Trying to include the \b in regular expressions in ESAPI.properties, but its throwing an error as not a valid regex

Question

I have below regex value defined in ESAPI.properties of HTTPParameterValue.

Validator.HTTPParameterName=^\[\\u0080-\\uFFFFa-zA-Z0-9.,;?!:%'\\\\p{L}$\\\\-\\\\"\\\\\<\\\\\>\\\\\~\\\\\[\\\\\]\\\\\`\\\\^\\\\#\\\\&\\\\(\\\\)\\\\\\n\\\\\\t\\\\\\r\\\\\*\\\\/+=@\_}{|\\\\\\\\ \]\*$

Validator.HTTPParameterValue=^\[\\u0080-\\uFFFFa-zA-Z0-9.,;?!:%'\\\\p{L}$\\\\-\\\\"\\\\\<\\\\\>\\\\\~\\\\\[\\\\\]\\\\\`\\\\^\\\\#\\\\&\\\\(\\\\)\\\\\\n\\\\\\t\\\\\\r\\\\\*\\\\/+=@\_}{|\\\\\\\\ \]\*$

I'm trying to include \b (i.e backspace escape character) in this regex. But I'm getting the below errors.

INFO [stdout] (default task-1) ESAPI: SecurityConfiguration for HTTPParameterName not a valid regex in ESAPI.properties. Returning null

INFO [stdout] (default task-1) 11:25:04.358 [default task-1] ERROR

The selected type [HTTPParameterName] was not set via the ESAPI validation configuration

Is there any particular format to include this backspace in regex? Tried few of types like (\\\b, [\b], \\b). But for all of these types resulted in error.

how to resolve this?

Answer 1

First, as Chris mentioned, \b is not a backspace character. (The list of escape sequences and their meanings is in the documentation.) You can use \x08 or \ch or \010 instead. (There are other ways, but those are probably the simplest.)

Second, you want to clearly understand what backslashes are doing, rather than just trying random things. Start with your actual regular expression:

^[\x08\u0080-\uFFFFa-zA-Z0-9.,;?!:%'\p{L}$\-"<>~\[\]`\^#&()\n\t\r*/+=@_}{|\\ ]*$

(Most characters do not need to be escaped inside a […] expression. You only need backslashes for actual escape sequences, like \p{L}, and characters which have meaning in a bracketed expression, like hyphen, caret, a literal backslash, and the brackets themselves.)

In the properties file syntax, a literal backslash character is represented as \\. So all you need to do is replace every backslash in your regex with two backslashes:

Validator.HTTPParameterName=^[\\x08\\u0080-\\uFFFFa-zA-Z0-9.,;?!:%'\\p{L}$\\-"<>~\\[\\]`\\^#&()\\n\\t\\r*/+=@_}{|\\\\ ]*$
Validator.HTTPParameterValue=^[\\x08\\u0080-\\uFFFFa-zA-Z0-9.,;?!:%'\\p{L}$\\-"<>~\\[\\]`\\^#&()\\n\\t\\r*/+=@_}{|\\\\ ]*$

You might want to use a line continuation, for readability:

Validator.HTTPParameterName=\
    ^[\\x08\\u0080-\\uFFFFa-zA-Z0-9.,;?!:%'\\p{L}$\\-"<>~\\[\\]`\\^#&()\\n\\t\\r*/+=@_}{|\\\\ ]*$
Validator.HTTPParameterValue=\
    ^[\\x08\\u0080-\\uFFFFa-zA-Z0-9.,;?!:%'\\p{L}$\\-"<>~\\[\\]`\\^#&()\\n\\t\\r*/+=@_}{|\\\\ ]*$

Update:

I just realized that your regex contains every single printable ASCII character. Therefore, you can shorten it to this:

Validator.HTTPParameterName=^[\\x08\\n\\t\\r -~\\u0080-\\uFFFF\\p{L}]*$
Validator.HTTPParameterValue=^[\\x08\\n\\t\\r -~\\u0080-\\uFFFF\\p{L}]*$

Or even this:

Validator.HTTPParameterName=^[\\x08\\s!-~\\u0080-\\uFFFF\\p{L}]*$
Validator.HTTPParameterValue=^[\\x08\\s!-~\\u0080-\\uFFFF\\p{L}]*$