From bc3bd831c79cc47abae4e6f6481c7338d01b3cf9 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sat, 28 May 2022 16:33:27 -0400
Subject: [PATCH 001/197] Delete unneed log4j import.
---
src/examples/java/PersistedEncryptedData.java | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/examples/java/PersistedEncryptedData.java b/src/examples/java/PersistedEncryptedData.java
index a034d0a50..06a0512eb 100644
--- a/src/examples/java/PersistedEncryptedData.java
+++ b/src/examples/java/PersistedEncryptedData.java
@@ -4,7 +4,6 @@
import org.owasp.esapi.errors.*;
import org.owasp.esapi.codecs.*;
import javax.servlet.ServletRequest;
-import org.apache.log4j.Logger;
/** A slightly more complex example showing encoding encrypted data and writing
* it out to a file. This is very similar to the example in the ESAPI User
From 5ae813538f29762d75d3a615e86fa48f836b5e64 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sat, 28 May 2022 22:32:21 -0400
Subject: [PATCH 002/197] Mark 2 public static variables as deprecated as they
are not used.
---
.../waf/configuration/AppGuardianConfiguration.java | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java b/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
index 78140cdfc..8523c2ceb 100644
--- a/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
+++ b/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
@@ -46,12 +46,25 @@ public class AppGuardianConfiguration {
public static final int OPERATOR_IN_LIST = 2;
public static final int OPERATOR_EXISTS = 3;
+ //// TODO - Delete these comments and the next 2 declarations on log4j clean-up.
/*
* We have static copies of the log settings so that the Rule objects
* can access them, because they don't have access to the instance of
* the configuration object.
*/
+ /**
+ * @deprecated This {@code LOG_LEVEL} has never actually been used
+ * internally and this will be deleted when we remove all Log4J 1.x
+ * references.
+ */
+ @Deprecated
public static Level LOG_LEVEL = Level.INFO;
+ /**
+ * @deprecated This {@code LOG_DIRECTORY} has never actually been used
+ * internally and this will be deleted when we remove all Log4J 1.x
+ * references.
+ */
+ @Deprecated
public static String LOG_DIRECTORY = "/WEB-INF/logs";
/*
From 85ce010730f878a6420a030fb78f04a71765f9a1 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 29 May 2022 21:14:30 -0400
Subject: [PATCH 003/197] Update versions of 3 plugins.
---
pom.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 83add7749..d9dde1dda 100644
--- a/pom.xml
+++ b/pom.xml
@@ -140,7 +140,7 @@
2.0.94.7.01.12.0
- 4.6.0.0
+ 4.7.0.03.0.0-M61.8
@@ -426,7 +426,7 @@
org.codehaus.mojoversions-maven-plugin
- 2.10.0
+ 2.11.0file:${project.basedir}/versionRuleset.xml
@@ -439,7 +439,7 @@
org.cyclonedxcyclonedx-maven-plugin
- 2.6.1
+ 2.7.0package
From 26a499491ff061f6744a3ef4f61b65eb4c2c2654 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 29 May 2022 23:14:04 -0400
Subject: [PATCH 004/197] Issue #620. Reorganize source to get stuff out of
implementatiopn class. Moved ESAPI propery variables ('public static final
String') from DefaultSecurityConfiguration to here. Moved DefaultSearchPath
enum from DefaultSecurityConfiguration to here.
---
src/main/java/org/owasp/esapi/PropNames.java | 201 +++++++++++++++++++
1 file changed, 201 insertions(+)
create mode 100644 src/main/java/org/owasp/esapi/PropNames.java
diff --git a/src/main/java/org/owasp/esapi/PropNames.java b/src/main/java/org/owasp/esapi/PropNames.java
new file mode 100644
index 000000000..33a5eb4e1
--- /dev/null
+++ b/src/main/java/org/owasp/esapi/PropNames.java
@@ -0,0 +1,201 @@
+// TODO: Discuss: Should the name of this be PropConstants or PropertConstants
+// since there are some property values included here? I don't
+// really like that as much as PropNames, but I could live with
+// it.
+/*
+ * OWASP Enterprise Security API (ESAPI)
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * https://owasp.org/www-project-enterprise-security-api/.
+ *
+ * Copyright (c) 2022 - The OWASP Foundation
+ *
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ *
+ */
+package org.owasp.esapi;
+
+
+/**
+ * This non-constructable class of public constants defines all the property names used in {@code ESAPI.properties} as
+ * well as some of the default property values for some of those properties. This class is not intended
+ * to be extended or instantiated. Technically, an interface would have worked here, but we
+ * also wanted to be able to prevent 'implements PropNames', which really does not make much
+ * sense since no specific behavior is promised here. Another alternative would have
+ * been to place all of these in the {@code org.owasp.esapi.SecurityConfiguration} interface,
+ * but that interface is already overly bloated. Hence this was decided as a compromise.
+ *
+ * Note that the constants herein were originally all defined within
+ * {@code org.owasp.esapi.reference.DefaultSecurityConfiguration}, but those
+ * values are now marked deprecated and they are candidates for removal 2 years
+ * from the date of this release.
+ *
+ * Mostly this is intended to prevent having to hard-code property names all
+ * over the place in implementation-level classes (e.g.,
+ * {@code org.owasp.esapi.reference.DefaultSecurityConfiguration}).
+ * It is suggested that this file be used as a 'static import';
+ * e.g.,
+ *
+ * import static org.owasp.esapi.PropNames.*; // Import all properties, en masse
+ * or
+ * import static org.owasp.esapi.PropNames.SomeSpecificPropName; // Import specific property name
+ *
+ * This can be extremely useful when used with methods such as
+ * {@code SecurityConfiguration.getIntProp(String propName)},
+ * {@code SecurityConfiguration.getBooleanProp(String propName)},
+ * {@code SecurityConfiguration.getStringProp(String propName)}, etc.
+ *
+ * @author Kevin W. Wall (kevin.w.wall .at. gmail.com)
+ * @since 2.4.1.0
+ * @see org.owasp.esapi.reference.DefaultSecurityConfiguration
+ */
+
+public final class PropNames {
+
+ public static final String REMEMBER_TOKEN_DURATION = "Authenticator.RememberTokenDuration";
+ public static final String IDLE_TIMEOUT_DURATION = "Authenticator.IdleTimeoutDuration";
+ public static final String ABSOLUTE_TIMEOUT_DURATION = "Authenticator.AbsoluteTimeoutDuration";
+ public static final String ALLOWED_LOGIN_ATTEMPTS = "Authenticator.AllowedLoginAttempts";
+ public static final String USERNAME_PARAMETER_NAME = "Authenticator.UsernameParameterName";
+ public static final String PASSWORD_PARAMETER_NAME = "Authenticator.PasswordParameterName";
+ public static final String MAX_OLD_PASSWORD_HASHES = "Authenticator.MaxOldPasswordHashes";
+
+ public static final String ALLOW_MULTIPLE_ENCODING = "Encoder.AllowMultipleEncoding";
+ public static final String ALLOW_MIXED_ENCODING = "Encoder.AllowMixedEncoding";
+ public static final String CANONICALIZATION_CODECS = "Encoder.DefaultCodecList";
+
+ public static final String DISABLE_INTRUSION_DETECTION = "IntrusionDetector.Disable";
+
+ public static final String MASTER_KEY = "Encryptor.MasterKey";
+ public static final String MASTER_SALT = "Encryptor.MasterSalt";
+ public static final String KEY_LENGTH = "Encryptor.EncryptionKeyLength";
+ public static final String ENCRYPTION_ALGORITHM = "Encryptor.EncryptionAlgorithm";
+ public static final String HASH_ALGORITHM = "Encryptor.HashAlgorithm";
+ public static final String HASH_ITERATIONS = "Encryptor.HashIterations";
+ public static final String CHARACTER_ENCODING = "Encryptor.CharacterEncoding";
+ public static final String RANDOM_ALGORITHM = "Encryptor.RandomAlgorithm";
+ public static final String DIGITAL_SIGNATURE_ALGORITHM = "Encryptor.DigitalSignatureAlgorithm";
+ public static final String DIGITAL_SIGNATURE_KEY_LENGTH = "Encryptor.DigitalSignatureKeyLength";
+ public static final String PREFERRED_JCE_PROVIDER = "Encryptor.PreferredJCEProvider";
+ public static final String CIPHER_TRANSFORMATION_IMPLEMENTATION = "Encryptor.CipherTransformation";
+ public static final String CIPHERTEXT_USE_MAC = "Encryptor.CipherText.useMAC";
+ public static final String PLAINTEXT_OVERWRITE = "Encryptor.PlainText.overwrite";
+ public static final String IV_TYPE = "Encryptor.ChooseIVMethod"; // Will be removed in future release.
+ public static final String COMBINED_CIPHER_MODES = "Encryptor.cipher_modes.combined_modes";
+ public static final String ADDITIONAL_ALLOWED_CIPHER_MODES = "Encryptor.cipher_modes.additional_allowed";
+ public static final String KDF_PRF_ALG = "Encryptor.KDF.PRF";
+ public static final String PRINT_PROPERTIES_WHEN_LOADED = "ESAPI.printProperties";
+
+ public static final String WORKING_DIRECTORY = "Executor.WorkingDirectory";
+ public static final String APPROVED_EXECUTABLES = "Executor.ApprovedExecutables";
+
+ public static final String FORCE_HTTPONLYSESSION = "HttpUtilities.ForceHttpOnlySession";
+ public static final String FORCE_SECURESESSION = "HttpUtilities.SecureSession";
+ public static final String FORCE_HTTPONLYCOOKIES = "HttpUtilities.ForceHttpOnlyCookies";
+ public static final String FORCE_SECURECOOKIES = "HttpUtilities.ForceSecureCookies";
+ public static final String MAX_HTTP_HEADER_SIZE = "HttpUtilities.MaxHeaderSize";
+ public static final String UPLOAD_DIRECTORY = "HttpUtilities.UploadDir";
+ public static final String UPLOAD_TEMP_DIRECTORY = "HttpUtilities.UploadTempDir";
+ public static final String APPROVED_UPLOAD_EXTENSIONS = "HttpUtilities.ApprovedUploadExtensions";
+ public static final String MAX_UPLOAD_FILE_BYTES = "HttpUtilities.MaxUploadFileBytes";
+ public static final String RESPONSE_CONTENT_TYPE = "HttpUtilities.ResponseContentType";
+ public static final String HTTP_SESSION_ID_NAME = "HttpUtilities.HttpSessionIdName";
+
+ public static final String APPLICATION_NAME = "Logger.ApplicationName";
+ public static final String LOG_USER_INFO = "Logger.UserInfo";
+ public static final String LOG_CLIENT_INFO = "Logger.ClientInfo";
+ public static final String LOG_ENCODING_REQUIRED = "Logger.LogEncodingRequired";
+ public static final String LOG_APPLICATION_NAME = "Logger.LogApplicationName";
+ public static final String LOG_SERVER_IP = "Logger.LogServerIP";
+
+ public static final String VALIDATION_PROPERTIES = "Validator.ConfigurationFile";
+ public static final String VALIDATION_PROPERTIES_MULTIVALUED = "Validator.ConfigurationFile.MultiValued";
+ public static final String ACCEPT_LENIENT_DATES = "Validator.AcceptLenientDates";
+ public static final String VALIDATOR_HTML_VALIDATION_ACTION = "Validator.HtmlValidationAction";
+ public static final String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE = "Validator.HtmlValidationConfigurationFile";
+
+ /**
+ * Special {@code java.lang.System} property that, if set to {@code true}, will
+ * disable logging from {@code DefaultSecurityConfiguration.logToStdout()}
+ * methods, which is called from various {@code logSpecial()} methods.
+ *
+ * @see org.owasp.esapi.reference.DefaultSecurityConfiguration#logToStdout(String msg, Throwable t)
+ */
+ public static final String DISCARD_LOGSPECIAL = "org.owasp.esapi.logSpecial.discard";
+
+ /*
+ * Implementation Keys
+ */
+ public static final String LOG_IMPLEMENTATION = "ESAPI.Logger";
+ public static final String AUTHENTICATION_IMPLEMENTATION = "ESAPI.Authenticator";
+ public static final String ENCODER_IMPLEMENTATION = "ESAPI.Encoder";
+ public static final String ACCESS_CONTROL_IMPLEMENTATION = "ESAPI.AccessControl";
+ public static final String ENCRYPTION_IMPLEMENTATION = "ESAPI.Encryptor";
+ public static final String INTRUSION_DETECTION_IMPLEMENTATION = "ESAPI.IntrusionDetector";
+ public static final String RANDOMIZER_IMPLEMENTATION = "ESAPI.Randomizer";
+ public static final String EXECUTOR_IMPLEMENTATION = "ESAPI.Executor";
+ public static final String VALIDATOR_IMPLEMENTATION = "ESAPI.Validator";
+ public static final String HTTP_UTILITIES_IMPLEMENTATION = "ESAPI.HTTPUtilities";
+
+
+ //////////////////////////////////////////////////////////////////////////////
+ // //
+ // These are not really property names, but the shouldn't really be in an //
+ // implementation class that we want to only deal with via the //
+ // SecurityConfiguration interface. //
+ // //
+ //////////////////////////////////////////////////////////////////////////////
+
+
+ /*
+ * These are default implementation classes.
+ */
+ public static final String DEFAULT_LOG_IMPLEMENTATION = "org.owasp.esapi.logging.java.JavaLogFactory";
+ public static final String DEFAULT_AUTHENTICATION_IMPLEMENTATION = "org.owasp.esapi.reference.FileBasedAuthenticator";
+ public static final String DEFAULT_ENCODER_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultEncoder";
+ public static final String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultAccessController";
+ public static final String DEFAULT_ENCRYPTION_IMPLEMENTATION = "org.owasp.esapi.reference.crypto.JavaEncryptor";
+ public static final String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultIntrusionDetector";
+ public static final String DEFAULT_RANDOMIZER_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultRandomizer";
+ public static final String DEFAULT_EXECUTOR_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultExecutor";
+ public static final String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultHTTPUtilities";
+ public static final String DEFAULT_VALIDATOR_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultValidator";
+
+ /** The name of the ESAPI property file */
+ public static final String DEFAULT_RESOURCE_FILE = "ESAPI.properties";
+
+ //
+ // Private CTOR to prevent creation of PropName objects. We wouldn't need
+ // this if this were an interface, nor would we need the explict 'public static final'.
+ //
+ private PropNames() {
+ throw new AssertionError("Thought you'd cheat using reflection or JNI, huh? :)");
+ }
+
+
+ /** Enum used with the search paths used to locate an
+ * {@code ESAPI.properties} and/or a {@code validation.properties}
+ * file.
+ */
+ public enum DefaultSearchPath {
+
+ RESOURCE_DIRECTORY("resourceDirectory/"),
+ SRC_MAIN_RESOURCES("src/main/resources/"),
+ ROOT(""),
+ DOT_ESAPI(".esapi/"),
+ ESAPI("esapi/"),
+ RESOURCES("resources/");
+
+ private final String path;
+
+ private DefaultSearchPath(String s){
+ this.path = s;
+ }
+
+ public String value(){
+ return path;
+ }
+ }
+}
From 0123aa24af801825ed56c4b9ad11277f2e997740 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 29 May 2022 23:17:23 -0400
Subject: [PATCH 005/197] Reorganized by moving public stuff from this
implementation class to the new PropNames class. Also some misc code cleanup
such as removing extraneous whitespace at end of lines, etc.
---
.../DefaultSecurityConfiguration.java | 500 +++++++++++-------
1 file changed, 316 insertions(+), 184 deletions(-)
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
index f9cf95fe4..da64fd894 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -2,7 +2,7 @@
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
+ * Enterprise Security API (ESAPI) project. For details, please see{
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
@@ -36,6 +36,8 @@
import org.apache.commons.lang.text.StrTokenizer;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
+import org.owasp.esapi.PropNames; // <== Actual property names moved to here. Eventually we'll do static import.
+import org.owasp.esapi.PropNames.DefaultSearchPath;
import org.owasp.esapi.SecurityConfiguration;
import org.owasp.esapi.configuration.EsapiPropertyManager;
import org.owasp.esapi.errors.ConfigurationException;
@@ -63,10 +65,17 @@
* keys and passwords, logging locations, error thresholds, and allowed file extensions.
*
* WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
+ *
+ * DEPRECATION WARNING: All of the variables of the type '{@code public static final String}'
+ * are now declared and defined in the {@code org.owasp.esapi.PropNames}. These public fields
+ * representing property names and values in this class will be eventually deleted and
+ * no longer available, so please migrate to the corresponding names in {@code PropNames}. Removal of these
+ * public fields from this class will likely occur sometime in 2Q2024.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @author Jim Manico (jim .at. manico.net) Manico.net
- * @author Kevin Wall (kevin.w.wall .at. gmail.com)
+ * @author Kevin W. Wall (kevin.w.wall .at. gmail.com)
+ *
*/
public class DefaultSecurityConfiguration implements SecurityConfiguration {
@@ -82,123 +91,267 @@ public static SecurityConfiguration getInstance() {
}
return instance;
}
-
+
private Properties properties = null;
private String cipherXformFromESAPIProp = null; // New in ESAPI 2.0
- private String cipherXformCurrent = null; // New in ESAPI 2.0
-
- /** The name of the ESAPI property file */
- public static final String DEFAULT_RESOURCE_FILE = "ESAPI.properties";
-
- public static final String REMEMBER_TOKEN_DURATION = "Authenticator.RememberTokenDuration";
- public static final String IDLE_TIMEOUT_DURATION = "Authenticator.IdleTimeoutDuration";
- public static final String ABSOLUTE_TIMEOUT_DURATION = "Authenticator.AbsoluteTimeoutDuration";
- public static final String ALLOWED_LOGIN_ATTEMPTS = "Authenticator.AllowedLoginAttempts";
- public static final String USERNAME_PARAMETER_NAME = "Authenticator.UsernameParameterName";
- public static final String PASSWORD_PARAMETER_NAME = "Authenticator.PasswordParameterName";
- public static final String MAX_OLD_PASSWORD_HASHES = "Authenticator.MaxOldPasswordHashes";
-
- public static final String ALLOW_MULTIPLE_ENCODING = "Encoder.AllowMultipleEncoding";
- public static final String ALLOW_MIXED_ENCODING = "Encoder.AllowMixedEncoding";
- public static final String CANONICALIZATION_CODECS = "Encoder.DefaultCodecList";
-
- public static final String DISABLE_INTRUSION_DETECTION = "IntrusionDetector.Disable";
-
- public static final String MASTER_KEY = "Encryptor.MasterKey";
- public static final String MASTER_SALT = "Encryptor.MasterSalt";
- public static final String KEY_LENGTH = "Encryptor.EncryptionKeyLength";
- public static final String ENCRYPTION_ALGORITHM = "Encryptor.EncryptionAlgorithm";
- public static final String HASH_ALGORITHM = "Encryptor.HashAlgorithm";
- public static final String HASH_ITERATIONS = "Encryptor.HashIterations";
- public static final String CHARACTER_ENCODING = "Encryptor.CharacterEncoding";
- public static final String RANDOM_ALGORITHM = "Encryptor.RandomAlgorithm";
- public static final String DIGITAL_SIGNATURE_ALGORITHM = "Encryptor.DigitalSignatureAlgorithm";
- public static final String DIGITAL_SIGNATURE_KEY_LENGTH = "Encryptor.DigitalSignatureKeyLength";
+ private String cipherXformCurrent = null; // New in ESAPI 2.0
+
+ /** The name of the ESAPI property file.
+ * @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead.
+ */
+ @Deprecated public static final String DEFAULT_RESOURCE_FILE = PropNames.DEFAULT_RESOURCE_FILE;
+
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String REMEMBER_TOKEN_DURATION = PropNames.REMEMBER_TOKEN_DURATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String IDLE_TIMEOUT_DURATION = PropNames.IDLE_TIMEOUT_DURATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ABSOLUTE_TIMEOUT_DURATION = PropNames.ABSOLUTE_TIMEOUT_DURATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ALLOWED_LOGIN_ATTEMPTS = PropNames.ALLOWED_LOGIN_ATTEMPTS;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String USERNAME_PARAMETER_NAME = PropNames.USERNAME_PARAMETER_NAME;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String PASSWORD_PARAMETER_NAME = PropNames.PASSWORD_PARAMETER_NAME;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String MAX_OLD_PASSWORD_HASHES = PropNames.MAX_OLD_PASSWORD_HASHES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ALLOW_MULTIPLE_ENCODING = PropNames.ALLOW_MULTIPLE_ENCODING;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ALLOW_MIXED_ENCODING = PropNames.ALLOW_MIXED_ENCODING ;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String CANONICALIZATION_CODECS = PropNames.CANONICALIZATION_CODECS;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DISABLE_INTRUSION_DETECTION = PropNames.DISABLE_INTRUSION_DETECTION ;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String MASTER_KEY = PropNames.MASTER_KEY;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String MASTER_SALT = PropNames.MASTER_SALT;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String KEY_LENGTH = PropNames.KEY_LENGTH;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ENCRYPTION_ALGORITHM = PropNames.ENCRYPTION_ALGORITHM;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String HASH_ALGORITHM = PropNames.HASH_ALGORITHM;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String HASH_ITERATIONS = PropNames.HASH_ITERATIONS;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String CHARACTER_ENCODING = PropNames.CHARACTER_ENCODING;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String RANDOM_ALGORITHM = PropNames.RANDOM_ALGORITHM;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DIGITAL_SIGNATURE_ALGORITHM = PropNames.DIGITAL_SIGNATURE_ALGORITHM;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DIGITAL_SIGNATURE_KEY_LENGTH = PropNames.DIGITAL_SIGNATURE_KEY_LENGTH;
+
// ==================================//
- // New in ESAPI Java 2.x //
+ // New in ESAPI Java 2.x //
// ================================= //
- public static final String PREFERRED_JCE_PROVIDER = "Encryptor.PreferredJCEProvider";
- public static final String CIPHER_TRANSFORMATION_IMPLEMENTATION = "Encryptor.CipherTransformation";
- public static final String CIPHERTEXT_USE_MAC = "Encryptor.CipherText.useMAC";
- public static final String PLAINTEXT_OVERWRITE = "Encryptor.PlainText.overwrite";
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String PREFERRED_JCE_PROVIDER = PropNames.PREFERRED_JCE_PROVIDER;
- @Deprecated
- public static final String IV_TYPE = "Encryptor.ChooseIVMethod"; // Will be removed in future release.
-
- public static final String COMBINED_CIPHER_MODES = "Encryptor.cipher_modes.combined_modes";
- public static final String ADDITIONAL_ALLOWED_CIPHER_MODES = "Encryptor.cipher_modes.additional_allowed";
- public static final String KDF_PRF_ALG = "Encryptor.KDF.PRF";
- public static final String PRINT_PROPERTIES_WHEN_LOADED = "ESAPI.printProperties";
-
- public static final String WORKING_DIRECTORY = "Executor.WorkingDirectory";
- public static final String APPROVED_EXECUTABLES = "Executor.ApprovedExecutables";
-
- public static final String FORCE_HTTPONLYSESSION = "HttpUtilities.ForceHttpOnlySession";
- public static final String FORCE_SECURESESSION = "HttpUtilities.SecureSession";
- public static final String FORCE_HTTPONLYCOOKIES = "HttpUtilities.ForceHttpOnlyCookies";
- public static final String FORCE_SECURECOOKIES = "HttpUtilities.ForceSecureCookies";
- public static final String MAX_HTTP_HEADER_SIZE = "HttpUtilities.MaxHeaderSize";
- public static final String UPLOAD_DIRECTORY = "HttpUtilities.UploadDir";
- public static final String UPLOAD_TEMP_DIRECTORY = "HttpUtilities.UploadTempDir";
- public static final String APPROVED_UPLOAD_EXTENSIONS = "HttpUtilities.ApprovedUploadExtensions";
- public static final String MAX_UPLOAD_FILE_BYTES = "HttpUtilities.MaxUploadFileBytes";
- public static final String RESPONSE_CONTENT_TYPE = "HttpUtilities.ResponseContentType";
- public static final String HTTP_SESSION_ID_NAME = "HttpUtilities.HttpSessionIdName";
-
- public static final String APPLICATION_NAME = "Logger.ApplicationName";
- public static final String LOG_ENCODING_REQUIRED = "Logger.LogEncodingRequired";
- public static final String LOG_APPLICATION_NAME = "Logger.LogApplicationName";
- public static final String LOG_SERVER_IP = "Logger.LogServerIP";
- public static final String LOG_USER_INFO = "Logger.UserInfo";
- public static final String LOG_CLIENT_INFO = "Logger.ClientInfo";
- public static final String VALIDATION_PROPERTIES = "Validator.ConfigurationFile";
- public static final String VALIDATION_PROPERTIES_MULTIVALUED = "Validator.ConfigurationFile.MultiValued";
- public static final String ACCEPT_LENIENT_DATES = "Validator.AcceptLenientDates";
- public static final String VALIDATOR_HTML_VALIDATION_ACTION = "Validator.HtmlValidationAction";
- public static final String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE = "Validator.HtmlValidationConfigurationFile";
-
- /**
- * Special {@code System} property that, if set to {@code true}, will
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String CIPHER_TRANSFORMATION_IMPLEMENTATION = PropNames.CIPHER_TRANSFORMATION_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String CIPHERTEXT_USE_MAC = PropNames.CIPHERTEXT_USE_MAC;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String PLAINTEXT_OVERWRITE = PropNames.PLAINTEXT_OVERWRITE;
+
+ @Deprecated public static final String IV_TYPE = PropNames.IV_TYPE; // Will be removed in future release.
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String COMBINED_CIPHER_MODES = PropNames.COMBINED_CIPHER_MODES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ADDITIONAL_ALLOWED_CIPHER_MODES = PropNames.ADDITIONAL_ALLOWED_CIPHER_MODES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String KDF_PRF_ALG = PropNames.KDF_PRF_ALG;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String PRINT_PROPERTIES_WHEN_LOADED = PropNames.PRINT_PROPERTIES_WHEN_LOADED;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String WORKING_DIRECTORY = PropNames.WORKING_DIRECTORY;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String APPROVED_EXECUTABLES = PropNames.APPROVED_EXECUTABLES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String FORCE_HTTPONLYSESSION = PropNames.FORCE_HTTPONLYSESSION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String FORCE_SECURESESSION = PropNames.FORCE_SECURESESSION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String FORCE_HTTPONLYCOOKIES = PropNames.FORCE_HTTPONLYCOOKIES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String FORCE_SECURECOOKIES = PropNames.FORCE_SECURECOOKIES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String MAX_HTTP_HEADER_SIZE = PropNames.MAX_HTTP_HEADER_SIZE;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String UPLOAD_DIRECTORY = PropNames.UPLOAD_DIRECTORY;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String UPLOAD_TEMP_DIRECTORY = PropNames.UPLOAD_TEMP_DIRECTORY;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String APPROVED_UPLOAD_EXTENSIONS = PropNames.APPROVED_UPLOAD_EXTENSIONS;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String MAX_UPLOAD_FILE_BYTES = PropNames.MAX_UPLOAD_FILE_BYTES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String RESPONSE_CONTENT_TYPE = PropNames.RESPONSE_CONTENT_TYPE;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String HTTP_SESSION_ID_NAME = PropNames.HTTP_SESSION_ID_NAME;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String APPLICATION_NAME = PropNames.APPLICATION_NAME;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String LOG_ENCODING_REQUIRED = PropNames.LOG_ENCODING_REQUIRED;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String LOG_APPLICATION_NAME = PropNames.LOG_APPLICATION_NAME;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String LOG_SERVER_IP = PropNames.LOG_SERVER_IP;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String LOG_USER_INFO = PropNames.LOG_USER_INFO;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String LOG_CLIENT_INFO = PropNames.LOG_CLIENT_INFO;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String VALIDATION_PROPERTIES = PropNames.VALIDATION_PROPERTIES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String VALIDATION_PROPERTIES_MULTIVALUED = PropNames.VALIDATION_PROPERTIES_MULTIVALUED;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ACCEPT_LENIENT_DATES = PropNames.ACCEPT_LENIENT_DATES;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String VALIDATOR_HTML_VALIDATION_ACTION = PropNames.VALIDATOR_HTML_VALIDATION_ACTION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE = PropNames.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE;
+
+ /**
+ * Special {@code java.lang.System} property that, if set to {@code true}, will
* disable logging from {@code DefaultSecurityConfiguration.logToStdout()}
* methods, which is called from various {@code logSpecial()} methods.
* @see org.owasp.esapi.reference.DefaultSecurityConfiguration#logToStdout(String msg, Throwable t)
+ * @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead.
