I am retrieving a URL from the database and it contains special characters like % - = / ? etc., so when I try to populate it in my page, JSON is not able to parse that URL and it gives me an exception. When I was debugging I got this:

(Log4JLogger.java:log:449) [SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionException] INTRUSION - Mixed encoding (2x) detected

I tried the approach from this link here. This is my offending URL here.

But it is not working. He mentioned that the bug is solved, but for which version? The version I am using is 2.1.0. Below is my code:

package com.ghn.repufact.review.extractor;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

import javax.ws.rs.core.UriBuilder;

import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.log4j.Logger;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.reference.DefaultValidator;
import org.springframework.stereotype.Component;

@Component
public class ValidateURL {
    // Logger bound to this class (the original referenced ValidateResponse.class, which is a different class)
    private static final Logger logger = Logger.getLogger(ValidateURL.class);

    public String parseOrgConsumerLink(String myLink) throws URISyntaxException {
        if (myLink == null || "".equalsIgnoreCase(myLink))
            return myLink;
        Encoder enc = ESAPI.encoder();
        URI mixURI = new URI(myLink);
        // Canonicalize authority + path once. ESAPI's canonicalize() is where the
        // IntrusionException ("Mixed encoding (2x) detected") from the log is raised.
        // The original appended the same authority + path a second time via
        // uriBuilder.path(...), which duplicated it in the built URI; that call is dropped here.
        UriBuilder uriBuilder = UriBuilder.fromUri(enc.canonicalize(mixURI.getAuthority() + mixURI.getPath()));
        logger.info("Uri after URIbuilder:" + uriBuilder.build().toString());
        // Canonicalize each query parameter name and value separately
        List<NameValuePair> params = URLEncodedUtils.parse(mixURI, "UTF-8");
        for (NameValuePair nameValuePair : params)
            uriBuilder.queryParam(enc.canonicalize(nameValuePair.getName()), enc.canonicalize(nameValuePair.getValue()));
        String canonicalizedUrl = uriBuilder.build().toString();
        logger.info("canonicalized URI:" + canonicalizedUrl);
        return canonicalizedUrl;
    }

    public boolean isCanonicalizedURI(String myLink) throws EncodingException {
        Validator validator = DefaultValidator.getInstance();
        //boolean flag=validator.isValidInput("test", myLink, "URI", 200, false);
        myLink = ESAPI.encoder().encodeForURL(myLink);
        // Validate against the Validator.URLSTRING pattern from ESAPI.properties;
        // allowNull = true, canonicalize = false (the input was just URL-encoded above)
        boolean flag = validator.isValidInput("APPNAME", myLink, "URLSTRING", 600, true, false);
        logger.info("checking for URI:" + myLink + " isCanonical:" + flag);
        return flag;
    }
}

Please let me know if there is any workaround here. By the way, I am using Spring MVC.

  • The most recent release is 2.1.0.1. – avgvstvs May 12 '17 at 02:16
  • But it doesn't contain the bugfix you seek. We are still prepping the next release. – avgvstvs May 12 '17 at 02:17
  • Please share the offending URL from the ESAPI log. – avgvstvs May 12 '17 at 02:17
  • @avgvstvs: have updated question with offending URL – LowCool May 12 '17 at 04:50
  • Okay, so you missed a comment towards the very very bottom where a link was provided to the ESAPI project with some code that is actually much more up to date. The version of the code in the original question you linked was not prime-time, it was done just to show a basic example. https://github.com/ESAPI/esapi-java-legacy/commit/aafa3539002e01cc40b7d12868ab043838e62563 – avgvstvs May 16 '17 at 14:26
  • So, further up the API chain, it IS failing, but it's failing on the original regex used in ESAPI: `^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&%\$#_]*)?$` We haven't settled on what a safe alternative should be, but the path in the next version's API eliminates the need for much of what the legacy regex is trying to check for. – avgvstvs May 16 '17 at 15:51
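The "Mixed encoding (2x) detected" message in the question comes from ESAPI's canonicalizer, which decodes the input with several codecs until nothing changes and treats it as an intrusion when more than one codec had to run, or one codec had to run twice. The following self-contained Java program is an added illustration of that rule, not ESAPI's own code and not code from the question: it reimplements a two-codec canonicalizer (percent-decoding and HTML entities only) and classifies constructed sample URLs as single, multiple (2x) or mixed encoded. The class and method names (`MixedEncodingCheck`, `canonicalize`, `Result`) and the sample URLs are assumptions made for this example; ESAPI's real `DefaultEncoder` uses more codecs and different reporting.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: a minimal reimplementation of ESAPI-style multiple/mixed encoding detection.
public class MixedEncodingCheck {

    /** Outcome of canonicalizing one input: the fully decoded value plus how often each codec changed it. */
    public static final class Result {
        public final String canonical;
        public final Map<String, Integer> codecUses;

        Result(String canonical, Map<String, Integer> codecUses) {
            this.canonical = canonical;
            this.codecUses = codecUses;
        }

        /** One codec had to run more than once: the same scheme was applied twice (e.g. %2520). */
        public boolean isMultipleEncoded() {
            return codecUses.values().stream().anyMatch(n -> n > 1);
        }

        /** More than one codec changed the value: encoding schemes were layered (e.g. %26amp;). */
        public boolean isMixedEncoded() {
            return codecUses.size() > 1;
        }
    }

    private static final Pattern PCT = Pattern.compile("%([0-9A-Fa-f]{2})");
    private static final Pattern ENT = Pattern.compile("&(#x[0-9A-Fa-f]+|#[0-9]+|amp|lt|gt|quot);");

    /** Decode %XX sequences (single-byte, ASCII-range only; enough for the demonstration). */
    static String percentDecode(String s) {
        Matcher m = PCT.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Decode a small set of HTML entities (named and numeric). */
    static String entityDecode(String s) {
        Matcher m = ENT.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String e = m.group(1);
            String rep;
            if (e.startsWith("#x")) {
                rep = String.valueOf((char) Integer.parseInt(e.substring(2), 16));
            } else if (e.startsWith("#")) {
                rep = String.valueOf((char) Integer.parseInt(e.substring(1)));
            } else {
                switch (e) {
                    case "amp": rep = "&"; break;
                    case "lt": rep = "<"; break;
                    case "gt": rep = ">"; break;
                    default: rep = "\""; break;
                }
            }
            m.appendReplacement(out, Matcher.quoteReplacement(rep));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Apply every codec until the value stops changing, counting how often each one fired. */
    static Result canonicalize(String input) {
        Map<String, UnaryOperator<String>> codecs = new LinkedHashMap<>();
        codecs.put("percent", MixedEncodingCheck::percentDecode);
        codecs.put("html-entity", MixedEncodingCheck::entityDecode);

        Map<String, Integer> uses = new LinkedHashMap<>();
        String current = input;
        boolean changed = true;
        while (changed) {
            changed = false;
            for (Map.Entry<String, UnaryOperator<String>> c : codecs.entrySet()) {
                String next = c.getValue().apply(current);
                if (!next.equals(current)) {
                    uses.merge(c.getKey(), 1, Integer::sum);
                    current = next;
                    changed = true;
                }
            }
        }
        return new Result(current, uses);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example; not the URL from the question.
        String[] samples = {
            "https://example.com/a%20b?q=1",    // single percent-encoding: decodes once, accepted
            "https://example.com/a%2520b",      // %25 -> %, then %20 -> ' ': multiple (2x) encoding
            "https://example.com/?q=%26amp;x",  // %26 -> &, then &amp; -> &: mixed encoding
        };
        for (String s : samples) {
            Result r = canonicalize(s);
            System.out.printf("%-34s -> %-28s multiple=%b mixed=%b uses=%s%n",
                    s, r.canonical, r.isMultipleEncoded(), r.isMixedEncoded(), r.codecUses);
        }
    }
}
```

Run it with `javac MixedEncodingCheck.java && java MixedEncodingCheck`. The practical point for the question's code is that a URL stored already percent-encoded and then encoded again before validation (as `isCanonicalizedURI` does with `encodeForURL`) is exactly the shape that trips the "multiple" rule, while a value that decodes under two schemes trips the "mixed" rule; canonicalizing the stored value once, and validating the decoded form, avoids both.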

0 Answers