[hibernate-issues] [Hibernate-JIRA] Created: (HV-473) Add option to Canonicalize String Input

Chris Schmidt (JIRA) noreply at atlassian.com
Tue May 17 17:50:24 EDT 2011


Add option to Canonicalize String Input
---------------------------------------

                 Key: HV-473
                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-473
             Project: Hibernate Validator
          Issue Type: Improvement
          Components: engine
         Environment: n/a
            Reporter: Chris Schmidt


Add the ability to enable canonicalization (normalization) of Strings prior to validation processing. By default this behavior should be enabled. 

Canonicalization is imperative in validation logic; without it, it is possible to bypass many validation constraints (string based) to perform things like encoding attacks (XSS, SQLi) and Path traversal attacks (RFI, LFI). 

This canonicalization should be configurable to allow Multiple or Mixed encoding in a string (with a default to fail validation if either condition is true) through the use of annotation:

   @Canonicalize(allowMixed=true, allowMultiple=true)
   @Pattern(regexp=".*")
   private String someString;

This is necessary, especially when using validation on machine generated values (webservices, etc.) to allow a string to be canonicalized to its base form even if there are multiple or mixed encodings in the string. However, this is not behavior that a normal application user would display - hence the approach of disallowing a string of this type by default.

Please reference the OWASP ESAPI for an example of how to implement:
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java#137

For additional information on the importance of canonicalization in validation see:
https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode

Feel free to use the ESAPI Library or any of its code to help Hibernate-Validator be more secure and complete!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
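Added example, not code from Hibernate Validator or ESAPI: a Python model of the @Canonicalize semantics proposed above, with hypothetical `canonicalize` and `matches_pattern` functions standing in for the annotation and the @Pattern constraint. It assumes only percent and HTML-entity encodings, and its `allow_mixed`/`allow_multiple` flags play the role of allowMixed/allowMultiple, both defaulting to rejection as the issue proposes.

```python
import html
import re
from urllib.parse import unquote

# Decoders tried on every pass; a decoder "fires" when its output differs
# from its input. Only percent- and HTML-entity decoding are modelled here.
DECODERS = {
    "percent": unquote,     # %3C -> <
    "html": html.unescape,  # &lt; &#60; &#x3c; -> <
}

class EncodingPolicyError(ValueError):
    """Input used mixed/multiple encodings that the policy does not allow."""

def canonicalize(value, allow_mixed=False, allow_multiple=False, max_passes=8):
    """Decode `value` repeatedly until a pass changes nothing.
    mixed    = more than one scheme fired while decoding      (allowMixed)
    multiple = some scheme had to fire on more than one pass  (allowMultiple)
    Either raises EncodingPolicyError unless the matching flag is set."""
    current, fired = value, []  # fired: one scheme name per firing
    for _ in range(max_passes):
        before = current
        for name, decode in DECODERS.items():
            out = decode(current)
            if out != current:
                fired.append(name)
                current = out
        if current == before:
            break
    schemes = set(fired)
    if len(schemes) > 1 and not allow_mixed:
        raise EncodingPolicyError("mixed encoding: " + ", ".join(sorted(schemes)))
    if len(fired) > len(schemes) and not allow_multiple:
        raise EncodingPolicyError("multiple encoding: %d decode steps" % len(fired))
    return current

def matches_pattern(value, regexp, canonicalize_first=True, **policy):
    """@Pattern check. With canonicalize_first=False it runs on the raw
    string, which is the bypass the issue warns about."""
    text = canonicalize(value, **policy) if canonicalize_first else value
    return re.fullmatch(regexp, text) is not None

def is_rejected(value, **policy):
    """True when the policy refuses to canonicalize `value` at all."""
    try:
        canonicalize(value, **policy)
        return False
    except EncodingPolicyError:
        return True
```

With a constraint such as `[^<>]*`, the raw string `%3Cb%3E` passes while its canonical form `<b>` fails, which is exactly the gap canonicalizing before validation closes.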