*/
- public static final String DISCARD_LOGSPECIAL = "org.owasp.esapi.logSpecial.discard";
+ @Deprecated public static final String DISCARD_LOGSPECIAL = PropNames.DISCARD_LOGSPECIAL;
// We assume that this does not change in the middle of processing the
// ESAPI.properties files and thus only fetch its value once.
- private static final String logSpecialValue = System.getProperty(DISCARD_LOGSPECIAL, "false");
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated private static final String logSpecialValue = System.getProperty( PropNames.DISCARD_LOGSPECIAL, "false" );
protected final int MAX_REDIRECT_LOCATION = 1000;
-
+
+
/*
* Implementation Keys
*/
- public static final String LOG_IMPLEMENTATION = "ESAPI.Logger";
- public static final String AUTHENTICATION_IMPLEMENTATION = "ESAPI.Authenticator";
- public static final String ENCODER_IMPLEMENTATION = "ESAPI.Encoder";
- public static final String ACCESS_CONTROL_IMPLEMENTATION = "ESAPI.AccessControl";
- public static final String ENCRYPTION_IMPLEMENTATION = "ESAPI.Encryptor";
- public static final String INTRUSION_DETECTION_IMPLEMENTATION = "ESAPI.IntrusionDetector";
- public static final String RANDOMIZER_IMPLEMENTATION = "ESAPI.Randomizer";
- public static final String EXECUTOR_IMPLEMENTATION = "ESAPI.Executor";
- public static final String VALIDATOR_IMPLEMENTATION = "ESAPI.Validator";
- public static final String HTTP_UTILITIES_IMPLEMENTATION = "ESAPI.HTTPUtilities";
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String LOG_IMPLEMENTATION = PropNames.LOG_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String AUTHENTICATION_IMPLEMENTATION = PropNames.AUTHENTICATION_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ENCODER_IMPLEMENTATION = PropNames.ENCODER_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ACCESS_CONTROL_IMPLEMENTATION = PropNames.ACCESS_CONTROL_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String ENCRYPTION_IMPLEMENTATION = PropNames.ENCRYPTION_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String INTRUSION_DETECTION_IMPLEMENTATION = PropNames.INTRUSION_DETECTION_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String RANDOMIZER_IMPLEMENTATION = PropNames.RANDOMIZER_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String EXECUTOR_IMPLEMENTATION = PropNames.EXECUTOR_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String VALIDATOR_IMPLEMENTATION = PropNames.VALIDATOR_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String HTTP_UTILITIES_IMPLEMENTATION = PropNames.HTTP_UTILITIES_IMPLEMENTATION;
+
/*
* Default Implementations
*/
- public static final String DEFAULT_LOG_IMPLEMENTATION = "org.owasp.esapi.logging.java.JavaLogFactory";
- public static final String DEFAULT_AUTHENTICATION_IMPLEMENTATION = "org.owasp.esapi.reference.FileBasedAuthenticator";
- public static final String DEFAULT_ENCODER_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultEncoder";
- public static final String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultAccessController";
- public static final String DEFAULT_ENCRYPTION_IMPLEMENTATION = "org.owasp.esapi.reference.crypto.JavaEncryptor";
- public static final String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultIntrusionDetector";
- public static final String DEFAULT_RANDOMIZER_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultRandomizer";
- public static final String DEFAULT_EXECUTOR_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultExecutor";
- public static final String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultHTTPUtilities";
- public static final String DEFAULT_VALIDATOR_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultValidator";
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_LOG_IMPLEMENTATION = PropNames.DEFAULT_LOG_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_AUTHENTICATION_IMPLEMENTATION = PropNames.DEFAULT_AUTHENTICATION_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_ENCODER_IMPLEMENTATION = PropNames.DEFAULT_ENCODER_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION = PropNames.DEFAULT_ACCESS_CONTROL_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_ENCRYPTION_IMPLEMENTATION = PropNames.DEFAULT_ENCRYPTION_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION = PropNames.DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_RANDOMIZER_IMPLEMENTATION = PropNames.DEFAULT_RANDOMIZER_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_EXECUTOR_IMPLEMENTATION = PropNames.DEFAULT_EXECUTOR_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION = PropNames.DEFAULT_HTTP_UTILITIES_IMPLEMENTATION;
+
+ /** @deprecated Use same field name, but from {@code org.owasp.esapi.PropNames} instead. */
+ @Deprecated public static final String DEFAULT_VALIDATOR_IMPLEMENTATION = PropNames.DEFAULT_VALIDATOR_IMPLEMENTATION;
private static final Map patternCache = new HashMap();
@@ -220,11 +373,10 @@ public static SecurityConfiguration getInstance() {
private final String resourceFile;
private EsapiPropertyManager esapiPropertyManager;
-// private static long lastModified = -1;
/**
- * Instantiates a new configuration, using the provided property file name
- *
+ * Instantiates a new configuration, using the provided property file name.
+ *
* @param resourceFile The name of the property file to load
*/
DefaultSecurityConfiguration(String resourceFile) {
@@ -239,13 +391,13 @@ public static SecurityConfiguration getInstance() {
throw new ConfigurationException("Failed to load security configuration", e);
}
}
-
+
/**
* Instantiates a new configuration with the supplied properties.
- *
+ *
* Warning - if the setResourceDirectory() method is invoked the properties will
* be re-loaded, replacing the supplied properties.
- *
+ *
* @param properties
*/
public DefaultSecurityConfiguration(Properties properties) {
@@ -257,10 +409,10 @@ public DefaultSecurityConfiguration(Properties properties) {
logSpecial("Failed to load security configuration", e );
throw new ConfigurationException("Failed to load security configuration", e);
}
- this.properties = properties;
+ this.properties = properties;
this.setCipherXProperties();
}
-
+
/**
* Instantiates a new configuration.
*/
@@ -438,7 +590,7 @@ private Properties loadPropertiesFromStream( InputStream is, String name ) throw
/**
* Load configuration. Never prints properties.
- *
+ *
* @throws java.io.IOException
* if the file is inaccessible
*/
@@ -447,34 +599,33 @@ protected void loadConfiguration() throws IOException {
//first attempt file IO loading of properties
logSpecial("Attempting to load " + resourceFile + " via file I/O.");
properties = loadPropertiesFromStream(getResourceStream(resourceFile), resourceFile);
-
} catch (Exception iae) {
//if file I/O loading fails, attempt classpath based loading next
logSpecial("Loading " + resourceFile + " via file I/O failed. Exception was: " + iae);
logSpecial("Attempting to load " + resourceFile + " via the classpath.");
try {
properties = loadConfigurationFromClasspath(resourceFile);
- } catch (Exception e) {
+ } catch (Exception e) {
logSpecial(resourceFile + " could not be loaded by any means. Fail.", e);
throw new ConfigurationException(resourceFile + " could not be loaded by any means. Fail.", e);
- }
+ }
}
-
+
// if properties loaded properly above, get validation properties and merge them into the main properties
if (properties != null) {
final Iterator validationPropFileNames;
-
+
//defaults to single-valued for backwards compatibility
final boolean multivalued= getESAPIProperty(VALIDATION_PROPERTIES_MULTIVALUED, false);
final String validationPropValue = getESAPIProperty(VALIDATION_PROPERTIES, "validation.properties");
-
+
if(multivalued){
- // the following cast warning goes away if the apache commons lib is updated to current version
+ // the following cast warning goes away if the apache commons lib is updated to current version
validationPropFileNames = StrTokenizer.getCSVInstance(validationPropValue);
} else {
validationPropFileNames = Collections.singletonList(validationPropValue).iterator();
}
-
+
//clear any cached validation patterns so they can be reloaded from validation.properties
patternCache.clear();
while(validationPropFileNames.hasNext()){
@@ -484,18 +635,17 @@ protected void loadConfiguration() throws IOException {
//first attempt file IO loading of properties
logSpecial("Attempting to load " + validationPropFileName + " via file I/O.");
validationProperties = loadPropertiesFromStream(getResourceStream(validationPropFileName), validationPropFileName);
-
} catch (Exception iae) {
//if file I/O loading fails, attempt classpath based loading next
logSpecial("Loading " + validationPropFileName + " via file I/O failed.");
- logSpecial("Attempting to load " + validationPropFileName + " via the classpath.");
+ logSpecial("Attempting to load " + validationPropFileName + " via the classpath.");
try {
validationProperties = loadConfigurationFromClasspath(validationPropFileName);
- } catch (Exception e) {
+ } catch (Exception e) {
logSpecial(validationPropFileName + " could not be loaded by any means. fail.", e);
- }
+ }
}
-
+
if (validationProperties != null) {
Iterator> i = validationProperties.keySet().iterator();
while( i.hasNext() ) {
@@ -504,27 +654,29 @@ protected void loadConfiguration() throws IOException {
properties.put( key, value);
}
}
-
+
if ( shouldPrintProperties() ) {
-
- //FIXME - make this chunk configurable
- /*
- logSpecial(" ========Master Configuration========", null);
- //logSpecial( " ResourceDirectory: " + DefaultSecurityConfiguration.resourceDirectory );
- Iterator j = new TreeSet( properties.keySet() ).iterator();
- while (j.hasNext()) {
- String key = (String)j.next();
- // print out properties, but not sensitive ones like MasterKey and MasterSalt
- if ( !key.contains( "Master" ) ) {
- logSpecial(" | " + key + "=" + properties.get(key), null);
- }
+ // Gotta give them something.
+ logSpecial("DefaultSecurityConfiguration: The code to print all the properties is currently commented out");
+
+ //FIXME - make this chunk configurable
+ /*
+ logSpecial(" ========Master Configuration========", null);
+ //logSpecial( " ResourceDirectory: " + DefaultSecurityConfiguration.resourceDirectory );
+ Iterator j = new TreeSet( properties.keySet() ).iterator();
+ while (j.hasNext()) {
+ String key = (String)j.next();
+ // print out properties, but not sensitive ones like MasterKey and MasterSalt
+ if ( !key.contains( "Master" ) ) {
+ logSpecial(" | " + key + "=" + properties.get(key), null);
+ }
+ }
+ */
}
- */
- }
}
}
- }
-
+ }
+
/**
* @param filename
* @return An {@code InputStream} associated with the specified file name as
@@ -547,7 +699,7 @@ public InputStream getResourceStream(String filename) throws IOException {
throw new FileNotFoundException();
}
-
+
/**
* {@inheritDoc}
*/
@@ -623,9 +775,10 @@ public File getResourceFile(String filename) {
// return null if not found
return null;
}
-
+
/**
- * Used to load ESAPI.properties from a variety of different classpath locations.
+ * Used to load ESAPI.properties from a variety of different classpath locations. The order is described in the
+ * class overview Javadoc for this class.
*
* @param fileName The properties file filename.
*/
@@ -636,7 +789,7 @@ private Properties loadConfigurationFromClasspath(String fileName) throws Illega
ClassLoader[] loaders = new ClassLoader[] {
Thread.currentThread().getContextClassLoader(),
ClassLoader.getSystemClassLoader(),
- getClass().getClassLoader()
+ getClass().getClassLoader()
};
String[] classLoaderNames = {
"current thread context class loader",
@@ -658,7 +811,7 @@ private Properties loadConfigurationFromClasspath(String fileName) throws Illega
// in = loaders[i].getResourceAsStream(fileName);
//
in = loaders[i].getResourceAsStream(DefaultSearchPath.ROOT.value() + fileName);
-
+
// try resourceDirectory folder
if (in == null) {
currentClasspathSearchLocation = resourceDirectory + "/";
@@ -669,26 +822,26 @@ private Properties loadConfigurationFromClasspath(String fileName) throws Illega
if (in == null) {
currentClasspathSearchLocation = ".esapi/";
in = currentLoader.getResourceAsStream(DefaultSearchPath.DOT_ESAPI.value() + fileName);
- }
-
+ }
+
// try esapi folder (new directory)
if (in == null) {
currentClasspathSearchLocation = "esapi/";
in = currentLoader.getResourceAsStream(DefaultSearchPath.ESAPI.value() + fileName);
- }
-
+ }
+
// try resources folder
if (in == null) {
currentClasspathSearchLocation = "resources/";
in = currentLoader.getResourceAsStream(DefaultSearchPath.RESOURCES.value() + fileName);
}
-
+
// try src/main/resources folder
if (in == null) {
currentClasspathSearchLocation = "src/main/resources/";
in = currentLoader.getResourceAsStream(DefaultSearchPath.SRC_MAIN_RESOURCES.value() + fileName);
}
-
+
// now load the properties
if (in != null) {
result = new Properties();
@@ -699,7 +852,6 @@ private Properties loadConfigurationFromClasspath(String fileName) throws Illega
}
} catch (Exception e) {
result = null;
-
} finally {
try {
in.close();
@@ -749,7 +901,7 @@ public final synchronized static void logToStdout(String msg, Throwable t) {
"; exception message was: " + t);
}
}
-
+
/**
* Used to log errors to the console during the loading of the properties file itself. Can't use
* standard logging in this case, since the Logger may not be initialized yet. Output is sent to
@@ -834,7 +986,7 @@ public boolean useMACforCipherText() {
public boolean overwritePlainText() {
return getESAPIProperty(PLAINTEXT_OVERWRITE, true);
}
-
+
/**
* {@inheritDoc}
*/
@@ -965,7 +1117,7 @@ public File getUploadTempDirectory() {
);
return new File( dir );
}
-
+
/**
* {@inheritDoc}
*/
@@ -1064,7 +1216,7 @@ public String getResponseContentType() {
public String getHttpSessionIdName() {
return getESAPIProperty( HTTP_SESSION_ID_NAME, "JSESSIONID" );
}
-
+
/**
* {@inheritDoc}
*/
@@ -1126,13 +1278,13 @@ public File getWorkingDirectory() {
}
return null;
}
-
+
/**
* {@inheritDoc}
*/
public String getPreferredJCEProvider() {
return properties.getProperty(PREFERRED_JCE_PROVIDER); // No default!
- }
+ }
/**
* {@inheritDoc}
@@ -1151,7 +1303,7 @@ public List getAdditionalAllowedCipherModes()
List empty = new ArrayList(); // Default is empty list
return getESAPIProperty(ADDITIONAL_ALLOWED_CIPHER_MODES, empty);
}
-
+
/**
* {@inheritDoc}
*/
@@ -1214,7 +1366,7 @@ protected int getESAPIProperty( String key, int def ) {
/**
* Returns a {@code List} representing the parsed, comma-separated property.
- *
+ *
* @param key The specified property name
* @param def A default value for the property name to return if the property
* is not set.
@@ -1233,9 +1385,9 @@ protected List getESAPIProperty( String key, List def ) {
/**
* {@inheritDoc}
* Looks for property in three configuration files in following order:
- * 1.) In file defined as org.owasp.esapi.opsteam system property
- * 2.) In file defined as org.owasp.esapi.devteam system property
- * 3.) In ESAPI.properties*
+ * 1.) In file defined as org.owasp.esapi.opsteam system property
+ * 2.) In file defined as org.owasp.esapi.devteam system property
+ * 3.) In ESAPI.properties
*/
@Override
public int getIntProp(String propertyName) throws ConfigurationException {
@@ -1255,8 +1407,8 @@ public int getIntProp(String propertyName) throws ConfigurationException {
/**
* {@inheritDoc}
* Looks for property in three configuration files in following order:
- * 1.) In file defined as org.owasp.esapi.opsteam system property
- * 2.) In file defined as org.owasp.esapi.devteam system property
+ * 1.) In file defined as org.owasp.esapi.opsteam system property
+ * 2.) In file defined as org.owasp.esapi.devteam system property
* 3.) In ESAPI.properties
*/
@Override
@@ -1278,10 +1430,10 @@ public byte[] getByteArrayProp(String propertyName) throws ConfigurationExceptio
}
/**
- * {@inheritDoc}
+ * {@inheritDoc}
* Looks for property in three configuration files in following order:
- * 1.) In file defined as org.owasp.esapi.opsteam system property
- * 2.) In file defined as org.owasp.esapi.devteam system property
+ * 1.) In file defined as org.owasp.esapi.opsteam system property
+ * 2.) In file defined as org.owasp.esapi.devteam system property
* 3.) In ESAPI.properties
*/
@Override
@@ -1332,24 +1484,4 @@ protected boolean shouldPrintProperties() {
protected Properties getESAPIProperties() {
return properties;
}
-
- public enum DefaultSearchPath {
-
- RESOURCE_DIRECTORY("resourceDirectory/"),
- SRC_MAIN_RESOURCES("src/main/resources/"),
- ROOT(""),
- DOT_ESAPI(".esapi/"),
- ESAPI("esapi/"),
- RESOURCES("resources/");
-
- private final String path;
-
- private DefaultSearchPath(String s){
- this.path = s;
- }
-
- public String value(){
- return path;
- }
- }
}
From acae408f64be2eafc8b0d7b505f7e7420a8eedc4 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 29 May 2022 23:28:06 -0400
Subject: [PATCH 006/197] Issue #620 - changed DefaultSecurityConfiguration
refs to PropNames.
---
.../esapi/crypto/KeyDerivationFunction.java | 7 +-
.../errors/EnterpriseSecurityException.java | 7 +-
.../esapi/logging/java/JavaLogFactory.java | 21 +++--
.../esapi/logging/log4j/Log4JLogFactory.java | 21 +++--
.../logging/log4j/Log4JLoggerFactory.java | 20 +++--
.../esapi/logging/slf4j/Slf4JLogFactory.java | 20 +++--
.../validation/HTMLValidationRule.java | 19 ++--
.../filters/SecurityWrapperRequestTest.java | 3 +-
.../filters/SecurityWrapperResponseTest.java | 2 +-
.../DefaultSecurityConfigurationTest.java | 88 ++++++++++---------
.../validation/DateValidationRuleTest.java | 4 +-
.../HTMLValidationRuleClasspathTest.java | 6 +-
.../HTMLValidationRuleCleanTest.java | 3 +-
.../HTMLValidationRuleThrowsTest.java | 3 +-
14 files changed, 124 insertions(+), 100 deletions(-)
diff --git a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java
index cc50b5ee8..51032eec7 100644
--- a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java
+++ b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java
@@ -21,7 +21,7 @@
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.ConfigurationException;
import org.owasp.esapi.errors.EncryptionException;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+import static org.owasp.esapi.PropNames.KDF_PRF_ALG;
import org.owasp.esapi.util.ByteConversionUtil;
/**
@@ -133,7 +133,7 @@ public KeyDerivationFunction() {
if ( ! KeyDerivationFunction.isValidPRF(prfName) ) {
throw new ConfigurationException("Algorithm name " + prfName +
" not a valid algorithm name for property " +
- DefaultSecurityConfiguration.KDF_PRF_ALG);
+ KDF_PRF_ALG);
}
prfAlg_ = prfName;
}
@@ -159,8 +159,7 @@ static int getDefaultPRFSelection() {
}
}
throw new ConfigurationException("Algorithm name " + prfName +
- " not a valid algorithm name for property " +
- DefaultSecurityConfiguration.KDF_PRF_ALG);
+ " not a valid algorithm name for property " + KDF_PRF_ALG);
}
/**
diff --git a/src/main/java/org/owasp/esapi/errors/EnterpriseSecurityException.java b/src/main/java/org/owasp/esapi/errors/EnterpriseSecurityException.java
index 1be227524..4e05d0cf7 100644
--- a/src/main/java/org/owasp/esapi/errors/EnterpriseSecurityException.java
+++ b/src/main/java/org/owasp/esapi/errors/EnterpriseSecurityException.java
@@ -18,12 +18,7 @@
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
-// At some point, all these property names will be moved to a new class named
-// org.owasp.esapi.PropNames
-// but until then, while this is an ugly kludge, we are importing it via a
-// reference implementation class until we have a chance to clean it up.
-// (Note: kwwall's Bitbucket code already has that class.)
-import static org.owasp.esapi.reference.DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION;
+import static org.owasp.esapi.PropNames.DISABLE_INTRUSION_DETECTION;
/**
diff --git a/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java b/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
index 016c37dde..038d19b5e 100644
--- a/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
@@ -33,7 +33,14 @@
import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
import org.owasp.esapi.logging.cleaning.LogScrubber;
import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
+
/**
* LogFactory implementation which creates JAVA supporting Loggers.
*
@@ -55,15 +62,15 @@ public class JavaLogFactory implements LogFactory {
private static JavaLogBridge LOG_BRIDGE;
static {
- boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+ boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
JAVA_LOG_SCRUBBER = createLogScrubber(encodeLog);
- boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
- boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
- boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
- String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
- boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+ boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+ boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+ boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+ String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+ boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
JAVA_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
Map levelLookup = new HashMap<>();
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java
index 0f318600a..a71cf3141 100644
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java
@@ -29,7 +29,14 @@
import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
import org.owasp.esapi.logging.cleaning.LogScrubber;
import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
+
/**
* LogFactory implementation which creates Log4J supporting Loggers.
*
@@ -48,15 +55,15 @@ public class Log4JLogFactory implements LogFactory {
private static Log4JLogBridge LOG_BRIDGE;
static {
- boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+ boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
Log4J_LOG_SCRUBBER = createLogScrubber(encodeLog);
- boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
- boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
- boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
- String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
- boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+ boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+ boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+ boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+ String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+ boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
Log4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
Map levelLookup = new HashMap<>();
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java
index 931ae6267..91dd0da4f 100644
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java
@@ -20,7 +20,13 @@
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.logging.appender.LogAppender;
import org.owasp.esapi.logging.cleaning.LogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
/**
* Service Provider Interface implementation that can be provided as the org.apache.log4j.spi.LoggerFactory reference in a Log4J configuration.
@@ -37,14 +43,14 @@ public class Log4JLoggerFactory implements LoggerFactory {
private static LogScrubber LOG4J_LOG_SCRUBBER;
static {
- boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+ boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
LOG4J_LOG_SCRUBBER = Log4JLogFactory.createLogScrubber(encodeLog);
- boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
- boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
- boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
- String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
- boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+ boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+ boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+ boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+ String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+ boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
LOG4J_LOG_APPENDER = Log4JLogFactory.createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
}
diff --git a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
index 85341b2df..d2e6c6305 100644
--- a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
@@ -29,7 +29,13 @@
import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
import org.owasp.esapi.logging.cleaning.LogScrubber;
import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
import org.slf4j.LoggerFactory;
/**
* LogFactory implementation which creates SLF4J supporting Loggers.
@@ -54,15 +60,15 @@ public class Slf4JLogFactory implements LogFactory {
private static Slf4JLogBridge LOG_BRIDGE;
static {
- boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+ boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
SLF4J_LOG_SCRUBBER = createLogScrubber(encodeLog);
- boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
- boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
- boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
- String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
- boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+ boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+ boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+ boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+ String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+ boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
SLF4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
Map levelLookup = new HashMap<>();
diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
index 41e60e697..e813a0222 100644
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
@@ -30,7 +30,10 @@
import org.owasp.esapi.StringUtilities;
import org.owasp.esapi.errors.ConfigurationException;
import org.owasp.esapi.errors.ValidationException;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration.DefaultSearchPath;
+import org.owasp.esapi.PropNames.DefaultSearchPath;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_ACTION;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE;
+
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
@@ -106,13 +109,11 @@ public class HTMLValidationRule extends StringValidationRule {
/*package */ static String resolveAntisamyFilename() {
String antisamyPolicyFilename = ANTISAMYPOLICY_FILENAME;
try {
- antisamyPolicyFilename = ESAPI.securityConfiguration().getStringProp(
- // Future: This will be moved to a new PropNames class
- org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE );
+ antisamyPolicyFilename = ESAPI.securityConfiguration().getStringProp( VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE );
} catch (ConfigurationException cex) {
LOGGER.info(Logger.EVENT_FAILURE, "ESAPI property " +
- org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE +
+ VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE +
" not set, using default value: " + ANTISAMYPOLICY_FILENAME);
}
return antisamyPolicyFilename;
@@ -197,9 +198,7 @@ private boolean legacyHtmlValidation() {
// Hindsight: maybe we should have getBooleanProp(), getStringProp(),
// getIntProp() methods that take a default arg as well?
// At least for ESAPI 3.x.
- propValue = ESAPI.securityConfiguration().getStringProp(
- // Future: This will be moved to a new PropNames class
- org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION );
+ propValue = ESAPI.securityConfiguration().getStringProp( VALIDATOR_HTML_VALIDATION_ACTION );
switch ( propValue.toLowerCase() ) {
case "throw":
legacy = false; // New, presumably correct behavior, as addressed by GitHub issue 509
@@ -209,7 +208,7 @@ private boolean legacyHtmlValidation() {
break;
default:
LOGGER.warning(Logger.EVENT_FAILURE, "ESAPI property " +
- org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION +
+ VALIDATOR_HTML_VALIDATION_ACTION +
" was set to \"" + propValue + "\". Must be set to either \"clean\"" +
" (the default for legacy support) or \"throw\"; assuming \"clean\" for legacy behavior.");
legacy = true;
@@ -219,7 +218,7 @@ private boolean legacyHtmlValidation() {
// OPEN ISSUE: Should we log this? I think so. Convince me otherwise. But maybe
// we should only log it once or every Nth time??
