not to use a library such as his to avoid the additional bloat that I do not need.

Excerpt from his code:

if(structKeyExists( arguments, "errorList" )) {
    try {
        return getValidInput( arguments.context, arguments.input, arguments.type, arguments.maxLength, arguments.allowNull );
    }
    catch(esapi4cf.org.owasp.esapi.errors.ValidationException e) {
        arguments.errorList.addError( arguments.context, e );
    }
    return arguments.input;
}
else {
    ...
Solution

This looks to be a bug in the ColdFusion implementation of ESAPI - we have full coverage testing of the getValidInput method in your unit test suite for ESAPI that demonstrate that the method works as advertised.

Based off of your second update above I would guess that in the CF implementation code there is an uninitialized variable being accessed (perhaps errorList is uninitialized in this context).

I am the project leader of the OWASP ESAPI project and very familiar with this bit of code in ESAPI itself but am not a CF developer and have not seen all of the implementation code for CF9.
** Edit **

In order to make the validation methods work in batch using ColdFusion a call to the init() method is required for the org.owasp.esapi.ValidationErrorList class before calling the validator methods. Add the following line to the test script and it will work:

<cfset ErrorList = ErrorList.init() />

In context:

<cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList") />
<cfset ErrorList = ErrorList.init() />
<cfset Valid.TestField = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, true, true, ErrorList) />

Now when invalid input is entered the error will be added to the ErrorList
variable instead of throwing an error.
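As an added example (not code from the question or the answer), here is the same getValidInput() call applied to a group of three form fields that share one ValidationErrorList, with the init() fix from the answer and the errors read back afterwards. The field names and length limits are made up, and isEmpty(), size(), errors(), getContext() and getUserMessage() are assumed to be the standard ESAPI 2.x methods on ValidationErrorList and ValidationException.

```cfml
<!--- Added example (not code from the question or the answer): validate a group
      of three form fields against one ValidationErrorList, with the init() fix
      from the answer. The field names and length limits are made up. --->
<cfparam name="form.UserName" default="" type="string" />
<cfparam name="form.Email" default="" type="string" />
<cfparam name="form.Comment" default="" type="string" />

<cfset Esapi = CreateObject("java", "org.owasp.esapi.ESAPI") />
<cfset EsapiEncoder = Esapi.encoder() />
<cfset EsapiValidator = Esapi.validator() />

<!--- CreateObject alone hands the validator an uninstantiated class proxy, which
      is where the NullPointerException inside DefaultValidator came from;
      init() constructs the real list that the validator adds errors to. --->
<cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList") />
<cfset ErrorList = ErrorList.init() />

<!--- Arguments: context, input, type (a Validator.* rule name from
      validation.properties), maxLength, allowNull, canonicalize, errorList.
      With the list supplied, a failing field is recorded in the list instead of
      thrown, so every field in the group is still checked. allowNull stays
      false: with allowNull=true an empty field comes back as Java null, which
      ColdFusion turns into an undefined variable. --->
<cfset Valid = StructNew() />
<cfset Valid.UserName = EsapiValidator.getValidInput("User Name", form.UserName, "SafeString", 64, false, true, ErrorList) />
<cfset Valid.Email = EsapiValidator.getValidInput("Email Address", form.Email, "Email", 128, false, true, ErrorList) />
<cfset Valid.Comment = EsapiValidator.getValidInput("Comment", form.Comment, "SafeString", 1024, false, true, ErrorList) />

<cfif ErrorList.isEmpty()>
    <!--- Every field passed: from here on use the canonical values in Valid,
          never the raw form scope. --->
    <cfdump var="#Valid#" label="Validated (canonical) input" />
<cfelse>
    <!--- One ValidationException per failed field, keyed by the context string
          passed above. The messages echo the context and the rule's regex, so
          they are HTML-encoded before being written to the page. --->
    <cfset Errors = ErrorList.errors() />
    <cfoutput>
    <h3>#ErrorList.size()# field(s) failed validation</h3>
    <ul>
    <cfloop index="i" from="1" to="#ErrorList.size()#">
        <cfset err = Errors.get(JavaCast("int", i - 1)) />
        <li>#EsapiEncoder.encodeForHtml(err.getContext())#:
            #EsapiEncoder.encodeForHtml(err.getUserMessage())#</li>
    </cfloop>
    </ul>
    </cfoutput>
</cfif>
```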