Housekeeping, OSGI start/stop, Parameterized some hardcoded values. (#…

…663) * Signed key history for MATT SEIL begins here. * Signed key history for MATT SEIL begins here. Fixed email typo. * Revert "Signed key history for MATT SEIL begins here. Fixed email typo." This reverts commit 87c4c4e. * created file on main. * Deleted foo.txt * #661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'. * Updated to AntiSamy 1.6.5. * Revert "#661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'." This reverts commit 9fa2a53. * #656 --> Parameterized cookie name length and value to correspond with the HTTP maxes defined in esapi.properties. * Adjusted regex to allow for zero-length matches. * Added per review comments for PR #663 Co-authored-by: Matt Seil <xeno6696[at]gmail.com>
ESAPI · Feb 26, 2022 · 0f9ab8a · 0f9ab8a
1 parent 699291c
commit 0f9ab8a
Show file tree

Hide file tree

Showing 7 changed files with 9 additions and 8 deletions.
diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties
@@ -469,7 +469,7 @@ Validator.Redirect=^\\/test.*$
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
-Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$
 # Note that headerName and Value length is also configured in the HTTPUtilities section
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java
@@ -189,8 +189,9 @@ public void addCookie(HttpServletResponse response, Cookie cookie) {
 
         // validate the name and value
         ValidationErrorList errors = new ValidationErrorList();
-        String cookieName = ESAPI.validator().getValidInput("cookie name", name, "HTTPCookieName", 50, false, errors);
-        String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", 5000, false, errors);
+        SecurityConfiguration sc = ESAPI.securityConfiguration();
+        String cookieName = ESAPI.validator().getValidInput("cookie name", name, "HTTPCookieName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false, errors);
+        String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false, errors);
 
         // if there are no errors, then set the cookie either with a header or normally
         if (errors.size() == 0) {

diff --git a/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties
@@ -468,7 +468,7 @@ Validator.Redirect=^\\/test.*$
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
-Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$

diff --git a/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties
@@ -469,7 +469,7 @@ Validator.Redirect=^\\/test.*$
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
-Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$

diff --git a/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties
@@ -467,7 +467,7 @@ Validator.Redirect=^\\/test.*$
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
-Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$

diff --git a/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties
@@ -467,7 +467,7 @@ Validator.Redirect=^\\/test.*$
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
-Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$

diff --git a/src/test/resources/esapi/ESAPI.properties b/src/test/resources/esapi/ESAPI.properties
@@ -498,7 +498,7 @@ Validator.Redirect=^\\/test.*$
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
-Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$
 # Note that headerName and Value length is also configured in the HTTPUtilities section
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$