LOGGER.warning(Logger.EVENT_FAILURE, "ESAPI property " +
- org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION +
+ VALIDATOR_HTML_VALIDATION_ACTION +
" must be set to either \"clean\" (the default for legacy support) or \"throw\"; assuming \"clean\"",
cex);
}
diff --git a/src/test/java/org/owasp/esapi/filters/SecurityWrapperRequestTest.java b/src/test/java/org/owasp/esapi/filters/SecurityWrapperRequestTest.java
index d7faddb8a..e7ee596e0 100644
--- a/src/test/java/org/owasp/esapi/filters/SecurityWrapperRequestTest.java
+++ b/src/test/java/org/owasp/esapi/filters/SecurityWrapperRequestTest.java
@@ -22,8 +22,7 @@
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
-// A hack for now; eventually, I plan to move this into a new org.owasp.esapi.PropNames class. -kww
-import static org.owasp.esapi.reference.DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION;
+import static org.owasp.esapi.PropNames.DISABLE_INTRUSION_DETECTION;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
diff --git a/src/test/java/org/owasp/esapi/filters/SecurityWrapperResponseTest.java b/src/test/java/org/owasp/esapi/filters/SecurityWrapperResponseTest.java
index 499da8799..951a57e5b 100644
--- a/src/test/java/org/owasp/esapi/filters/SecurityWrapperResponseTest.java
+++ b/src/test/java/org/owasp/esapi/filters/SecurityWrapperResponseTest.java
@@ -6,7 +6,7 @@
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
-import static org.owasp.esapi.reference.DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION;
+import static org.owasp.esapi.PropNames.DISABLE_INTRUSION_DETECTION;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
diff --git a/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java b/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java
index 6fd6d3ef4..225a8b117 100644
--- a/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java
+++ b/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java
@@ -16,7 +16,9 @@
import org.owasp.esapi.Logger;
import org.owasp.esapi.SecurityConfiguration;
import org.owasp.esapi.errors.ConfigurationException;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration.DefaultSearchPath;
+import org.owasp.esapi.PropNames.DefaultSearchPath;
+
+import static org.owasp.esapi.PropNames.*;
public class DefaultSecurityConfigurationTest {
@@ -29,7 +31,7 @@ private DefaultSecurityConfiguration createWithProperty(String key, String val)
@Test
public void testGetApplicationName() {
final String expected = "ESAPI_UnitTests";
- DefaultSecurityConfiguration secConf = this.createWithProperty(DefaultSecurityConfiguration.APPLICATION_NAME, expected);
+ DefaultSecurityConfiguration secConf = this.createWithProperty(APPLICATION_NAME, expected);
assertEquals(expected, secConf.getApplicationName());
}
@@ -37,10 +39,10 @@ public void testGetApplicationName() {
public void testGetLogImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_LOG_IMPLEMENTATION, secConf.getLogImplementation());
+ assertEquals(DEFAULT_LOG_IMPLEMENTATION, secConf.getLogImplementation());
final String expected = "TestLogger";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.LOG_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(LOG_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getLogImplementation());
}
@@ -48,10 +50,10 @@ public void testGetLogImplementation() {
public void testAuthenticationImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_AUTHENTICATION_IMPLEMENTATION, secConf.getAuthenticationImplementation());
+ assertEquals(DEFAULT_AUTHENTICATION_IMPLEMENTATION, secConf.getAuthenticationImplementation());
final String expected = "TestAuthentication";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.AUTHENTICATION_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(AUTHENTICATION_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getAuthenticationImplementation());
}
@@ -59,10 +61,10 @@ public void testAuthenticationImplementation() {
public void testEncoderImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_ENCODER_IMPLEMENTATION, secConf.getEncoderImplementation());
+ assertEquals(DEFAULT_ENCODER_IMPLEMENTATION, secConf.getEncoderImplementation());
final String expected = "TestEncoder";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.ENCODER_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(ENCODER_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getEncoderImplementation());
}
@@ -70,10 +72,10 @@ public void testEncoderImplementation() {
public void testAccessControlImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_ACCESS_CONTROL_IMPLEMENTATION, secConf.getAccessControlImplementation());
+ assertEquals(DEFAULT_ACCESS_CONTROL_IMPLEMENTATION, secConf.getAccessControlImplementation());
final String expected = "TestAccessControl";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.ACCESS_CONTROL_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(ACCESS_CONTROL_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getAccessControlImplementation());
}
@@ -81,10 +83,10 @@ public void testAccessControlImplementation() {
public void testEncryptionImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_ENCRYPTION_IMPLEMENTATION, secConf.getEncryptionImplementation());
+ assertEquals(DEFAULT_ENCRYPTION_IMPLEMENTATION, secConf.getEncryptionImplementation());
final String expected = "TestEncryption";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.ENCRYPTION_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(ENCRYPTION_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getEncryptionImplementation());
}
@@ -92,10 +94,10 @@ public void testEncryptionImplementation() {
public void testIntrusionDetectionImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION, secConf.getIntrusionDetectionImplementation());
+ assertEquals(DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION, secConf.getIntrusionDetectionImplementation());
final String expected = "TestIntrusionDetection";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.INTRUSION_DETECTION_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(INTRUSION_DETECTION_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getIntrusionDetectionImplementation());
}
@@ -103,10 +105,10 @@ public void testIntrusionDetectionImplementation() {
public void testRandomizerImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_RANDOMIZER_IMPLEMENTATION, secConf.getRandomizerImplementation());
+ assertEquals(DEFAULT_RANDOMIZER_IMPLEMENTATION, secConf.getRandomizerImplementation());
final String expected = "TestRandomizer";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.RANDOMIZER_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(RANDOMIZER_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getRandomizerImplementation());
}
@@ -114,10 +116,10 @@ public void testRandomizerImplementation() {
public void testExecutorImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_EXECUTOR_IMPLEMENTATION, secConf.getExecutorImplementation());
+ assertEquals(DEFAULT_EXECUTOR_IMPLEMENTATION, secConf.getExecutorImplementation());
final String expected = "TestExecutor";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.EXECUTOR_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(EXECUTOR_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getExecutorImplementation());
}
@@ -125,10 +127,10 @@ public void testExecutorImplementation() {
public void testHTTPUtilitiesImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_HTTP_UTILITIES_IMPLEMENTATION, secConf.getHTTPUtilitiesImplementation());
+ assertEquals(DEFAULT_HTTP_UTILITIES_IMPLEMENTATION, secConf.getHTTPUtilitiesImplementation());
final String expected = "TestHTTPUtilities";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.HTTP_UTILITIES_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(HTTP_UTILITIES_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getHTTPUtilitiesImplementation());
}
@@ -136,10 +138,10 @@ public void testHTTPUtilitiesImplementation() {
public void testValidationImplementation() {
//test the default
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
- assertEquals(DefaultSecurityConfiguration.DEFAULT_VALIDATOR_IMPLEMENTATION, secConf.getValidationImplementation());
+ assertEquals(DEFAULT_VALIDATOR_IMPLEMENTATION, secConf.getValidationImplementation());
final String expected = "TestValidation";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.VALIDATOR_IMPLEMENTATION, expected);
+ secConf = this.createWithProperty(VALIDATOR_IMPLEMENTATION, expected);
assertEquals(expected, secConf.getValidationImplementation());
}
@@ -150,7 +152,7 @@ public void testGetEncryptionKeyLength() {
assertEquals(128, secConf.getEncryptionKeyLength());
final int expected = 256;
- secConf = this.createWithProperty(DefaultSecurityConfiguration.KEY_LENGTH, String.valueOf(expected));
+ secConf = this.createWithProperty(KEY_LENGTH, String.valueOf(expected));
assertEquals(expected, secConf.getEncryptionKeyLength());
}
@@ -161,7 +163,7 @@ public void testGetKDFPseudoRandomFunction() {
assertEquals("HmacSHA256", secConf.getKDFPseudoRandomFunction());
final String expected = "HmacSHA1";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.KDF_PRF_ALG, expected);
+ secConf = this.createWithProperty(KDF_PRF_ALG, expected);
assertEquals(expected, secConf.getKDFPseudoRandomFunction());
}
@@ -179,7 +181,7 @@ public void testGetMasterSalt() {
final String salt = "53081";
final String property = ESAPI.encoder().encodeForBase64(salt.getBytes(), false);
Properties properties = new Properties();
- properties.setProperty(DefaultSecurityConfiguration.MASTER_SALT, property);
+ properties.setProperty(MASTER_SALT, property);
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(properties);
assertEquals(salt, new String(secConf.getMasterSalt()));
}
@@ -195,7 +197,7 @@ public void testGetAllowedExecutables() {
Properties properties = new Properties();
- properties.setProperty(DefaultSecurityConfiguration.APPROVED_EXECUTABLES, String.valueOf("/bin/bzip2,/bin/diff, /bin/cvs"));
+ properties.setProperty(APPROVED_EXECUTABLES, String.valueOf("/bin/bzip2,/bin/diff, /bin/cvs"));
secConf = new DefaultSecurityConfiguration(properties);
allowedExecutables = secConf.getAllowedExecutables();
assertEquals(3, allowedExecutables.size());
@@ -216,7 +218,7 @@ public void testGetAllowedFileExtensions() {
Properties properties = new Properties();
- properties.setProperty(DefaultSecurityConfiguration.APPROVED_UPLOAD_EXTENSIONS, String.valueOf(".txt,.xml,.html,.png"));
+ properties.setProperty(APPROVED_UPLOAD_EXTENSIONS, String.valueOf(".txt,.xml,.html,.png"));
secConf = new DefaultSecurityConfiguration(properties);
allowedFileExtensions = secConf.getAllowedFileExtensions();
assertEquals(4, allowedFileExtensions.size());
@@ -230,7 +232,7 @@ public void testGetAllowedFileUploadSize() {
assertTrue(secConf.getAllowedFileUploadSize() > (1024 * 100));
final int expected = (1024 * 1000);
- secConf = this.createWithProperty(DefaultSecurityConfiguration.MAX_UPLOAD_FILE_BYTES, String.valueOf(expected));
+ secConf = this.createWithProperty(MAX_UPLOAD_FILE_BYTES, String.valueOf(expected));
assertEquals(expected, secConf.getAllowedFileUploadSize());
}
@@ -242,8 +244,8 @@ public void testGetParameterNames() {
assertEquals("username", secConf.getUsernameParameterName());
Properties properties = new Properties();
- properties.setProperty(DefaultSecurityConfiguration.PASSWORD_PARAMETER_NAME, "j_password");
- properties.setProperty(DefaultSecurityConfiguration.USERNAME_PARAMETER_NAME, "j_username");
+ properties.setProperty(PASSWORD_PARAMETER_NAME, "j_password");
+ properties.setProperty(USERNAME_PARAMETER_NAME, "j_username");
secConf = new DefaultSecurityConfiguration(properties);
assertEquals("j_password", secConf.getPasswordParameterName());
assertEquals("j_username", secConf.getUsernameParameterName());
@@ -255,7 +257,7 @@ public void testGetEncryptionAlgorithm() {
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
assertEquals("AES", secConf.getEncryptionAlgorithm());
- secConf = this.createWithProperty(DefaultSecurityConfiguration.ENCRYPTION_ALGORITHM, "3DES");
+ secConf = this.createWithProperty(ENCRYPTION_ALGORITHM, "3DES");
assertEquals("3DES", secConf.getEncryptionAlgorithm());
}
@@ -266,7 +268,7 @@ public void testGetCipherXProperties() {
//assertEquals("AES/CBC/PKCS5Padding", secConf.getC);
Properties properties = new Properties();
- properties.setProperty(DefaultSecurityConfiguration.CIPHER_TRANSFORMATION_IMPLEMENTATION, "Blowfish/CFB/ISO10126Padding");
+ properties.setProperty(CIPHER_TRANSFORMATION_IMPLEMENTATION, "Blowfish/CFB/ISO10126Padding");
secConf = new DefaultSecurityConfiguration(properties);
assertEquals("Blowfish/CFB/ISO10126Padding", secConf.getCipherTransformation());
@@ -285,18 +287,18 @@ public void testIV() {
Properties props = new Properties();
String ivType = null;
- props.setProperty(DefaultSecurityConfiguration.IV_TYPE, "fixed"); // No longer supported.
+ props.setProperty(IV_TYPE, "fixed"); // No longer supported.
secConf = new DefaultSecurityConfiguration( props );
try {
ivType = secConf.getIVType(); // This should now throw a Configuration Exception.
- fail("Expected ConfigurationException to be thrown for " + DefaultSecurityConfiguration.IV_TYPE + "=" + ivType);
+ fail("Expected ConfigurationException to be thrown for " + IV_TYPE + "=" + ivType);
}
catch (ConfigurationException ce) {
assertNotNull(ce.getMessage());
}
- props.setProperty(DefaultSecurityConfiguration.IV_TYPE, "illegal"); // This will just result in a logSpecial message & "random" is returned.
+ props.setProperty(IV_TYPE, "illegal"); // This will just result in a logSpecial message & "random" is returned.
secConf = new DefaultSecurityConfiguration(props);
ivType = secConf.getIVType();
assertEquals(ivType, "random");
@@ -307,13 +309,13 @@ public void testGetAllowMultipleEncoding() {
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
assertFalse(secConf.getAllowMultipleEncoding());
- secConf = this.createWithProperty(DefaultSecurityConfiguration.ALLOW_MULTIPLE_ENCODING, "yes");
+ secConf = this.createWithProperty(ALLOW_MULTIPLE_ENCODING, "yes");
assertTrue(secConf.getAllowMultipleEncoding());
- secConf = this.createWithProperty(DefaultSecurityConfiguration.ALLOW_MULTIPLE_ENCODING, "true");
+ secConf = this.createWithProperty(ALLOW_MULTIPLE_ENCODING, "true");
assertTrue(secConf.getAllowMultipleEncoding());
- secConf = this.createWithProperty(DefaultSecurityConfiguration.ALLOW_MULTIPLE_ENCODING, "no");
+ secConf = this.createWithProperty(ALLOW_MULTIPLE_ENCODING, "no");
assertFalse(secConf.getAllowMultipleEncoding());
}
@@ -323,7 +325,7 @@ public void testGetDefaultCanonicalizationCodecs() {
assertFalse(secConf.getDefaultCanonicalizationCodecs().isEmpty());
String property = "org.owasp.esapi.codecs.TestCodec1,org.owasp.esapi.codecs.TestCodec2";
- secConf = this.createWithProperty(DefaultSecurityConfiguration.CANONICALIZATION_CODECS, property);
+ secConf = this.createWithProperty(CANONICALIZATION_CODECS, property);
assertTrue(secConf.getDefaultCanonicalizationCodecs().contains("org.owasp.esapi.codecs.TestCodec1"));
}
@@ -332,13 +334,13 @@ public void testGetDisableIntrusionDetection() {
DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties());
assertFalse(secConf.getDisableIntrusionDetection());
- secConf = this.createWithProperty(DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION, "TRUE");
+ secConf = this.createWithProperty(DISABLE_INTRUSION_DETECTION, "TRUE");
assertTrue(secConf.getDisableIntrusionDetection());
- secConf = this.createWithProperty(DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION, "true");
+ secConf = this.createWithProperty(DISABLE_INTRUSION_DETECTION, "true");
assertTrue(secConf.getDisableIntrusionDetection());
- secConf = this.createWithProperty(DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION, "false");
+ secConf = this.createWithProperty(DISABLE_INTRUSION_DETECTION, "false");
assertFalse(secConf.getDisableIntrusionDetection());
}
@@ -482,7 +484,7 @@ public void testDeprecatedMethods()
{
assertTrue("1: Deprecated (1st) method returns different value than new (2nd) method",
ESAPI.securityConfiguration().getDisableIntrusionDetection() ==
- ESAPI.securityConfiguration().getBooleanProp( DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION )
+ ESAPI.securityConfiguration().getBooleanProp( DISABLE_INTRUSION_DETECTION )
);
// TODO: add some more tests here for the deprecated replacements.
}
diff --git a/src/test/java/org/owasp/esapi/reference/validation/DateValidationRuleTest.java b/src/test/java/org/owasp/esapi/reference/validation/DateValidationRuleTest.java
index 3e25597d5..a289c77ec 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/DateValidationRuleTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/DateValidationRuleTest.java
@@ -23,9 +23,9 @@
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+import static org.owasp.esapi.PropNames.ACCEPT_LENIENT_DATES;
import org.powermock.reflect.Whitebox;
-
public class DateValidationRuleTest {
@Rule
@@ -74,7 +74,7 @@ public void testsetDateFormatNullThrows() {
@Test
public void testsetDateFormat() {
- boolean acceptLenient = ESAPI.securityConfiguration().getBooleanProp( DefaultSecurityConfiguration.ACCEPT_LENIENT_DATES);
+ boolean acceptLenient = ESAPI.securityConfiguration().getBooleanProp( ACCEPT_LENIENT_DATES );
DateFormat newFormat = DateFormat.getDateInstance(DateFormat.SHORT, Locale.US);
newFormat.setLenient(!acceptLenient);
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java
index c05f9f236..3287f8348 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java
@@ -32,6 +32,8 @@
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.validator.html.PolicyException;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_ACTION;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE;
/**
* The Class HTMLValidationRuleThrowsTest.
@@ -72,9 +74,9 @@ private static class ConfOverride extends SecurityConfigurationWrapper {
@Override
public String getStringProp(String propName) {
// Would it be better making this file a static import?
- if ( propName.equals( org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION ) ) {
+ if ( propName.equals( VALIDATOR_HTML_VALIDATION_ACTION ) ) {
return desiredReturnAction;
- } else if ( propName.equals( org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE ) ) {
+ } else if ( propName.equals( VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE ) ) {
return desiredReturnConfigurationFile;
} else {
return super.getStringProp( propName );
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
index f0c97ecd4..32ca5feca 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
@@ -26,6 +26,7 @@
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.filters.SecurityWrapperRequest;
import org.owasp.esapi.reference.validation.HTMLValidationRule;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_ACTION;
import org.junit.Test;
import org.junit.Before;
@@ -65,7 +66,7 @@ private static class ConfOverride extends SecurityConfigurationWrapper {
@Override
public String getStringProp(String propName) {
// Would it be better making this file a static import?
- if ( propName.equals( org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION ) ) {
+ if ( propName.equals( VALIDATOR_HTML_VALIDATION_ACTION ) ) {
return desiredReturn;
} else {
return super.getStringProp( propName );
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java
index 6130836dd..8965ea243 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java
@@ -23,6 +23,7 @@
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.HTMLValidationRule;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_ACTION;
import org.junit.Test;
import org.junit.Before;
@@ -59,7 +60,7 @@ private static class ConfOverride extends SecurityConfigurationWrapper {
@Override
public String getStringProp(String propName) {
// Would it be better making this file a static import?
- if ( propName.equals( org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION ) ) {
+ if ( propName.equals( VALIDATOR_HTML_VALIDATION_ACTION ) ) {
return desiredReturn;
} else {
return super.getStringProp( propName );
From 613bc49cf6f05c2a796eee3efff982c25f4772e7 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Tue, 28 Jun 2022 14:01:30 -0400
Subject: [PATCH 007/197] Add forward slash encoding to DefaultEncoder's
encodeForLDAP and encodeForDN According to [1] and [2], the forward slash
('/') character should be encoded for LDAP filters and distinguished names
[1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
[2]
https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
---
.../org/owasp/esapi/reference/DefaultEncoder.java | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
index fe504e722..d781459ff 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
@@ -305,13 +305,18 @@ public String encodeForLDAP(String input, boolean encodeWildcards) {
}
// TODO: replace with LDAP codec
StringBuilder sb = new StringBuilder();
+ // According to "Special Characters" at [1], the encoder should escape '*', '(', ')', '\', '/', NUL. Also see [2].
+ // [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
+ // [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
for (int i = 0; i < input.length(); i++) {
char c = input.charAt(i);
-
switch (c) {
case '\\':
sb.append("\\5c");
break;
+ case '/':
+ sb.append("\\2f");
+ break;
case '*':
if (encodeWildcards) {
sb.append("\\2a");
@@ -349,12 +354,18 @@ public String encodeForDN(String input) {
if ((input.length() > 0) && ((input.charAt(0) == ' ') || (input.charAt(0) == '#'))) {
sb.append('\\'); // add the leading backslash if needed
}
+ // According to [1] and [2], the encoder should escape forward slash ('/') in DNs.
+ // [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
+ // [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
for (int i = 0; i < input.length(); i++) {
char c = input.charAt(i);
switch (c) {
case '\\':
sb.append("\\\\");
break;
+ case '/':
+ sb.append("\\/");
+ break;
case ',':
sb.append("\\,");
break;
From 90841862313fee99fef93ee8c233459ff9647f39 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Wed, 29 Jun 2022 12:49:45 -0400
Subject: [PATCH 008/197] Add forward slash encoding to DefaultEncoder's
encodeForLDAP and encodeForDN
According to [1] and [2], the forward slash ('/') character should be encoded for LDAP filters and distinguished names.
[1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
[2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
---
.../java/org/owasp/esapi/reference/DefaultEncoder.java | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
index d781459ff..aa019a810 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
@@ -305,9 +305,13 @@ public String encodeForLDAP(String input, boolean encodeWildcards) {
}
// TODO: replace with LDAP codec
StringBuilder sb = new StringBuilder();
- // According to "Special Characters" at [1], the encoder should escape '*', '(', ')', '\', '/', NUL. Also see [2].
+ // According to Microsoft docs [1,2], the forward slash ('/') MUST be escaped.
+ // According to RFC 4513 Section 3 [3], the forward slash (and other characters) MAY be escaped.
+ // Since Microsoft is a MUST, escape forward slash for all implementations. Also see discussion at [4].
// [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
// [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
+ // [3] https://tools.ietf.org/search/rfc4515#section-3
+ // [4] https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/thread/3QPDDLO356ONSJM3JUKD7NMPOOIKIQ5T/
for (int i = 0; i < input.length(); i++) {
char c = input.charAt(i);
switch (c) {
@@ -354,9 +358,7 @@ public String encodeForDN(String input) {
if ((input.length() > 0) && ((input.charAt(0) == ' ') || (input.charAt(0) == '#'))) {
sb.append('\\'); // add the leading backslash if needed
}
- // According to [1] and [2], the encoder should escape forward slash ('/') in DNs.
- // [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
- // [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
+ // See discussion of forward slash ('/') in encodeForLDAP()
for (int i = 0; i < input.length(); i++) {
char c = input.charAt(i);
switch (c) {
From 0ff0ddb174c9b96faf56c172e84033d8ceeb1687 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Wed, 29 Jun 2022 13:46:31 -0400
Subject: [PATCH 009/197] Add forward slash encoding to DefaultEncoder's
encodeForLDAP and encodeForDN (v3)
According to [1] and [2], the forward slash ('/') character should be encoded for LDAP filters and distinguished names.
[1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
[2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
---
src/test/java/org/owasp/esapi/reference/EncoderTest.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/test/java/org/owasp/esapi/reference/EncoderTest.java b/src/test/java/org/owasp/esapi/reference/EncoderTest.java
index 66f95c5b8..1b586a073 100644
--- a/src/test/java/org/owasp/esapi/reference/EncoderTest.java
+++ b/src/test/java/org/owasp/esapi/reference/EncoderTest.java
@@ -535,6 +535,7 @@ public void testEncodeForLDAP() {
assertEquals("Zeros", "Hi \\00", instance.encodeForLDAP("Hi \u0000"));
assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # � � �", instance.encodeForLDAP("Hi (This) = is * a \\ test # � � �"));
assertEquals("Hi \\28This\\29 =", instance.encodeForLDAP("Hi (This) ="));
+ assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
}
/**
@@ -547,6 +548,7 @@ public void testEncodeForLDAPWithoutEncodingWildcards() {
assertEquals("No special characters to escape", "Hi This is a test #��", instance.encodeForLDAP("Hi This is a test #��", false));
assertEquals("Zeros", "Hi \\00", instance.encodeForLDAP("Hi \u0000", false));
assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is * a \\5c test # � � �", instance.encodeForLDAP("Hi (This) = is * a \\ test # � � �", false));
+ assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
}
/**
@@ -563,6 +565,7 @@ public void testEncodeForDN() {
assertEquals("less than greater than", "Hello\\<\\>", instance.encodeForDN("Hello<>"));
assertEquals("only 3 spaces", "\\ \\ ", instance.encodeForDN(" "));
assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", instance.encodeForDN(" Hello\\ + , \"World\" ; "));
+ assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForDN("Forward slash for /Microsoft/ /AD/"));
}
/**
From c4276d67ee08e52da431d9464354a459ce197d23 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Thu, 30 Jun 2022 10:15:18 -0400
Subject: [PATCH 010/197] Add forward slash encoding to DefaultEncoder's
encodeForLDAP and encodeForDN (v4)
According to [1] and [2], the forward slash ('/') character should be encoded for LDAP filters and distinguished names.
[1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
[2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
---
src/test/java/org/owasp/esapi/reference/EncoderTest.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/java/org/owasp/esapi/reference/EncoderTest.java b/src/test/java/org/owasp/esapi/reference/EncoderTest.java
index 1b586a073..51c306e1f 100644
--- a/src/test/java/org/owasp/esapi/reference/EncoderTest.java
+++ b/src/test/java/org/owasp/esapi/reference/EncoderTest.java
@@ -548,7 +548,7 @@ public void testEncodeForLDAPWithoutEncodingWildcards() {
assertEquals("No special characters to escape", "Hi This is a test #��", instance.encodeForLDAP("Hi This is a test #��", false));
assertEquals("Zeros", "Hi \\00", instance.encodeForLDAP("Hi \u0000", false));
assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is * a \\5c test # � � �", instance.encodeForLDAP("Hi (This) = is * a \\ test # � � �", false));
- assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
+ assertEquals("Forward slash for \\/Microsoft\\/ \\/AD\\/", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
}
/**
From 0078dc0843de039ea75acb6293422d52768e4cd7 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Thu, 30 Jun 2022 10:19:57 -0400
Subject: [PATCH 011/197] Add forward slash encoding to DefaultEncoder's
encodeForLDAP and encodeForDN (v5)
According to [1] and [2], the forward slash ('/') character should be encoded for LDAP filters and distinguished names.
[1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
[2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
---
src/test/java/org/owasp/esapi/reference/EncoderTest.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/test/java/org/owasp/esapi/reference/EncoderTest.java b/src/test/java/org/owasp/esapi/reference/EncoderTest.java
index 51c306e1f..261e51fa9 100644
--- a/src/test/java/org/owasp/esapi/reference/EncoderTest.java
+++ b/src/test/java/org/owasp/esapi/reference/EncoderTest.java
@@ -548,7 +548,7 @@ public void testEncodeForLDAPWithoutEncodingWildcards() {
assertEquals("No special characters to escape", "Hi This is a test #��", instance.encodeForLDAP("Hi This is a test #��", false));
assertEquals("Zeros", "Hi \\00", instance.encodeForLDAP("Hi \u0000", false));
assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is * a \\5c test # � � �", instance.encodeForLDAP("Hi (This) = is * a \\ test # � � �", false));
- assertEquals("Forward slash for \\/Microsoft\\/ \\/AD\\/", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
+ assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
}
/**
@@ -565,7 +565,7 @@ public void testEncodeForDN() {
assertEquals("less than greater than", "Hello\\<\\>", instance.encodeForDN("Hello<>"));
assertEquals("only 3 spaces", "\\ \\ ", instance.encodeForDN(" "));
assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", instance.encodeForDN(" Hello\\ + , \"World\" ; "));
- assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForDN("Forward slash for /Microsoft/ /AD/"));
+ assertEquals("Forward slash for \\/Microsoft\\/ \\/AD\\/", instance.encodeForDN("Forward slash for /Microsoft/ /AD/"));
}
/**
From e4fc652ae20fe7ed69d0d18fc59846f0af067153 Mon Sep 17 00:00:00 2001
From: jeremiahjstacey
Date: Sat, 2 Jul 2022 20:43:11 -0500
Subject: [PATCH 012/197] Log4J Removal (#714)
Close issue #534 - This is a planned removal of all Log4J 1 dependencies after nearly 2 years of deprecation. The release for this will be released on or shortly after 2022-07-13.
* Suppression cleanup
Clearing log4j1 suppressions from baseline. Should cause maven site
goal to fail if cleanup is not incomplete.
* Log4J 1.x Source & Dependency Removal
Removing baseline code & tests pertaining to log4j 1.x support.
Removing log4j 1.x dependency from pom.
* WAF Cleanup - Removing customized Log handling
AppGuardianConfiguration had a declaration of a log4j log Level class
which appears to never be used.
ESAPIWebApplicationFirewallFilter attempts to compliment/override a
pre-existing log4j1.x configuratino through the filterConfig with an
expectation that ESAPI is configured for that Logger explicitly.
* This has just been removed to allow the implementation to use the
ESAPI Logger as configured.
* Removing ant-javadoc.xml artifact
Javadocs are generated in the maven build through the javadoc maven
plugin.
* log4j 1.x configuration file removal
Remvoing log4j.dtd and log4j.xml instances from baseline.
* log4j 1.x - Removing references in properties
Cleaning up source and test references to the removed content.
* log4j 1.x cleanup - scripts
Removing log4j class contexts from the release process scripts.
* JAVADOC CLEANUP
Addressing warnings in javadoc generation.
* Case sensitivity addressed in SecurityConfiguration.
* Removed invalid class reference from Logger. This would have been an
update; however, the reference point no longer fufills the reason
for the initial link.
This commit is superfluous to the log4j1.x removal intention of the
branch where it was committed.
* Merging suppressions file
* Version updates
Applying the latest plugin and dependency versions.
* Comment Grammer cleanup.
PR feedback.
---
ant-javadoc.xml | 8 -
configuration/esapi/ESAPI.properties | 3 -
configuration/log4j.dtd | 227 -----
configuration/log4j.xml | 62 --
pom.xml | 21 +-
...esapi4java-core-TEMPLATE-release-notes.txt | 1 -
src/main/java/org/owasp/esapi/Logger.java | 4 +-
.../esapi/logging/log4j/Log4JLogBridge.java | 43 -
.../logging/log4j/Log4JLogBridgeImpl.java | 76 --
.../esapi/logging/log4j/Log4JLogFactory.java | 125 ---
.../logging/log4j/Log4JLogLevelHandler.java | 43 -
.../logging/log4j/Log4JLogLevelHandlers.java | 56 --
.../esapi/logging/log4j/Log4JLogger.java | 168 ----
.../logging/log4j/Log4JLoggerFactory.java | 90 --
.../ESAPIWebApplicationFirewallFilter.java | 876 +++++++++---------
.../AppGuardianConfiguration.java | 28 -
.../logging/log4j/Log4JLogBridgeImplTest.java | 152 ---
.../logging/log4j/Log4JLogFactoryTest.java | 108 ---
.../log4j/Log4JLogLevelHandlersTest.java | 102 --
.../logging/log4j/Log4JLoggerFactoryTest.java | 97 --
.../esapi/logging/log4j/Log4JLoggerTest.java | 287 ------
...ESAPI-CommaValidatorFileChecker.properties | 5 +-
.../ESAPI-DualValidatorFileChecker.properties | 5 +-
...SAPI-QuotedValidatorFileChecker.properties | 5 +-
...SAPI-SingleValidatorFileChecker.properties | 5 +-
src/test/resources/esapi/ESAPI.properties | 3 -
src/test/resources/log4j.dtd | 227 -----
src/test/resources/log4j.xml | 70 --
suppressions.xml | 102 --
29 files changed, 444 insertions(+), 2555 deletions(-)
delete mode 100644 ant-javadoc.xml
delete mode 100644 configuration/log4j.dtd
delete mode 100644 configuration/log4j.xml
delete mode 100644 src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridge.java
delete mode 100644 src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImpl.java
delete mode 100644 src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java
delete mode 100644 src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandler.java
delete mode 100644 src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlers.java
delete mode 100644 src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java
delete mode 100644 src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java
delete mode 100644 src/test/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImplTest.java
delete mode 100644 src/test/java/org/owasp/esapi/logging/log4j/Log4JLogFactoryTest.java
delete mode 100644 src/test/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlersTest.java
delete mode 100644 src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactoryTest.java
delete mode 100644 src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java
delete mode 100644 src/test/resources/log4j.dtd
delete mode 100644 src/test/resources/log4j.xml
diff --git a/ant-javadoc.xml b/ant-javadoc.xml
deleted file mode 100644
index 2995a75b0..000000000
--- a/ant-javadoc.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-
-
-
-
-
-
diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties
index bbb7531cd..19c34b729 100644
--- a/configuration/esapi/ESAPI.properties
+++ b/configuration/esapi/ESAPI.properties
@@ -66,9 +66,6 @@ ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
-# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
-# Note that this is now considered deprecated!
