[hibernate-issues] [Hibernate-JIRA] Resolved: (HV-473) Add option to Canonicalize String Input
Hardy Ferentschik (JIRA)
noreply@atlassian.com
Wed Dec 7 05:55:20 EST 2011
[ http://opensource.atlassian.com/projects/hibernate/browse/HV-473?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hardy Ferentschik resolved HV-473.
----------------------------------
Resolution: Rejected
Rejecting issue as is. A possible new constraint @SafeString or @AssertEncoding could be considered.
> Add option to Canonicalize String Input
> ---------------------------------------
>
> Key: HV-473
> URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-473
> Project: Hibernate Validator
> Issue Type: Improvement
> Components: engine
> Affects Versions: 4.2.0.Final
> Environment: n/a
> Reporter: Chris Schmidt
> Fix For: 4.3.0.next
>
>
> Add the ability to enable canonicalization (normalization) of Strings prior to validation processing. By default this behavior should be enabled.
> Canonicalization is imperative in validation logic, without it - it is possible to bypass many validation constraints (string based) to perform things like encoding attacks (XSS, SQLi) and Path traversal attacks (RFI, LFI).
> This canonicalization should be configurable to allow Multiple or Mixed encoding in a string (with a default to fail validation if either condition is true) through the use of an annotation:
> @Canonicalize(allowMixed=true, allowMultiple=true)
> @Pattern(regexp=".*")
> private String someString;
> This is necessary, especially when using validation on machine generated values (webservices, etc.) to allow a string to be canonicalized to its base form even if there are multiple or mixed encodings in the string. However, this is not behavior that a normal application user would display - hence the approach of disallowing a string of this type by default.
> Please reference the OWASP ESAPI for an example of how to implement:
> http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java#137
> For additional information on the importance of canonicalization in validation see:
> https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
> Feel free to use the ESAPI Library or any of its code to help Hibernate-Validator be more secure and complete!
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
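The following is an added example, not code from Hibernate Validator, ESAPI or the issue reporter. It sketches what the proposed @Canonicalize(allowMixed, allowMultiple) constraint could look like as an ordinary Bean Validation constraint on top of the javax.validation API that Hibernate Validator 4.x implements. The canonicalizer repeatedly strips two encodings (percent encoding and numeric HTML entities) and counts how many passes each scheme needed; "multiple" means one scheme had to be decoded more than once (e.g. %253C), "mixed" means more than one scheme was involved (e.g. a percent-encoded HTML entity). The annotation, the Canonicalizer class, the CanonicalizeValidator class and the three sample inputs in main are all assumptions made for this illustration; named entities, UTF-7, overlong UTF-8 and the other decoders ESAPI covers are deliberately left out.

```java
import java.io.ByteArrayOutputStream;
import java.lang.annotation.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

/** Hypothetical constraint mirroring the annotation proposed in HV-473; not part of Hibernate Validator. */
@Documented
@Constraint(validatedBy = CanonicalizeValidator.class)
@Target({ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
public @interface Canonicalize {
    String message() default "input uses multiple or mixed encodings";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
    /** Accept input encoded more than once with the same scheme, e.g. "%253C" for "<". */
    boolean allowMultiple() default false;
    /** Accept input that mixes schemes, e.g. percent encoding wrapped around an HTML entity. */
    boolean allowMixed() default false;
}

/** Strips percent encoding and numeric HTML entities until nothing changes, counting passes per scheme. */
final class Canonicalizer {
    static final class Result {
        final String canonical;
        final int percentPasses, entityPasses;
        Result(String canonical, int percentPasses, int entityPasses) {
            this.canonical = canonical; this.percentPasses = percentPasses; this.entityPasses = entityPasses;
        }
        boolean multiple() { return percentPasses > 1 || entityPasses > 1; }
        boolean mixed() { return percentPasses > 0 && entityPasses > 0; }
    }

    // &#60; or &#x3C; (decimal / hex numeric character references)
    private static final Pattern NUMERIC_ENTITY = Pattern.compile("&#(?:[xX]([0-9a-fA-F]{1,6})|([0-9]{1,7}));");

    static Result canonicalize(String input) {
        String current = input;
        int percentPasses = 0, entityPasses = 0;
        while (true) {                       // every successful pass shortens the string, so this terminates
            String next = decodePercent(current);
            if (!next.equals(current)) { current = next; percentPasses++; continue; }
            next = decodeNumericEntities(current);
            if (!next.equals(current)) { current = next; entityPasses++; continue; }
            return new Result(current, percentPasses, entityPasses);
        }
    }

    /** One pass of %XX decoding at the byte level, so multi-byte UTF-8 sequences survive; malformed %-runs are kept. */
    static String decodePercent(String s) {
        byte[] src = s.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(src.length);
        for (int i = 0; i < src.length; i++) {
            if (src[i] == '%' && i + 2 < src.length) {
                int hi = Character.digit((char) src[i + 1], 16), lo = Character.digit((char) src[i + 2], 16);
                if (hi >= 0 && lo >= 0) { out.write((hi << 4) | lo); i += 2; continue; }
            }
            out.write(src[i]);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /** One pass of numeric entity decoding; out-of-range code points are left untouched. */
    static String decodeNumericEntities(String s) {
        Matcher m = NUMERIC_ENTITY.matcher(s);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            int cp = m.group(1) != null ? Integer.parseInt(m.group(1), 16) : Integer.parseInt(m.group(2));
            String rep = Character.isValidCodePoint(cp) ? new String(Character.toChars(cp)) : m.group();
            m.appendReplacement(sb, Matcher.quoteReplacement(rep));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration; none are taken from the issue.
        String[] samples = {
            "..%2F..%2Fetc%2Fpasswd",    // single layer: canonical "../../etc/passwd", neither multiple nor mixed
            "%253Cscript%253E",          // double percent encoding: canonical "<script>", multiple
            "%26%2360;script%26%2362;",  // percent encoding around entities: canonical "<script>", mixed
        };
        for (String s : samples) {
            Result r = canonicalize(s);
            System.out.printf("%-28s -> %-18s multiple=%b mixed=%b%n", s, r.canonical, r.multiple(), r.mixed());
        }
    }
}

/** By default rejects any value that needed a second pass of one scheme or passes of two schemes. */
final class CanonicalizeValidator implements ConstraintValidator<Canonicalize, String> {
    private boolean allowMultiple, allowMixed;

    @Override public void initialize(Canonicalize constraint) {
        allowMultiple = constraint.allowMultiple();
        allowMixed = constraint.allowMixed();
    }

    @Override public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null) return true;  // null is left to @NotNull, as Bean Validation convention expects
        Canonicalizer.Result r = Canonicalizer.canonicalize(value);
        return (allowMultiple || !r.multiple()) && (allowMixed || !r.mixed());
    }
}
```

Save as Canonicalize.java, compile against a javax.validation API jar, and run `java Canonicalizer` to see the three samples classified. One caveat that bears on the rejection above: a ConstraintValidator only returns true or false, so it cannot hand the canonical form to sibling constraints, and @Pattern on the same field still sees the raw string. To validate the canonical form you have to canonicalize in the binding layer (setter, converter or web framework) before validation runs, and use a constraint like this one purely as the gate that fails multiple or mixed encodings by default, which is the @SafeString / @AssertEncoding shape the resolution suggests. The second sample also shows why allowMultiple has to be configurable: a user-typed value such as "100%41" is indistinguishable from double encoding once it has been decoded a first time.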