
Esapi WARNING: [SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionDetector]


I have this line of code:

ESAPI.validator().isValidInput("user id", userID, "USERID", 8, false);

I have written a test for it; when I run the test and it fails, I get the following warning:

WARNING: [SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionDetector] Input exceeds maximum allowed length of 8 by 5 characters: context=user id, type=USERID, orig=userid1234567, input=userid1234567

What does the warning mean and how can I get rid of it?


Solution

  • Short answer: You get rid of the warning by passing in valid input.

    You are calling Validator.isValidInput(String context, String input, String type, int maxLength, boolean allowNull)

    You have the 'maxLength' parameter (the 4th parameter) set to 8. So you are telling this method that it should only return true if the 'input' parameter (your 2nd parameter in this method) has a length of <= maxLength.

    Your logged output shows that you are passing it a value of 'userID' which is set to "userid1234567", which has a length of 13 characters. Thus the log message is correctly telling you that your input exceeds the maximum allowed length of 8 by 5 characters. In other words, it is doing exactly what it was designed to do.
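The two call styles the answer describes, as an added example that is not code from the question, the answer or the ESAPI project. It assumes an ESAPI.properties on the classpath that defines the regex for the "USERID" type (the property name Validator.USERID and its pattern are assumed), and shows how the boolean form only logs the failure while the exception form hands the reason back to the caller.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class UserIdValidation {
    // Same maxLength as in the question: the 4th parameter of isValidInput
    private static final int MAX_USER_ID_LENGTH = 8;

    /** Boolean form: returns false on bad input; the details go only to the
     *  ESAPI log, which is where the IntrusionDetector warning comes from. */
    public static boolean isAcceptableUserId(String userID) {
        return ESAPI.validator().isValidInput(
                "user id", userID, "USERID", MAX_USER_ID_LENGTH, false);
    }

    /** Exception form: same rules (type regex, maxLength, allowNull), but the
     *  failure reason is available to the caller and the canonicalized value
     *  is returned on success. */
    public static String requireUserId(String userID) throws ValidationException {
        try {
            return ESAPI.validator().getValidInput(
                    "user id", userID, "USERID", MAX_USER_ID_LENGTH, false);
        } catch (IntrusionException ie) {
            // Raised when the IntrusionDetector threshold for this event is crossed;
            // surface it as a validation failure instead of letting it escape
            throw new ValidationException("user id rejected",
                    "intrusion threshold exceeded for user id", ie);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: 8 characters (within the limit) and the
        // 13-character value from the question (exceeds 8 by 5)
        String[] samples = {"userid12", "userid1234567"};
        for (String s : samples) {
            System.out.println(s + " -> valid=" + isAcceptableUserId(s));
        }
        try {
            requireUserId("userid1234567");
        } catch (ValidationException ve) {
            // The same "exceeds maximum allowed length" reason, as a message
            System.out.println("rejected: " + ve.getLogMessage());
        }
    }
}
```

Whether "userid12" passes also depends on the assumed USERID regex; the length check is what rejects the second value regardless of the pattern.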