-#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set
# ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
diff --git a/configuration/log4j.dtd b/configuration/log4j.dtd
deleted file mode 100644
index 1aabd96c3..000000000
--- a/configuration/log4j.dtd
+++ /dev/null
@@ -1,227 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/configuration/log4j.xml b/configuration/log4j.xml
deleted file mode 100644
index 47c064004..000000000
--- a/configuration/log4j.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/pom.xml b/pom.xml
index d9dde1dda..317d5c189 100644
--- a/pom.xml
+++ b/pom.xml
@@ -138,10 +138,10 @@
UTF-81.352.0.9
- 4.7.0
+ 4.7.11.12.04.7.0.0
- 3.0.0-M6
+ 3.0.0-M71.8
@@ -235,11 +235,6 @@
-
- log4j
- log4j
- 1.2.17
- org.apache.commonscommons-collections4
@@ -411,7 +406,7 @@
org.apache.maven.pluginsmaven-assembly-plugin
- 3.3.0
+ 3.4.0org.apache.maven.plugins
@@ -421,7 +416,7 @@
org.apache.maven.pluginsmaven-release-plugin
- 3.0.0-M5
+ 3.0.0-M6org.codehaus.mojo
@@ -538,7 +533,7 @@
org.apache.maven.pluginsmaven-enforcer-plugin
- 3.0.0
+ 3.1.0org.codehaus.mojo
@@ -671,7 +666,7 @@
org.apache.maven.pluginsmaven-pmd-plugin
- 3.16.0
+ 3.17.0
@@ -689,7 +684,7 @@
org.apache.maven.pluginsmaven-site-plugin
- 4.0.0-M1
+ 4.0.0-M2
@@ -743,7 +738,7 @@
org.owaspdependency-check-maven
- 7.1.0
+ 7.1.11.0./suppressions.xml
diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
index 5caad5c37..b55fd969c 100644
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt
+++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
@@ -58,7 +58,6 @@ However, if you try to juse the new ESAPI 2.2.1.0 or later logging you will noti
To use ESAPI logging in ESAPI 2.2.1.0 (and later), you will need to set the ESAPI.Logger property to
org.owasp.esapi.logging.java.JavaLogFactory - To use the new default, java.util.logging (JUL)
- org.owasp.esapi.logging.log4j.Log4JLogFactory - To use the end-of-life Log4J 1.x logger
org.owasp.esapi.logging.slf4j.Slf4JLogFactory - To use the new (to release 2.2.0.0) SLF4J logger
In addition, if you wish to use JUL for logging, you *MUST* supply an "esapi-java-logging.properties" file in your classpath. This file is included in the 'esapi-2.2.2.0-configuration.jar' file provided under the 'Assets' section of the GitHub Release at
diff --git a/src/main/java/org/owasp/esapi/Logger.java b/src/main/java/org/owasp/esapi/Logger.java
index 0f41e7376..c73e27ab2 100644
--- a/src/main/java/org/owasp/esapi/Logger.java
+++ b/src/main/java/org/owasp/esapi/Logger.java
@@ -205,9 +205,7 @@ public String toString() {
*/
void setLevel(int level);
- /** Retrieve the current ESAPI logging level for this logger. See
- * {@link org.owasp.esapi.logging.log4j.Log4JLogger} for an explanation of
- * why this method is not simply called {@code getLevel()}.
+ /** Retrieve the current ESAPI logging level for this logger.
*
* @return The current logging level.
*/
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridge.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridge.java
deleted file mode 100644
index b89acb81e..000000000
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridge.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import org.apache.log4j.Logger;
-import org.owasp.esapi.Logger.EventType;
-/**
- * Contract for translating an ESAPI log event into an Log4J log event.
- *
- */
-@Deprecated
-public interface Log4JLogBridge {
- /**
- * Translation for the provided ESAPI level, type, and message to the specified Log4J Logger.
- * @param logger Logger to receive the translated message.
- * @param esapiLevel ESAPI level of event.
- * @param type ESAPI event type
- * @param message ESAPI event message content.
- */
- void log(Logger logger, int esapiLevel, EventType type, String message) ;
- /**
- * Translation for the provided ESAPI level, type, message, and Throwable to the specified Log4J Logger.
- * @param logger Logger to receive the translated message.
- * @param esapiLevel ESAPI level of event.
- * @param type ESAPI event type
- * @param message ESAPI event message content.
- * @param throwable ESAPI event Throwable content
- */
- void log(Logger logger, int esapiLevel, EventType type, String message, Throwable throwable) ;
-
-}
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImpl.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImpl.java
deleted file mode 100644
index 58be15beb..000000000
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImpl.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-
-package org.owasp.esapi.logging.log4j;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.log4j.Logger;
-import org.owasp.esapi.Logger.EventType;
-import org.owasp.esapi.logging.appender.LogAppender;
-import org.owasp.esapi.logging.cleaning.LogScrubber;
-
-/**
- * Implementation which is intended to bridge the ESAPI Logging API into LOG4J supported Object structures.
- *
- */
-@Deprecated
-public class Log4JLogBridgeImpl implements Log4JLogBridge {
- /** Configuration providing associations between esapi log levels and LOG4J levels.*/
- private final Map esapiSlfLevelMap;
- /** Cleaner used for log content.*/
- private final LogScrubber scrubber;
- /** Appender used for assembling default message content for all logs.*/
- private final LogAppender appender;
-
- /**
- * Constructor.
- * @param logScrubber Log message cleaner.
- * @param esapiSlfHandlerMap Map identifying ESAPI -> LOG4J log level associations.
- */
- public Log4JLogBridgeImpl(LogAppender messageAppender, LogScrubber logScrubber, Map esapiSlfHandlerMap) {
- //Defensive copy to prevent external mutations.
- this.esapiSlfLevelMap = new HashMap<>(esapiSlfHandlerMap);
- this.scrubber = logScrubber;
- this.appender = messageAppender;
- }
- @Override
- public void log(Logger logger, int esapiLevel, EventType type, String message) {
- Log4JLogLevelHandler handler = esapiSlfLevelMap.get(esapiLevel);
- if (handler == null) {
- throw new IllegalArgumentException("Unable to lookup LOG4J level mapping for esapi value of " + esapiLevel);
- }
- if (handler.isEnabled(logger)) {
- String fullMessage = appender.appendTo(logger.getName(), type, message);
- String cleanString = scrubber.cleanMessage(fullMessage);
-
- handler.log(logger, cleanString);
- }
- }
- @Override
- public void log(Logger logger, int esapiLevel, EventType type, String message, Throwable throwable) {
- Log4JLogLevelHandler handler = esapiSlfLevelMap.get(esapiLevel);
- if (handler == null) {
- throw new IllegalArgumentException("Unable to lookup LOG4J level mapping for esapi value of " + esapiLevel);
- }
- if (handler.isEnabled(logger)) {
- String fullMessage = appender.appendTo(logger.getName(), type, message);
- String cleanString = scrubber.cleanMessage(fullMessage);
-
- handler.log(logger, cleanString, throwable);
- }
- }
-}
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java
deleted file mode 100644
index a71cf3141..000000000
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java
+++ /dev/null
@@ -1,125 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.LogFactory;
-import org.owasp.esapi.Logger;
-import org.owasp.esapi.codecs.HTMLEntityCodec;
-import org.owasp.esapi.logging.appender.LogAppender;
-import org.owasp.esapi.logging.appender.LogPrefixAppender;
-import org.owasp.esapi.logging.cleaning.CodecLogScrubber;
-import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
-import org.owasp.esapi.logging.cleaning.LogScrubber;
-import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-
-import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
-import static org.owasp.esapi.PropNames.LOG_USER_INFO;
-import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
-import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
-import static org.owasp.esapi.PropNames.APPLICATION_NAME;
-import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
-
-/**
- * LogFactory implementation which creates Log4J supporting Loggers.
- *
- */
-@Deprecated
-public class Log4JLogFactory implements LogFactory {
- /** Immune characters for the codec log scrubber for JAVA context.*/
- private static final char[] IMMUNE_LOG4J_HTML = {',', '.', '-', '_', ' ' };
- /** Codec being used to clean messages for logging.*/
- private static final HTMLEntityCodec HTML_CODEC = new HTMLEntityCodec();
- /** Log appender instance.*/
- private static LogAppender Log4J_LOG_APPENDER;
- /** Log cleaner instance.*/
- private static LogScrubber Log4J_LOG_SCRUBBER;
- /** Bridge class for mapping esapi -> log4j log levels.*/
- private static Log4JLogBridge LOG_BRIDGE;
-
- static {
- boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
- Log4J_LOG_SCRUBBER = createLogScrubber(encodeLog);
-
-
- boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
- boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
- boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
- String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
- boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
- Log4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
-
- Map levelLookup = new HashMap<>();
- levelLookup.put(Logger.ALL, Log4JLogLevelHandlers.TRACE);
- levelLookup.put(Logger.TRACE, Log4JLogLevelHandlers.TRACE);
- levelLookup.put(Logger.DEBUG, Log4JLogLevelHandlers.DEBUG);
- levelLookup.put(Logger.INFO, Log4JLogLevelHandlers.INFO);
- levelLookup.put(Logger.ERROR, Log4JLogLevelHandlers.ERROR);
- levelLookup.put(Logger.WARNING, Log4JLogLevelHandlers.WARN);
- levelLookup.put(Logger.FATAL, Log4JLogLevelHandlers.FATAL);
- //LEVEL.OFF not used. If it's off why would we try to log it?
-
- LOG_BRIDGE = new Log4JLogBridgeImpl(Log4J_LOG_APPENDER, Log4J_LOG_SCRUBBER, levelLookup);
- }
-
- /**
- * Populates the default log scrubber for use in factory-created loggers.
- * @param requiresEncoding {@code true} if encoding is required for log content.
- * @return LogScrubber instance.
- */
- /*package*/ static LogScrubber createLogScrubber(boolean requiresEncoding) {
- List messageScrubber = new ArrayList<>();
- messageScrubber.add(new NewlineLogScrubber());
-
- if (requiresEncoding) {
- messageScrubber.add(new CodecLogScrubber(HTML_CODEC, IMMUNE_LOG4J_HTML));
- }
-
- return new CompositeLogScrubber(messageScrubber);
-
- }
-
- /**
- * Populates the default log appender for use in factory-created loggers.
- * @param appName
- * @param logApplicationName
- * @param logServerIp
- * @param logClientInfo
- *
- * @return LogAppender instance.
- */
- /*package*/ static LogAppender createLogAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) {
- return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
- }
-
-
- @Override
- public Logger getLogger(String moduleName) {
- org.apache.log4j.Logger log4JLogger = org.apache.log4j.Logger.getLogger(moduleName);
- return new Log4JLogger(log4JLogger, LOG_BRIDGE, Logger.ALL);
- }
-
- @Override
- public Logger getLogger(@SuppressWarnings("rawtypes") Class clazz) {
- org.apache.log4j.Logger log4JLogger = org.apache.log4j.Logger.getLogger(clazz);
- return new Log4JLogger(log4JLogger, LOG_BRIDGE, Logger.ALL);
- }
-
-}
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandler.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandler.java
deleted file mode 100644
index 7b6b57ee9..000000000
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandler.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import org.apache.log4j.Logger;
-
-/**
- * Contract used to isolate translations for each SLF4J Logging Level.
- *
- * @see Log4JLogLevelHandlers
- * @see Log4JLogBridgeImpl
- *
- */
-@Deprecated
-interface Log4JLogLevelHandler {
- /** Check if the logging level is enabled for the specified logger.*/
- boolean isEnabled(Logger logger);
- /**
- * Calls the appropriate log level event on the specified logger.
- * @param logger Logger to invoke.
- * @param msg Message to log.
- */
- void log(Logger logger, String msg);
- /**
- * Calls the appropriate log level event on the specified logger.
- * @param logger Logger to invoke
- * @param msg Message to log
- * @param th Throwable to log.
- */
- void log(Logger logger, String msg, Throwable th);
-}
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlers.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlers.java
deleted file mode 100644
index e6ee6a48c..000000000
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlers.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-
-package org.owasp.esapi.logging.log4j;
-
-
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-
-/**
- * Enumeration capturing the propagation of Log4J level events.
- *
- */
-@Deprecated
-public enum Log4JLogLevelHandlers implements Log4JLogLevelHandler {
- FATAL(Level.FATAL),
- ERROR(Level.ERROR),
- WARN(Level.WARN),
- INFO(Level.INFO),
- DEBUG(Level.DEBUG),
- TRACE(Level.TRACE),
- ALL(Level.ALL);
-
- private final Level level;
-
- private Log4JLogLevelHandlers(Level lvl) {
- this.level = lvl;
- }
-
- @Override
- public boolean isEnabled(Logger logger) {
- return logger.isEnabledFor(level);
- }
-
- @Override
- public void log(Logger logger, String msg) {
- logger.log(level, msg);
- }
-
- @Override
- public void log(Logger logger, String msg, Throwable th) {
- logger.log(level, msg, th);
- }
-}
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java
deleted file mode 100644
index cbbda2140..000000000
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java
+++ /dev/null
@@ -1,168 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import org.owasp.esapi.Logger;
-/**
- * ESAPI Logger implementation which relays events to an Log4j delegate.
- */
-@Deprecated
-public class Log4JLogger implements org.owasp.esapi.Logger {
- /** Delegate Logger.*/
- private final org.apache.log4j.Logger delegate;
- /** Handler for translating events from ESAPI context for SLF4J processing.*/
- private final Log4JLogBridge logBridge;
- /** Maximum log level that will be forwarded to SLF4J from the ESAPI context.*/
- private int loggingLevel;
-
- /**
- * Constructs a new instance.
- * @param slf4JLogger Delegate SLF4J logger.
- * @param bridge Translator for ESAPI -> SLF4J logging events.
- * @param defaultEsapiLevel Maximum ESAPI log level events to propagate.
- */
- public Log4JLogger(org.apache.log4j.Logger slf4JLogger, Log4JLogBridge bridge, int defaultEsapiLevel) {
- delegate = slf4JLogger;
- this.logBridge = bridge;
- loggingLevel = defaultEsapiLevel;
- }
-
- private void log(int esapiLevel, EventType type, String message) {
- if (isEnabled(esapiLevel)) {
- logBridge.log(delegate, esapiLevel, type, message);
- }
- }
-
- private void log(int esapiLevel, EventType type, String message, Throwable throwable) {
- if (isEnabled(esapiLevel)) {
- logBridge.log(delegate, esapiLevel, type, message, throwable);
- }
- }
-
-
- private boolean isEnabled(int esapiLevel) {
- return esapiLevel >= loggingLevel;
- }
-
- @Override
- public void always(EventType type, String message) {
- log (Logger.ALL, type, message);
- }
-
- @Override
- public void always(EventType type, String message, Throwable throwable) {
- log (Logger.ALL, type, message, throwable);
- }
-
- @Override
- public void trace(EventType type, String message) {
- log (Logger.TRACE, type, message);
- }
-
- @Override
- public void trace(EventType type, String message, Throwable throwable) {
- log (Logger.TRACE, type, message, throwable);
- }
-
- @Override
- public void debug(EventType type, String message) {
- log (Logger.DEBUG, type, message);
- }
-
- @Override
- public void debug(EventType type, String message, Throwable throwable) {
- log (Logger.DEBUG, type, message, throwable);
- }
-
- @Override
- public void info(EventType type, String message) {
- log (Logger.INFO, type, message);
- }
-
- @Override
- public void info(EventType type, String message, Throwable throwable) {
- log (Logger.INFO, type, message, throwable);
- }
-
- @Override
- public void warning(EventType type, String message) {
- log (Logger.WARNING, type, message);
- }
-
- @Override
- public void warning(EventType type, String message, Throwable throwable) {
- log (Logger.WARNING, type, message, throwable);
- }
-
- @Override
- public void error(EventType type, String message) {
- log (Logger.ERROR, type, message);
- }
-
- @Override
- public void error(EventType type, String message, Throwable throwable) {
- log (Logger.ERROR, type, message, throwable);
- }
-
- @Override
- public void fatal(EventType type, String message) {
- log (Logger.FATAL, type, message);
- }
-
- @Override
- public void fatal(EventType type, String message, Throwable throwable) {
- log (Logger.FATAL, type, message, throwable);
- }
-
- @Override
- public int getESAPILevel() {
- return loggingLevel;
- }
-
- @Override
- public boolean isTraceEnabled() {
- return isEnabled(Logger.TRACE);
- }
-
- @Override
- public boolean isDebugEnabled() {
- return isEnabled(Logger.DEBUG);
- }
- @Override
- public boolean isInfoEnabled() {
- return isEnabled(Logger.INFO);
- }
- @Override
- public boolean isWarningEnabled() {
- return isEnabled(Logger.WARNING);
- }
-
- @Override
- public boolean isErrorEnabled() {
- return isEnabled(Logger.ERROR);
- }
-
- @Override
- public boolean isFatalEnabled() {
- return isEnabled(Logger.FATAL);
- }
-
-
- @Override
- public void setLevel(int level) {
- loggingLevel = level;
- }
-
-}
diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java
deleted file mode 100644
index 91dd0da4f..000000000
--- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @author Jeff Williams Aspect Security
- * @created 2007
- */
-package org.owasp.esapi.logging.log4j;
-
-import org.apache.log4j.Priority;
-import org.apache.log4j.spi.LoggerFactory;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.logging.appender.LogAppender;
-import org.owasp.esapi.logging.cleaning.LogScrubber;
-
-import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
-import static org.owasp.esapi.PropNames.LOG_USER_INFO;
-import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
-import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
-import static org.owasp.esapi.PropNames.APPLICATION_NAME;
-import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
-
-/**
- * Service Provider Interface implementation that can be provided as the org.apache.log4j.spi.LoggerFactory reference in a Log4J configuration.
- *
- *
- * <loggerFactory class="org.owasp.esapi.logging.log4j.Log4JLoggerFactory"/>
- *
- */
-@Deprecated
-public class Log4JLoggerFactory implements LoggerFactory {
- /** Log appender instance.*/
- private static LogAppender LOG4J_LOG_APPENDER;
- /** Log cleaner instance.*/
- private static LogScrubber LOG4J_LOG_SCRUBBER;
-
- static {
- boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
- LOG4J_LOG_SCRUBBER = Log4JLogFactory.createLogScrubber(encodeLog);
-
- boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
- boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
- boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
- String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
- boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
- LOG4J_LOG_APPENDER = Log4JLogFactory.createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
- }
-
- /**
- * This constructor must be public so it can be accessed from within log4j
- */
- public Log4JLoggerFactory() {}
-
- /**
- * Overridden to return instances of org.owasp.esapi.reference.Log4JLogger.
- *
- * @param name The class name to return a logger for.
- * @return org.owasp.esapi.reference.Log4JLogger
- */
- public org.apache.log4j.Logger makeNewLoggerInstance(String name) {
- return new EsapiLog4JWrapper(name);
- }
-
-
- public static class EsapiLog4JWrapper extends org.apache.log4j.Logger {
-
- protected EsapiLog4JWrapper(String name) {
- super(name);
- }
-
- @Override
- protected void forcedLog(String fqcn, Priority level, Object message, Throwable t) {
- String toClean = message.toString();
-
- String fullMessage = LOG4J_LOG_APPENDER.appendTo(getName(), null, toClean);
- String cleanMsg = LOG4J_LOG_SCRUBBER.cleanMessage(fullMessage);
-
- super.forcedLog(fqcn, level, cleanMsg, t);
- }
-
- }
-}
diff --git a/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java b/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
index 3bf56cab4..0879ac516 100644
--- a/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
+++ b/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
@@ -16,7 +16,6 @@
package org.owasp.esapi.waf;
import java.io.File;
-
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
@@ -32,7 +31,6 @@
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileUploadException;
-import org.apache.log4j.xml.DOMConfigurator;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.waf.actions.Action;
@@ -60,448 +58,436 @@
*/
public class ESAPIWebApplicationFirewallFilter implements Filter {
- private AppGuardianConfiguration appGuardConfig;
-
- private static final String CONFIGURATION_FILE_PARAM = "configuration";
- private static final String LOGGING_FILE_PARAM = "log_settings";
- private static final String POLLING_TIME_PARAM = "polling_time";
-
- private static final int DEFAULT_POLLING_TIME = 30000;
-
- private String configurationFilename = null;
-
- private long pollingTime;
-
- private long lastConfigReadTime;
-
- // private static final String FAUX_SESSION_COOKIE = "FAUXSC";
- // private static final String SESSION_COOKIE_CANARY =
- // "org.owasp.esapi.waf.canary";
-
- private FilterConfig fc;
-
- private final Logger logger = ESAPI.getLogger(ESAPIWebApplicationFirewallFilter.class);
-
- /**
- * This function is used in testing to dynamically alter the configuration.
- *
- * @param policyFilePath
- * The path to the policy file
- * @param webRootDir
- * The root directory of the web application.
- * @throws FileNotFoundException
- * if the policy file cannot be located
- */
- public void setConfiguration(String policyFilePath, String webRootDir) throws FileNotFoundException {
-
- FileInputStream inputStream = null;
-
- try {
- inputStream = new FileInputStream(new File(policyFilePath));
- appGuardConfig = ConfigurationParser.readConfigurationFile(inputStream, webRootDir);
- lastConfigReadTime = System.currentTimeMillis();
- configurationFilename = policyFilePath;
- } catch (ConfigurationException e) {
- // TODO: It would be ideal if this method through the
- // ConfigurationException rather than catching it and
- // writing the error to the console.
- e.printStackTrace();
- } finally {
- if (inputStream != null) {
- try {
- inputStream.close();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- }
- }
-
- public AppGuardianConfiguration getConfiguration() {
- return appGuardConfig;
- }
-
- /**
- *
- * This function is invoked at application startup and when the
- * configuration file polling period has elapsed and a change in the
- * configuration file has been detected.
- *
- * It's main purpose is to read the configuration file and establish the
- * configuration object model for use at runtime during the
- * doFilter() method.
- */
- public void init(FilterConfig fc) throws ServletException {
-
- /*
- * This variable is saved so that we can retrieve it later to re-invoke
- * this function.
- */
- this.fc = fc;
-
- logger.debug(Logger.EVENT_SUCCESS, ">> Initializing WAF");
- /*
- * Pull logging file.
- */
-
- // Demoted scope to a local since this is the only place it is
- // referenced
- String logSettingsFilename = fc.getInitParameter(LOGGING_FILE_PARAM);
-
- String realLogSettingsFilename = fc.getServletContext().getRealPath(logSettingsFilename);
-
- if (realLogSettingsFilename == null || (!new File(realLogSettingsFilename).exists())) {
- throw new ServletException(
- "[ESAPI WAF] Could not find log file at resolved path: " + realLogSettingsFilename);
- }
-
- /*
- * Pull main configuration file.
- */
-
- configurationFilename = fc.getInitParameter(CONFIGURATION_FILE_PARAM);
-
- configurationFilename = fc.getServletContext().getRealPath(configurationFilename);
-
- if (configurationFilename == null || !new File(configurationFilename).exists()) {
- throw new ServletException(
- "[ESAPI WAF] Could not find configuration file at resolved path: " + configurationFilename);
- }
-
- /*
- * Find out polling time from a parameter. If none is provided, use the
- * default (10 seconds).
- */
-
- String sPollingTime = fc.getInitParameter(POLLING_TIME_PARAM);
-
- if (sPollingTime != null) {
- pollingTime = Long.parseLong(sPollingTime);
- } else {
- pollingTime = DEFAULT_POLLING_TIME;
- }
-
- /*
- * Open up configuration file and populate the AppGuardian configuration
- * object.
- */
-
- FileInputStream inputStream = null;
-
- try {
- String webRootDir = fc.getServletContext().getRealPath("/");
- inputStream = new FileInputStream(configurationFilename);
- appGuardConfig = ConfigurationParser.readConfigurationFile(inputStream, webRootDir);
- DOMConfigurator.configure(realLogSettingsFilename);
- lastConfigReadTime = System.currentTimeMillis();
- } catch (FileNotFoundException e) {
- throw new ServletException(e);
- } catch (ConfigurationException e) {
- throw new ServletException(e);
- } finally {
- if (inputStream != null) {
- try {
- inputStream.close();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- }
- }
-
- /**
- * This is the where the main interception and rule-checking logic of the
- * WAF resides.
- */
- public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
- throws IOException, ServletException {
-
- /*
- * Check to see if polling time has elapsed. If it has, that means we
- * should check to see if the config file has been changed. If it has,
- * then re-read it.
- *
- * // TODO: Any reason this logic shouldn't be moved into a polling
- * thread class?
- */
-
- if ((System.currentTimeMillis() - lastConfigReadTime) > pollingTime) {
- File f = new File(configurationFilename);
- long lastModified = f.lastModified();
- if (lastModified > lastConfigReadTime) {
- /*
- * The file has been altered since it was read in the last time.
- * Must re-read it.
- */
- logger.debug(Logger.EVENT_SUCCESS, ">> Re-reading WAF policy");
- init(fc);
- }
- }
-
- logger.debug(Logger.EVENT_SUCCESS, ">>In WAF doFilter");
-
- HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
- HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
-
- InterceptingHTTPServletRequest request = null;
- InterceptingHTTPServletResponse response = null;
-
- /*
- * First thing to do is create the InterceptingHTTPServletResponse,
- * since we'll need that possibly before the
- * InterceptingHTTPServletRequest.
- *
- * The normal HttpRequest-type objects will suffice us until we get to
- * stage 2.
- *
- * 1st argument = the response to base the instance on 2nd argument =
- * should we bother intercepting the egress response? 3rd argument =
- * cookie rules because thats where they mostly get acted on
- */
-
- if (appGuardConfig.getCookieRules().size() + appGuardConfig.getBeforeResponseRules().size() > 0) {
- response = new InterceptingHTTPServletResponse(httpResponse, true, appGuardConfig.getCookieRules());
- }
-
- /*
- * Stage 1: Rules that do not need the request body.
- */
- logger.debug(Logger.EVENT_SUCCESS, ">> Starting stage 1");
-
- List rules = this.appGuardConfig.getBeforeBodyRules();
-
- for (int i = 0; i < rules.size(); i++) {
-
- Rule rule = rules.get(i);
- logger.debug(Logger.EVENT_SUCCESS, " Applying BEFORE rule: " + rule.getClass().getName());
-
- /*
- * The rules execute in check(). The check() method will also log.
- * All we have to do is decide what other actions to take.
- */
- Action action = rule.check(httpRequest, response, httpResponse);
-
- if (action.isActionNecessary()) {
-
- if (action instanceof BlockAction) {
- if (response != null) {
- response.setStatus(appGuardConfig.getDefaultResponseCode());
- } else {
- httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
- }
- return;
-
- } else if (action instanceof RedirectAction) {
- sendRedirect(response, httpResponse, ((RedirectAction) action).getRedirectURL());
- return;
-
- } else if (action instanceof DefaultAction) {
-
- switch (AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
- case AppGuardianConfiguration.BLOCK:
- if (response != null) {
- response.setStatus(appGuardConfig.getDefaultResponseCode());
- } else {
- httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
- }
- return;
-
- case AppGuardianConfiguration.REDIRECT:
- sendRedirect(response, httpResponse);
- return;
- }
- }
- }
- }
-
- /*
- * Create the InterceptingHTTPServletRequest.
- */
-
- try {
- request = new InterceptingHTTPServletRequest((HttpServletRequest) servletRequest);
- } catch (FileUploadException fue) {
- logger.error(Logger.EVENT_SUCCESS, "Error Wrapping Request", fue);
- }
-
- /*
- * Stage 2: After the body has been read, but before the the application
- * has gotten it.
