framework/base/config/ESAPI.properties 5.94 KB
c16038356   Anchit Jindal   first commit
  #####################################################################
  # Based on the default ESAPI.properties file, which is BSD licensed.
  #
  # Licensed to the Apache Software Foundation (ASF) under one
  # or more contributor license agreements.  See the NOTICE file
  # distributed with this work for additional information
  # regarding copyright ownership.  The ASF licenses this file
  # to you under the Apache License, Version 2.0 (the
  # "License"); you may not use this file except in compliance
  # with the License.  You may obtain a copy of the License at
  #
  # http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing,
  # software distributed under the License is distributed on an
  # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  # KIND, either express or implied.  See the License for the
  # specific language governing permissions and limitations
  # under the License.
  #####################################################################
  
  # Properties file for OWASP Enterprise Security API (ESAPI)
  # You can find more information about ESAPI at http://www.owasp.org/esapi
  
  # Validation
  #
  # The ESAPI validator performs security checks on input, such as canonicalization
  # followed by allow-list ("whitelist") validation. Note that all of the validation
  # rules below are applied *after* canonicalization; double-encoded characters (even
  # when different encodings are mixed) are never allowed.
  #
  # To use:
  #
  # First set up a pattern below. You can choose any name you want, prefixed by the word
  # "Validator." (the prefix every key in this file uses). For example:
  #   Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
  #
  # Then you can validate in your code against the pattern name like this:
  #   Validator.getInstance().getValidDataFromBrowser( "Email", input );
  #   Validator.getInstance().isValidDataFromBrowser( "Email", input );
  #
  # SafeString: letters and digits from any script plus ".", at most 1024 characters.
  # NOTE(review): every other pattern in this file writes a regex backslash as "\\"
  # (see "\\." in Validator.Email below); "\p{L}\p{N}" is the only single-backslash
  # escape. If this file is loaded with java.util.Properties, the backslash of an
  # unrecognised escape such as "\p" is silently dropped, which would turn the class
  # into [p{L}p{N}.] and reject ordinary letters and digits. Confirm against the
  # loader actually used; "\\p{L}\\p{N}" is the form consistent with the rest of
  # the file.
  Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$
  # Email: local part limited to [A-Za-z0-9._%-]; the TLD must be 2-4 letters, so
  # longer modern TLDs are rejected.
  Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
  # IPAddress: IPv4 dotted-quad only (each octet 0-255); IPv6 literals fail.
  Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
  # URL: http, https, ftp or ftps scheme, then a host, then an optional path.
  # NOTE(review): "(:(0-9)*)*" uses parentheses rather than brackets, so it matches
  # the literal text "0-9", not a digit range; a real port such as ":8080" is only
  # accepted because the trailing path class also admits ":" and digits. That
  # trailing class also admits "'" and "\", so a value that passes this check still
  # needs output encoding wherever it is rendered.
  Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
  # CreditCard: four groups of four digits with an optional "-" or " " between
  # groups. This is a format check only; no Luhn checksum is applied.
  Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
  # SSN: area 001-772 (never 000), group never 00, serial never 0000; the optional
  # separator must be the same in both positions (backreference \\3).
  Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
  
  # Validators used by ESAPI
  # AccountName: 3-20 ASCII letters or digits.
  Validator.AccountName=^[a-zA-Z0-9]{3,20}$
  # SystemCommand: letters, "-" and "/" only, up to 64 characters; no whitespace,
  # digits or shell metacharacters are admitted.
  Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
  # RoleName: 1-20 lowercase ASCII letters.
  Validator.RoleName=^[a-z]{1,20}$
  # Redirect: only site-relative targets beginning with "/test" are accepted.
  # NOTE(review): this is a prefix check only - everything after "/test" passes
  # (e.g. "/test/../other" or "/testXYZ") - and "/test" looks like a sample value.
  # Set it to the real allowed redirect paths before relying on it to block open
  # redirects.
  Validator.Redirect=^\\/test.*$
  
  # Global HTTP Validation Rules
  # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
  # Names are capped at 32 characters; the value patterns use "*" and so impose no
  # length limit of their own. None of these classes admit CR or LF, so header and
  # cookie values that pass cannot carry line breaks (response splitting).
  Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
  # Parameter values: alphanumerics, ". - / + = _" and space (Base64-safe).
  Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
  Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
  # Cookie values: as parameter values but without ".".
  Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
  Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
  # Header values additionally allow "( ) * . ? ; , : &", presumably for
  # Accept/Cache-Control style syntax.
  Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
  
  # Validation of file related input
  # FileName: letters, digits, ". - _" and space, up to 255 characters. "/" and
  # "\" are excluded, but ".." is still accepted, so callers must also reject
  # traversal sequences (or canonicalise and compare against the intended directory).
  Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
  # NOTE(review): in DirectoryName the hyphen in ".-\\_" is NOT escaped (compare
  # ".\\-_" in FileName above), so the class contains the RANGE "." .. "_"
  # (0x2E-0x5F; Java's Pattern accepts the escaped "_" as the range end). That
  # range admits "/", "\", ":", ";", "<", "=", ">", "?", "@", "[", "]" and "^" on
  # top of the characters that were listed. If a literal hyphen was intended, write
  # it as "\\-" as FileName does; if path separators are meant to be allowed, list
  # them explicitly so the intent is visible and the rest of the range is dropped.
  Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$
  
