| ##################################################################### |
| # Based on the default ESAPI.properties file, which is BSD licensed. |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| ##################################################################### |
| |
| # Properties file for OWASP Enterprise Security API (ESAPI) |
| # You can find more information about ESAPI at http://www.owasp.org/esapi |
| |
| # Validation |
| # |
| # The ESAPI validator does many security checks on input, such as canonicalization |
| # and whitelist validation. Note that all of these validation rules are applied *after* |
| # canonicalization. Double-encoded characters (even when different encodings are involved) |
| # are never allowed. |
| # |
| # To use: |
| # |
| # First set up a pattern below. You can choose any name you want, prefixed by the word |
| # "Validator." For example: |
| # Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ |
| # |
| # Then you can validate in your code against the pattern like this: |
| # Validator.getInstance().getValidDataFromBrowser( "Email", input ); |
| # Validator.getInstance().isValidDataFromBrowser( "Email", input ); |
| # |
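| # The patterns below are java.util.regex syntax. Because this file is loaded as a Java properties |
| # file, a regex backslash must be written as "\\": the loader turns "\\" into "\" and silently drops |
| # a lone "\" placed before a character that is not a properties escape. |
| # |
| # Letters and digits from any script (\p{L}, \p{N}) plus ".", up to 1024 characters. Written with |
| # "\\p" so the backslash survives loading; the earlier "\p" lost its backslash and left a character |
| # class of a few literal characters (p, {, L, }, N, .), rejecting almost all real input. |
| Validator.SafeString=^[\\p{L}\\p{N}.]{0,1024}$ |
| # Local part, "@", dotted domain, and a 2-4 letter top-level label; longer TLDs do not match. |
| Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ |
| # Dotted-quad IPv4 with each octet limited to 0-255; IPv6 addresses do not match. |
| Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ |
| # http, https, ftp or ftps URL. The optional port group is "[0-9]"; the earlier "(0-9)" was a group |
| # matching the literal text "0-9" (masked in practice because the trailing class also admits digits and ":"). |
| # The trailing class admits "\" (written "\\\\\\" here), "'", "%", "$" and "#" in the path/query part. |
| Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:[0-9]*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ |
| # Sixteen digits in four groups, each optionally followed by "-" or " ". Format only; no Luhn check. |
| Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ |
| # US SSN: area 001-772 (not 000), group not 00, serial not 0000; the optional "-" or " " separator |
| # must be the same in both positions (backreference \3). |
| Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ |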
| |
| # Validators used by ESAPI |
| # 3-20 ASCII letters or digits; no ".", "-", "_" or "@", so e-mail style account names do not match. |
| Validator.AccountName=^[a-zA-Z0-9]{3,20}$ |
| # Up to 64 characters drawn only from ASCII letters, "-" and "/": no digits, spaces, or shell |
| # metacharacters such as ";", "|", "&" or "$". |
| Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$ |
| # 1-20 lowercase ASCII letters. |
| Validator.RoleName=^[a-z]{1,20}$ |
| # Redirect targets must begin with "/test"; ".*" places no restriction on what follows. |
| # This looks like a test-environment value; confirm it matches the deployment's real redirect prefix. |
| Validator.Redirect=^\\/test.*$ |
| |
| # Global HTTP Validation Rules |
| # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] |
| # Parameter, cookie and header names are limited to 32 characters; the corresponding values are |
| # unbounded in length but limited to the listed character set. None of the value classes include |
| # CR or LF, so line breaks (header/response splitting) are rejected everywhere. |
| Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$ |
| # Letters, digits, ".", "-", "/", "+", "=", "_" and space (covers Base64 data, see above). |
| Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$ |
| Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$ |
| # Same as HTTPParameterValue but without "."; Base64 characters are still covered. |
| Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ |
| Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$ |
| # Wider than the other value classes: also admits "(", ")", "*", "?", ";", ",", ":", "&" for |
| # typical header syntax (e.g. "text/html; charset=UTF-8"). |
| Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ |
| |
| # Validation of file related input |
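| # Up to 255 characters: ASCII letters, digits, ".", "-", "_" and space. No path separators ("/", "\") |
| # or ":" are admitted; note that "." is allowed, so ".." on its own still matches. |
| Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$ |
| # Same character set as FileName. The hyphen is escaped ("\\-") so it is literal; the earlier form |
| # ".-\\_" was parsed as a range from "." to "_", which also admitted "/", "\", ":", ";", "<", "=", |
| # ">", "?", "@", "[", "]" and "^". If directory values legitimately need path separators, list them |
| # explicitly rather than relying on a range. |
| Validator.DirectoryName=^[a-zA-Z0-9.\\-_ ]{0,255}$ |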
| |
| # File upload configuration |
| # Comma-separated list of permitted upload extensions. The list includes server-executable and |
| # binary types (.jsp, .jsf, .class, .jar, .war, .ear, .exe, .dll); review it against what the |
| # upload location can serve or execute before relying on it. |
| ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll |
| # Maximum accepted upload size in bytes (500,000,000 bytes, i.e. 500 MB decimal). |
| MaxUploadFileBytes=500000000 |
| |
| # Content-Type header |
| # Full Content-Type value including the charset parameter. The ";" is part of the value: a Java |
| # properties file only treats "#" or "!" at the start of a line as a comment marker. |
| ResponseContentType=text/html; charset=UTF-8 |
| |
| # Logging |
| # |
| # Logging level, values are ALL, SEVERE, WARNING, INFO, DEBUG? |
| # ALL is the most verbose setting listed above. |
| LogLevel=ALL |
| # When false, ESAPI does not encode log message content before writing it. Untrusted data that |
| # ends up in a message (including line breaks) presumably reaches the log verbatim — confirm |
| # against the logger implementation in use before leaving this disabled. |
| LogEncodingRequired=false |
| |
| # Intrusion Detection |
| # |
| # Each event has a base to which .count, .interval, and .action are added |
| # The IntrusionException will fire if we receive "count" events within "interval" seconds |
| # The IntrusionDetector is configurable to take the following actions: log, logout, and disable |
| # (multiple actions separated by commas are allowed, e.g. event.test.actions=log,disable) |
| # |
| # Custom Events |
| # Names must start with "event." as the base |
| # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here |
| # |
| # Two "test" events within 10 seconds trigger the actions below (see the rules above). |
| event.test.count=2 |
| # seconds |
| event.test.interval=10 |
| # Comma-separated; both the account disable and the log entry are applied. |
| event.test.actions=disable,log |
| |
| # Exception Events |
| # All EnterpriseSecurityExceptions are registered automatically |
| # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException |
| # Use the fully qualified classname of the exception as the base |
| |
| # any intrusion is an attack |
| # count=1 with interval=1: a single IntrusionException is enough to fire the actions below. |
| org.owasp.esapi.errors.IntrusionException.count=1 |
| # seconds |
| org.owasp.esapi.errors.IntrusionException.interval=1 |
| # Log the event, disable the account and end the session. |
| org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout |
| |
| # for test purposes |
| # Ten IntegrityExceptions within 5 seconds fire the actions below. |
| org.owasp.esapi.errors.IntegrityException.count=10 |
| # seconds |
| org.owasp.esapi.errors.IntegrityException.interval=5 |
| # Same response as IntrusionException: log, disable the account, end the session. |
| org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout |
| |
| # rapid validation errors indicate scans or attacks in progress |
| # org.owasp.esapi.errors.ValidationException.count=10 |
| # org.owasp.esapi.errors.ValidationException.interval=10 |
| # org.owasp.esapi.errors.ValidationException.actions=log,logout |
| |
| |
| # ================= PROPERTIES NOT CURRENTLY USED IN OFBIZ ================= |
| # These are not likely to be used, but they are left here commented out for future |
| # reference, just in case. |
| |
| # Authentication |
| #RememberTokenDuration=14 |
| #AllowedLoginAttempts=3 |
| #MaxOldPasswordHashes=13 |
| #UsernameParameterName=username |
| #PasswordParameterName=password |
| |
| # Encryption |
| #MasterPassword=owasp1 |
| #MasterSalt=testtest |
| |
| # Algorithms |
| # WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data |
| # WARNING: Reasonable values for these algorithms will be tested and documented in a future release |
| # |
| #CharacterEncoding=UTF-8 |
| #HashAlgorithm=SHA-512 |
| #HashIterations=1024 |
| ##EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding |
| #EncryptionAlgorithm=PBEWithMD5AndDES |
| #RandomAlgorithm=SHA1PRNG |
| #DigitalSignatureAlgorithm=SHAwithDSA |
| |
| # sessions jumping between hosts indicates a session hijacking |
| #org.owasp.esapi.errors.AuthenticationHostException.count=2 |
| #org.owasp.esapi.errors.AuthenticationHostException.interval=10 |
| #org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout |
| |