- */
- logger.debug(Logger.EVENT_SUCCESS, ">> Starting Stage 2");
-
- rules = this.appGuardConfig.getAfterBodyRules();
-
- for (int i = 0; i < rules.size(); i++) {
-
- Rule rule = rules.get(i);
- logger.debug(Logger.EVENT_SUCCESS, " Applying BEFORE CHAIN rule: " + rule.getClass().getName());
-
- /*
- * The rules execute in check(). The check() method will take care
- * of logging. All we have to do is decide what other actions to
- * take.
- */
- Action action = rule.check(request, response, httpResponse);
-
- if (action.isActionNecessary()) {
-
- if (action instanceof BlockAction) {
- if (response != null) {
- response.setStatus(appGuardConfig.getDefaultResponseCode());
- } else {
- httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
- }
- return;
-
- } else if (action instanceof RedirectAction) {
- sendRedirect(response, httpResponse, ((RedirectAction) action).getRedirectURL());
- return;
-
- } else if (action instanceof DefaultAction) {
-
- switch (AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
- case AppGuardianConfiguration.BLOCK:
- if (response != null) {
- response.setStatus(appGuardConfig.getDefaultResponseCode());
- } else {
- httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
- }
- return;
-
- case AppGuardianConfiguration.REDIRECT:
- sendRedirect(response, httpResponse);
- return;
- }
- }
- }
- }
-
- /*
- * In between stages 2 and 3 is the application's processing of the
- * input.
- */
- logger.debug(Logger.EVENT_SUCCESS, ">> Calling the FilterChain: " + chain);
- chain.doFilter(request, response != null ? response : httpResponse);
-
- /*
- * Stage 3: Before the response has been sent back to the user.
- */
- logger.debug(Logger.EVENT_SUCCESS, ">> Starting Stage 3");
-
- rules = this.appGuardConfig.getBeforeResponseRules();
-
- for (int i = 0; i < rules.size(); i++) {
-
- Rule rule = rules.get(i);
- logger.debug(Logger.EVENT_SUCCESS, " Applying AFTER CHAIN rule: " + rule.getClass().getName());
-
- /*
- * The rules execute in check(). The check() method will also log.
- * All we have to do is decide what other actions to take.
- */
- Action action = rule.check(request, response, httpResponse);
-
- if (action.isActionNecessary()) {
-
- if (action instanceof BlockAction) {
- if (response != null) {
- response.setStatus(appGuardConfig.getDefaultResponseCode());
- } else {
- httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
- }
- return;
-
- } else if (action instanceof RedirectAction) {
- sendRedirect(response, httpResponse, ((RedirectAction) action).getRedirectURL());
- return;
-
- } else if (action instanceof DefaultAction) {
-
- switch (AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
- case AppGuardianConfiguration.BLOCK:
- if (response != null) {
- response.setStatus(appGuardConfig.getDefaultResponseCode());
- } else {
- httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
- }
- return;
-
- case AppGuardianConfiguration.REDIRECT:
- sendRedirect(response, httpResponse);
- return;
- }
- }
- }
- }
-
- /*
- * Now that we've run our last set of rules we can allow the response to
- * go through if we were intercepting.
- */
-
- if (response != null) {
- logger.debug(Logger.EVENT_SUCCESS, ">>> committing reponse");
- response.commit();
- }
- }
-
- /*
- * Utility method to send HTTP redirects that automatically determines which
- * response class to use.
- */
- private void sendRedirect(InterceptingHTTPServletResponse response, HttpServletResponse httpResponse,
- String redirectURL) throws IOException {
-
- if (response != null) { // if we've been buffering everything we clean
- // it all out before sending back.
- response.reset();
- response.resetBuffer();
- response.sendRedirect(redirectURL);
- response.commit();
- } else {
- httpResponse.sendRedirect(redirectURL);
- }
-
- }
-
- public void destroy() {
- /*
- * Any cleanup necessary?
- */
- }
-
- private void sendRedirect(InterceptingHTTPServletResponse response, HttpServletResponse httpResponse)
- throws IOException {
- /*
- * [chrisisbeef] - commented out as this is not currently used. Minor
- * performance tweak. String finalJavaScript =
- * AppGuardianConfiguration.JAVASCRIPT_REDIRECT; finalJavaScript =
- * finalJavaScript.replaceAll(AppGuardianConfiguration.
- * JAVASCRIPT_TARGET_TOKEN, appGuardConfig.getDefaultErrorPage());
- */
-
- if (response != null) {
- response.reset();
- response.resetBuffer();
- /*
- * response.setStatus(appGuardConfig.getDefaultResponseCode());
- * response.getOutputStream().write(finalJavaScript.getBytes());
- */
- response.sendRedirect(appGuardConfig.getDefaultErrorPage());
-
- } else {
- if (!httpResponse.isCommitted()) {
- httpResponse.sendRedirect(appGuardConfig.getDefaultErrorPage());
- } else {
- /*
- * Can't send redirect because response is already committed.
- * I'm not sure how this could happen, but I didn't want to
- * cause IOExceptions in case if it ever does.
- */
- }
-
- }
- }
+ private AppGuardianConfiguration appGuardConfig;
+
+ private static final String CONFIGURATION_FILE_PARAM = "configuration";
+ private static final String LOGGING_FILE_PARAM = "log_settings";
+ private static final String POLLING_TIME_PARAM = "polling_time";
+
+ private static final int DEFAULT_POLLING_TIME = 30000;
+
+ private String configurationFilename = null;
+
+ private long pollingTime;
+
+ private long lastConfigReadTime;
+
+ // private static final String FAUX_SESSION_COOKIE = "FAUXSC";
+ // private static final String SESSION_COOKIE_CANARY =
+ // "org.owasp.esapi.waf.canary";
+
+ private FilterConfig fc;
+
+ private final Logger logger = ESAPI.getLogger(ESAPIWebApplicationFirewallFilter.class);
+
+ /**
+ * This function is used in testing to dynamically alter the configuration.
+ *
+ * @param policyFilePath
+ * The path to the policy file
+ * @param webRootDir
+ * The root directory of the web application.
+ * @throws FileNotFoundException
+ * if the policy file cannot be located
+ */
+ public void setConfiguration(String policyFilePath, String webRootDir) throws FileNotFoundException {
+
+ FileInputStream inputStream = null;
+
+ try {
+ inputStream = new FileInputStream(new File(policyFilePath));
+ appGuardConfig = ConfigurationParser.readConfigurationFile(inputStream, webRootDir);
+ lastConfigReadTime = System.currentTimeMillis();
+ configurationFilename = policyFilePath;
+ } catch (ConfigurationException e) {
+ // TODO: It would be ideal if this method threw the
+ // ConfigurationException rather than catching it and
+ // writing the error to the console.
+ e.printStackTrace();
+ } finally {
+ if (inputStream != null) {
+ try {
+ inputStream.close();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ }
+ }
+
+ public AppGuardianConfiguration getConfiguration() {
+ return appGuardConfig;
+ }
+
+ /**
+ *
+ * This function is invoked at application startup and when the
+ * configuration file polling period has elapsed and a change in the
+ * configuration file has been detected.
+ *
+ * It's main purpose is to read the configuration file and establish the
+ * configuration object model for use at runtime during the
+ * doFilter() method.
+ */
+ public void init(FilterConfig fc) throws ServletException {
+
+ /*
+ * This variable is saved so that we can retrieve it later to re-invoke
+ * this function.
+ */
+ this.fc = fc;
+
+ logger.debug(Logger.EVENT_SUCCESS, ">> Initializing WAF");
+ /*
+ * Pull logging file.
+ */
+
+ /*
+ * Pull main configuration file.
+ */
+
+ configurationFilename = fc.getInitParameter(CONFIGURATION_FILE_PARAM);
+
+ configurationFilename = fc.getServletContext().getRealPath(configurationFilename);
+
+ if (configurationFilename == null || !new File(configurationFilename).exists()) {
+ throw new ServletException(
+ "[ESAPI WAF] Could not find configuration file at resolved path: " + configurationFilename);
+ }
+
+ /*
+ * Find out polling time from a parameter. If none is provided, use the
+ * default (10 seconds).
+ */
+
+ String sPollingTime = fc.getInitParameter(POLLING_TIME_PARAM);
+
+ if (sPollingTime != null) {
+ pollingTime = Long.parseLong(sPollingTime);
+ } else {
+ pollingTime = DEFAULT_POLLING_TIME;
+ }
+
+ /*
+ * Open up configuration file and populate the AppGuardian configuration
+ * object.
+ */
+
+ FileInputStream inputStream = null;
+
+ try {
+ String webRootDir = fc.getServletContext().getRealPath("/");
+ inputStream = new FileInputStream(configurationFilename);
+ appGuardConfig = ConfigurationParser.readConfigurationFile(inputStream, webRootDir);
+ lastConfigReadTime = System.currentTimeMillis();
+ } catch (FileNotFoundException e) {
+ throw new ServletException(e);
+ } catch (ConfigurationException e) {
+ throw new ServletException(e);
+ } finally {
+ if (inputStream != null) {
+ try {
+ inputStream.close();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ }
+ }
+
+ /**
+ * This is the where the main interception and rule-checking logic of the
+ * WAF resides.
+ */
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
+ throws IOException, ServletException {
+
+ /*
+ * Check to see if polling time has elapsed. If it has, that means we
+ * should check to see if the config file has been changed. If it has,
+ * then re-read it.
+ *
+ * // TODO: Any reason this logic shouldn't be moved into a polling
+ * thread class?
+ */
+
+ if ((System.currentTimeMillis() - lastConfigReadTime) > pollingTime) {
+ File f = new File(configurationFilename);
+ long lastModified = f.lastModified();
+ if (lastModified > lastConfigReadTime) {
+ /*
+ * The file has been altered since it was read in the last time.
+ * Must re-read it.
+ */
+ logger.debug(Logger.EVENT_SUCCESS, ">> Re-reading WAF policy");
+ init(fc);
+ }
+ }
+
+ logger.debug(Logger.EVENT_SUCCESS, ">>In WAF doFilter");
+
+ HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
+ HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
+
+ InterceptingHTTPServletRequest request = null;
+ InterceptingHTTPServletResponse response = null;
+
+ /*
+ * First thing to do is create the InterceptingHTTPServletResponse,
+ * since we'll need that possibly before the
+ * InterceptingHTTPServletRequest.
+ *
+ * The normal HttpRequest-type objects will suffice us until we get to
+ * stage 2.
+ *
+ * 1st argument = the response to base the instance on 2nd argument =
+ * should we bother intercepting the egress response? 3rd argument =
+ * cookie rules because thats where they mostly get acted on
+ */
+
+ if (appGuardConfig.getCookieRules().size() + appGuardConfig.getBeforeResponseRules().size() > 0) {
+ response = new InterceptingHTTPServletResponse(httpResponse, true, appGuardConfig.getCookieRules());
+ }
+
+ /*
+ * Stage 1: Rules that do not need the request body.
+ */
+ logger.debug(Logger.EVENT_SUCCESS, ">> Starting stage 1");
+
+ List rules = this.appGuardConfig.getBeforeBodyRules();
+
+ for (int i = 0; i < rules.size(); i++) {
+
+ Rule rule = rules.get(i);
+ logger.debug(Logger.EVENT_SUCCESS, " Applying BEFORE rule: " + rule.getClass().getName());
+
+ /*
+ * The rules execute in check(). The check() method will also log.
+ * All we have to do is decide what other actions to take.
+ */
+ Action action = rule.check(httpRequest, response, httpResponse);
+
+ if (action.isActionNecessary()) {
+
+ if (action instanceof BlockAction) {
+ if (response != null) {
+ response.setStatus(appGuardConfig.getDefaultResponseCode());
+ } else {
+ httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+ }
+ return;
+
+ } else if (action instanceof RedirectAction) {
+ sendRedirect(response, httpResponse, ((RedirectAction) action).getRedirectURL());
+ return;
+
+ } else if (action instanceof DefaultAction) {
+
+ switch (AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
+ case AppGuardianConfiguration.BLOCK:
+ if (response != null) {
+ response.setStatus(appGuardConfig.getDefaultResponseCode());
+ } else {
+ httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+ }
+ return;
+
+ case AppGuardianConfiguration.REDIRECT:
+ sendRedirect(response, httpResponse);
+ return;
+ }
+ }
+ }
+ }
+
+ /*
+ * Create the InterceptingHTTPServletRequest.
+ */
+
+ try {
+ request = new InterceptingHTTPServletRequest((HttpServletRequest) servletRequest);
+ } catch (FileUploadException fue) {
+ logger.error(Logger.EVENT_SUCCESS, "Error Wrapping Request", fue);
+ }
+
+ /*
+ * Stage 2: After the body has been read, but before the the application
+ * has gotten it.
+ */
+ logger.debug(Logger.EVENT_SUCCESS, ">> Starting Stage 2");
+
+ rules = this.appGuardConfig.getAfterBodyRules();
+
+ for (int i = 0; i < rules.size(); i++) {
+
+ Rule rule = rules.get(i);
+ logger.debug(Logger.EVENT_SUCCESS, " Applying BEFORE CHAIN rule: " + rule.getClass().getName());
+
+ /*
+ * The rules execute in check(). The check() method will take care
+ * of logging. All we have to do is decide what other actions to
+ * take.
+ */
+ Action action = rule.check(request, response, httpResponse);
+
+ if (action.isActionNecessary()) {
+
+ if (action instanceof BlockAction) {
+ if (response != null) {
+ response.setStatus(appGuardConfig.getDefaultResponseCode());
+ } else {
+ httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+ }
+ return;
+
+ } else if (action instanceof RedirectAction) {
+ sendRedirect(response, httpResponse, ((RedirectAction) action).getRedirectURL());
+ return;
+
+ } else if (action instanceof DefaultAction) {
+
+ switch (AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
+ case AppGuardianConfiguration.BLOCK:
+ if (response != null) {
+ response.setStatus(appGuardConfig.getDefaultResponseCode());
+ } else {
+ httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+ }
+ return;
+
+ case AppGuardianConfiguration.REDIRECT:
+ sendRedirect(response, httpResponse);
+ return;
+ }
+ }
+ }
+ }
+
+ /*
+ * In between stages 2 and 3 is the application's processing of the
+ * input.
+ */
+ logger.debug(Logger.EVENT_SUCCESS, ">> Calling the FilterChain: " + chain);
+ chain.doFilter(request, response != null ? response : httpResponse);
+
+ /*
+ * Stage 3: Before the response has been sent back to the user.
+ */
+ logger.debug(Logger.EVENT_SUCCESS, ">> Starting Stage 3");
+
+ rules = this.appGuardConfig.getBeforeResponseRules();
+
+ for (int i = 0; i < rules.size(); i++) {
+
+ Rule rule = rules.get(i);
+ logger.debug(Logger.EVENT_SUCCESS, " Applying AFTER CHAIN rule: " + rule.getClass().getName());
+
+ /*
+ * The rules execute in check(). The check() method will also log.
+ * All we have to do is decide what other actions to take.
+ */
+ Action action = rule.check(request, response, httpResponse);
+
+ if (action.isActionNecessary()) {
+
+ if (action instanceof BlockAction) {
+ if (response != null) {
+ response.setStatus(appGuardConfig.getDefaultResponseCode());
+ } else {
+ httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+ }
+ return;
+
+ } else if (action instanceof RedirectAction) {
+ sendRedirect(response, httpResponse, ((RedirectAction) action).getRedirectURL());
+ return;
+
+ } else if (action instanceof DefaultAction) {
+
+ switch (AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
+ case AppGuardianConfiguration.BLOCK:
+ if (response != null) {
+ response.setStatus(appGuardConfig.getDefaultResponseCode());
+ } else {
+ httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+ }
+ return;
+
+ case AppGuardianConfiguration.REDIRECT:
+ sendRedirect(response, httpResponse);
+ return;
+ }
+ }
+ }
+ }
+
+ /*
+ * Now that we've run our last set of rules we can allow the response to
+ * go through if we were intercepting.
+ */
+
+ if (response != null) {
+ logger.debug(Logger.EVENT_SUCCESS, ">>> committing reponse");
+ response.commit();
+ }
+ }
+
+ /*
+ * Utility method to send HTTP redirects that automatically determines which
+ * response class to use.
+ */
+ private void sendRedirect(InterceptingHTTPServletResponse response, HttpServletResponse httpResponse,
+ String redirectURL) throws IOException {
+
+ if (response != null) { // if we've been buffering everything we clean
+ // it all out before sending back.
+ response.reset();
+ response.resetBuffer();
+ response.sendRedirect(redirectURL);
+ response.commit();
+ } else {
+ httpResponse.sendRedirect(redirectURL);
+ }
+
+ }
+
+ public void destroy() {
+ /*
+ * Any cleanup necessary?
+ */
+ }
+
+ private void sendRedirect(InterceptingHTTPServletResponse response, HttpServletResponse httpResponse)
+ throws IOException {
+ /*
+ * [chrisisbeef] - commented out as this is not currently used. Minor
+ * performance tweak. String finalJavaScript =
+ * AppGuardianConfiguration.JAVASCRIPT_REDIRECT; finalJavaScript =
+ * finalJavaScript.replaceAll(AppGuardianConfiguration.
+ * JAVASCRIPT_TARGET_TOKEN, appGuardConfig.getDefaultErrorPage());
+ */
+
+ if (response != null) {
+ response.reset();
+ response.resetBuffer();
+ /*
+ * response.setStatus(appGuardConfig.getDefaultResponseCode());
+ * response.getOutputStream().write(finalJavaScript.getBytes());
+ */
+ response.sendRedirect(appGuardConfig.getDefaultErrorPage());
+
+ } else {
+ if (!httpResponse.isCommitted()) {
+ httpResponse.sendRedirect(appGuardConfig.getDefaultErrorPage());
+ } else {
+ /*
+ * Can't send redirect because response is already committed.
+ * I'm not sure how this could happen, but I didn't want to
+ * cause IOExceptions in case if it ever does.
+ */
+ }
+
+ }
+ }
}
diff --git a/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java b/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
index 8523c2ceb..aeeebb1e8 100644
--- a/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
+++ b/src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
@@ -16,10 +16,8 @@
package org.owasp.esapi.waf.configuration;
import java.util.ArrayList;
-import java.util.HashMap;
import java.util.List;
-import org.apache.log4j.Level;
import org.owasp.esapi.waf.rules.Rule;
/**
@@ -46,32 +44,6 @@ public class AppGuardianConfiguration {
public static final int OPERATOR_IN_LIST = 2;
public static final int OPERATOR_EXISTS = 3;
- //// TODO - Delete these comments and the next 2 declarations on log4j clean-up.
- /*
- * We have static copies of the log settings so that the Rule objects
- * can access them, because they don't have access to the instance of
- * the configuration object.
- */
- /**
- * @deprecated This {@code LOG_LEVEL} has never actually been used
- * internally and this will be deleted when we remove all Log4J 1.x
- * references.
- */
- @Deprecated
- public static Level LOG_LEVEL = Level.INFO;
- /**
- * @deprecated This {@code LOG_DIRECTORY} has never actually been used
- * internally and this will be deleted when we remove all Log4J 1.x
- * references.
- */
- @Deprecated
- public static String LOG_DIRECTORY = "/WEB-INF/logs";
-
- /*
- * Logging settings.
- */
- private Level logLevel = Level.INFO;
- private String logDirectory = "/WEB-INF/logs";
/*
* Default settings.
diff --git a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImplTest.java b/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImplTest.java
deleted file mode 100644
index f3bf41582..000000000
--- a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImplTest.java
+++ /dev/null
@@ -1,152 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.ExpectedException;
-import org.junit.rules.TestName;
-import org.mockito.ArgumentMatchers;
-import org.mockito.Mockito;
-import org.owasp.esapi.Logger;
-import org.owasp.esapi.Logger.EventType;
-import org.owasp.esapi.logging.appender.LogAppender;
-import org.owasp.esapi.logging.cleaning.LogScrubber;
-
-public class Log4JLogBridgeImplTest {
-
- @Rule
- public TestName testName = new TestName();
- @Rule
- public ExpectedException exEx = ExpectedException.none();
-
- private LogScrubber mockScrubber = Mockito.mock(LogScrubber.class);
- private LogAppender mockAppender = Mockito.mock(LogAppender.class);
- private Log4JLogLevelHandler mockHandler = Mockito.mock(Log4JLogLevelHandler.class);
- private org.apache.log4j.Logger log4JSpy;
- private Throwable testEx = new Throwable(testName.getMethodName());
- private Log4JLogBridge bridge;
-
- @Before
- public void setup() {
- Map levelLookup = new HashMap<>();
- levelLookup.put(Logger.ALL, mockHandler);
-
- org.apache.log4j.Logger wrappedLogger =org.apache.log4j.Logger.getLogger(testName.getMethodName());
- log4JSpy = Mockito.spy(wrappedLogger);
- bridge = new Log4JLogBridgeImpl(mockAppender, mockScrubber, levelLookup);
- }
-
- @Test
- public void testLogMessageWithUnmappedEsapiLevelThrowsException() {
- exEx.expect(IllegalArgumentException.class);
- exEx.expectMessage("Unable to lookup LOG4J level mapping");
- Map emptyMap = Collections.emptyMap();
- new Log4JLogBridgeImpl(mockAppender, mockScrubber, emptyMap).log(log4JSpy, 0, Logger.EVENT_UNSPECIFIED, "This Should fail");
- }
-
- @Test
- public void testLogMessageAndExceptionWithUnmappedEsapiLevelThrowsException() {
- exEx.expect(IllegalArgumentException.class);
- exEx.expectMessage("Unable to lookup LOG4J level mapping");
- Map emptyMap = Collections.emptyMap();
- new Log4JLogBridgeImpl(mockAppender, mockScrubber, emptyMap).log(log4JSpy, 0, Logger.EVENT_UNSPECIFIED, "This Should fail", testEx);
- }
-
- @Test
- public void testLogMessage() {
- EventType eventType = Logger.EVENT_UNSPECIFIED;
- String loggerName = testName.getMethodName();
- String orignMsg = testName.getMethodName();
- String appendMsg = "[APPEND] " + orignMsg;
- String cleanMsg = appendMsg + " [CLEANED]";
-
- //Setup for Appender
- Mockito.when(mockAppender.appendTo(loggerName, eventType, orignMsg)).thenReturn(appendMsg);
- //Setup for Scrubber
- Mockito.when(mockScrubber.cleanMessage(appendMsg)).thenReturn(cleanMsg);
- //Setup for Delegate Handler
- Mockito.when(mockHandler.isEnabled(log4JSpy)).thenReturn(true);
-
- bridge.log(log4JSpy, Logger.ALL, eventType, testName.getMethodName());
-
- Mockito.verify(mockAppender, Mockito.times(1)).appendTo(loggerName, eventType, testName.getMethodName());
- Mockito.verify(mockScrubber, Mockito.times(1)).cleanMessage(appendMsg);
- Mockito.verify(mockHandler, Mockito.times(1)).isEnabled(log4JSpy);
- Mockito.verify(mockHandler, Mockito.times(0)).log(ArgumentMatchers.any(org.apache.log4j.Logger.class), ArgumentMatchers.any(String.class), ArgumentMatchers.any(Throwable.class));
- Mockito.verify(mockHandler, Mockito.times(1)).log(ArgumentMatchers.same(log4JSpy), ArgumentMatchers.eq(cleanMsg));
-
- Mockito.verifyNoMoreInteractions(log4JSpy, mockAppender, mockScrubber,mockHandler);
- }
-
- @Test
- public void testLogErrorMessageWithException() {
- EventType eventType = Logger.EVENT_UNSPECIFIED;
- String loggerName = testName.getMethodName();
- String orignMsg = testName.getMethodName();
- String appendMsg = "[APPEND] " + orignMsg;
- String cleanMsg = appendMsg + " [CLEANED]";
-
- //Setup for Appender
- Mockito.when(mockAppender.appendTo(loggerName, eventType, orignMsg)).thenReturn(appendMsg);
- //Setup for Scrubber
- Mockito.when(mockScrubber.cleanMessage(appendMsg)).thenReturn(cleanMsg);
- //Setup for Delegate Handler
- Mockito.when(mockHandler.isEnabled(log4JSpy)).thenReturn(true);
-
- bridge.log(log4JSpy, Logger.ALL, eventType, testName.getMethodName(), testEx);
-
- Mockito.verify(mockAppender, Mockito.times(1)).appendTo(loggerName, eventType, testName.getMethodName());
- Mockito.verify(mockScrubber, Mockito.times(1)).cleanMessage(appendMsg);
- Mockito.verify(mockHandler, Mockito.times(1)).isEnabled(log4JSpy);
- Mockito.verify(mockHandler, Mockito.times(0)).log(ArgumentMatchers.any(org.apache.log4j.Logger.class), ArgumentMatchers.any(String.class));
-
- Mockito.verify(mockHandler, Mockito.times(1)).log(ArgumentMatchers.same(log4JSpy), ArgumentMatchers.eq(cleanMsg), ArgumentMatchers.same(testEx));
-
- Mockito.verifyNoMoreInteractions(log4JSpy, mockAppender, mockScrubber,mockHandler);
- }
-
-
- @Test
- public void testDisabledLogMessage() {
- Mockito.when(mockHandler.isEnabled(log4JSpy)).thenReturn(false);
-
- bridge.log(log4JSpy, Logger.ALL, Logger.EVENT_UNSPECIFIED, testName.getMethodName());
-
- Mockito.verify(mockHandler, Mockito.times(1)).isEnabled(log4JSpy);
- Mockito.verify(mockScrubber, Mockito.times(0)).cleanMessage(ArgumentMatchers.anyString());
- Mockito.verify(mockHandler, Mockito.times(0)).log(ArgumentMatchers.any(org.apache.log4j.Logger.class), ArgumentMatchers.any(String.class));
- Mockito.verify(mockHandler, Mockito.times(0)).log(ArgumentMatchers.any(org.apache.log4j.Logger.class), ArgumentMatchers.any(String.class), ArgumentMatchers.any(Throwable.class));
- }
-
- @Test
- public void testDisabledErrorLogWithException() {
- Mockito.when(mockHandler.isEnabled(log4JSpy)).thenReturn(false);
-
- bridge.log(log4JSpy, Logger.ALL, Logger.EVENT_UNSPECIFIED, testName.getMethodName(), testEx);
-
- Mockito.verify(mockHandler, Mockito.times(1)).isEnabled(log4JSpy);
- Mockito.verify(mockScrubber, Mockito.times(0)).cleanMessage(ArgumentMatchers.anyString());
- Mockito.verify(mockHandler, Mockito.times(0)).log(ArgumentMatchers.any(org.apache.log4j.Logger.class), ArgumentMatchers.any(String.class));
- Mockito.verify(mockHandler, Mockito.times(0)).log(ArgumentMatchers.any(org.apache.log4j.Logger.class), ArgumentMatchers.any(String.class), ArgumentMatchers.any(Throwable.class));
-
- }
-
-}
diff --git a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogFactoryTest.java b/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogFactoryTest.java
deleted file mode 100644
index 3e186480d..000000000
--- a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogFactoryTest.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import java.util.List;
-
-import org.junit.Assert;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TestName;
-import org.junit.runner.RunWith;
-import org.mockito.ArgumentCaptor;
-import org.owasp.esapi.Logger;
-import org.owasp.esapi.logging.appender.LogAppender;
-import org.owasp.esapi.logging.appender.LogPrefixAppender;
-import org.owasp.esapi.logging.cleaning.CodecLogScrubber;
-import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
-import org.owasp.esapi.logging.cleaning.LogScrubber;
-import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
-
-@RunWith(PowerMockRunner.class)
-@PrepareForTest (Log4JLogFactory.class)
-public class Log4JLogFactoryTest {
- @Rule
- public TestName testName = new TestName();
-
- @Test
- public void testCreateLoggerByString() {
- Logger logger = new Log4JLogFactory().getLogger("test");
- Assert.assertTrue(logger instanceof Log4JLogger);
- }
-
- @Test public void testCreateLoggerByClass() {
- Logger logger = new Log4JLogFactory().getLogger(Log4JLogBridgeImplTest.class);
- Assert.assertTrue(logger instanceof Log4JLogger);
- }
-
- @Test
- public void checkScrubberWithEncoding() throws Exception {
- ArgumentCaptor delegates = ArgumentCaptor.forClass(List.class);
- PowerMockito.whenNew(CompositeLogScrubber.class).withArguments(delegates.capture()).thenReturn(null);
-
- //Call to invoke the constructor capture
- Log4JLogFactory.createLogScrubber(true);
-
- List scrubbers = delegates.getValue();
- Assert.assertEquals(2, scrubbers.size());
- Assert.assertTrue(scrubbers.get(0) instanceof NewlineLogScrubber);
- Assert.assertTrue(scrubbers.get(1) instanceof CodecLogScrubber);
- }
-
- @Test
- public void checkScrubberWithoutEncoding() throws Exception {
- ArgumentCaptor delegates = ArgumentCaptor.forClass(List.class);
- PowerMockito.whenNew(CompositeLogScrubber.class).withArguments(delegates.capture()).thenReturn(null);
-
- //Call to invoke the constructor capture
- Log4JLogFactory.createLogScrubber(false);
-
- List scrubbers = delegates.getValue();
- Assert.assertEquals(1, scrubbers.size());
- Assert.assertTrue(scrubbers.get(0) instanceof NewlineLogScrubber);
- }
-
- /**
- * At this time there are no special considerations or handling for the appender
- * creation in this scope. It is expected that the arguments to the internal
- * creation method are passed directly to the constructor of the
- * LogPrefixAppender with no mutation or additional validation.
