[hibernate-issues] [Hibernate-JIRA] Updated: (HV-473) Add option to Canonicalize String Input

Hardy Ferentschik (JIRA) noreply at atlassian.com
Wed Sep 28 04:16:40 EDT 2011


     [ http://opensource.atlassian.com/projects/hibernate/browse/HV-473?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hardy Ferentschik updated HV-473:
---------------------------------

    Affects Version/s: 4.2.0.Final
        Fix Version/s: 4.3.0.next

> Add option to Canonicalize String Input
> ---------------------------------------
>
>                 Key: HV-473
>                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-473
>             Project: Hibernate Validator
>          Issue Type: Improvement
>          Components: engine
>    Affects Versions: 4.2.0.Final
>         Environment: n/a
>            Reporter: Chris Schmidt
>             Fix For: 4.3.0.next
>
>
> Add the ability to enable canonicalization (normalization) of Strings prior to validation processing. By default this behavior should be enabled. 
> Canonicalization is imperative in validation logic, without it - it is possible to bypass many validation constraints (string based) to perform things like encoding attacks (XSS, SQLi) and Path traversal attacks (RFI, LFI). 
> This canonicalization should be configurable to allow Multiple or Mixed encoding in a string (with a default to fail validation if either condition is true) through the use of annotation:
>    @Canonicalize(allowMixed=true, allowMultiple=true)
>    @Pattern(regexp=".*")
>    private String someString;
> This is necessary, especially when using validation on machine generated values (webservices, etc.) to allow a string to be canonicalized to its base form even if there are multiple or mixed encodings in the string. However, this is not behavior that a normal application user would display - hence the approach of disallowing a string of this type by default.
> Please reference the OWASP ESAPI for an example of how to implement:
> http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java#137
> For additional information on the importance of canonicalization in validation see:
> https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
> Feel free to use the ESAPI Library or any of its code to help Hibernate-Validator be more secure and complete!

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
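Worked example of the behaviour the issue asks for (added here; not code from Hibernate Validator, ESAPI or the reporter): a canonicalizer that strips percent-encoding and numeric HTML entities one layer at a time, records which codec fired at each step, and classifies the result as "multiple" (the same codec had to run again, i.e. nested encoding) or "mixed" (more than one codec fired), rejecting both by default as the issue proposes. The class name, the IntrusionException name, the two-codec set, the pass bound and the exact multiple/mixed definitions are this example's own assumptions (ESAPI's DefaultEncoder uses its own algorithm and a larger codec set); a java.util.regex.Pattern check stands in for the @Pattern constraint on the field, and the record syntax needs Java 16 or later.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.regex.Pattern;

/** Canonicalize input before a constraint runs, flagging nested ("multiple") and cross-scheme ("mixed") encodings. */
public final class CanonicalizingValidatorExample {

    /** Thrown when the input uses an encoding shape the caller did not allow (name is this example's own). */
    public static final class IntrusionException extends RuntimeException {
        IntrusionException(String message) { super(message); }
    }

    /** Canonical string plus the codecs that fired, one entry per decode step that changed the string. */
    public record Result(String canonical, List<String> codecsApplied) {
        /** Multiple: the same codec had to run more than once (e.g. %2541 -> %41 -> A). */
        public boolean isMultiple() { return codecsApplied.size() > new HashSet<>(codecsApplied).size(); }
        /** Mixed: more than one codec fired (e.g. &#37;41 -> %41 -> A). */
        public boolean isMixed() { return new HashSet<>(codecsApplied).size() > 1; }
    }

    private static final String[] CODECS = { "percent", "html-entity" }; // assumed codec set for this example
    private static final int MAX_PASSES = 16; // bounds the loop; legitimate input needs one or two passes

    /** Decode until a full pass over every codec leaves the string unchanged, then enforce the policy. */
    public static Result canonicalize(String input, boolean allowMultiple, boolean allowMixed) {
        List<String> applied = new ArrayList<>();
        String working = input;
        boolean changed = true;
        for (int pass = 0; changed && pass < MAX_PASSES; pass++) {
            changed = false;
            for (String codec : CODECS) {
                String next = codec.equals("percent") ? decodePercent(working) : decodeHtmlEntities(working);
                if (!next.equals(working)) { applied.add(codec); working = next; changed = true; }
            }
        }
        Result result = new Result(working, applied);
        if (result.isMultiple() && !allowMultiple) throw new IntrusionException("multiple encoding: " + applied);
        if (result.isMixed() && !allowMixed) throw new IntrusionException("mixed encoding: " + applied);
        return result;
    }

    /** One layer of %XX decoding; bytes are reassembled as UTF-8, malformed escapes are kept literally. */
    private static String decodePercent(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); ) {
            int hi = i + 2 < s.length() && s.charAt(i) == '%' ? Character.digit(s.charAt(i + 1), 16) : -1;
            int lo = hi >= 0 ? Character.digit(s.charAt(i + 2), 16) : -1;
            if (hi >= 0 && lo >= 0) { out.write(hi * 16 + lo); i += 3; continue; }
            int cp = s.codePointAt(i);
            byte[] raw = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
            out.write(raw, 0, raw.length);
            i += Character.charCount(cp);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /** One layer of numeric entity decoding (&#NN; and &#xHH;); unparseable entities are kept literally. */
    private static String decodeHtmlEntities(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); ) {
            int semi = s.charAt(i) == '&' ? s.indexOf(';', i + 1) : -1;
            if (semi > i + 2 && semi - i <= 10 && s.charAt(i + 1) == '#') {
                String body = s.substring(i + 2, semi);
                try {
                    boolean hex = body.startsWith("x") || body.startsWith("X");
                    int cp = Integer.parseInt(hex ? body.substring(1) : body, hex ? 16 : 10);
                    out.appendCodePoint(cp); // throws IllegalArgumentException for an invalid code point
                    i = semi + 1;
                    continue;
                } catch (IllegalArgumentException e) { /* not a well-formed entity, keep it literally */ }
            }
            out.append(s.charAt(i));
            i++;
        }
        return out.toString();
    }

    public static void main(String[] args) {
        Pattern noTags = Pattern.compile("^[^<>]*$"); // stands in for @Pattern(regexp = "^[^<>]*$") on the field
        String[] samples = { "hello world", "%3Cscript%3E", "%253Cscript%253E", "&#37;3Cscript&#37;3E" }; // constructed
        for (String s : samples) {
            String verdict;
            try {
                Result r = canonicalize(s, false, false); // the issue's proposed default: allow neither
                verdict = (noTags.matcher(r.canonical()).matches() ? "valid" : "rejected by pattern")
                        + " after canonicalizing to \"" + r.canonical() + "\" via " + r.codecsApplied();
            } catch (IntrusionException e) {
                verdict = "rejected: " + e.getMessage();
            }
            System.out.println(s + " | raw pattern " + (noTags.matcher(s).matches() ? "passes" : "fails") + " | " + verdict);
        }
    }
}
```

Running main shows the bypass the issue describes: a constraint that only rejects literal angle brackets passes the percent-encoded sample untouched but fails it once canonicalized, while the doubly encoded and mixed encoded samples are refused before the constraint runs at all. Calling canonicalize with allowMultiple and allowMixed set to true (the flags the proposed annotation would carry) instead decodes those samples fully and leaves the decision to the constraint, which is the behaviour wanted for machine-generated values.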
