|
96 | 96 | * stores some untrusted data item such as an email address from a user. A |
97 | 97 | * developer thinks "let's output encode this and store the encoded data in |
98 | 98 | * the database, thus making the untrusted data safe to use all the time, thus |
99 | | -* saving all of us developers all the encoding troubles later on". On the surface, |
| 99 | + * saving all of us developers all the encoding troubles later on". On the surface, |
100 | 100 | * that sounds like a reasonable approach. The problem is how to know what |
101 | 101 | * output encoding to use, not only for now, but for all possible <i>future</i> |
102 | 102 | * uses? It might be that the current application code base is only using it in |
|
147 | 147 | * target="_blank" rel="noopener noreferrer">ESAPI Encoder JUnittest cases</a> for ideas. |
148 | 148 | * If you are really ambitious, an excellent resource for XSS attack patterns is |
149 | 149 | * <a href="https://beefproject.com/" target="_blank" rel="noopener noreferrer">BeEF - The Browser Exploitation Framework Project</a>. |
| 150 | + * </li><li><b>A final note on {@code Encoder} implementation details:</b> |
| 151 | + * Most of the {@code Encoder} methods make extensive use of ESAPI's {@link org.owasp.esapi.codecs.Codec} |
| 152 | + * classes under-the-hood. These {@code Codec} classes are intended for use for encoding and decoding |
| 153 | + * input based on some particular context or specification. While the OWASP team |
| 154 | + * over the years have made every effort to be cautious--often going to extremes |
| 155 | + * to make "safe harbor" decisions on harmful inputs other similar encoders assume are already safe |
| 156 | + * (we did this to in order to protect the client's users from buggy browsers that don't adhere |
| 157 | + * to the W3C HTML specications)&em;the various {@code Codec} implemtations can offer |
| 158 | + * NO GUARANTEE of safety of the content being encoded or decoded. Therefore, |
| 159 | + * it is highly advised to practice a security-in-depth approach for everything you do. |
| 160 | + * By following that advise, you will minimize the impact and/or likelihood of any |
| 161 | + * vulnerabilities from bugs in the ESAPI code or accidental misuse of the ESAPI |
| 162 | + * library on your part. In particular, whenever there are cases where cients use |
| 163 | + * any of these {@link org.owasp.esapi.codecs.Codec} classes drectly, it is highly |
| 164 | + * recommended to perform canonicalization followed by strict input valiation both |
| 165 | + * prior to encoding and after decoding to protect your application from input-based |
| 166 | + * attacks. |
150 | 167 | * </li> |
151 | 168 | * </ul> |
152 | | - * |
| 169 | + * </p> |
153 | 170 | * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">OWASP Cross-Site Scripting Prevention Cheat Sheet</a> |
| 171 | + * @see org.owasp.esapi.Validator |
154 | 172 | * @see <a href="https://owasp.org/www-project-proactive-controls/v3/en/c4-encode-escape-data">OWASP Proactive Controls: C4: Encode and Escape Data</a> |
155 | 173 | * @see <a href="https://www.onwebsecurity.com/security/properly-encoding-and-escaping-for-the-web.html" target="_blank" rel="noopener noreferrer">Properly encoding and escaping for the web</a> |
156 | 174 | * @author Jeff Williams (jeff.williams .at. owasp.org) |
@@ -215,7 +233,7 @@ public interface Encoder { |
215 | 233 | * <ul><li>Perverse but legal variants of escaping schemes</li> |
216 | 234 | * <li>Multiple escaping (%2526 or &lt;)</li> |
217 | 235 | * <li>Mixed escaping (%26lt;)</li> |
218 | | - * <li>Nested escaping (%%316 or &%6ct;)</li> |
| 236 | + * <li>Nested escaping (%%316 or &%6ct;)</li> |
219 | 237 | * <li>All combinations of multiple, mixed, and nested encoding/escaping (%253c or ┦gt;)</li></ul> |
220 | 238 | * <p> |
221 | 239 | * Using canonicalize is simple. The default is just... |
@@ -395,25 +413,69 @@ public interface Encoder { |
395 | 413 |
|
396 | 414 | /** |
397 | 415 | * Encode input for use in a SQL query, according to the selected codec |
398 | | - * (appropriate codecs include the MySQLCodec and OracleCodec). |
399 | | - * |
400 | | - * This method is not recommended. The use of the {@code PreparedStatement} |
401 | | - * interface is the preferred approach. However, if for some reason |
402 | | - * this is impossible, then this method is provided as a weaker |
403 | | - * alternative. |
404 | | - * |
405 | | - * The best approach is to make sure any single-quotes are double-quoted. |
406 | | - * Another possible approach is to use the {escape} syntax described in the |
407 | | - * JDBC specification in section 1.5.6. |
408 | | - * |
| 416 | + * (appropriate codecs include the {@link org.owasp.esapi.codecs.MySQLCodec} |
| 417 | + * and {@link org.owasp.esapi.codecs.OracleCodec}), but see |
| 418 | + * "<b>SECURITY WARNING</b>" below before using. |
| 419 | + * <p> |
| 420 | + * The this method attempts to ensure make sure any single-quotes are double-quoted |