- */
- @Test
- public void checkPassthroughAppenderConstruct() throws Exception {
- LogPrefixAppender stubAppender = new LogPrefixAppender(true, true, true, true, "");
- ArgumentCaptor userInfoCapture = ArgumentCaptor.forClass(Boolean.class);
- ArgumentCaptor clientInfoCapture = ArgumentCaptor.forClass(Boolean.class);
- ArgumentCaptor serverInfoCapture = ArgumentCaptor.forClass(Boolean.class);
- ArgumentCaptor logAppNameCapture = ArgumentCaptor.forClass(Boolean.class);
- ArgumentCaptor appNameCapture = ArgumentCaptor.forClass(String.class);
-
- PowerMockito.whenNew(LogPrefixAppender.class).withArguments(userInfoCapture.capture(), clientInfoCapture.capture(), serverInfoCapture.capture(), logAppNameCapture.capture(), appNameCapture.capture()).thenReturn(stubAppender);
-
- LogAppender appender = Log4JLogFactory.createLogAppender(true, true, false, true, testName.getMethodName());
-
- Assert.assertEquals(stubAppender, appender);
- Assert.assertTrue(userInfoCapture.getValue());
- Assert.assertTrue(clientInfoCapture.getValue());
- Assert.assertFalse(serverInfoCapture.getValue());
- Assert.assertTrue(logAppNameCapture.getValue());
- Assert.assertEquals(testName.getMethodName(), appNameCapture.getValue());
- }
-
-
-}
diff --git a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlersTest.java b/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlersTest.java
deleted file mode 100644
index 149617f91..000000000
--- a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlersTest.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TestName;
-import org.mockito.Mockito;
-import org.owasp.esapi.logging.log4j.Log4JLogLevelHandlers;
-
-public class Log4JLogLevelHandlersTest {
-
- private Logger mockLogger = Mockito.mock(Logger.class);
- @Rule
- public TestName testName = new TestName();
-
- private Throwable testException = new Throwable("Expected for testing");
-
- @Test
- public void testFatalDelegation() {
- Log4JLogLevelHandlers.FATAL.isEnabled(mockLogger);
- Log4JLogLevelHandlers.FATAL.log(mockLogger, testName.getMethodName());
- Log4JLogLevelHandlers.FATAL.log(mockLogger, testName.getMethodName(), testException);
-
- Mockito.verify(mockLogger, Mockito.times(1)).isEnabledFor(Level.FATAL);
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.FATAL, testName.getMethodName());
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.FATAL, testName.getMethodName(), testException);
- Mockito.verifyNoMoreInteractions(mockLogger);
- }
-
-
- @Test
- public void testErrorDelegation() {
- Log4JLogLevelHandlers.ERROR.isEnabled(mockLogger);
- Log4JLogLevelHandlers.ERROR.log(mockLogger, testName.getMethodName());
- Log4JLogLevelHandlers.ERROR.log(mockLogger, testName.getMethodName(), testException);
-
- Mockito.verify(mockLogger, Mockito.times(1)).isEnabledFor(Level.ERROR);
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.ERROR, testName.getMethodName());
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.ERROR, testName.getMethodName(), testException);
- Mockito.verifyNoMoreInteractions(mockLogger);
- }
-
- @Test
- public void testWarnDelegation() {
- Log4JLogLevelHandlers.WARN.isEnabled(mockLogger);
- Log4JLogLevelHandlers.WARN.log(mockLogger, testName.getMethodName());
- Log4JLogLevelHandlers.WARN.log(mockLogger, testName.getMethodName(), testException);
-
- Mockito.verify(mockLogger, Mockito.times(1)).isEnabledFor(Level.WARN);
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.WARN, testName.getMethodName());
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.WARN, testName.getMethodName(), testException);
- Mockito.verifyNoMoreInteractions(mockLogger);
- }
- @Test
- public void testInfoDelegation() {
- Log4JLogLevelHandlers.INFO.isEnabled(mockLogger);
- Log4JLogLevelHandlers.INFO.log(mockLogger, testName.getMethodName());
- Log4JLogLevelHandlers.INFO.log(mockLogger, testName.getMethodName(), testException);
-
- Mockito.verify(mockLogger, Mockito.times(1)).isEnabledFor(Level.INFO);
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.INFO, testName.getMethodName());
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.INFO, testName.getMethodName(), testException);
- Mockito.verifyNoMoreInteractions(mockLogger);
- }
- @Test
- public void testDebugDelegation() {
- Log4JLogLevelHandlers.DEBUG.isEnabled(mockLogger);
- Log4JLogLevelHandlers.DEBUG.log(mockLogger, testName.getMethodName());
- Log4JLogLevelHandlers.DEBUG.log(mockLogger, testName.getMethodName(), testException);
-
- Mockito.verify(mockLogger, Mockito.times(1)).isEnabledFor(Level.DEBUG);
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.DEBUG, testName.getMethodName());
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.DEBUG, testName.getMethodName(), testException);
- Mockito.verifyNoMoreInteractions(mockLogger);
- }
- @Test
- public void testTraceDelegation() {
- Log4JLogLevelHandlers.TRACE.isEnabled(mockLogger);
- Log4JLogLevelHandlers.TRACE.log(mockLogger, testName.getMethodName());
- Log4JLogLevelHandlers.TRACE.log(mockLogger, testName.getMethodName(), testException);
-
- Mockito.verify(mockLogger, Mockito.times(1)).isEnabledFor(Level.TRACE);
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.TRACE, testName.getMethodName());
- Mockito.verify(mockLogger, Mockito.times(1)).log(Level.TRACE, testName.getMethodName(), testException);
- Mockito.verifyNoMoreInteractions(mockLogger);
- }
-}
diff --git a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactoryTest.java b/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactoryTest.java
deleted file mode 100644
index 5d73047d3..000000000
--- a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactoryTest.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @author Jeff Williams Aspect Security
- * @created 2019
- */
-package org.owasp.esapi.logging.log4j;
-
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.apache.log4j.spi.LoggerRepository;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TestName;
-import org.junit.runner.RunWith;
-import org.mockito.ArgumentMatchers;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.junit.MockitoJUnitRunner;
-import org.owasp.esapi.logging.appender.LogAppender;
-import org.owasp.esapi.logging.cleaning.LogScrubber;
-import org.powermock.reflect.Whitebox;
-
-/**
- * Basic test implementation that verifies that the {@link LogAppender} and
- * {@link LogScrubber} references are applied by the {@link Logger} instances
- * created by the {@link Log4JLoggerFactory}.
- *
- */
-@RunWith(MockitoJUnitRunner.class)
-public class Log4JLoggerFactoryTest {
- @Mock
- private LogScrubber scrubber;
- @Mock
- private LogAppender appender;
- @Rule
- public TestName testName = new TestName();
-
- private String logMsg = testName.getMethodName() + "-MESSAGE";
- private Logger logger;
-
- @Before
- public void configureStaticFactoryState() {
- Log4JLoggerFactory factory = new Log4JLoggerFactory();
- Whitebox.setInternalState(Log4JLoggerFactory.class, "LOG4J_LOG_SCRUBBER", scrubber);
- Whitebox.setInternalState(Log4JLoggerFactory.class, "LOG4J_LOG_APPENDER", appender);
-
- Mockito.when(scrubber.cleanMessage(logMsg)).thenReturn(logMsg);
- Mockito.when(appender.appendTo(testName.getMethodName(), null, logMsg)).thenReturn(logMsg);
-
- LoggerRepository mockRepo = Mockito.mock(LoggerRepository.class);
- Mockito.when(mockRepo.isDisabled(ArgumentMatchers.anyInt())).thenReturn(false);
-
- logger = factory.makeNewLoggerInstance(testName.getMethodName());
- Whitebox.setInternalState(logger, "repository", mockRepo);
- logger.setLevel(Level.ALL);
- }
-
- @Test
- public void testLogDebug() {
- logger.debug(logMsg);
- Mockito.verify(scrubber, Mockito.times(1)).cleanMessage(logMsg);
- Mockito.verify(appender, Mockito.times(1)).appendTo(testName.getMethodName(), null, logMsg);
- }
-
- @Test
- public void testLogInfo() {
- logger.info(logMsg);
- Mockito.verify(scrubber, Mockito.times(1)).cleanMessage(logMsg);
- Mockito.verify(appender, Mockito.times(1)).appendTo(testName.getMethodName(), null, logMsg);
- }
-
- @Test
- public void testLogWarn() {
- logger.warn(logMsg);
- Mockito.verify(scrubber, Mockito.times(1)).cleanMessage(logMsg);
- Mockito.verify(appender, Mockito.times(1)).appendTo(testName.getMethodName(), null, logMsg);
- }
-
- @Test
- public void testLogError() {
- logger.error(logMsg);
- Mockito.verify(scrubber, Mockito.times(1)).cleanMessage(logMsg);
- Mockito.verify(appender, Mockito.times(1)).appendTo(testName.getMethodName(), null, logMsg);
- }
-
-}
diff --git a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java b/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java
deleted file mode 100644
index 16834f288..000000000
--- a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java
+++ /dev/null
@@ -1,287 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * http://www.owasp.org/index.php/ESAPI.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @created 2019
- */
-
-package org.owasp.esapi.logging.log4j;
-
-import org.junit.Assert;
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.owasp.esapi.Logger;
-import org.owasp.esapi.logging.log4j.Log4JLogBridge;
-import org.owasp.esapi.logging.log4j.Log4JLogger;
-
-public class Log4JLoggerTest {
-
- private static final String MSG = Log4JLoggerTest.class.getSimpleName();
-
- private Log4JLogBridge mockBridge = Mockito.mock(Log4JLogBridge.class);
- private org.apache.log4j.Logger mockLogDelegate = Mockito.mock(org.apache.log4j.Logger.class);
-
- private Throwable testEx = new Throwable(MSG + "_Exception");
- private Logger testLogger = new Log4JLogger(mockLogDelegate, mockBridge, Logger.ALL);
-
- @Test
- public void testLevelEnablement() {
- testLogger.setLevel(Logger.INFO);
-
- Assert.assertTrue(testLogger.isFatalEnabled());
- Assert.assertTrue(testLogger.isErrorEnabled());
- Assert.assertTrue(testLogger.isWarningEnabled());
- Assert.assertTrue(testLogger.isInfoEnabled());
- Assert.assertFalse(testLogger.isDebugEnabled());
- Assert.assertFalse(testLogger.isTraceEnabled());
-
- Assert.assertEquals(Logger.INFO, testLogger.getESAPILevel());
- }
-
- @Test
- public void testAllLevelEnablement() {
- testLogger.setLevel(Logger.ALL);
-
- Assert.assertTrue(testLogger.isFatalEnabled());
- Assert.assertTrue(testLogger.isErrorEnabled());
- Assert.assertTrue(testLogger.isWarningEnabled());
- Assert.assertTrue(testLogger.isInfoEnabled());
- Assert.assertTrue(testLogger.isDebugEnabled());
- Assert.assertTrue(testLogger.isTraceEnabled());
- }
-
- @Test
- public void testOffLevelEnablement() {
- testLogger.setLevel(Logger.OFF);
-
- Assert.assertFalse(testLogger.isFatalEnabled());
- Assert.assertFalse(testLogger.isErrorEnabled());
- Assert.assertFalse(testLogger.isWarningEnabled());
- Assert.assertFalse(testLogger.isInfoEnabled());
- Assert.assertFalse(testLogger.isDebugEnabled());
- Assert.assertFalse(testLogger.isTraceEnabled());
- }
- @Test
- public void testFatalWithMessage() {
- testLogger.fatal(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.FATAL, Logger.EVENT_UNSPECIFIED, MSG);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testFatalWithMessageAndThrowable() {
- testLogger.fatal(Logger.EVENT_UNSPECIFIED, MSG, testEx);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.FATAL, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testFatalWithMessageDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.fatal(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.FATAL, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testFatalWithMessageAndThrowableDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.fatal(Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.FATAL, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testErrorWithMessage() {
- testLogger.error(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.ERROR, Logger.EVENT_UNSPECIFIED, MSG);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testErrorWithMessageAndThrowable() {
- testLogger.error(Logger.EVENT_UNSPECIFIED, MSG, testEx);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.ERROR, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testErrorWithMessageDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.error(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.ERROR, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testErrorWithMessageAndThrowableDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.error(Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.ERROR, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testWarnWithMessage() {
- testLogger.warning(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.WARNING, Logger.EVENT_UNSPECIFIED, MSG);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testWarnWithMessageAndThrowable() {
- testLogger.warning(Logger.EVENT_UNSPECIFIED, MSG, testEx);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.WARNING, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testWarnWithMessageDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.warning(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.WARNING, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testWarnWithMessageAndThrowableDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.warning(Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.WARNING, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testInfoWithMessage() {
- testLogger.info(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.INFO, Logger.EVENT_UNSPECIFIED, MSG);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testInfoWithMessageAndThrowable() {
- testLogger.info(Logger.EVENT_UNSPECIFIED, MSG, testEx);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.INFO, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testInfoWithMessageDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.info(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.INFO, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testInfoWithMessageAndThrowableDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.info(Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.INFO, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testDebugWithMessage() {
- testLogger.debug(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.DEBUG, Logger.EVENT_UNSPECIFIED, MSG);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testDebugWithMessageAndThrowable() {
- testLogger.debug(Logger.EVENT_UNSPECIFIED, MSG, testEx);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.DEBUG, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testDebugWithMessageDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.debug(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.DEBUG, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testDebugWithMessageAndThrowableDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.debug(Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.DEBUG, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testTraceWithMessage() {
- testLogger.trace(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.TRACE, Logger.EVENT_UNSPECIFIED, MSG);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testTraceWithMessageAndThrowable() {
- testLogger.trace(Logger.EVENT_UNSPECIFIED, MSG, testEx);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.TRACE, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testTraceWithMessageDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.trace(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.TRACE, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testTraceWithMessageAndThrowableDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.trace(Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.TRACE, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testAlwaysWithMessage() {
- testLogger.always(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.ALL, Logger.EVENT_UNSPECIFIED, MSG);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testAlwaysWithMessageAndThrowable() {
- testLogger.always(Logger.EVENT_UNSPECIFIED, MSG, testEx);
-
- Mockito.verify(mockBridge, Mockito.times(1)).log(mockLogDelegate, Logger.ALL, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-
- @Test
- public void testAlwaysWithMessageDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.always(Logger.EVENT_UNSPECIFIED, MSG);
-
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.ALL, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
- @Test
- public void testAlwaysWithMessageAndThrowableDisabled() {
- testLogger.setLevel(Logger.OFF);
- testLogger.always(Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verify(mockBridge, Mockito.times(0)).log(mockLogDelegate, Logger.ALL, Logger.EVENT_UNSPECIFIED, MSG, testEx);
- Mockito.verifyNoMoreInteractions(mockBridge, mockLogDelegate);
- }
-}
diff --git a/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties
index 5f10329c6..9e6d67616 100644
--- a/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties
+++ b/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties
@@ -104,10 +104,7 @@ ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
-# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
-ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory
+ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
diff --git a/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties
index 74e645a20..625071607 100644
--- a/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties
+++ b/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties
@@ -104,10 +104,7 @@ ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
-# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
-ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory
+ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
diff --git a/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties
index 4b0a8a33d..46784ceff 100644
--- a/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties
+++ b/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties
@@ -103,10 +103,7 @@ ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
-# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
-ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory
+ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
diff --git a/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties
index 462d04721..f3742cee8 100644
--- a/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties
+++ b/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties
@@ -103,10 +103,7 @@ ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
-# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
-ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
-#ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory
+ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
diff --git a/src/test/resources/esapi/ESAPI.properties b/src/test/resources/esapi/ESAPI.properties
index 29bc7b3dd..d9e12ce9c 100644
--- a/src/test/resources/esapi/ESAPI.properties
+++ b/src/test/resources/esapi/ESAPI.properties
@@ -96,9 +96,6 @@ ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
-# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
-# Note that this is now considered deprecated!
-#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set
# ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
diff --git a/src/test/resources/log4j.dtd b/src/test/resources/log4j.dtd
deleted file mode 100644
index 1aabd96c3..000000000
--- a/src/test/resources/log4j.dtd
+++ /dev/null
@@ -1,227 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/src/test/resources/log4j.xml b/src/test/resources/log4j.xml
deleted file mode 100644
index 9b06c2a23..000000000
--- a/src/test/resources/log4j.xml
+++ /dev/null
@@ -1,70 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/suppressions.xml b/suppressions.xml
index a67ad0522..b367558ce 100644
--- a/suppressions.xml
+++ b/suppressions.xml
@@ -1,108 +1,6 @@
-
-
- ^log4j:log4j:1\.2\.17$
- cpe:/a:apache:log4j
- CVE-2019-17571
-
-
-
- ^log4j:log4j:1\.2\.17$
- cpe:/a:apache:log4j
- CVE-2020-9488
-
-
-
- ^log4j:log4j:1\.2\.17$
- cpe:/a:apache:log4j
- CVE-2021-4104
-
-
-
- ^log4j:log4j:1\.2\.17$
- cpe:/a:apache:log4j
- CVE-2022-23305
-
-
-
- ^log4j:log4j:1\.2\.17$
- cpe:/a:apache:log4j
- CVE-2022-23307
-
-
-
- ^log4j:log4j:1\.2\.17$
- cpe:/a:apache:log4j
- CVE-2022-23302
-
Date: Sat, 9 Jul 2022 23:38:01 -0400
Subject: [PATCH 013/197] Remove obsolete references to Log4J.
---
scripts/esapi-release.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/esapi-release.sh b/scripts/esapi-release.sh
index 88c78e2fa..14253ff22 100755
--- a/scripts/esapi-release.sh
+++ b/scripts/esapi-release.sh
@@ -64,8 +64,8 @@ USAGE="Usage: $PROG esapi_svn_dir"
tmpdir="/tmp/$PROG.$RANDOM-$$"
esapi_release_dir="$tmpdir/esapi_release_dir"
- # This is the directory under esapi_svn_dir where the log4j and ESAPI
- # properties files are located as well as the $esapiConfig/* config files.
+ # This is the directory under esapi_svn_dir where ESAPI configuration files
+ # such as ESAPI.properties are located as well as the $esapiConfig/* config files.
# Note that formerly used to be under src/main/resources, but it since
# has been moved because where it was previously was causing problems with
# Sonatype's Nexus. That particular problem may have been resolved, but it
@@ -141,7 +141,7 @@ mkdir $jartmpdir
cd $jartmpdir || exit
jar xf "$jarfile"
rm -fr ${esapiConfig:?}
-rm -f properties/* log4j.*
+rm -f properties/*
rm -f settings.xml owasp-esapi-dev.jks
# TODO: This part would need some work if we sign or seal the ESAPI jar as
# that creates a special MANIFEST.MF file and other special files and
From 4cead176683b527e146d97debae9884ea666bcf8 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sat, 9 Jul 2022 23:38:43 -0400
Subject: [PATCH 014/197] Revised obsolete references to Log4J 1 and mentioned
it was removed in ESAPI 2.5.0.0.
---
scripts/esapi4java-core-TEMPLATE-release-notes.txt | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
index b55fd969c..b4a953bf9 100644
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt
+++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
@@ -51,7 +51,7 @@ Issue # GitHub Issue Title
@@@@ NOTE any special notes here. Probably leave this one, but I would suggest noting additions BEFORE this.
[If you have already successfully been using ESAPI 2.2.1.0 or later, you probably can skip this section.]
-Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we have deprecated the use of Log4J 1.x because we now support SLF4J and Log4J 1.x is way past its end-of-life. We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
+Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we had deprecated the use of Log4J 1.x because was way past its end-of-life. (Note: As of ESAPI 2.5.0.0, we have officially removed all Log4J 1 dependencies, after it had been deprecated for 2 years as per our deprecation policy.) We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
However, if you try to juse the new ESAPI 2.2.1.0 or later logging you will notice that you need to change ESAPI.Logger and also possibly provide some other properties as well to get the logging behavior that you desire.
@@ -87,11 +87,6 @@ If you are using JavaLogFactory, you will also want to ensure that you have the
See GitHub issue #560 for additional details.
-Related to that aforemented Log4J 1.x CVE and how it affects ESAPI, be sure to read
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
-which describes CVE-2019-17571, a deserialization vulnerability in Log4J 1.2.17. ESAPI is *NOT* affected by this (even if you chose to use Log4J 1 as you default ESAPI logger). This security bulletin describes why this CVE is not exploitable as used by ESAPI.
-
-
Finally, while ESAPI still supports JDK 7 (even though that too is way past end-of-life), the next ESAPI release will move to JDK 8 as the minimal baseline. (We already use Java 8 for development but still to Java 7 source and runtime compatibility.) We need to do this out of necessity because some of our dependencies are no longer doing updates that support Java 7.
-----------------------------------------------------------------------------
@@ -127,11 +122,6 @@ Another problem is if you run 'mvn test' from the 'cmd' prompt (and possibly Pow
We believe these failures is because the maven-surefire-plugin is by default not forking a new JVM process for each test class. We are looking into this. For now, we have only have observed this behavior on Windows 10. If you see this error, please do NOT report it as a GitHub issue unless you know a fix for it. (And yes, we are aware of 'false' in the pom for the maven-surefire-plugin, but that causes other tests to fail that we haven't had time to fix.)
-
-Lastly, some SCA services may continue to flag vulnerabilties in ESAPI ${VERSION} related to log4j 1.2.17 (e.g., CVE-2020-9488). We do not believe the way that ESAPI uses log4j in a manner that leads to any exploitable behavior. See the security bulletins
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
-for additional details.
-
-----------------------------------------------------------------------------
Other changes in this release, some of which not tracked via GitHub issues
From 740b6473aa56725e9c39308aa33a012bfe5c5151 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sat, 9 Jul 2022 23:41:35 -0400
Subject: [PATCH 015/197] Remove references to log4j.dtd & log4j.xml since
thev've been deleted.
---
src/main/assembly/dist.xml | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/main/assembly/dist.xml b/src/main/assembly/dist.xml
index 3b2ee8e57..676039c82 100644
--- a/src/main/assembly/dist.xml
+++ b/src/main/assembly/dist.xml
@@ -38,8 +38,6 @@
configurationesapi/**/*
- log4j.dtd
- log4j.xmlproperties/**/*
From c639ee665725ca72d954bd271b20f5c6d7dc0472 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 10 Jul 2022 00:09:48 -0400
Subject: [PATCH 016/197] 1) Remove obsolete references to Log4J. 2) Javadoc
clean-up.
---
src/main/java/org/owasp/esapi/Logger.java | 61 +++++++++++++----------
1 file changed, 34 insertions(+), 27 deletions(-)
diff --git a/src/main/java/org/owasp/esapi/Logger.java b/src/main/java/org/owasp/esapi/Logger.java
index c73e27ab2..7c4ccef9e 100644
--- a/src/main/java/org/owasp/esapi/Logger.java
+++ b/src/main/java/org/owasp/esapi/Logger.java
@@ -16,12 +16,12 @@
package org.owasp.esapi;
/**
- * The Logger interface defines a set of methods that can be used to log
+ * The {@code Logger} interface defines a set of methods that can be used to log
* security events. It supports a hierarchy of logging levels which can be configured at runtime to determine
* the severity of events that are logged, and those below the current threshold that are discarded.
* Implementors should use a well established logging library
* as it is quite difficult to create a high-performance logger.
- *
+ *
* The logging levels defined by this interface (in descending order) are:
*
*
fatal (highest value)
@@ -33,9 +33,9 @@
*
* There are also several variations of {@code always()} methods that will always
* log a message regardless of the log level.
- *
+ *
* ESAPI also allows for the definition of the type of log event that is being generated.
- * The Logger interface predefines 6 types of Log events:
+ * The {@code Logger} interface predefines 6 types of Log events:
*
*
SECURITY_SUCCESS
*
SECURITY_FAILURE
@@ -44,47 +44,54 @@
*
EVENT_FAILURE
*
EVENT_UNSPECIFIED
*
- *
- * Your implementation can extend or change this list if desired.
- *
- * This Logger allows callers to determine which logging levels are enabled, and to submit events
+ *
+ * Your custom implementation can extend or change this list if desired.
+ *
+ * This {@code Logger} allows callers to determine which logging levels are enabled, and to submit events
* at different severity levels.
* Implementors of this interface should:
*
*
- *
provide a mechanism for setting the logging level threshold that is currently enabled. This usually works by logging all
+ *
Provide a mechanism for setting the logging level threshold that is currently enabled. This usually works by logging all
* events at and above that severity level, and discarding all events below that level.
* This is usually done via configuration, but can also be made accessible programmatically.
- *
ensure that dangerous HTML characters are encoded before they are logged to defend against malicious injection into logs
+ *
Ensure that dangerous HTML characters are encoded before they are logged to defend against malicious injection into logs
* that might be viewed in an HTML based log viewer.
- *
encode any CRLF characters included in log data in order to prevent log injection attacks.
- *
avoid logging the user's session ID. Rather, they should log something equivalent like a
+ *
Encode any CRLF characters included in log data in order to prevent log injection attacks.
+ *
Avoid logging the user's session ID. Rather, they should log something equivalent like a
* generated logging session ID, or a hashed value of the session ID so they can track session specific
* events without risking the exposure of a live session's ID.
- *
record the following information with each event:
+ *
Record the following information with each event:
*
- *
identity of the user that caused the event,
- *
a description of the event (supplied by the caller),
- *
whether the event succeeded or failed (indicated by the caller),
- *
severity level of the event (indicated by the caller),
- *
that this is a security relevant event (indicated by the caller),
- *
hostname or IP where the event occurred (and ideally the user's source IP as well),
- *
a time stamp
+ *
Identity of the user that caused the event.
+ *
A description of the event (supplied by the caller).
+ *
Whether the event succeeded or failed (indicated by the caller).
+ *
Severity level of the event (indicated by the caller).
+ *
That this is a security relevant event (indicated by the caller).
+ *
Hostname or IP where the event occurred (and ideally the user's source IP as well).
filter out any sensitive data specific to the current application or organization, such as credit cards,
+ *
Filter out any sensitive data specific to the current application or organization, such as credit cards,
* social security numbers, etc.
*
*
- * There are both Log4j and native Java Logging default implementations. JavaLogger uses the java.util.logging package as the basis for its logging
- * implementation. Both default implementations implements requirements #1 thru #5 above.
- *
- * Customization: It is expected that most organizations will implement their own custom Logger class in
- * order to integrate ESAPI logging with their logging infrastructure. The ESAPI Reference Implementation
- * is intended to provide a simple functional example of an implementation.
+ * There are both SLF4J and native Java Logging (i.e., {@code java.util.logging}, aka JUL) implementations
+ * of the ESAPI logger with JUL being our default logger for our stock ESAPI.properties file that
+ * is delivered along with ESAPI releases in a separate esapi-configuration jar available from the
+ * releases mentioned on
+ * ESAPI's GitHub Releases page.
+ *
+ * The {@code org.owasp.esapi.logging.java.JavaLogger} class uses the {@code java.util.logging} package as
+ * the basis for its logging implementation. Both provided implementations implement requirements #1 through #5 above.
+ *
+ * Customization: It is expected that most organizations may wish to implement their own custom {@code Logger} class in
+ * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations
+ * can serve as a useful starting point to intended to provide a simple functional example of an implementation, but
+ * they are also largely usuable out-of-the-box with some additional minimal log configuration.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
From 49983aa83ba0bcbc7be513f2f729889440d76d4e Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 10 Jul 2022 00:17:28 -0400
Subject: [PATCH 017/197] Change Javadoc link from Log4JLoggerTest to
JavaLoggerTest.