  # File upload configuration
  # NOTE(review): this allow-list includes server-executable and deployable types
  # (.jsp, .jsf, .war, .jar, .ear, .class, .java, .properties), native binaries
  # (.exe, .dll) and archives that may contain any of them. If an upload is ever
  # written under a servlet-served, classpath or auto-deploy directory this becomes
  # a remote code execution path; confirm where uploads are stored and trim the
  # list to what the application actually needs. An extension check also says
  # nothing about content - pair it with content-type / magic-byte checks.
  ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
  # 500,000,000 bytes (~477 MiB) per upload. Keep the container's request-size
  # limit and the upload volume's quota consistent with this, otherwise a single
  # client can exhaust disk space.
  MaxUploadFileBytes=500000000
  
  # Content-Type header
  # Content-Type value ESAPI applies to responses (presumably via its HTTP
  # utilities). The explicit charset avoids browser encoding sniffing.
  ResponseContentType=text/html; charset=UTF-8
  
  # Logging
  #
  # Logging level. Values include ALL, SEVERE, WARNING, INFO and DEBUG (confirm the
  # exact set against the ESAPI logger in use). ALL is the most verbose setting and
  # will write user-supplied data at high volume; prefer INFO or WARNING in
  # production.
  LogLevel=ALL
  # NOTE(review): false disables ESAPI's encoding of log messages, so user-controlled
  # text that reaches the logger (request parameters, header values, account names)
  # is written verbatim - including CR/LF and control characters - and an attacker
  # can forge or split log entries. Set this to true unless the log sink encodes on
  # its own.
  LogEncodingRequired=false
  
  # Intrusion Detection
  #
  # Each event has a base to which .count, .interval, and .actions are added
  # The IntrusionException will fire if we receive "count" events within "interval" seconds
  # The IntrusionDetector is configurable to take the following actions: log, logout, and disable
  #  (multiple actions separated by commas are allowed, e.g. event.test.actions=log,disable)
  #
  # Custom Events
  # Names must start with "event." as the base
  # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
  #
  # Sample custom event: two "test" events within 10 seconds disable the current
  # account and log the incident. Replace or remove before production.
  event.test.count=2
  event.test.interval=10
  event.test.actions=disable,log
  
  # Exception Events
  # All EnterpriseSecurityExceptions are registered automatically
  # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
  # Use the fully qualified classname of the exception as the base

  # any intrusion is an attack: a single IntrusionException within one second
  # logs, disables the current account and ends the session.
  org.owasp.esapi.errors.IntrusionException.count=1
  org.owasp.esapi.errors.IntrusionException.interval=1
  org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

  # for test purposes: ten IntegrityExceptions within five seconds.
  # NOTE(review): the "test" label suggests these thresholds were never tuned, and
  # "disable" is a permanent lock-out of the account, not just a logout. Review the
  # count, interval and actions before this configuration goes to production.
  org.owasp.esapi.errors.IntegrityException.count=10
  org.owasp.esapi.errors.IntegrityException.interval=5
  org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

  # rapid validation errors indicate scans or attacks in progress
  # NOTE(review): this rule is commented out, so a scanner that produces many
  # ValidationExceptions is not throttled at all. Enabling it with "log,logout"
  # (no "disable") is the low-risk way to turn it on.
  # org.owasp.esapi.errors.ValidationException.count=10
  # org.owasp.esapi.errors.ValidationException.interval=10
  # org.owasp.esapi.errors.ValidationException.actions=log,logout
  
  
  # ================= PROPERTIES NOT CURRENTLY USED IN OFBIZ =================
  # These are not likely to be used, but leaving here commented out for future
  # references, just in case.
  
  # Authentication
  #RememberTokenDuration=14
  #AllowedLoginAttempts=3
  #MaxOldPasswordHashes=13
  #UsernameParameterName=username
  #PasswordParameterName=password
  
  # Encryption
  # NOTE(review): "owasp1" / "testtest" are the well-known sample values shipped
  # with the ESAPI distribution. If encryption is ever enabled, generate a strong
  # random master password and salt and supply them from outside the repository.
  #MasterPassword=owasp1
  #MasterSalt=testtest
  
  # Algorithms
  # WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data
  # WARNING: Reasonable values for these algorithms will be tested and documented in a future release
  # NOTE(review): the commented defaults below are legacy choices - PBEWithMD5AndDES
  # (56-bit DES with an MD5-based key derivation), SHA1PRNG and SHAwithDSA (SHA-1).
  # If any of them is re-enabled, pick current equivalents (e.g. AES/GCM, the
  # platform default SecureRandom, a SHA-256-based signature) rather than these.
  #
  #CharacterEncoding=UTF-8
  #HashAlgorithm=SHA-512
  #HashIterations=1024
  ##EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding
  #EncryptionAlgorithm=PBEWithMD5AndDES
  #RandomAlgorithm=SHA1PRNG
  #DigitalSignatureAlgorithm=SHAwithDSA
  
  # sessions jumping between hosts indicates a session hijacking
  #org.owasp.esapi.errors.AuthenticationHostException.count=2
  #org.owasp.esapi.errors.AuthenticationHostException.interval=10
  #org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout