[hibernate-issues] [Hibernate-JIRA] Created: (HV-473) Add option to Canonicalize String Input
Chris Schmidt (JIRA)
noreply at atlassian.com
Tue May 17 17:50:24 EDT 2011
Add option to Canonicalize String Input
---------------------------------------
Key: HV-473
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-473
Project: Hibernate Validator
Issue Type: Improvement
Components: engine
Environment: n/a
Reporter: Chris Schmidt
Add the ability to enable canonicalization (normalization) of Strings prior to validation processing. By default this behavior should be enabled.
Canonicalization is imperative in validation logic; without it, it is possible to bypass many (string-based) validation constraints to perform things like encoding attacks (XSS, SQLi) and path traversal attacks (RFI, LFI).
This canonicalization should be configurable to allow multiple or mixed encoding in a string (with a default to fail validation if either condition is true) through the use of an annotation:
@Canonicalize(allowMixed=true, allowMultiple=true)
@Pattern(regexp=".*")
private String someString;
This is necessary, especially when using validation on machine-generated values (webservices, etc.), to allow a string to be canonicalized to its base form even if there are multiple or mixed encodings in the string. However, this is not behavior that a normal application user would display - hence the approach of disallowing a string of this type by default.
Please reference the OWASP ESAPI for an example of how to implement:
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java#137
For additional information on the importance of canonicalization in validation see:
https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
Feel free to use the ESAPI Library or any of its code to help Hibernate-Validator be more secure and complete!
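An added example (not Hibernate Validator's or ESAPI's code) of the canonicalize-then-validate flow the ticket proposes: the decoders are run until the string stops changing, a decoder applying more than once is reported as "multiple" and more than one decoder applying is reported as "mixed", both rejected by default as the ticket suggests. The decoder set, the NO_TAGS pattern and the option names are assumptions chosen to mirror the @Canonicalize(allowMixed, allowMultiple) proposal.

```python
import html
import re
import urllib.parse

# Decoders applied in the spirit of ESAPI's DefaultEncoder.canonicalize
# (added illustration, not ESAPI's or Hibernate Validator's code).
# Each decoder returns its input unchanged when nothing in it is encoded.
DECODERS = {
    "percent": urllib.parse.unquote,
    "html": html.unescape,
}

def canonicalize(value, allow_multiple=False, allow_mixed=False, max_passes=10):
    """Reduce `value` to its base form by running every decoder until none
    changes the string. Returns (canonical, multiple, mixed): `multiple`
    means one decoder had to run more than once (e.g. %253C), `mixed` means
    more than one decoder applied (e.g. %26lt%3B). Either condition raises
    ValueError unless the caller opted in (the ticket's default-deny policy)."""
    working = value
    passes = {name: 0 for name in DECODERS}
    for _ in range(max_passes):
        changed = False
        for name, decode in DECODERS.items():
            decoded = decode(working)
            if decoded != working:
                passes[name] += 1
                working, changed = decoded, True
        if not changed:
            break
    multiple = any(count > 1 for count in passes.values())
    mixed = sum(1 for count in passes.values() if count > 0) > 1
    if multiple and not allow_multiple:
        raise ValueError("multiple encoding detected: %r" % value)
    if mixed and not allow_mixed:
        raise ValueError("mixed encoding detected: %r" % value)
    return working, multiple, mixed

# A constraint that only inspects the raw string: "%3Cscript%3E" satisfies it,
# which is exactly the bypass canonicalization is meant to close.
NO_TAGS = re.compile(r"^[^<>]*$")

def validate(value, **options):
    """Canonicalize first, then apply the pattern (the order the ticket asks
    for). Returns False when the canonical form fails the pattern or the
    encoding policy rejects the input."""
    try:
        canonical, _, _ = canonicalize(value, **options)
    except ValueError:
        return False
    return NO_TAGS.match(canonical) is not None
```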