122. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 12/20/2017 5:56:12 PM Eastern Standard Time.

122.1 Files compared

#  Location                                                             File              Last Modified
1  Genisis_2.0_v6_bld6.zip\Source Code\UI\Services\src\main\resources  ESAPI.properties  Thu Dec 14 19:56:30 2017 UTC
2  Genisis_2.0_v6_bld6.zip\Source Code\UI\Services\src\main\resources  ESAPI.properties  Wed Dec 20 22:20:52 2017 UTC

122.2 Comparison summary

Description (between files 1 and 2)   Text Blocks   Lines
Unchanged                             2             248
Changed                               1             8
Inserted                              0             0
Removed                               0             0

122.3 Comparison options

Whitespace
Character case      Differences in character case are significant
Line endings        Differences in line endings (CR and LF characters) are ignored
CR/LF characters    Not shown in the comparison detail

122.4 Active regular expressions

No regular expressions were active.

122.5 Comparison detail

#####################################################################
# Based on the default ESAPI.properties file, which is BSD licensed.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#####################################################################
# Properties file for OWASP Enterprise Security API (ESAPI)
# You can find more information about ESAPI at http://www.owasp.org/esapi
# Validation
#
# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
#   Validaton.email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
#
# Then you can validate in your code against the pattern like this:
#   Validator.getInstance().getValidDataFromBrowser( "Email", input );
#   Validator.getInstance().isValidDataFromBrowser( "Email", input );
#
Validator.SafeString=^[.\\p{Alnum}\\p{Space},:_!\\/\\\\]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
# Validators used by ESAPI
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
Validator.RoleName=^[a-z]{1,20}$
Validator.Redirect=^\\/test.*$
# Global HTTP Validation Rules
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
# Validation of file related input
Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$
# File upload configuration
ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
MaxUploadFileBytes=500000000
# Content-Type header
ResponseContentType=text/html; charset=UTF-8
# Logging
#
# Logging level, values are ALL, SEVERE, WARNING, INFO, DEBUG?
LogLevel=ALL
LogEncodingRequired=false
# Intrusion Detection
#
# Each event has a base to which .count, .interval, and .action are added
# The IntrusionException will fire if we receive "count" events within "interval" seconds
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
#  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
#
# Custom Events
# Names must start with "event." as the base
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
#
event.test.count=2
event.test.interval=10
event.test.actions=disable,log
# Exception Events
# All EnterpriseSecurityExceptions are registered automatically
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
# Use the fully qualified classname of the exception as the base
# any intrusion is an attack
org.owasp.esapi.errors.IntrusionException.count=1
org.owasp.esapi.errors.IntrusionException.interval=1
org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
# for test purposes
org.owasp.esapi.errors.IntegrityException.count=10
org.owasp.esapi.errors.IntegrityException.interval=5
org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
# rapid validation errors indicate scans or attacks in progress
# org.owasp.esapi.errors.ValidationException.count=10
# org.owasp.esapi.errors.ValidationException.interval=10
# org.owasp.esapi.errors.ValidationException.actions=log,logout
# ================= PROPERTIES NOT CURRENTLY USED IN OFBIZ =================
# These are not likely to be used, but leaving here commented out for future
# references, just in case.
# Authentication
#RememberTokenDuration=14
#AllowedLoginAttempts=3
#MaxOldPasswordHashes=13
#UsernameParameterName=username
#PasswordParameterName=password
# Encryption
#MasterPassword=owasp1
#MasterSalt=testtest
# Algorithms
# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data
# WARNING: Reasonable values for these algorithms will be tested and documented in a future release
#
#CharacterEncoding=UTF-8
#HashAlgorithm=SHA-512
#HashIterations=1024
##EncryptionAlgorithm= EKL
#EncryptionAlgorithm= EKL
#RandomAlgorithm= EKL
#DigitalSignatureAlgorithm= EKL
# sessions jumping between hosts indicates a session hijacking
#org.owasp.esapi.errors.AuthenticationHostException.count=2
#org.owasp.esapi.errors.AuthenticationHostException.interval=10
#org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
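The Validator.* patterns and the event.test count/interval/actions rule above only make sense once the Java .properties escaping is undone and the patterns are applied anchored. The following is an added example (not ESAPI's own code and not part of the compared file): a minimal properties reader, the validators compiled from a constructed subset of the page's entries, and a sliding-window counter with the intrusion-detection semantics the comments describe. The names load_properties, compile_validators, is_valid and IntrusionDetector are this example's own.

```python
import re

# Constructed subset of the ESAPI.properties compared above (values copied from the page).
ESAPI_PROPERTIES = r"""
# Validation patterns (Java .properties escaping: a regex backslash is written as \\)
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
# Intrusion detection rule for a custom event
event.test.count=2
event.test.interval=10
event.test.actions=disable,log
"""

def load_properties(text):
    """Minimal java.util.Properties reader: skips comments, splits on the first
    '=', and collapses the doubled backslashes that .properties escaping requires."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def compile_validators(props):
    """Compile every Validator.<Name> entry; the part after the prefix is the lookup key."""
    return {key[len("Validator."):]: re.compile(value)
            for key, value in props.items() if key.startswith("Validator.")}

def is_valid(validators, name, value):
    # fullmatch mirrors the anchored ^...$ patterns; a trailing newline is rejected too
    return validators[name].fullmatch(value) is not None

class IntrusionDetector:
    """Sliding-window counter with the event.<name>.count/.interval/.actions semantics."""
    def __init__(self, props, name):
        self.count = int(props[f"event.{name}.count"])
        self.interval = float(props[f"event.{name}.interval"])
        self.actions = props[f"event.{name}.actions"].split(",")
        self.times = []

    def add_event(self, now):
        """Record an event at time `now` (seconds); return the configured actions
        once `count` events fall inside the last `interval` seconds, else []."""
        self.times = [t for t in self.times if now - t < self.interval] + [now]
        return list(self.actions) if len(self.times) >= self.count else []

PROPS = load_properties(ESAPI_PROPERTIES)
VALIDATORS = compile_validators(PROPS)
```

Note that the page's Email pattern rejects top-level domains longer than four letters and that HTTPParameterName's {0,32} quantifier accepts the empty string, both of which the checks below show.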