##################################################################### # Based on the default ESAPI.properties file, which is BSD licensed. # # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. ##################################################################### # Properties file for OWASP Enterprise Security API (ESAPI) # You can find more information about ESAPI at http://www.owasp.org/esapi # Validation # # The ESAPI validator does many security checks on input, such as canonicalization # and whitelist validation. Note that all of these validation rules are applied *after* # canonicalization. Double-encoded characters (even with different encodings involved, # are never allowed. # # To use: # # First set up a pattern below. You can choose any name you want, prefixed by the word # "Validation." For example: # Validaton.email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ # # Then you can validate in your code against the pattern like this: # Validator.getInstance().getValidDataFromBrowser( "Email", input ); # Validator.getInstance().isValidDataFromBrowser( "Email", input ); # Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$ Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ # Validators used by ESAPI Validator.AccountName=^[a-zA-Z0-9]{3,20}$ Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$ Validator.RoleName=^[a-z]{1,20}$ Validator.Redirect=^\\/test.*$ # Global HTTP Validation Rules # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$ Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$ Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ # Validation of file related input Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$ Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$ # File upload configuration ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll MaxUploadFileBytes=500000000 # Content-Type header ResponseContentType=text/html; charset=UTF-8 # Logging # # Logging level, values are ALL, SEVERE, WARNING, INFO, DEBUG? LogLevel=ALL LogEncodingRequired=false # Intrusion Detection # # Each event has a base to which .count, .interval, and .action are added # The IntrusionException will fire if we receive "count" events within "interval" seconds # The IntrusionDetector is configurable to take the following actions: log, logout, and disable # (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable # # Custom Events # Names must start with "event." as the base # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here # event.test.count=2 event.test.interval=10 event.test.actions=disable,log # Exception Events # All EnterpriseSecurityExceptions are registered automatically # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException # Use the fully qualified classname of the exception as the base # any intrusion is an attack org.owasp.esapi.errors.IntrusionException.count=1 org.owasp.esapi.errors.IntrusionException.interval=1 org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout # for test purposes org.owasp.esapi.errors.IntegrityException.count=10 org.owasp.esapi.errors.IntegrityException.interval=5 org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout # rapid validation errors indicate scans or attacks in progress # org.owasp.esapi.errors.ValidationException.count=10 # org.owasp.esapi.errors.ValidationException.interval=10 # org.owasp.esapi.errors.ValidationException.actions=log,logout # ================= PROPERTIES NOT CURRENTLY USED IN OFBIZ ================= # These are not likely to be used, but leaving here commented out for future # references, just in case. # Authentication #RememberTokenDuration=14 #AllowedLoginAttempts=3 #MaxOldPasswordHashes=13 #UsernameParameterName=username #PasswordParameterName=password # Encryption #MasterPassword=owasp1 #MasterSalt=testtest # Algorithms # WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data # WARNING: Reasonable values for these algorithms will be tested and documented in a future release # #CharacterEncoding=UTF-8 #HashAlgorithm=SHA-512 #HashIterations=1024 ##EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding #EncryptionAlgorithm=PBEWithMD5AndDES #RandomAlgorithm=SHA1PRNG #DigitalSignatureAlgorithm=SHAwithDSA # sessions jumping between hosts indicates a session hijacking #org.owasp.esapi.errors.AuthenticationHostException.count=2 #org.owasp.esapi.errors.AuthenticationHostException.interval=10 #org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout