RegEx Validators are handy for implementing whitelist input validation, so it pays to see what they actually do under the covers.
try
{
    // Regex.Match returns the first match found anywhere in the string, so the
    // Index and Length checks are what turn this into a whole-string match.
    Match match = Regex.Match(controlValidationValue, this.ValidationExpression);
    return ((match.Success && (match.Index == 0))
        && (match.Length == controlValidationValue.Length));
}
catch
{
    // Any exception from Regex.Match (e.g. a malformed pattern) is swallowed
    // and the input is reported as valid.
    return true;
}
A final thing that caught my eye was the try ... catch ... block. If the Regex.Match() call throws an exception, the validator returns true, indicating the input is safe. This means that in the event of an error, the validator fails open instead of failing closed! Deciding when applications/appliances/software/hardware/structures should fail open or fail closed is way beyond the scope of this post, and the answer is almost always circumstantial, based on the individual situation. Quick, should firewalls fail open or closed? Fail open? Well, then an attacker knocks out your firewalls and it's open season on the FTP servers and Samba shares inside your organization. Fail closed? That's a nifty DoS you built into your network infrastructure now, isn't it? When should input validation fail open or fail closed? Again, it depends, but my gut tells me it should fail closed more often than it fails open.
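As an added example (not the ASP.NET code quoted above), here is the same whole-string check written twice: once with the fail-open catch, once failing closed, with a deliberately malformed pattern to exercise the exception path. The method names are mine; the match-timeout constructor overload and RegexMatchTimeoutException are real .NET APIs, added in later framework versions than the one this post looked at.

```csharp
using System;
using System.Text.RegularExpressions;

static class ValidatorDemo
{
    // Mirrors the decompiled logic: any exception from Regex.Match means "valid".
    static bool FailOpenValidate(string value, string pattern)
    {
        try
        {
            Match match = Regex.Match(value, pattern);
            return match.Success && match.Index == 0 && match.Length == value.Length;
        }
        catch
        {
            return true;   // fails open: the input is never inspected
        }
    }

    // Same whole-string semantics, but an error rejects the input instead.
    static bool FailClosedValidate(string value, string pattern)
    {
        try
        {
            // Explicit anchors replace the Index/Length dance, and the match
            // timeout bounds how long a pathological pattern/input pair can run.
            var regex = new Regex("^(?:" + pattern + ")$", RegexOptions.None,
                                  TimeSpan.FromMilliseconds(200));
            return regex.IsMatch(value);
        }
        catch (ArgumentException)           // malformed pattern
        {
            return false;
        }
        catch (RegexMatchTimeoutException)  // matching took too long
        {
            return false;
        }
    }

    static void Main()
    {
        const string digits = @"\d{1,5}";   // constructed sample whitelist
        const string broken = @"(\d{1,5}";  // unbalanced paren: Regex.Match throws ArgumentException

        Console.WriteLine("fail-open, valid input:   " + FailOpenValidate("123", digits));
        Console.WriteLine("fail-open, partial match: " + FailOpenValidate("12a", digits));
        Console.WriteLine("fail-open, broken regex:  " + FailOpenValidate("anything goes", broken));
        Console.WriteLine("fail-closed, broken regex:" + FailClosedValidate("anything goes", broken));
    }
}
```

The third line is the one to watch: with the broken pattern the fail-open validator accepts arbitrary input without ever looking at it, while the fail-closed variant rejects it.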
More web sec people read Memestreams than read the SPI Labs blog. I'm not really sure what to make of that. :-)