Why the OOTB Infocenter ESAPI Security Framework Does Not First Decode/Canonicalize The Input String Before Performing the Validator Regex Checking?

(Doc ID 2114825.1)

Last updated on AUGUST 22, 2017

Applies to:

Oracle Knowledge - Version 8.5.1 and later
Information in this document applies to any platform.

Symptoms

Currently, the OOTB Infocenter ESAPI Security Framework does not decode/canonicalize the input string before performing the Validator regex check. As a result, the input string cannot contain arbitrary %-escaped characters: the exact characters to be allowed or rejected must be defined explicitly in the corresponding ESAPI Validator regex pattern.

For example, assume that you have added a new, simple login form with an input field LASTNAME without defining its corresponding ESAPI regex pattern (i.e., the default OOTB ESAPI regex DefaultValidator=^[\^\p{L}\p{P}\p{N}\p{S}\s+%26&=&amp%\\\-|]+$ is used).

If an IC end user enters something like GRIÑAN or GRI%C3%91AN in the LASTNAME field,

==> the ESAPI validation fails with errors like the following:
...

12950596 [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] WARN IntrusionDetector - [SECURITY FAILURE Anonymous:null@unknown -> /InfoCenter/IntrusionDetector] Invalid input: context=LASTNAME, type(DefaultValidator)=^[\^\p{L}\p{P}\p{N}\p{S}\s+%26&=&amp%\\\-|]+$, input=GRIìĎAN, orig=GRI%C3%91AN

com.inquira.esapi.IQValidationException: LASTNAME: Invalid input. Please conform to regex ^[\^\p{L}\p{P}\p{N}\p{S}\s+%26&=&amp%\\\-|]+$ with a maximum length of 100000000
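The following is an added example, not code from Oracle Knowledge or ESAPI, that applies the default validator regex quoted above to the LASTNAME values from the symptom. It uses JavaScript's unicode-mode regex as a stand-in for java.util.regex (the \p{L}, \p{P}, \p{N} and \p{S} classes mean the same in both), and a byte-wise percent decoder constructed here to reproduce the two-character input= value in the log line; that decoder is an assumption about what the canonicalizer produced, not ESAPI's code.

```javascript
// Added example (not Oracle Knowledge or ESAPI code): checks the article's default
// validator regex against the LASTNAME values from the symptom description.
// JavaScript's unicode-mode regex stands in for java.util.regex here.
//
// The pattern is copied exactly as the article prints it, including the literal
// "&amp" run, which inside a character class only adds '&', 'a', 'm' and 'p'.
const DEFAULT_VALIDATOR = /^[\^\p{L}\p{P}\p{N}\p{S}\s+%26&=&amp%\\\-|]+$/u;

// The same class applied to one character, used to report which code point fails.
const ALLOWED_CHAR = /^[\^\p{L}\p{P}\p{N}\p{S}\s+%26&=&amp%\\\-|]$/u;

function passesDefaultValidator(value) {
  return DEFAULT_VALIDATOR.test(value);
}

// Code points of `value` that the character class does not accept, as "U+XXXX".
function rejectedCodePoints(value) {
  return [...value]
    .filter((ch) => !ALLOWED_CHAR.test(ch))
    .map((ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Correct decoding: %C3%91 is one UTF-8 sequence and becomes the single letter Ñ.
function percentDecodeUtf8(value) {
  return decodeURIComponent(value);
}

// Byte-wise decoding: every %XX becomes the single character U+00XX, so %C3%91
// becomes two characters (U+00C3, U+0091). This is a constructed model that
// reproduces the two-character "input=" value shown in the log line; it is an
// assumption, not a claim about the framework's implementation.
function percentDecodeByteWise(value) {
  return value.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Constructed inputs, taken from the symptom description.
const ORIG = "GRI%C3%91AN";
const CASES = [
  ["typed directly", "GRIÑAN"],
  ["raw, still percent-encoded", ORIG],
  ["UTF-8 percent-decoded", percentDecodeUtf8(ORIG)],
  ["byte-wise percent-decoded", percentDecodeByteWise(ORIG)],
];

for (const [label, value] of CASES) {
  const ok = passesDefaultValidator(value);
  const detail = ok ? "" : "  rejected: " + rejectedCodePoints(value).join(", ");
  console.log(`${label.padEnd(28)} ${JSON.stringify(value).padEnd(16)} ${ok ? "pass" : "FAIL"}${detail}`);
}
```

Run it with node. The raw GRI%C3%91AN and the properly UTF-8-decoded GRIÑAN both satisfy the pattern ('%', hex digits and Ñ are all inside the class); only the byte-wise decoded value fails, because U+0091 is a control character and falls outside \p{L}\p{P}\p{N}\p{S}\s. That is consistent with the log line above, where the input= value is a two-character corruption of Ñ rather than Ñ itself, and it is why a field-specific Validator regex has to spell out the characters it accepts instead of relying on the escape being resolved first.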

Cause
