Blacklist filter Bypass Feeling

Today, we find a problem that bypasses regular filtering, and many applications use regular expressions to authenticate input data, for example, when modifying a device name:

String regex = "^.*[\\\\/:\\*\\?\" <>\\| ' %&]+.*$ "; 1 or more "\:*?" appears <>| ' %& "character means illegal

Pattern pattern = pattern. Compile (regex);

Matcher Matcher = Pattern.matcher (str);

But we found that when the input carriage return (\ r \ n) The validation of the regular expression can be bypassed (followed by security problems), such as the input "abc\r\n<>" is not detected, because '. ' default is mismatch like ' \ r ', ' \ n ', etc. If you want to match then use options pattern.dotall, so write:

Pattern pattern = pattern. Compile (regex, Pattern.dotall);

However, no one can guarantee that this writing will not be able to continue to bypass the situation, so the essence of this problem is not the wrong way to use the method, but not the use of white list filter, that is, only allow the specified character pass, the other is not allowed, the following is owasp Esapi the White list filter rules for file names and directory names for your reference:

Validator.filename=^[[email protected]#$%^&{}\\[\\] () _+\\-=,.~ "]{1,255}$//[" characters are allowed to appear in white list characters, length 1-255, Any other characters are illegal.

Validator.directoryname=^[a-za-z0-9:/\\\\[email protected]#$%^&{}\\[\\] () _+\\-=,.~ "]{1,255}$

Similarly, we can also set a list of similar characters for various user input such as device name, so we strongly recommend that we use the Fu Bai to do data security verification.

Blacklist filter Bypass Feeling