---
src/test/java/org/owasp/esapi/reference/TestDebug.java | 2 +-
src/test/java/org/owasp/esapi/reference/TestError.java | 2 +-
src/test/java/org/owasp/esapi/reference/TestFatal.java | 2 +-
src/test/java/org/owasp/esapi/reference/TestInfo.java | 2 +-
src/test/java/org/owasp/esapi/reference/TestTrace.java | 2 +-
src/test/java/org/owasp/esapi/reference/TestUnspecified.java | 2 +-
src/test/java/org/owasp/esapi/reference/TestWarning.java | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/test/java/org/owasp/esapi/reference/TestDebug.java b/src/test/java/org/owasp/esapi/reference/TestDebug.java
index 4be138f0c..53ffd77b3 100644
--- a/src/test/java/org/owasp/esapi/reference/TestDebug.java
+++ b/src/test/java/org/owasp/esapi/reference/TestDebug.java
@@ -8,7 +8,7 @@
* @author August Detlefsen (augustd at codemagi dot com)
* CodeMagi, Inc.
* @since October 15, 2010
- * @see org.owasp.esapi.logging.log4j.Log4JLoggerTest
+ * @see org.owasp.esapi.logging.java.JavaLoggerTest
*/
public class TestDebug extends TestCase {
diff --git a/src/test/java/org/owasp/esapi/reference/TestError.java b/src/test/java/org/owasp/esapi/reference/TestError.java
index 323cbe11a..17e889fd7 100644
--- a/src/test/java/org/owasp/esapi/reference/TestError.java
+++ b/src/test/java/org/owasp/esapi/reference/TestError.java
@@ -8,7 +8,7 @@
* @author August Detlefsen (augustd at codemagi dot com)
* CodeMagi, Inc.
* @since October 15, 2010
- * @see org.owasp.esapi.logging.log4j.Log4JLoggerTest
+ * @see org.owasp.esapi.logging.java.JavaLoggerTest
*/
public class TestError extends TestCase {
diff --git a/src/test/java/org/owasp/esapi/reference/TestFatal.java b/src/test/java/org/owasp/esapi/reference/TestFatal.java
index 9d7615048..a8176a2c1 100644
--- a/src/test/java/org/owasp/esapi/reference/TestFatal.java
+++ b/src/test/java/org/owasp/esapi/reference/TestFatal.java
@@ -8,7 +8,7 @@
* @author August Detlefsen (augustd at codemagi dot com)
* CodeMagi, Inc.
* @since October 15, 2010
- * @see org.owasp.esapi.logging.log4j.Log4JLoggerTest
+ * @see org.owasp.esapi.logging.java.JavaLoggerTest
*/
public class TestFatal extends TestCase {
diff --git a/src/test/java/org/owasp/esapi/reference/TestInfo.java b/src/test/java/org/owasp/esapi/reference/TestInfo.java
index e4cb72599..f404ecbbb 100644
--- a/src/test/java/org/owasp/esapi/reference/TestInfo.java
+++ b/src/test/java/org/owasp/esapi/reference/TestInfo.java
@@ -8,7 +8,7 @@
* @author August Detlefsen (augustd at codemagi dot com)
* CodeMagi, Inc.
* @since October 15, 2010
- * @see org.owasp.esapi.logging.log4j.Log4JLoggerTest
+ * @see org.owasp.esapi.logging.java.JavaLoggerTest
*/
public class TestInfo extends TestCase {
diff --git a/src/test/java/org/owasp/esapi/reference/TestTrace.java b/src/test/java/org/owasp/esapi/reference/TestTrace.java
index d6516fbeb..3e7b841ea 100644
--- a/src/test/java/org/owasp/esapi/reference/TestTrace.java
+++ b/src/test/java/org/owasp/esapi/reference/TestTrace.java
@@ -8,7 +8,7 @@
* @author August Detlefsen (augustd at codemagi dot com)
* CodeMagi, Inc.
* @since October 15, 2010
- * @see org.owasp.esapi.logging.log4j.Log4JLoggerTest
+ * @see org.owasp.esapi.logging.java.JavaLoggerTest
*/
public class TestTrace extends TestCase {
diff --git a/src/test/java/org/owasp/esapi/reference/TestUnspecified.java b/src/test/java/org/owasp/esapi/reference/TestUnspecified.java
index d8138d550..c8c9c2651 100644
--- a/src/test/java/org/owasp/esapi/reference/TestUnspecified.java
+++ b/src/test/java/org/owasp/esapi/reference/TestUnspecified.java
@@ -8,7 +8,7 @@
* @author August Detlefsen (augustd at codemagi dot com)
* CodeMagi, Inc.
* @since October 15, 2010
- * @see org.owasp.esapi.logging.log4j.Log4JLoggerTest
+ * @see org.owasp.esapi.logging.java.JavaLoggerTest
*/
public class TestUnspecified extends TestCase {
diff --git a/src/test/java/org/owasp/esapi/reference/TestWarning.java b/src/test/java/org/owasp/esapi/reference/TestWarning.java
index eb28c9ad4..0d80c1c7e 100644
--- a/src/test/java/org/owasp/esapi/reference/TestWarning.java
+++ b/src/test/java/org/owasp/esapi/reference/TestWarning.java
@@ -8,7 +8,7 @@
* @author August Detlefsen (augustd at codemagi dot com)
* CodeMagi, Inc.
* @since October 15, 2010
- * @see org.owasp.esapi.logging.log4j.Log4JLoggerTest
+ * @see org.owasp.esapi.logging.java.JavaLoggerTest
*/
public class TestWarning extends TestCase {
From 84ab63c78b2a419a12c94e03f68822a271deac04 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 10 Jul 2022 00:21:51 -0400
Subject: [PATCH 018/197] Remove reference to log4j.jar since we no longer
need/use it.
---
src/examples/java/DisplayEncryptedProperties.java | 2 +-
src/examples/java/ESAPILogging.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/examples/java/DisplayEncryptedProperties.java b/src/examples/java/DisplayEncryptedProperties.java
index d71ac7d83..ba0ce15ef 100644
--- a/src/examples/java/DisplayEncryptedProperties.java
+++ b/src/examples/java/DisplayEncryptedProperties.java
@@ -8,7 +8,7 @@
// that were encrypted using ESAPI's EncryptedProperties class.
//
// Usage: java -classpath DisplayEncryptedProperties encryptedPropFileName
-// where is proper classpath, which minimally include esapi.jar & log4j.jar
+// where is proper classpath, which minimally includes the esapi.jar.
public class DisplayEncryptedProperties {
public DisplayEncryptedProperties() {
diff --git a/src/examples/java/ESAPILogging.java b/src/examples/java/ESAPILogging.java
index 338e77e89..b085c66d2 100644
--- a/src/examples/java/ESAPILogging.java
+++ b/src/examples/java/ESAPILogging.java
@@ -4,7 +4,7 @@
// Purpose: Short code snippet to show how ESAPI logging works.
//
// Usage: java -classpath ESAPILogging
-// where is proper classpath, which minimally include esapi.jar & log4j.jar
+// where is proper classpath, which minimally includes the esapi.jar.
public class ESAPILogging {
public static void main(String[] args) {
From 040dfbb55afabd05e9b8962c2e6de697019535c7 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 10 Jul 2022 00:25:54 -0400
Subject: [PATCH 019/197] Delete obsolete reference to log4j.
---
documentation/LoggerDesignAndTesting.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/documentation/LoggerDesignAndTesting.md b/documentation/LoggerDesignAndTesting.md
index 259488a65..d3542a48a 100644
--- a/documentation/LoggerDesignAndTesting.md
+++ b/documentation/LoggerDesignAndTesting.md
@@ -22,6 +22,6 @@ The general workflow is:
Logger.info/warn/etc(message) -> forwards to LogBridgelog(logger, esapiLevel, type, message) -> forwards to LogHandler.log(...) -> forwards to slf4j Logger implementation with appropriate level and composed message.
-So each of the tests for each of the classes verifies data in -> data out based on the Logging API. The structure for JUL, Log4J, and SLF4J are almost identical. There are a few differences in the interaction with the underlying Logger interactions and expectations. As a result, the tests are also almost full duplications (again accounting for differences in the underlying logging API).
+So each of the tests for each of the classes verifies data in -> data out based on the Logging API. The structure for JUL and SLF4J are almost identical. There are a few differences in the interaction with the underlying Logger interactions and expectations. As a result, the tests are also almost full duplications (again accounting for differences in the underlying logging API).
-J
From 40564a41c212198765557c5ca3f8f260dbb97c2c Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 11 Jul 2022 00:11:33 -0400
Subject: [PATCH 020/197] Remove log4j references and update dependencies where
needed.
---
src/examples/scripts/encryptProperties.sh | 6 ++----
src/examples/scripts/persistEncryptedData.sh | 7 +++----
src/examples/scripts/runClass.sh | 4 +---
src/examples/scripts/setMasterKey.sh | 3 +--
src/examples/scripts/setenv-svn.sh | 22 +++++---------------
src/examples/scripts/setenv-zip.sh | 12 ++---------
6 files changed, 14 insertions(+), 40 deletions(-)
diff --git a/src/examples/scripts/encryptProperties.sh b/src/examples/scripts/encryptProperties.sh
index bc606830b..4ee001d59 100755
--- a/src/examples/scripts/encryptProperties.sh
+++ b/src/examples/scripts/encryptProperties.sh
@@ -49,8 +49,7 @@ cd ../java
if [[ "$action" == "-display" ]]
then
set -x
- java -Dlog4j.configuration="file:$log4j_properties" \
- -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+ java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
-classpath "$esapi_classpath" \
DisplayEncryptedProperties "$filename"
else
@@ -65,8 +64,7 @@ else
echo
echo "Hit to continue..."; read GO
set -x
- java -Dlog4j.configuration="file:$log4j_properties" \
- -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+ java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
-classpath "$esapi_classpath" \
org.owasp.esapi.reference.crypto.DefaultEncryptedProperties "$filename" &&
echo "Output of encrypted properties in file: $filename"
diff --git a/src/examples/scripts/persistEncryptedData.sh b/src/examples/scripts/persistEncryptedData.sh
index e7dbbe42b..fc4a5ed46 100755
--- a/src/examples/scripts/persistEncryptedData.sh
+++ b/src/examples/scripts/persistEncryptedData.sh
@@ -23,7 +23,6 @@ set -x
# Since this is just an illustration, we will use the test ESAPI.properties in
# $esapi_resources_test. That way, it won't matter if the user has neglected
# to run the 'setMasterKey.sh' example before running this one.
-java -Dlog4j.configuration="file:$log4j_properties" \
- -Dorg.owasp.esapi.resources="$esapi_resources_test" \
- -ea -classpath "$esapi_classpath" \
- PersistedEncryptedData "$@"
+java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+ -ea -classpath "$esapi_classpath" \
+ PersistedEncryptedData "$@"
diff --git a/src/examples/scripts/runClass.sh b/src/examples/scripts/runClass.sh
index 1c79082c9..2b28a4a4c 100755
--- a/src/examples/scripts/runClass.sh
+++ b/src/examples/scripts/runClass.sh
@@ -19,10 +19,8 @@ then echo >2&1 "Can't find class file: ${className}.class"
exit 1
fi
echo "Your ESAPI.properties file: ${esapi_resources_test:?}/ESAPI.properties"
-echo "Your log4j properties file: ${log4j_properties:?}"
echo
set -x
-java -Dlog4j.configuration="file:$log4j_properties" \
- -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
-classpath "$esapi_classpath" \
${className} "$@"
diff --git a/src/examples/scripts/setMasterKey.sh b/src/examples/scripts/setMasterKey.sh
index 7075532bc..ecd0937f7 100755
--- a/src/examples/scripts/setMasterKey.sh
+++ b/src/examples/scripts/setMasterKey.sh
@@ -16,7 +16,6 @@ echo
# set -x
# This should use the real ESAPI.properties in $esapi_resources that does
# not yet have Encryptor.MasterKey and Encryptor.MasterSalt yet set.
-java -Dlog4j.configuration="file:$log4j_properties" \
- -Dorg.owasp.esapi.resources="$esapi_resources" \
+java -Dorg.owasp.esapi.resources="$esapi_resources" \
-classpath "$esapi_classpath" \
org.owasp.esapi.reference.crypto.JavaEncryptor "$@"
diff --git a/src/examples/scripts/setenv-svn.sh b/src/examples/scripts/setenv-svn.sh
index db4846e7c..d8ab6d727 100755
--- a/src/examples/scripts/setenv-svn.sh
+++ b/src/examples/scripts/setenv-svn.sh
@@ -9,23 +9,17 @@
# where '$' represents the shell command line prompt.
###########################################################################
-# IMPORTANT NOTE: Since you may have multiple (say) log4j jars under
-# your Maven2 repository under $HOME/.m2/respository, we
-# look for the specific versions that ESAPI was using as of
-# ESAPI 2.0_RC10 release on 2010/10/18. If these versions
-# changed, they will have to be reflected here.
-#
+# IMPORTANT NOTE: These dependency versions may need updated. Should match
+# what is in ESAPI's pom.xml.
esapi_classpath=".:\
../../../target/classes:\
$(ls ../../../target/esapi-*.jar 2>&- || echo .):\
-$(./findjar.sh log4j-1.2.17.jar):\
-$(./findjar.sh commons-fileupload-1.3.1.jar):\
-$(./findjar.sh servlet-api-2.5.jar)"
+$(./findjar.sh commons-fileupload-1.4.jar):\
+$(./findjar.sh servlet-api-3.1.0.jar)"
esapi_resources="$(\cd ../../../configuration/esapi >&- 2>&- && pwd)"
esapi_resources_test="$(\cd ../../../src/test/resources/esapi >&- 2>&- && pwd)"
-log4j_properties="../../../src/test/resources/log4j.xml"
if [[ ! -r "$esapi_resources"/ESAPI.properties ]]
then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources"
@@ -37,16 +31,10 @@ then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources_t
return 1 # Don't use 'exit' here or it will kill their current shell.
fi
-if [[ ! -r "$log4j_properties" ]]
-then echo 2>&1 "setenv-svn.sh: Can't read log4j.xml: $log4j_properties"
- return 1 # Don't use 'exit' here or it will kill their current shell.
-fi
-
echo ############################################################
echo "esapi_resources=$esapi_resources"
echo "esapi_resources_test=$esapi_resources_test"
-echo "log4j_properties=$log4j_properties"
echo "esapi_classpath=$esapi_classpath"
echo ############################################################
-export esapi_classpath esapi_resources esapi_resources_test log4j_properties
+export esapi_classpath esapi_resources esapi_resources_test
diff --git a/src/examples/scripts/setenv-zip.sh b/src/examples/scripts/setenv-zip.sh
index 310864ac0..199d9c055 100755
--- a/src/examples/scripts/setenv-zip.sh
+++ b/src/examples/scripts/setenv-zip.sh
@@ -12,18 +12,15 @@
# Here we don't look for the specific versions of the dependent libraries
# since the specific version of the library is delivered as part of the
# ESAPI zip file. In this manner, we do not have to update this if these
-# versions change. For the record, at the time of this writing, these were
-# log4j-1.2.17.jar, commons-fileupload-1.3.1.jar, and servlet-api-2.5.jar.
+# versions change.
esapi_classpath=".:\
$(ls ../../../esapi*.jar):\
-$(./findjar.sh -start ../../../libs log4j-*.jar):\
$(./findjar.sh -start ../../../libs commons-fileupload-*.jar):\
$(./findjar.sh -start ../../../libs servlet-api-*.jar)"
esapi_resources="$(\cd ../../../configuration/esapi >&- 2>&- && pwd)"
esapi_resources_test="$(\cd ../../../src/test/resources/esapi >&- 2>&- && pwd)"
-log4j_properties="../../../src/test/resources/log4j.xml"
if [[ ! -r "$esapi_resources"/ESAPI.properties ]]
then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources"
@@ -35,16 +32,11 @@ then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources_t
return 1 # Don't use 'exit' here or it will kill their current shell.
fi
-if [[ ! -r "$log4j_properties" ]]
-then echo 2>&1 "setenv-svn.sh: Can't read log4j.xml: $log4j_properties"
- return 1 # Don't use 'exit' here or it will kill their current shell.
-fi
echo ############################################################
echo "esapi_resources=$esapi_resources"
echo "esapi_resources_test=$esapi_resources_test"
-echo "log4j_properties=$log4j_properties"
echo "esapi_classpath=$esapi_classpath"
echo ############################################################
-export esapi_classpath esapi_resources esapi_resources_test log4j_properties
+export esapi_classpath esapi_resources esapi_resources_test
From 6630df5f51d2cbf054dfa0327501c876d003bbcb Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 11 Jul 2022 00:34:47 -0400
Subject: [PATCH 021/197] Add warning if log_settings init parameter is
specified as it is now ignored.
---
.../esapi/waf/ESAPIWebApplicationFirewallFilter.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java b/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
index 0879ac516..7f47ae43e 100644
--- a/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
+++ b/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
@@ -139,8 +139,18 @@ public void init(FilterConfig fc) throws ServletException {
logger.debug(Logger.EVENT_SUCCESS, ">> Initializing WAF");
/*
- * Pull logging file.
+ * Pull logging file. -- We now ignore this arg, but will log something
+ * letting users know we are ignoring it, because many of them never
+ * seem to read the release notes. And this is probably better than
+ * throwing an exception.
*/
+ String logSettingsFilename = fc.getInitParameter(LOGGING_FILE_PARAM);
+ if ( logSettingsFilename != null ) {
+ logger.warning(Logger.EVENT_FAILURE, ">> Since ESAPI 2.5.0.0, ESAPI WAF ignoring parameter '" +
+ LOGGING_FILE_PARAM + "; for further details, see " +
+ "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt");
+
+ }
/*
* Pull main configuration file.
From 51c5a3a25d4667e9e6d704dfeff3a3d06797d23e Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 11 Jul 2022 00:36:16 -0400
Subject: [PATCH 022/197] Change log4j.xml to prop value that's obviously
ignored. Also added explanatory comment.
---
.../java/org/owasp/esapi/waf/WAFTestUtility.java | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/test/java/org/owasp/esapi/waf/WAFTestUtility.java b/src/test/java/org/owasp/esapi/waf/WAFTestUtility.java
index 284efb9c0..ca1d524cd 100644
--- a/src/test/java/org/owasp/esapi/waf/WAFTestUtility.java
+++ b/src/test/java/org/owasp/esapi/waf/WAFTestUtility.java
@@ -39,7 +39,19 @@ public class WAFTestUtility {
public static void setWAFPolicy( ESAPIWebApplicationFirewallFilter waf, String policyFile ) throws Exception {
Map map = new HashMap();
map.put( "configuration", policyFile );
- map.put( "log_settings", "../log4j.xml");
+
+ // As of ESAPI 2.5.0.0 (when Log4J 1 dependency was removed), thsi
+ // init parameter is not ignored. However, it will produce a warning
+ // log message that looks something like this:
+ //
+ // [2022-07-11 00:25:45] [org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter] [EVENT FAILURE Anonymous:90471@unknown -> 10.1.43.6:80/ExampleApplication/org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter] >> Since ESAPI 2.5.0.0, ESAPI WAF ignoring parameter 'log_settings; for further details, see https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt
+ //
+ // Without getting really fancy and making this test way more
+ // complicated than I want though, I am not sure how to test for
+ // some specicif log output. It's been manually verified (once).
+ // Hopefully, that is good enough. -kwwall
+ //
+ map.put( "log_settings", "parameter-now-ignored!!!");
FilterConfig mfc = new MockWafFilterConfig( map );
waf.init( mfc );
}
From 92239e8f87db96155e9aadec9217fa4e17f428a5 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 11 Jul 2022 21:35:43 -0400
Subject: [PATCH 023/197] Update Maven plugins and dependencies. Still waiting
for AntiSamy 1.7.0 to become official.
---
pom.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 317d5c189..e8743c1a1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -140,7 +140,7 @@
2.0.94.7.11.12.0
- 4.7.0.0
+ 4.7.1.03.0.0-M71.8
@@ -406,7 +406,7 @@
org.apache.maven.pluginsmaven-assembly-plugin
- 3.4.0
+ 3.4.1org.apache.maven.plugins
@@ -538,7 +538,7 @@
org.codehaus.mojoextra-enforcer-rules
- 1.5.1
+ 1.6.0org.codehaus.mojo
From d6251b5e5ade0bfe312efbb1d798af266ec70e0d Mon Sep 17 00:00:00 2001
From: "Kevin W. Wall"
Date: Sun, 17 Jul 2022 14:35:52 -0400
Subject: [PATCH 024/197] Changes to prepare for 2.5.0.0 release. (#719)
* Changes to prepare for 2.5.0.0 release.
* More 2.5.0.0 release preparation:
* Fix typos in 2.5.0.0 release notes.
* Emblesh section in release notes about AntiSamy as well as 'Know Issues / Problems' section.
* Fix pom.xml to address dependency convergence issue caused by AntiSamy 1.7.0 and drop '-SNAPSHOT' on ESAPI version.
* Address previously deprecated and not deleted AntiSamy Policy method in HTMLValidationRuleAntisamyPropertyTest.java JUnit test.
---
README.md | 17 +-
.../esapi4java-core-2.5.0.0-release-notes.txt | 243 ++++++++++++++++++
pom.xml | 15 +-
scripts/README.txt | 1 +
...esapi4java-core-TEMPLATE-release-notes.txt | 103 +++-----
scripts/vars.2.4.0.0 | 14 +
scripts/vars.2.5.0.0 | 14 +
...TMLValidationRuleAntisamyPropertyTest.java | 22 +-
8 files changed, 332 insertions(+), 97 deletions(-)
create mode 100644 documentation/esapi4java-core-2.5.0.0-release-notes.txt
create mode 100644 scripts/vars.2.4.0.0
create mode 100644 scripts/vars.2.5.0.0
diff --git a/README.md b/README.md
index 43bb29711..8e4933f1e 100644
--- a/README.md
+++ b/README.md
@@ -32,8 +32,11 @@ Development for the "next generation" of ESAPI (starting with ESAPI 3.0), will b
GitHub repository at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java).
**IMPORTANT NOTES:**
-* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.4.0.0 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.
+* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.5.0.0 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.
* Also, the *minimal* baseline Java version to use ESAPI is now Java 8. (This was changed from Java 7 during the 2.4.0.0 release.)
+* Support was dropped for Log4J 1 during ESAPI 2.5.0.0 release. If you need it, configure it via SLF4J. See the
+ [2.5.0.0 release notes](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt)
+for details.
# Where can I find ESAPI 3.x?
As mentioned above, you can find it at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java).
@@ -63,7 +66,7 @@ link to the specific release notes.
Starting with release 2.4.0.0, Java 8 or later is required.
# Locating ESAPI Jar files
-The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.4.0.0.
+The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.0.0.
All the *regular* ESAPI jars, with the exception of the ESAPI configuration
jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached
GPG signature, are available from Maven Central. The ESAPI configuration
@@ -85,11 +88,11 @@ to be using such classes directly in your code. At the ESAPI team's discretion,
it will also not apply for any known exploitable vulnerabilities for which
no available workaround exists.
-**IMPORTANT NOTES:** The next planned removal of deprecated code is for us to
-remove all the Log4J 1.x related ESAPI Logger code. The Log4J 1 ESAPI Logger
-was first marked deprecated in ESAPI 2.2.1.0, which was released July 13, 2022.
-This means that on or shortly after, you can expect a new ESAPI release that
-will no longer have a dependency on Log4J 1. **YOU HAVE BEEN WARNED!!!**
+**IMPORTANT NOTES:** As of ESAPI 2.5.0.0, all the Log4J 1.x related code
+has been removed from the ESAPI code base (with the exception of some
+references in documentation). If you must, you still should be able to
+use Log4J 1.x logging via ESAPI SLF4J support. See the ESAPI 2.5.0.0 release
+notes for further details.
# Contributing to ESAPI legacy
### How can I contribute or help with fix bugs?
diff --git a/documentation/esapi4java-core-2.5.0.0-release-notes.txt b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
new file mode 100644
index 000000000..67186f17f
--- /dev/null
+++ b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
@@ -0,0 +1,243 @@
+Release notes for ESAPI 2.5.0.0
+ Release date: 2022-07-17
+ Project leaders:
+ -Kevin W. Wall
+ -Matt Seil
+
+Previous release: ESAPI 2.4.0.0, 2022-04-24
+
+
+Executive Summary: Important Things to Note for this Release
+------------------------------------------------------------
+
+In addition to this summary, please also be sure to thoroughly read the section "Changes Requiring Special Attention", below.
+
+Major changes:
+ Logging:
+ The major change in ESAPI 2.5.0.0 is the removal of the Log4J 1 dependency (specifically, log4j-1.2.17). It has been removed because in accordance with the ESAPI deprecation policy (see the README.md file), the Log4J supported logger has been deprecated for 2 years.
+
+ For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you will notice that the 4 Log4J 1.x related CVEs are no longer flagged. This is because of removal of the Log4J 1.2.17 dependency.
+
+ Any remaining flagged vulnerabilities (e.g., CVE-2020-7791 for transitive dependency batik-i18n-1.14) are believed to be false positives.
+
+ You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions.
+
+ AntiSamy 1.7.0 and potentially breaking changes
+ We have updated to AntiSamy 1.7.0. If you have a custom version of antisamy-esapi.xml,then be sure to read the section "Changes Requiring Special Attention", below.
+
+Minor changes:
+ Miscellaneous bug fixes, Javadoc enhancements, and minor dependency updates.
+
+=================================================================================================================
+
+Basic ESAPI facts
+-----------------
+
+ESAPI 2.4.0.0 release:
+ 212 Java source files
+ 4325 JUnit tests in 136 Java source files (1 test skipped)
+
+ESAPI 2.5.0.0 release:
+ 206 Java source files
+ 4274 JUnit tests in 131 Java source files (0 tests skipped)
+
+18 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
+(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2022-04-24)
+
+Issue # GitHub Issue Title
+----------------------------------------------------------------------------------------------
+717 Update to AntiSamy 1.7.0 once it is officially released
+715 ESAPI - Not working with Eclipse bug
+713 Should '/' be encoded for LDAP searches? bug
+705 Add more details to DefaultValidator class-level javadoc on ESAPI canonicalization properties Component-Docs Component-Validator javadoc
+702 ValidatorTest#testIsValidDirectoryPathGHSL_POC fails on Mac
+695 Esapi 2.3.0.0 does not supported in opensaml 2.6.6 bug
+692 Multiple (2x) encoding detected in from PercentCodec question
+690 Plugin/Dependency Version Updates
+689 Clean-up ESAPI Javadoc Component-Docs javadoc
+686 ESAPI canonicalization in DefaultEncoder ignoring Encoder.DefaultCodecList property bug Component-Encoder
+684 Hello world
+682 Update baseline to java 1.8
+674 Add the missing Javadoc for the Validator interface Component-Docs Component-Validator good first issue
+656 DefaultHTTPUtility uses hard coded Header name/value lengths (Note: Actually fixed in ESAPI 2.3.0.0, but just closed this release. - kww)
+644 Do not include a logging implementation as a dependency slf4j-simple
+620 Move the default property names and values out of a reference implementation class Component-SecurityConfiguration
+587 Drop Xerces dependency from pom.xml Build-Maven Vulnerable Dependencies
+534 Delete Deprecated Log4J implementation and Dependencies wait4future
+
+-----------------------------------------------------------------------------
+
+ Changes Requiring Special Attention
+
+-----------------------------------------------------------------------------
+
+Important ESAPI Logging Changes
+
+* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it having first been deprecated.) Thus, your only choice for ESAPI logging are:
+ - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0.
+ * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file.
+ - SLF4J (which your choice of supported SLF4J logging implementation)
+ * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file.
+ * Create your own custom logger.
+* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at:
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78
+
+If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here:
+ https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x
+
+Potentially Breaking Changes in AntiSamy 1.7.0
+
+* This version of ESAPI has upgraded to the latest version of AntiSamy (1.7.0 at the time of our release). AntiSamy 1.7.0 has some breaking changes to its SDK and the way that it processes AntiSamy policy files, of which the antisamy-esapi.xml file, included in our esapi-2.5.0.0-configuration.jar found at https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.5.0.0/esapi-2.4.0.0-configuration.jar, is the one we include.
