
I hope someone can help me with an issue.

I'm using OWASP ESAPI 2.1.0 with JavaEE to help me validate some entries in a web application. At some point I needed to validate a Windows file path, so I added a new property entry in 'validation.properties' like this one:

Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$

When I try to validate, for example, a string like "C:\TEMP\file.txt" via ESAPI, I get a ValidationException:

ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false);

Alternatively, I also tried the java.util.regex.Pattern class to test the same regular expression with the same example string, and it works OK:

Pattern.matches("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$", "C:\\TEMP\\file.txt")

I must say that I added other regexes in 'validation.properties' and they worked OK. Why is this one so hard? Could anyone help me out with this one?

Etheryte
Nextor
  • Why are we being asked to validate Windows file paths? What is the use case? – avgvstvs Jul 02 '14 at 14:44
  • Hi @avgvstvs, thanks a lot for your answer below. That file path is just a context parameter for my web application meant for writing a log file somewhere. Since that param should be written in the web.xml file by one of the administrators it wouldn't mean any intrusion into the application, but I wanted to use ESAPI validation anyway to check that the path is correctly formed. I didn't notice that getValidDirectoryPath method. I'd better read the Validator doc carefully. Thanks again ;-) – Nextor Jul 04 '14 at 01:26
  • I'm still points-hungry... so if you could, would you mark the answer as accepted, or at least upvote? I would really appreciate it! – avgvstvs Jul 08 '14 at 17:55
  • Hi @avgvstvs, I've just accepted the answer (didn't know I could do that) but I'm not allowed to upvote anything yet, I have only 13 points!! I'm sorry! I'll do it as soon as I can, promise. – Nextor Jul 10 '14 at 11:19

1 Answer


This is happening because the call to validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false); wraps a call to ESAPI.encoder().canonicalize() that transforms the input into the char sequence (not a literal String!) C:TEMP'0x0C'ile.txt before passing it to the regex engine.

Except for the second "\" getting converted to the char 0x0c, this is normally desired behavior. That could be a bug in ESAPI.

What you want is to make a call to ESAPI.validator().getValidDirectoryPath().

avgvstvs
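The following is an added example written for this page; it is not code from the question, the answer, or the ESAPI project. Using only the JDK, it reproduces the effect the answer describes: the regex from validation.properties matches the raw string, but once a backslash-escape decoder has run over the input (here a deliberately simplified decoder that stands in for the canonicalization step and is not ESAPI's real codec), the second "\" has become a form feed and no backslash remains for the pattern to match. It then shows the kind of check a directory-path validator should do instead of shape-only regex matching: reject control characters and require the normalized path to stay inside an allowed parent directory. The class name, the decoder, and the sample inputs are all assumptions made for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not from the question or from ESAPI: shows why an escape-decoding
// canonicalization step breaks a backslash path regex, and what a containment check looks like.
public class PathValidationDemo {

    // The pattern from the question, as it reaches the regex engine after properties-file unescaping.
    static final Pattern WINDOWS_PATH = Pattern.compile("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$");

    // Simplified, assumed model of a JavaScript-style backslash decoder: "\f" becomes form feed (0x0C),
    // "\n" and "\t" become their control characters, and any other "\x" just drops the backslash.
    // This is NOT ESAPI's codec; it is only enough to reproduce the transformation the answer describes.
    static String decodeBackslashEscapes(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' && i + 1 < s.length()) {
                char next = s.charAt(++i);
                switch (next) {
                    case 'n': out.append('\n'); break;
                    case 't': out.append('\t'); break;
                    case 'f': out.append('\f'); break;
                    default:  out.append(next);   // unknown escape: the backslash is dropped
                }
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    static boolean matchesPathRegex(String candidate) {
        return WINDOWS_PATH.matcher(candidate).matches();
    }

    // Containment check: no control characters, and the candidate must normalize to a location
    // inside allowedParent (so "../x" style traversal is rejected rather than merely pattern-checked).
    static boolean isInsideAllowedParent(String candidate, Path allowedParent) {
        for (int i = 0; i < candidate.length(); i++) {
            if (Character.isISOControl(candidate.charAt(i))) {
                return false;
            }
        }
        Path base = allowedParent.toAbsolutePath().normalize();
        Path resolved;
        try {
            resolved = base.resolve(candidate).toAbsolutePath().normalize();
        } catch (InvalidPathException e) {
            return false;
        }
        return resolved.startsWith(base);
    }

    public static void main(String[] args) {
        String raw = "C:\\TEMP\\file.txt";              // constructed input, same as the question
        String decoded = decodeBackslashEscapes(raw);    // C:TEMP<0x0C>ile.txt

        System.out.println("raw matches regex:     " + matchesPathRegex(raw));      // true
        System.out.println("decoded matches regex: " + matchesPathRegex(decoded));  // false
        System.out.println("decoded has 0x0C:      " + (decoded.indexOf('\f') >= 0)); // true

        // Constructed parent directory; forward slashes so the check behaves the same on every OS.
        Path logDir = Paths.get("var", "log", "myapp");
        System.out.println("logs/app.log inside parent:     " + isInsideAllowedParent("logs/app.log", logDir));      // true
        System.out.println("../../etc/passwd inside parent: " + isInsideAllowedParent("../../etc/passwd", logDir)); // false
        System.out.println("decoded value inside parent:    " + isInsideAllowedParent(decoded, logDir));            // false (control char)
    }
}
```

The takeaway for the original problem is that the regex itself was fine; it was evaluated against a different string than the one the application received. A validator that first canonicalizes and then checks containment against a known parent directory, which is what a directory-path validator is meant to do, does not depend on backslashes surviving the canonicalization step.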