Posted to commits@ofbiz.apache.org by jo...@apache.org on 2009/02/06 22:38:27 UTC

svn commit: r741743 - /ofbiz/trunk/framework/base/config/ESAPI.properties

Author: jonesde
Date: Fri Feb  6 21:38:26 2009
New Revision: 741743

URL: http://svn.apache.org/viewvc?rev=741743&view=rev
Log:
Added a basic ESAPI.properties file for the OWASP ESAPI library, based on the default, with the properties I don't think we'll use commented out

Added:
    ofbiz/trunk/framework/base/config/ESAPI.properties   (with props)

Added: ofbiz/trunk/framework/base/config/ESAPI.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ESAPI.properties?rev=741743&view=auto
==============================================================================
--- ofbiz/trunk/framework/base/config/ESAPI.properties (added)
+++ ofbiz/trunk/framework/base/config/ESAPI.properties Fri Feb  6 21:38:26 2009
@@ -0,0 +1,128 @@
+# Properties file for OWASP Enterprise Security API (ESAPI)
+# You can find more information about ESAPI at http://www.owasp.org/esapi
+#
+
+# Validation
+#
+# The ESAPI validator does many security checks on input, such as canonicalization
+# and whitelist validation. Note that all of these validation rules are applied *after*
+# canonicalization. Double-encoded characters (even with different encodings involved,
+# are never allowed.
+#
+# To use:
+#
+# First set up a pattern below. You can choose any name you want, prefixed by the word
+# "Validation." For example:
+#   Validaton.email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
+# 
+# Then you can validate in your code against the pattern like this:
+#   Validator.getInstance().getValidDataFromBrowser( "Email", input );
+#   Validator.getInstance().isValidDataFromBrowser( "Email", input );
+#
+Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$
+Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
+Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
+Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
+Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
+Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
+
+# Validators used by ESAPI
+Validator.AccountName=^[a-zA-Z0-9]{3,20}$
+Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
+Validator.RoleName=^[a-z]{1,20}$
+Validator.Redirect=^\\/test.*$
+
+# Global HTTP Validation Rules
+# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
+Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
+Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
+Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
+Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
+
+# Validation of file related input
+Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
+Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$
+
+# File upload configuration
+ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
+MaxUploadFileBytes=500000000
+
+# Content-Type header
+ResponseContentType=text/html; charset=UTF-8
+
+# Logging
+#
+# Logging level, values are ALL, SEVERE, WARNING, INFO, DEBUG?
+LogLevel=ALL
+LogEncodingRequired=false
+
+# Intrusion Detection
+#
+# Each event has a base to which .count, .interval, and .action are added
+# The IntrusionException will fire if we receive "count" events within "interval" seconds
+# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
+#  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
+#
+# Custom Events
+# Names must start with "event." as the base
+# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
+#
+event.test.count=2
+event.test.interval=10
+event.test.actions=disable,log
+
+# Exception Events
+# All EnterpriseSecurityExceptions are registered automatically
+# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
+# Use the fully qualified classname of the exception as the base
+
+# any intrusion is an attack
+org.owasp.esapi.errors.IntrusionException.count=1
+org.owasp.esapi.errors.IntrusionException.interval=1
+org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
+
+# for test purposes
+org.owasp.esapi.errors.IntegrityException.count=10
+org.owasp.esapi.errors.IntegrityException.interval=5
+org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
+
+# rapid validation errors indicate scans or attacks in progress
+# org.owasp.esapi.errors.ValidationException.count=10
+# org.owasp.esapi.errors.ValidationException.interval=10
+# org.owasp.esapi.errors.ValidationException.actions=log,logout
+
+
+# ================= PROPERTIES NOT CURRENTLY USED IN OFBIZ =================
+# These are not likely to be used, but leaving here commented out for future
+# references, just in case.
+
+# Authentication
+#RememberTokenDuration=14
+#AllowedLoginAttempts=3
+#MaxOldPasswordHashes=13
+#UsernameParameterName=username
+#PasswordParameterName=password
+
+# Encryption
+#MasterPassword=owasp1
+#MasterSalt=testtest
+
+# Algorithms
+# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data
+# WARNING: Reasonable values for these algorithms will be tested and documented in a future release
+# 
+#CharacterEncoding=UTF-8
+#HashAlgorithm=SHA-512
+#HashIterations=1024
+##EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding
+#EncryptionAlgorithm=PBEWithMD5AndDES
+#RandomAlgorithm=SHA1PRNG
+#DigitalSignatureAlgorithm=SHAwithDSA
+
+# sessions jumping between hosts indicates a session hijacking
+#org.owasp.esapi.errors.AuthenticationHostException.count=2
+#org.owasp.esapi.errors.AuthenticationHostException.interval=10
+#org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
+
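Review bot: The upload whitelist on the `ValidExtensions` line admits server-executable and deployable artifacts (`.exe`, `.dll`, `.jsp`, `.jsf`, `.class`, `.jar`, `.war`, `.ear`), which in a servlet application means an accepted upload can become running code if it is ever stored under a served path; the list was carried over from the ESAPI sample and should be cut to the document types OFBiz actually needs, e.g. `ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.xls,.rtf,.txt,.xml`. Two validation rules also look wrong as written: `Validator.DirectoryName` has an unescaped `-` between `.` and `\\_`, which java.util.regex parses as the range `.`–`_` and therefore accepts `/`, `\`, `?`, `[` and `]` in a directory name — `Validator.FileName` just above shows the intended form, `Validator.DirectoryName=^[a-zA-Z0-9.\\-_ ]{0,255}$`. `Validator.SafeString` is the only rule written with single backslashes; if the file is read through java.util.Properties the unknown `\p` escapes are silently dropped and the class degrades to the literal characters `p{L}p{N}.`, so it should be `Validator.SafeString=^[\\p{L}\\p{N}.]{0,1024}$` like its neighbours. `Validator.Redirect=^\\/test.*$` and `MaxUploadFileBytes=500000000` are likewise ESAPI sample values rather than OFBiz settings and deserve a `# TODO: set for OFBiz` comment before anything relies on them.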

Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties
------------------------------------------------------------------------------
    svn:executable = *

Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties
------------------------------------------------------------------------------
    svn:keywords = "Date Rev Author URL Id"

Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties
------------------------------------------------------------------------------
    svn:mime-type = text/plain