svn commit: r741743 - /ofbiz/trunk/framework/base/co
Locked
 
|
Author: jonesde
Date: Fri Feb 6 21:38:26 2009 New Revision: 741743 URL: http://svn.apache.org/viewvc?rev=741743&view=rev Log: Added basic ESAPI.properties file for the owasp esapi library, based on default with the ones I don't think we'll use commented out Added: ofbiz/trunk/framework/base/config/ESAPI.properties (with props) Added: ofbiz/trunk/framework/base/config/ESAPI.properties URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ESAPI.properties?rev=741743&view=auto ============================================================================== --- ofbiz/trunk/framework/base/config/ESAPI.properties (added) +++ ofbiz/trunk/framework/base/config/ESAPI.properties Fri Feb 6 21:38:26 2009 @@ -0,0 +1,128 @@ +# Properties file for OWASP Enterprise Security API (ESAPI) +# You can find more information about ESAPI at http://www.owasp.org/esapi +# + +# Validation +# +# The ESAPI validator does many security checks on input, such as canonicalization +# and whitelist validation. Note that all of these validation rules are applied *after* +# canonicalization. Double-encoded characters (even with different encodings involved, +# are never allowed. +# +# To use: +# +# First set up a pattern below. You can choose any name you want, prefixed by the word +# "Validation." For example: +# Validaton.email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ +# +# Then you can validate in your code against the pattern like this: +# Validator.getInstance().getValidDataFromBrowser( "Email", input ); +# Validator.getInstance().isValidDataFromBrowser( "Email", input ); +# +Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$ +Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ +Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ +Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ +Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ + +# Validators used by ESAPI +Validator.AccountName=^[a-zA-Z0-9]{3,20}$ +Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$ +Validator.RoleName=^[a-z]{1,20}$ +Validator.Redirect=^\\/test.*$ + +# Global HTTP Validation Rules +# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] +Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$ +Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$ +Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$ +Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ + +# Validation of file related input +Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$ +Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$ + +# File upload configuration +ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll +MaxUploadFileBytes=500000000 + +# Content-Type header +ResponseContentType=text/html; charset=UTF-8 + +# Logging +# +# Logging level, values are ALL, SEVERE, WARNING, INFO, DEBUG? +LogLevel=ALL +LogEncodingRequired=false + +# Intrusion Detection +# +# Each event has a base to which .count, .interval, and .action are added +# The IntrusionException will fire if we receive "count" events within "interval" seconds +# The IntrusionDetector is configurable to take the following actions: log, logout, and disable +# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable +# +# Custom Events +# Names must start with "event." as the base +# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here +# +event.test.count=2 +event.test.interval=10 +event.test.actions=disable,log + +# Exception Events +# All EnterpriseSecurityExceptions are registered automatically +# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException +# Use the fully qualified classname of the exception as the base + +# any intrusion is an attack +org.owasp.esapi.errors.IntrusionException.count=1 +org.owasp.esapi.errors.IntrusionException.interval=1 +org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout + +# for test purposes +org.owasp.esapi.errors.IntegrityException.count=10 +org.owasp.esapi.errors.IntegrityException.interval=5 +org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout + +# rapid validation errors indicate scans or attacks in progress +# org.owasp.esapi.errors.ValidationException.count=10 +# org.owasp.esapi.errors.ValidationException.interval=10 +# org.owasp.esapi.errors.ValidationException.actions=log,logout + + +# ================= PROPERTIES NOT CURRENTLY USED IN OFBIZ ================= +# These are not likely to be used, but leaving here commented out for future +# references, just in case. + +# Authentication +#RememberTokenDuration=14 +#AllowedLoginAttempts=3 +#MaxOldPasswordHashes=13 +#UsernameParameterName=username +#PasswordParameterName=password + +# Encryption +#MasterPassword=owasp1 +#MasterSalt=testtest + +# Algorithms +# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data +# WARNING: Reasonable values for these algorithms will be tested and documented in a future release +# +#CharacterEncoding=UTF-8 +#HashAlgorithm=SHA-512 +#HashIterations=1024 +##EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding +#EncryptionAlgorithm=PBEWithMD5AndDES +#RandomAlgorithm=SHA1PRNG +#DigitalSignatureAlgorithm=SHAwithDSA + +# sessions jumping between hosts indicates a session hijacking +#org.owasp.esapi.errors.AuthenticationHostException.count=2 +#org.owasp.esapi.errors.AuthenticationHostException.interval=10 +#org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout + Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties ------------------------------------------------------------------------------ svn:executable = * Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties ------------------------------------------------------------------------------ svn:keywords = "Date Rev Author URL Id" Propchange: ofbiz/trunk/framework/base/config/ESAPI.properties ------------------------------------------------------------------------------ svn:mime-type = text/plain |
«
Return to OFBiz - Commits
|
1 view|%1 views
| Free forum by Nabble | Edit this page |