| 421 | + * (i.e., as '', not double-quotes, as in "). Another possible approach |
| 422 | + * is to use the {escape} syntax described in the JDBC specification in section 1.5.6. |
409 | 423 | * However, this syntax does not work with all drivers, and requires |
410 | 424 | * modification of all queries. |
411 | | - * |
| 425 | + * </p><p> |
| 426 | + * <b>SECURITY WARNING:</b> This method is <u>NOT</u> recommended. The use of the {@code PreparedStatement} |
| 427 | + * interface is the preferred approach. However, if for some reason |
| 428 | + * this is impossible, then this method is provided as significantly weaker |
| 429 | + * alternative. In particular, it should be noted that if all you do to |
| 430 | + * address potential SQL Injection attacks is to use this method to escape |
| 431 | + * parameters, you <i>will</i> fail miserably. According to the |
| 432 | + * <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"> |
| 433 | + * OWASP SQL Injection Prevention Cheat Sheet</a>, these are the primary |
| 434 | + * defenses against SQL Injection (as of June 2025): |
| 435 | + * <ul> |
| 436 | + * <li>Option 1: Use of Prepared Statements (with Parameterized Queries)</li> |
| 437 | + * <li>Option 2: Use of Properly Constructed Stored Procedures</li> |
| 438 | + * <li>Option 3: Allow-list Input Validation</li> |
| 439 | + * <li>Option 4: STRONGLY DISCOURAGED: Escaping All User Supplied Input</li> |
| 440 | + * </ul> |
| 441 | + * </p><p> |
| 442 | + * According to "Option 4" (which is what this method implements), that OWASP Cheat Sheet |
| 443 | + * states: |
| 444 | + * <blockquote |
| 445 | + * cite="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#defense-option-4-strongly-discouraged-escaping-all-user-supplied-input"> |
| 446 | + * In this approach, the developer will escape all user input |
| 447 | + * before putting it in a query. It is very database specific |
| 448 | + * in its implementation. This methodology is frail compared |
| 449 | + * to other defenses, and <b>we <i>CANNOT</i> guarantee that this option |
| 450 | + * will prevent all SQL injections in all situations.</b> |
| 451 | + * </blockquote> |
| 452 | + * (Emphasis ours.) |
| 453 | + * </p><p> |
| 454 | + * Note you could give yourself a slightly better chance at success if prior to |
| 455 | + * escaping by this method, you first canonicalize the input and run it through |
| 456 | + * some strong allow-list validation. We will not provide anymore details than |
| 457 | + * that, lest we encourage its misuse; however, it should be noted that resorting |
| 458 | + * to use this method--especially by itself--should rarely, if ever, used. It |
| 459 | + * is intended as a last ditch, emergency, Hail Mary effort. (To be honest, you'd |
| 460 | + * likely have more success setting up a WAF such as |
| 461 | + * <a href="https://modsecurity.org/">OWASP ModSecurity</a> and |
| 462 | + * <a href="https://owasp.org/www-project-modsecurity-core-rule-set/">OWASP CRS</a> |
| 463 | + * if you need a temporary emergency SQLi defense shield, but using {@code PreparedStatement} |
| 464 | + * is still your best option if you have the time and resources. |
| 465 | + * </p><p> |
| 466 | + * <b>Note to AppSec / Security Auditor teams:</b> If see this method being used in |
| 467 | + * application code, the risk of an exploitable SQLi vulnerability is still high. We |
| 468 | + * stress the importance of the first two Options discussed in the |
| 469 | + * <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"> |
| 470 | + * OWASP SQL Injection Prevention Cheat Sheet</a>. If you allow this, we recommend only |
| 471 | + * doing so for a limited time duration and in the meantime creating some sort of security |
| 472 | + * exception ticket to track it. |
| 473 | + * </p> |
412 | 474 | * @see <a href="https://download.oracle.com/otn-pub/jcp/jdbc-4_2-mrel2-spec/jdbc4.2-fr-spec.pdf">JDBC Specification</a> |
413 | 475 | * @see <a href="https://docs.oracle.com/javase/8/docs/api/java/sql/PreparedStatement.html">java.sql.PreparedStatement</a> |
414 | 476 | * |
415 | 477 | * @param codec |
416 | | - * a Codec that declares which database 'input' is being encoded for (ie. MySQL, Oracle, etc.) |
| 478 | + * a {@link org.owasp.esapi.codecs.Codec} that declares which database 'input' is being encoded for (ie. MySQL, Oracle, etc.) |
417 | 479 | * @param input |
418 | 480 | * the text to encode for SQL |
419 | 481 | * |
@@ -526,7 +588,7 @@ public interface Encoder { |
526 | 588 | * For more information, refer to <a |
527 | 589 | * href="http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html">this |
528 | 590 | * article</a> which specifies the following list of characters as the most |
529 | | - * dangerous: ^&"*';<>(). <a |
| 591 | + * dangerous: ^ & " * ' ; < > ( ) . <a |
530 | 592 | * href="http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf">This |
531 | 593 | * paper</a> suggests disallowing ' and " in queries. |
532 | 594 | * |
|
0 commit comments