Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

isValidDate fails to identify injection attack #258

Closed
meg23 opened this issue Nov 13, 2014 · 3 comments
Closed

isValidDate fails to identify injection attack #258

meg23 opened this issue Nov 13, 2014 · 3 comments

Comments

@meg23
Copy link

meg23 commented Nov 13, 2014

From andrew.g...@gmail.com on November 07, 2011 08:28:17

What steps will reproduce the problem? 1. Instantiate a SimpleDateFormat object called myFormat
2. Make a call to ESAPI.validator().dateIsValid using the following arguments: "datetest4", "September 11, 2001' union select * from another_table where user_id like '%", myFormat, false What is the expected output? What do you see instead? I think it's reasonable to expect the library to report "September 11, 2001' union select * from another_table where user_id like '%" as an invalid date; but, the method returns true. What version of the product are you using? On what operating system? I fetched the source from http://owasp-esapi-java.googlecode.com/svn/trunk , revision 1867 , compiled using the Oracle JDK 6 Standard Edition (build 1.6.0_24-b07) in Eclipse configured for J2SE-1.5 compliance. The host OS was Windows 7. Does this issue affect only a specified browser or set of browsers? No. Please provide any additional information below. I added the following line to org.owasp.esapi.reference.ValidatorTest.java at line 330:

assertFalse(instance.isValidDate("datetest4", "September 11, 2001' union select * from another_table where user_id like '%", format, false));

and this assertion fails.

I believe I have traced the root cause to org.owasp.esapi.reference.validation.DateValidationRule.java line 97:

return format.parse(canonical);

According to the JavaDoc for DateFormat.parse at http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html#parse%28java.lang.String,%20java.text.ParsePosition%29 , the parse method does not necessarily use up all characters to the end of the string. Thus the current implementation apparently reads to the end of the valid date and returns true, without checking whether additional characters are present.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=251

@meg23
Copy link
Author

meg23 commented Nov 13, 2014

From chrisisbeef on September 18, 2014 13:47:10

This is being looked at currently

Status: Accepted

@xeno6696
Copy link
Collaborator

xeno6696 commented Jul 27, 2017

@kwwall, there are three issues here that are all related. Going to close this and the other and work with the one I started last weekend.

@xeno6696
Copy link
Collaborator

xeno6696 commented Jul 27, 2017

Duplicate of #299

@xeno6696 xeno6696 marked this as a duplicate of #299 Jul 27, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants