How to implement the OWASP ESAPI validator with groups of validation attempts in ColdFusion?


Problem description

I have been playing around with the OWASP ESAPI utilities that are included with ColdFusion 9 (ColdFusion's built-in Enterprise Security API). The encoder utilities are pretty straightforward and I believe I have them working fine. My problem is with the validator utilities.

I can get them to work singly. That is, if I call the validator.getValidInput() method with "invalid" data it will throw an error that I can catch. However, when I try to call the validator method in batch I get a null pointer exception. By batch I mean attempting to execute groups of validation attempts. This is supposed to work by passing the validator.getValidInput() method a ValidationErrorList parameter which should tell it NOT to throw an error but instead just add the error to the error list. I cannot get it to work in this mode. My best attempt is giving me a null pointer exception.

Here is the specific error:

java.lang.NullPointerException

With this stack trace:

java.lang.NullPointerException at 
org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:238) at 
sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source) at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at 
java.lang.reflect.Method.invoke(Unknown Source) at 
coldfusion.runtime.StructBean.invoke(StructBean.java:536) at 
coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2393) at 
cftest2ecfm989071068.runPage(D:\Web\internet\fboc\test.cfm:19) at 
coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at 
coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at 
coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at 
cfApplication2ecfc1705903666$funcONREQUEST.runFunction(D:\Web\internet\fboc\Application.cfc:70) at 
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at 
coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at 
coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at 
coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at 
coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at 
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at 
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491) at 
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337) at 
coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88) at 
coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:280) at 
coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:356) at 
coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at 
coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at 
coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at 
coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at 
coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79) at 
coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at 
coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at 
coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at 
coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at 
coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at 
coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at 
coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126) at 
coldfusion.CfmServlet.service(CfmServlet.java:201) at 
coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at 
jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at 
coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at 
coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at 
jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at 
jrun.servlet.FilterChain.service(FilterChain.java:101) at 
jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at 
jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at 
jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at 
jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at 
jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at 
jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at 
jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Here is a simple test script. You will notice that I have one line commented out. That line works without the ErrorList but throws an error (as it should). I am trying to get the method to work without throwing the error:

<cftry>
<cfsilent>
<cfparam name="form.TestField" default="" type="string" />

<cfset Esapi = CreateObject("java", "org.owasp.esapi.ESAPI") />
<cfset EsapiEncoder = Esapi.encoder() />
<cfset EsapiValidator = Esapi.validator() />

<cfset Clean = StructNew() />
<cfset Clean.Css = EsapiEncoder.encodeForCss(form.TestField) />
<cfset Clean.Html = EsapiEncoder.encodeForHtml(form.TestField) />
<cfset Clean.HtmlAttribute = EsapiEncoder.encodeForHtmlAttribute(form.TestField) />
<cfset Clean.JavaScript = EsapiEncoder.encodeForJavaScript(form.TestField) />
<cfset Clean.Url = EsapiEncoder.encodeForUrl(form.TestField) />
<cfset Clean.Xml = EsapiEncoder.encodeForXml(form.TestField) />

<cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList") />
<cfset Valid = StructNew() />
<cfset Valid.Input = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, false, true, ErrorList) />
<!---<cfset Valid.Input = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, false, true) />--->
</cfsilent>

<!DOCTYPE HTML>
<html>
<head>
    <meta charset='UTF-8' />
    <title>ESAPI Test</title>
</head>
<body>
    <div>
        <h3>ESAPI Test</h3>
        <cfoutput>
        <form name="frmtest" id="frmtest" action="#cgi.script_name#" method="post">
            <p>Enter text to test:</p>
            <p><input type="text" name="TestField" id="TestField" size="64" maxlength="128" value="#Clean.HtmlAttribute#" /></p>
            <p><input type="submit" name="submit" id="submit" value=" Submit " /></p>
        </form>
        </cfoutput>
        <hr />
        <cfdump var="#Clean#" label="Clean Structure" />
        <hr />
        <cfdump var="#Valid#" label="Valid Structure" />
    </div>
</body>
</html>
<cfcatch type="any">
    <hr />
    <div>
        <h3>ERROR</h3>
        <cfdump var="#cfcatch#" label="Error" />
    </div>
</cfcatch>
</cftry>

When I run this script with "valid" data it works fine (no errors thrown). If I enter an "invalid" character then I get the null pointer exception.

Example of "valid" data: this is a safe string 0123456789
Example of "invalid" data: this is a safe string 0123456789- (notice the hyphen at the end)

Here is a link to the documentation for the validator.getValidInput method that I am trying to implement.

Here is a link to the documentation that shows what I am trying to implement.

For what it's worth, the validation "rules" are defined in the validation.properties file that comes with ColdFusion. That file is located in the {cfusion lib} directory. Here are the contents of that file from my server:

# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
#   Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
# 
# Then you can validate in your code against the pattern like this:
#     ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
# Where maxLength and allowNull are set for you needs, respectively.
#
# But note, when you use boolean variants of validation functions, you lose critical 
# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and 
# and use the returned user input which is in canonical form. Consider the following:
#  
# try {
#    someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
#
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
Validator.CFContainerID=^[\\p{Alnum}_\\-\\.:]+$
Validator.GOOGLEMAPAPI=^[\\p{Alnum}_\\+=\\/\\-]+$
Validator.CFFORMSCRIPTSRC=^[^\\*\\?\"'<>|%]*$

I presume that the idea is to add rules to this file for your own applications.

Has anyone gotten the validator.getValidInput() method to work in batch (groups of validation attempts)?


Update 1

I noticed that the following is being written to my cfusion-out.log on the server every time I get the null pointer exception. It leads me to believe that it is working to a point but then gets a null pointer while attempting to assign the validation exception:

06/25 16:08:14 [jrpp-3225] WARN  [SECURITY FAILURE Anonymous:null@unknown -> /IntrusionDetector] Invalid input: context=Test Field, type(SafeString)=^[.\p{Alnum}\p{Space}]{0,1024}$, input=this is a safe string 0123456789-
org.owasp.esapi.errors.ValidationException: Test Field: Invalid input. Please conform to regex ^[.\p{Alnum}\p{Space}]{0,1024}$ with a maximum length of 128
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:199)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:236)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at coldfusion.runtime.StructBean.invoke(StructBean.java:508)
at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2393)
at cftest2ecfm989071068.runPage(D:\Web\internet\fboc\test.cfm:19)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416)
at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722)
at cfApplication2ecfc1705903666$funcONREQUEST.runFunction(D:\Web\internet\fboc\Application.cfc:70)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472)
at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405)
at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368)
at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337)
at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88)
at coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:280)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:356)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:94)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)
at coldfusion.CfmServlet.service(CfmServlet.java:201)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)


Update 2

I have been digging through Damon Miller's implementation of the OWASP ESAPI methods for ColdFusion. I noticed in his code that he does not call the getValidInput() method with the ValidationErrorList attribute. Rather he wrote the code to catch the generated error and then add the error to the list himself. Hmmm? I thought the method was supposed to do that for you????

As an aside, I am trying not to use a library such as his to avoid the additional bloat that I do not need.

Excerpt from his code:

if (structKeyExists(arguments, "errorList")) {
    try {
        return getValidInput(arguments.context, arguments.input, arguments.type, arguments.maxLength, arguments.allowNull);
    }
    catch (esapi4cf.org.owasp.esapi.errors.ValidationException e) {
        arguments.errorList.addError(arguments.context, e);
    }
    return arguments.input;
}
else {
    ...

Solution

This looks to be a bug in the ColdFusion implementation of ESAPI - we have full coverage testing of the getValidInput method in our unit test suite for ESAPI that demonstrates that the method works as advertised.

Based off of your second update above I would guess that in the CF implementation code there is an uninitialized variable being accessed (perhaps errorList is uninitialized in this context).

I am the project leader of the OWASP ESAPI project and very familiar with this bit of code in ESAPI itself but am not a CF developer and have not seen all of the implementation code for CF9.

** Edit **

In order to make the validation methods work in batch using ColdFusion a call to the init() method is required for the org.owasp.esapi.ValidationErrorList class before calling the validator methods. Add the following line to the test script and it will work:

<cfset ErrorList = ErrorList.init() />

In context:

<cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList") />
<cfset ErrorList = ErrorList.init() />
<cfset Valid.TestField = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, true, true, ErrorList) />

Now when invalid input is entered the error will be added to the ErrorList variable instead of throwing an error.
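The answer shows the fix for one field; the question's actual goal was a group of validation attempts. The following script is an added example (not code from the question, the answer, or the ESAPI project) that applies the init() fix and validates two fields against one ValidationErrorList, then reads the collected failures back. The field names "username" and "email" and the length limits 64 and 254 are assumed values chosen for the example; the "SafeString" and "Email" rules are the ones from the validation.properties file quoted above.

```cfml
<!--- Added example: validate several form fields as one group, collecting
      failures in a single ValidationErrorList instead of catching per field.
      Field names and length limits are assumed values for this example. --->
<cfparam name="form.username" default="" type="string" />
<cfparam name="form.email" default="" type="string" />

<cfset Esapi = CreateObject("java", "org.owasp.esapi.ESAPI") />
<cfset EsapiValidator = Esapi.validator() />
<cfset EsapiEncoder = Esapi.encoder() />

<!--- One list for the whole group. CreateObject() only loads the class;
      init() runs the Java constructor so the list's internal map exists.
      Without it getValidInput() fails with the NullPointerException shown
      above as soon as it tries to record the first error. --->
<cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList").init() />

<!--- Arguments: context, input, rule name, maxLength, allowNull, canonicalize, errorList.
      With errorList supplied, a failure is added to the list and the next field is
      still checked, so the user sees every problem in one round trip. --->
<cfset Valid = StructNew() />
<cfset Valid.Username = EsapiValidator.getValidInput("Username", form.username, "SafeString", 64, false, true, ErrorList) />
<cfset Valid.Email = EsapiValidator.getValidInput("Email", form.email, "Email", 254, false, true, ErrorList) />

<cfoutput>
<cfif ErrorList.isEmpty()>
    <!--- Only treat the canonicalized values in Valid.* as usable when the list is empty. --->
    <p>All #StructCount(Valid)# fields passed validation.</p>
<cfelse>
    <p>#ErrorList.size()# field(s) failed validation:</p>
    <ul>
    <!--- errors() returns a java.util.List of ValidationException; walk it with its iterator. --->
    <cfset iter = ErrorList.errors().iterator() />
    <cfloop condition="iter.hasNext()">
        <cfset err = iter.next() />
        <!--- getUserMessage() is the text meant for display; getLogMessage() carries
              the rejected input and belongs in the server log, not the page.
              Encode on output so a rejected value can never be reflected raw. --->
        <li>#EsapiEncoder.encodeForHtml(err.getContext())#:
            #EsapiEncoder.encodeForHtml(err.getUserMessage())#</li>
    </cfloop>
    </ul>

    <!--- A single failure can also be looked up by its context string.
          getError() returns Java null when that field passed, which leaves the
          ColdFusion variable undefined, so test it with IsDefined(). --->
    <cfset emailErr = ErrorList.getError("Email") />
    <cfif IsDefined("emailErr")>
        <p>Please correct the e-mail address before resubmitting.</p>
    </cfif>
</cfif>
</cfoutput>
```

Submitting the "invalid" sample from the question (a trailing hyphen) in the username field lists one failure for "Username" while the e-mail field is still checked, whereas the unfixed script above stops at the NullPointerException.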
