release13.07/framework/base/config/ESAPI.properties

#####################################################################
# Based on the default ESAPI.properties file, which is BSD licensed.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#####################################################################

# Properties file for OWASP Enterprise Security API (ESAPI)
# You can find more information about ESAPI at http://www.owasp.org/esapi

# Validation
#
# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
#   Validaton.email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
#
# Then you can validate in your code against the pattern like this:
#   Validator.getInstance().getValidDataFromBrowser( "Email", input );
#   Validator.getInstance().isValidDataFromBrowser( "Email", input );
#
Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$

# Validators used by ESAPI
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
Validator.RoleName=^[a-z]{1,20}$
Validator.Redirect=^\\/test.*$

# Global HTTP Validation Rules
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$

# Validation of file related input
Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$

# File upload configuration
ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
MaxUploadFileBytes=500000000

# Content-Type header
ResponseContentType=text/html; charset=UTF-8

# Logging
#
# Logging level, values are ALL, SEVERE, WARNING, INFO, DEBUG?
LogLevel=ALL
LogEncodingRequired=false

# Intrusion Detection
#
# Each event has a base to which .count, .interval, and .action are added
# The IntrusionException will fire if we receive "count" events within "interval" seconds
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
#  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
#
# Custom Events
# Names must start with "event." as the base
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
#
event.test.count=2
event.test.interval=10
event.test.actions=disable,log

# Exception Events
# All EnterpriseSecurityExceptions are registered automatically
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
# Use the fully qualified classname of the exception as the base

# any intrusion is an attack
org.owasp.esapi.errors.IntrusionException.count=1
org.owasp.esapi.errors.IntrusionException.interval=1
org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

# for test purposes
org.owasp.esapi.errors.IntegrityException.count=10
org.owasp.esapi.errors.IntegrityException.interval=5
org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

# rapid validation errors indicate scans or attacks in progress
# org.owasp.esapi.errors.ValidationException.count=10
# org.owasp.esapi.errors.ValidationException.interval=10
# org.owasp.esapi.errors.ValidationException.actions=log,logout


# ================= PROPERTIES NOT CURRENTLY USED IN OFBIZ =================
# These are not likely to be used, but leaving here commented out for future
# references, just in case.

# Authentication
#RememberTokenDuration=14
#AllowedLoginAttempts=3
#MaxOldPasswordHashes=13
#UsernameParameterName=username
#PasswordParameterName=password

# Encryption
#MasterPassword=owasp1
#MasterSalt=testtest

# Algorithms
# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data
# WARNING: Reasonable values for these algorithms will be tested and documented in a future release
#
#CharacterEncoding=UTF-8
#HashAlgorithm=SHA-512
#HashIterations=1024
##EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding
#EncryptionAlgorithm=PBEWithMD5AndDES
#RandomAlgorithm=SHA1PRNG
#DigitalSignatureAlgorithm=SHAwithDSA

# sessions jumping between hosts indicates a session hijacking
#org.owasp.esapi.errors.AuthenticationHostException.count=2
#org.owasp.esapi.errors.AuthenticationHostException.interval=10
#org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout