Create rule in ESAPI validator


I am starting to work with ESAPI but I have a problem. I am trying to create an example rule (Validator.Single=[A-Z]$). I want to validate that a String has only one uppercase character.

I put Validator.Single=[A-Z]$ in the validator.properties file, but when I use it in the code:

System.out.println(v.isValidInput("Single", "A", "Single", 1, true));

The output tells me

SecurityConfiguration for Validator.Single not found in ESAPI.properties. Using default: 
false

And it returns false instead of true, even though "A" is a valid letter.

Does anyone know what more I need to do? Or did I write the rule incorrectly?

Thanks for your responses.


There are 3 best solutions below

1
On

Your Validator.Single=[A-Z]$

should have been

Validator.Single=^[A-Z]$

Take note of the caret character (^) in the beginning of the regex. You can read more about Java Regular Expressions in Lars' Java Regex Tutorial

0
On

If you look at org.owasp.esapi.reference.DefaultSecurityConfiguration#getValidationPattern, you can see that if PatternSyntaxException is thrown the log would say "SecurityConfiguration for " + key + " not a valid regex in ESAPI.properties. Returning null" even though it's defined in validation.properties.

So it should work properly after you fix your regex syntax.

0
On

The problem here is most likely classpath related. When running the process that calls ESAPI, are you telling the JVM where your properties file is located, or are you compiling the library yourself from source?

I don't have enough information about how you're running that line of code, but my suspicion is that there's a validation.properties file in the ESAPI jar you're using and it's therefore not picking up the one you want.

However your process is run, make sure the following property is passed to the JVM:

-Dorg.owasp.esapi.resources="<path_to_your_resources_directory>"

Or, if compiling, make sure you're changing validation.properties in src/main/resources.
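
A diagnostic that combines the checks suggested in the answers above, as an added example that is not part of the original posts and not ESAPI code: it lists every copy of the properties files named on this page (in the `org.owasp.esapi.resources` directory and on the classpath), and reports whether each one defines `Validator.Single` and whether the value compiles as a regex. The class name `EsapiRuleCheck` is hypothetical, it uses only JDK APIs, and it does not reproduce ESAPI's own lookup order.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.*;
import java.util.*;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class EsapiRuleCheck {
    // File names mentioned on this page; the rule key is the asker's.
    static final String[] FILES = {"ESAPI.properties", "validation.properties", "validator.properties"};
    static final String KEY = "Validator.Single";

    public static void main(String[] args) throws Exception {
        List<URL> found = new ArrayList<>();
        // 1. Directory passed with -Dorg.owasp.esapi.resources, if any.
        String dir = System.getProperty("org.owasp.esapi.resources");
        System.out.println("org.owasp.esapi.resources = " + dir);
        for (String name : FILES) {
            if (dir != null) {
                Path p = Paths.get(dir, name);
                if (Files.isRegularFile(p)) found.add(p.toUri().toURL());
            }
            // 2. Every copy visible on the classpath, including ones inside jars.
            found.addAll(Collections.list(
                Thread.currentThread().getContextClassLoader().getResources(name)));
        }
        if (found.isEmpty()) System.out.println("No properties files found.");
        for (URL url : found) report(url);
    }

    // Load one properties file and check the rule it defines, if any.
    static void report(URL url) throws Exception {
        Properties props = new Properties();
        try (InputStream in = url.openStream()) { props.load(in); }
        String regex = props.getProperty(KEY);
        if (regex == null) {
            System.out.println(url + ": " + KEY + " not defined");
            return;
        }
        try {
            Pattern p = Pattern.compile(regex);
            System.out.println(url + ": " + KEY + "=" + regex
                + " compiles; matches(\"A\")=" + p.matcher("A").matches()
                + " matches(\"AB\")=" + p.matcher("AB").matches());
        } catch (PatternSyntaxException e) {
            System.out.println(url + ": " + KEY + " is not a valid regex: " + e.getDescription());
        }
    }
}
```

Run it with the same classpath and `-D` options as the application; more than one URL in the output means several copies of a file are visible, and a copy inside a jar may be the one that lacks the rule.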