+
+* None of the AntiSamy SDK changes affected how ESAPI, in its default configuration, uses it, but you may be affected if you have customized your AntiSamy policy file. If your regression tests fail when you upgrade to ESAPI 2.5.0.0 sand they seem to be related to AntiSamy, then please review https://github.com/nahsra/antisamy/blob/main/README.md#important---api-breaking-changes-in-170. Also, as a temporary workaround, you could do something like this (in Maven, but similar exclusion can be done with Gradle) to allow you time to correct your customized AntiSamy policy file:
+
+
+ org.owasp.esapi
+ esapi
+ 2.5.0.0
+
+
+
+ org.owasp.antisamy
+ antisamy
+
+
+
+
+ org.owasp.antisamy
+ antisamy
+ 1.6.8
+
+
+Indeed the only change that we had to make is to alter a JUnit test that was intended to ensure that invalid AntiSamy policy files could be disabled by setting
+ Policy.setSchemaValidation(false);
+before processing any AntiSamy policy file not conforming to its schema. This specific (previously deprecated) method was removed in AntiSamy 1.7.0 so the schema validation checks can no longer be ignored. (And hence the reason for the workaround noted above.)
+
+Instead, we simply changed the JUnit test to check that the expected AntiSamy org.owasp.validator.html.PolicyException class is thrown when the invalid policy file is loaded.
+
+-----------------------------------------------------------------------------
+
+ Remaining Known Issues / Problems
+
+-----------------------------------------------------------------------------
+'mvn site' fails to build these two reports:
+ "Tag reference" report --- maven-taglib-plugin:2.4:tagreference
+ "Taglibdoc documentation" report --- maven-taglib-plugin:2.4:taglibdoc
+
+Thus no tag library documentation will be generated. :-(
+
+We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.)
+
+No others problems are known, other than the remaining open issues on GitHub.
+
+-----------------------------------------------------------------------------
+
+ Other changes in this release, some of which not tracked via GitHub issues
+
+-----------------------------------------------------------------------------
+
+* Minor updates to README.md file with respect to version information.
+
+-----------------------------------------------------------------------------
+
+Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-17)
+Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
+
+#
+# 34 PRs merged since ESAPI 2.4.0.0 release
+#
+Developer Total Total Number # Merged
+(GitHub ID) commits of Files Changed PRs
+========================================================
+jeremiahjstacey 265 180 24
+kwwall 35 64 5
+xeno6696 1 267 1
+noloader 5 2 1
+stevebosman-oc 4 3 2
+VinodAnandan 1 1 1
+========================================================
+ Total PRs: 34
+
+-----------------------------------------------------------------------------
+
+CHANGELOG: Create your own. May I suggest:
+
+ git log --stat --since=2022-04-24 --reverse --pretty=medium
+
+ which will show all the commits since just after the previous (2.4.0.0) release.
+
+ Alternately, you can download the most recent ESAPI source and run
+
+ mvn site
+
+ which will create a CHANGELOG file named 'target/site/changelog.html'
+
+
+-----------------------------------------------------------------------------
+
+Direct and Transitive Runtime and Test Dependencies:
+
+ $ mvn -B dependency:tree
+ ...
+ [INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ esapi ---
+ [INFO] org.owasp.esapi:esapi:jar:2.5.0.0
+ [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
+ [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
+ [INFO] +- xom:xom:jar:1.3.7:compile
+ [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
+ [INFO] | +- commons-logging:commons-logging:jar:1.2:compile
+ [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
+ [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile
+ [INFO] +- commons-lang:commons-lang:jar:2.6:compile
+ [INFO] +- commons-fileupload:commons-fileupload:jar:1.4:compile
+ [INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile
+ [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
+ [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.0:compile
+ [INFO] | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.63.0:compile
+ [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile
+ [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile
+ [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.4:compile
+ [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
+ [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
+ [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
+ [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
+ [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
+ [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
+ [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile
+ [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
+ [INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
+ [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
+ [INFO] +- commons-io:commons-io:jar:2.11.0:compile
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.7.1:compile
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
+ [INFO] +- commons-codec:commons-codec:jar:1.15:test
+ [INFO] +- junit:junit:jar:4.13.2:test
+ [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:test
+ [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test
+ [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test
+ [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test
+ [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test
+ [INFO] +- org.mockito:mockito-core:jar:3.12.4:test
+ [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test
+ [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
+ [INFO] | \- org.objenesis:objenesis:jar:3.2:test
+ [INFO] +- org.powermock:powermock-core:jar:2.0.9:test
+ [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test
+ [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test
+ [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test
+ [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test
+ [INFO] \- org.openjdk.jmh:jmh-core:jar:1.35:test
+ [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test
+ [INFO] \- org.apache.commons:commons-math3:jar:3.2:test
+ ...
+
+
+-----------------------------------------------------------------------------
+
+Acknowledgments:
+ A special shout-out our new contributors noloader, stevebosman-oc, and VinodAnandan.
+ Another hat tip to Dave Wichers, Sebastián Passaro, and the rest of the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you.
+
+A special thanks to the ESAPI community from the ESAPI project co-leaders:
+ Kevin W. Wall (kwwall) <== The irresponsible party for these release notes!
+ Matt Seil (xeno6696)
diff --git a/pom.xml b/pom.xml
index e8743c1a1..05bb55181 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
4.0.0org.owasp.esapiesapi
- 2.4.1.0-SNAPSHOT
+ 2.5.0.0jar
@@ -149,6 +149,17 @@
2021-05-07 00:00:00
+
+
+
+
+ org.apache.httpcomponents.core5
+ httpcore5
+ 5.1.4
+
+
+
+
javax.servlet
@@ -248,7 +259,7 @@
org.owasp.antisamyantisamy
- 1.6.8
+ 1.7.0org.slf4j
diff --git a/scripts/README.txt b/scripts/README.txt
index 61df78f20..b61b287da 100644
--- a/scripts/README.txt
+++ b/scripts/README.txt
@@ -12,4 +12,5 @@ newReleaseNotes.sh -- Bash script to create the release notes boillerplate from
vars.2.2.3.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh
vars.2.2.3.1 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh
vars.2.3.0.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh
+vars.2.4.0.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh
vars.template -- Template to construct the release specific vars files
diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
index b4a953bf9..1d7c8c460 100644
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt
+++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
@@ -1,6 +1,7 @@
@@@@ IMPORTANT: Be sure to 1) save in DOS text format, and 2) Delete this line and others starting with @@@@
@@@@ Edit this file in vim with :set tw=0
@@@@ Meant to be used with scripts/newReleaseNotes.sh and the 'vars.*' scripts there.
+@@@@ There are specific references to ESAPI 2.5.0.0 and other old releases in this file. Do NOT change the version #s. They are there for a reason.
Release notes for ESAPI ${VERSION}
Release date: ${YYYY_MM_DD_RELEASE_DATE}
Project leaders:
@@ -13,11 +14,14 @@ Previous release: ESAPI ${PREV_VERSION}, ${PREV_RELEASE_DATE}
Executive Summary: Important Things to Note for this Release
------------------------------------------------------------
@@@@ View previous release notes to see examples of what to put here. This is typical. YMMV.
+@@@@ Obviously, you should summarize any major changes / new features here.
This is a patch release with the primary intent of updating some dependencies, some with known vulnerabilities. Details follow.
-For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you might notice that there is vulnerability in xerces:xercesImpl:2.12.0 that ESAPI uses (also a transitive dependency) that is similar to CVE-2020-14621. Unfortunately there is no official patch for this in the regular Maven Central repository. Further details are described in Security Bulletin #3, which is viewable here
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf
-and associated with this release on GitHub. Manual workarounds possible. See the security bulletin for further details.
+For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you will notice that the 4 Log4J 1.x related CVEs are no longer flagged. This is because we have finally removed the Log4J 1.2.17 dependency in ESAPI 2.5.0.0.
+
+Any remaining flagged vulnerabilities (e.g., CVE-2020-7791 for transitive dependency batik-i18n-1.14) are believed to be false postives.
+
+You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions.
=================================================================================================================
@@ -49,78 +53,30 @@ Issue # GitHub Issue Title
-----------------------------------------------------------------------------
@@@@ NOTE any special notes here. Probably leave this one, but I would suggest noting additions BEFORE this.
-[If you have already successfully been using ESAPI 2.2.1.0 or later, you probably can skip this section.]
-
-Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we had deprecated the use of Log4J 1.x because was way past its end-of-life. (Note: As of ESAPI 2.5.0.0, we have officially removed all Log4J 1 dependencies, after it had been deprecated for 2 years as per our deprecation policy.) We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
-
-However, if you try to juse the new ESAPI 2.2.1.0 or later logging you will notice that you need to change ESAPI.Logger and also possibly provide some other properties as well to get the logging behavior that you desire.
-
-To use ESAPI logging in ESAPI 2.2.1.0 (and later), you will need to set the ESAPI.Logger property to
- org.owasp.esapi.logging.java.JavaLogFactory - To use the new default, java.util.logging (JUL)
- org.owasp.esapi.logging.slf4j.Slf4JLogFactory - To use the new (to release 2.2.0.0) SLF4J logger
+Important JDK Support Announcement
+* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason.
+ - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier.
-In addition, if you wish to use JUL for logging, you *MUST* supply an "esapi-java-logging.properties" file in your classpath. This file is included in the 'esapi-2.2.2.0-configuration.jar' file provided under the 'Assets' section of the GitHub Release at
- https://github.com/ESAPI/esapi-java-legacy/releases/esapi-2.2.2.0
+Important ESAPI Logging Changes
-Unfortunately, there was a logic error in the static initializer of JavaLogFactory (now fixed in this release) that caused a NullPointerException to be thrown so that the message about the missing "esapi-java-logging.properties" file was never seen.
+* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are
+ - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0.
+ * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file.
+ - SLF4J (which your choice of supported SLF4J logging implemmentation)
+ * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file.
+* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at:
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78
-If you are using JavaLogFactory, you will also want to ensure that you have the following ESAPI logging properties set:
- # Set the application name if these logs are combined with other applications
- Logger.ApplicationName=ExampleApplication
- # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
- Logger.LogEncodingRequired=false
- # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
- Logger.LogApplicationName=true
- # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
- Logger.LogServerIP=true
- # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
- # want to place it in a specific directory.
- Logger.LogFileName=ESAPI_logging_file
- # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
- Logger.MaxLogFileSize=10000000
- # Determines whether ESAPI should log the user info.
- Logger.UserInfo=true
- # Determines whether ESAPI should log the session id and client IP.
- Logger.ClientInfo=true
-
-See GitHub issue #560 for additional details.
-
-
-Finally, while ESAPI still supports JDK 7 (even though that too is way past end-of-life), the next ESAPI release will move to JDK 8 as the minimal baseline. (We already use Java 8 for development but still to Java 7 source and runtime compatibility.) We need to do this out of necessity because some of our dependencies are no longer doing updates that support Java 7.
+If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here:
+ https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x
-----------------------------------------------------------------------------
Remaining Known Issues / Problems
-----------------------------------------------------------------------------
-If you use Java 7 (the minimal Java baseline supported by ESAPI) and try to run 'mvn test' there is one test that fails. This test passes with Java 8. The failing test is:
-
- [ERROR] Tests run: 5, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.203 s
- <<< FAILURE! - in org.owasp.esapi.crypto.SecurityProviderLoaderTest
- [ERROR] org.owasp.esapi.crypto.SecurityProviderLoaderTest.testWithBouncyCastle
- Time elapsed: 0.116 s <<< FAILURE!
- java.lang.AssertionError: Encryption w/ Bouncy Castle failed with
- EncryptionException for preferred cipher transformation; exception was:
- org.owasp.esapi.errors.EncryptionException: Encryption failure (unavailable
- cipher requested)
- at
- org.owasp.esapi.crypto.SecurityProviderLoaderTest.testWithBouncyCastle(Security
- ProviderLoaderTest.java:133)
-
-I will spare you all the details and tell you that this has to do with Java 7 not being able to correctly parse the signed Bouncy Castle JCE provider jar. More details are available at:
- https://www.bouncycastle.org/latest_releases.html
-and
- https://github.com/bcgit/bc-java/issues/477
-I am sure that there are ways of making Bouncy Castle work with Java 7, but since ESAPI does not rely on Bouncy Castle (it can use any compliant JCE provider), this should not be a problem. (It works fine with the default SunJCE provider.) If it is important to get the BC provider working with the ESAPI Encryptor and Java 7, then open a GitHub issue and we will take a deeper look at it and see if we can suggest something.
-
-
-
-Another problem is if you run 'mvn test' from the 'cmd' prompt (and possibly PowerShell as well), you will get intermittent failures (generally between 10-25% of the time) at arbitrary spots. If you run it again without any changes it will work fine without any failures. We have discovered that it doesn't seem to fail if you run the tests from an IDE like Eclipse or if you redirect both stdout and stderr to a file; e.g.,
-
- C:\code\esapi-java-legacy> mvn test >testoutput.txt 2>&1
-
-We believe these failures is because the maven-surefire-plugin is by default not forking a new JVM process for each test class. We are looking into this. For now, we have only have observed this behavior on Windows 10. If you see this error, please do NOT report it as a GitHub issue unless you know a fix for it. (And yes, we are aware of 'false' in the pom for the maven-surefire-plugin, but that causes other tests to fail that we haven't had time to fix.)
+None known, other than the remaining open issues on GitHub.
-----------------------------------------------------------------------------
@@ -128,13 +84,16 @@ We believe these failures is because the maven-surefire-plugin is by default not
-----------------------------------------------------------------------------
-* Minor updates to README.md file
+* Minor updates to README.md file with respect to version information.
-----------------------------------------------------------------------------
Developer Activity Report (Changes between release ${PREV_VERSION} and ${VERSION}, i.e., between ${PREV_RELEASE_DATE} and ${YYYY_MM_DD_RELEASE_DATE})
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
+@@@@
+@@@@ This section needs to be manually updated.
+@@@@
Developer Total Total Number # Merged
(GitHub ID) commits of Files Changed PRs
========================================================
@@ -144,8 +103,6 @@ kwwall 7 8 0
========================================================
Total PRs: 2
-There were also several snyk-bot PRs that were rejected for various reasons, mostly because 1) I was already making the proposed changes and preferred to do them in single commit or 2) there were other reasons for rejecting them (such as the dependency requiring Java 8). The proposed changes that were not outright rejected were included as part of commit a8a79bc5196653500ce664b7b063284e60bddaa0.
-
-----------------------------------------------------------------------------
CHANGELOG: Create your own. May I suggest:
@@ -154,6 +111,13 @@ CHANGELOG: Create your own. May I suggest:
which will show all the commits since just after the previous (${PREV_VERSION}) release.
+ Alternately, you can download the most recent ESAPI source and run
+
+ mvn site
+
+ which will create a CHANGELOG file named 'target/site/changelog.html'
+
+
-----------------------------------------------------------------------------
Direct and Transitive Runtime and Test Dependencies:
@@ -163,8 +127,9 @@ Direct and Transitive Runtime and Test Dependencies:
-----------------------------------------------------------------------------
+@@@@ Review these notes, especially the reference to the AntiSamy version information.
Acknowledgments:
- Another hat tip to Dave Wichers for promptly releasing AntiSamy 1.6.1. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you.
+ Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you.
A special thanks to the ESAPI community from the ESAPI project co-leaders:
Kevin W. Wall (kwwall) <== The irresponsible party for these release notes!
diff --git a/scripts/vars.2.4.0.0 b/scripts/vars.2.4.0.0
new file mode 100644
index 000000000..9e2f84ded
--- /dev/null
+++ b/scripts/vars.2.4.0.0
@@ -0,0 +1,14 @@
+# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script,
+# which should be run prior to the newReleaseNotes.sh script.
+
+# ESAPI (new / current) version
+VERSION=2.4.0.0
+
+# Previous ESAPI version
+PREV_VERSION=2.3.0.0
+
+# Release date of current version in yyyy-mm-dd format
+YYYY_MM_DD_RELEASE_DATE=2022-04-24
+
+# Previous ESAPI release date in same format
+PREV_RELEASE_DATE=2022-04-16
diff --git a/scripts/vars.2.5.0.0 b/scripts/vars.2.5.0.0
new file mode 100644
index 000000000..e01d7dd54
--- /dev/null
+++ b/scripts/vars.2.5.0.0
@@ -0,0 +1,14 @@
+# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script,
+# which should be run prior to the newReleaseNotes.sh script.
+
+# ESAPI (new / current) version
+VERSION=2.5.0.0
+
+# Previous ESAPI version
+PREV_VERSION=2.4.0.0
+
+# Release date of current version in yyyy-mm-dd format
+YYYY_MM_DD_RELEASE_DATE=2022-07-17
+
+# Previous ESAPI release date in same format
+PREV_RELEASE_DATE=2022-04-24
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java
index ccd2e1d6d..082bd626c 100644
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java
@@ -15,12 +15,8 @@
*/
package org.owasp.esapi.reference.validation;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
import org.junit.Test;
-import org.owasp.validator.html.Policy;
+import org.owasp.validator.html.PolicyException;
/**
* Isolate scope test to assert the behavior of the HTMLValidationRule
@@ -32,21 +28,9 @@ public class HTMLValidationRuleAntisamyPropertyTest {
*/
private static final String INVALID_ANTISAMY_POLICY_FILE = "antisamy-InvalidPolicy.xml";
- @AfterClass
- public static void enableAntisamySchemaValidation() {
- Policy.setSchemaValidation(true);
- }
-
- @BeforeClass
- public static void disableAntisamySchemaValidation() {
- Policy.setSchemaValidation(false);
- //System property is read once, so we're preferring the static method for testing.
- //System.setProperty( "owasp.validator.validateschema", "false" );
- }
-
- @Test
+ @Test( expected = PolicyException.class )
public void checkAntisamySystemPropertyWorksAsAdvertised() throws Exception {
HTMLValidationRule.loadAntisamyPolicy(INVALID_ANTISAMY_POLICY_FILE);
}
-
+
}
From 1117006dc1e0746bac9ec1efdd0e16c694348669 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 17 Jul 2022 17:23:50 -0400
Subject: [PATCH 025/197] Final adjustments to pom.xml for 2.5.0.0 release.
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 05bb55181..9ffdc56a2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -146,7 +146,7 @@
- 2021-05-07 00:00:00
+ 2021-05-24 00:00:00
@@ -683,7 +683,7 @@
org.apache.maven.pluginsmaven-project-info-reports-plugin
- 3.3.0
+ 3.4.0
From 930e390c095020c26ac776459faff652c4a93460 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 17 Jul 2022 17:24:37 -0400
Subject: [PATCH 026/197] Added note regarding why PR figures different than
Change Log Report.
---
documentation/esapi4java-core-2.5.0.0-release-notes.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/documentation/esapi4java-core-2.5.0.0-release-notes.txt b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
index 67186f17f..2fd859f7c 100644
--- a/documentation/esapi4java-core-2.5.0.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
@@ -145,6 +145,8 @@ Generated manually (this time) -- all errors are the fault of kwwall and his ina
#
# 34 PRs merged since ESAPI 2.4.0.0 release
+# Note: Figures here may not agree with generated Change Log Report, which is date-based,
+# as some commits included in this release were prior to ESAPI 2.4.0.0.
#
Developer Total Total Number # Merged
(GitHub ID) commits of Files Changed PRs
From 84cceeff4e8f7601a0ff9fdbe05b8fd2aee04e47 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Tue, 19 Jul 2022 22:25:38 -0400
Subject: [PATCH 027/197] Add (multiple) suppression rules for CVE-2017-10355
as it's an FP.
---
suppressions.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/suppressions.xml b/suppressions.xml
index b367558ce..c0146386e 100644
--- a/suppressions.xml
+++ b/suppressions.xml
@@ -11,4 +11,50 @@
^pkg:maven/org\.apache\.xmlgraphics/batik\-i18n@.*$CVE-2020-7791
+
+
+
+
+
+ f051f988aa2c9b4d25d05f95742ab0cc3ed789e2
+ cpe:/a:apache:xerces-j
+
+
+
+ f051f988aa2c9b4d25d05f95742ab0cc3ed789e2
+ cpe:/a:apache:xerces2_java
+
+
+
+ ^pkg:maven/xerces/xercesImpl@.*$
+ CVE-2017-10355
+
+
+
+ CVE-2017-10355
+
+
From d3b40cf56d71681c9bfae3d32c4ee859c57bfecb Mon Sep 17 00:00:00 2001
From: kwwall
Date: Tue, 19 Jul 2022 22:40:53 -0400
Subject: [PATCH 028/197] Update the slipped release date.
---
scripts/vars.2.5.0.0 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/vars.2.5.0.0 b/scripts/vars.2.5.0.0
index e01d7dd54..4d33532ea 100644
--- a/scripts/vars.2.5.0.0
+++ b/scripts/vars.2.5.0.0
@@ -8,7 +8,7 @@ VERSION=2.5.0.0
PREV_VERSION=2.4.0.0
# Release date of current version in yyyy-mm-dd format
-YYYY_MM_DD_RELEASE_DATE=2022-07-17
+YYYY_MM_DD_RELEASE_DATE=2022-07-20
# Previous ESAPI release date in same format
PREV_RELEASE_DATE=2022-04-24
From 177b5168318a62d0fcbeb00679656c9a036c0952 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Tue, 19 Jul 2022 23:10:24 -0400
Subject: [PATCH 029/197] Update Maven plougins. maven-deploy-plugin
............................. 3.0.0-M2 -> 3.0.0 maven-install-plugin
............................ 3.0.0-M1 -> 3.0.0
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 9ffdc56a2..3a8f27819 100644
--- a/pom.xml
+++ b/pom.xml
@@ -529,7 +529,7 @@
org.apache.maven.pluginsmaven-deploy-plugin
- 3.0.0-M2
+ 3.0.0
@@ -633,7 +633,7 @@
org.apache.maven.pluginsmaven-install-plugin
- 3.0.0-M1
+ 3.0.0
From 8993a1ac07157e3207c342d915da6ee0cfc40c55 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Tue, 19 Jul 2022 23:14:32 -0400
Subject: [PATCH 030/197] Further updates needed for 2.5.0.0 release notes.
---
.../esapi4java-core-2.5.0.0-release-notes.txt | 29 ++++++++++++-------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/documentation/esapi4java-core-2.5.0.0-release-notes.txt b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
index 2fd859f7c..b47b084e0 100644
--- a/documentation/esapi4java-core-2.5.0.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
@@ -1,5 +1,5 @@
Release notes for ESAPI 2.5.0.0
- Release date: 2022-07-17
+ Release date: 2022-07-20
Project leaders:
-Kevin W. Wall
-Matt Seil
@@ -41,7 +41,7 @@ ESAPI 2.5.0.0 release:
206 Java source files
4274 JUnit tests in 131 Java source files (0 tests skipped)
-18 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
+19 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2022-04-24)
Issue # GitHub Issue Title
@@ -64,6 +64,7 @@ Issue # GitHub Issue Title
620 Move the default property names and values out of a reference implementation class Component-SecurityConfiguration
587 Drop Xerces dependency from pom.xml Build-Maven Vulnerable Dependencies
534 Delete Deprecated Log4J implementation and Dependencies wait4future
+507 LDAP encoding of slash character
-----------------------------------------------------------------------------
@@ -120,15 +121,19 @@ Instead, we simply changed the JUnit test to check that the expected AntiSamy or
Remaining Known Issues / Problems
-----------------------------------------------------------------------------
-'mvn site' fails to build these two reports:
+* 'mvn site' fails to build these two reports:
"Tag reference" report --- maven-taglib-plugin:2.4:tagreference
"Taglibdoc documentation" report --- maven-taglib-plugin:2.4:taglibdoc
-Thus no tag library documentation will be generated. :-(
+ Thus no tag library documentation will be generated. :-(
-We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.)
+ We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.)
-No others problems are known, other than the remaining open issues on GitHub.
+* We have had to suppress CVE-2017-10355, related to the transitive dependency xercesImpl-2.12.2.jar via antisamy-1.7.0.jar. It is the same jar that has been used for the past 2 years but the CVE just started popping up now, apparently because of changes to Sonatype's OSS Index. More details are available in the OWASP Dependency Check suppression rules contained in the 'suppressions.xml' file. Note that other SCA tools such as Snyk or GitHub Dependabot are not presently reporting it, but it bears watching.
+
+* Trying to run 'mvn test' with Java 11 or later results in multiple errors in maven-surefire-plugin, so for now, that should be avoided. We think we may have a solution, but at this point, it is too late to test for this release.
+
+* No others problems are known, other than the remaining open issues on GitHub.
-----------------------------------------------------------------------------
@@ -140,19 +145,23 @@ No others problems are known, other than the remaining open issues on GitHub.
-----------------------------------------------------------------------------
-Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-17)
+Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-20)
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
#
# 34 PRs merged since ESAPI 2.4.0.0 release
-# Note: Figures here may not agree with generated Change Log Report, which is date-based,
-# as some commits included in this release were prior to ESAPI 2.4.0.0.
+# Apparent disparement in the figures below may be explained by serveral things:
+# * My failure to do proper counting and basic arithmetic after 4 hours of tweak release notes.
+# * Different basis for calculations:
+# - Figures here may not agree with generated Change Log Report, which is date-based, as some commits included in this release were prior to ESAPI 2.4.0.0 and thus not included in the Change Log Report.
+# - Some commits are done without PRs. Generally, we don't require PRs when we don't require code reviews. That generally is restricted to documenation files, making simple config file changes, and correcting obvious typos. Commits without PRs are resricted to the 3 ESAPI core team members.
+# - Sometimes in a PR, multiple commits touch a file multiple times so we count those files once for each commit.
#
Developer Total Total Number # Merged
(GitHub ID) commits of Files Changed PRs
========================================================
jeremiahjstacey 265 180 24
-kwwall 35 64 5
+kwwall 39 69 5
xeno6696 1 267 1
noloader 5 2 1
stevebosman-oc 4 3 2
From 2042bf13b96359edff42354fced33da7acfc5b59 Mon Sep 17 00:00:00 2001
From: "Kevin W. Wall"
Date: Wed, 20 Jul 2022 20:52:39 -0400
Subject: [PATCH 031/197] Fixed botched 2.5.0.0 release date.
Started release on 7/17, but stopped because 'mvn deploy' failed due to Dependency Check issues. Once resolved, I forgot to adjust the official release date.
---
documentation/esapi4java-core-2.5.0.0-release-notes.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/documentation/esapi4java-core-2.5.0.0-release-notes.txt b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
index 67186f17f..1177b4820 100644
--- a/documentation/esapi4java-core-2.5.0.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
@@ -1,5 +1,5 @@
Release notes for ESAPI 2.5.0.0
- Release date: 2022-07-17
+ Release date: 2022-07-20
Project leaders:
-Kevin W. Wall
-Matt Seil
@@ -140,7 +140,7 @@ No others problems are known, other than the remaining open issues on GitHub.
-----------------------------------------------------------------------------
-Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-17)
+Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-20)
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
#
From 7f829a3885f453f1e9a10bbf1d9c771ec0d95383 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Wed, 20 Jul 2022 21:03:48 -0400
Subject: [PATCH 032/197] Bump ESAPI version for next planned release.
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 3a8f27819..e830a2f3d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
4.0.0org.owasp.esapiesapi
- 2.5.0.0
+ 2.5.1.0-SNAPSHOTjar
From a37e63b6fe1105709279e4976908068f2c2c81d2 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Wed, 20 Jul 2022 21:06:43 -0400
Subject: [PATCH 033/197] Bump cyclonedx-maven-plugin version to 2.7.1.
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index e830a2f3d..80bf09583 100644
--- a/pom.xml
+++ b/pom.xml
@@ -445,7 +445,7 @@
org.cyclonedxcyclonedx-maven-plugin
- 2.7.0
+ 2.7.1package
From 0f4442d7432d2825799dde2b739099826cbf9fe0 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Tue, 26 Jul 2022 23:04:00 -0400
Subject: [PATCH 034/197] Fix typos (#724)
Future note: We need to address the 2 comments, but not wanting the perfect to become the enemy of the good, I'm merging this now.
---
CONTRIBUTING-TO-ESAPI.txt | 32 ++++++++++++++++----------------
README.md | 4 ++--
2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/CONTRIBUTING-TO-ESAPI.txt b/CONTRIBUTING-TO-ESAPI.txt
index c6ad2bcfc..ee0df0eb3 100644
--- a/CONTRIBUTING-TO-ESAPI.txt
+++ b/CONTRIBUTING-TO-ESAPI.txt
@@ -3,12 +3,12 @@
Getting Started:
If you have not already done so, go back and read the section
"Contributing to ESAPI legacy" in ESAPI's README.md file. It
- make contain updates and advice not contained herein.
+ may contain updates and advice not contained herein.
A Special Note on GitHub Authentication:
- GitHub has announced that they are deprecating authentiation based on
- username / password and beginning 2021-08-13, you will no longer be able
- to your password to authenticate to 'git' operations on GitHub.com.
+ GitHub has announced that they are deprecating password based authentication
+ using username / password and beginning 2021-08-13, you will no longer be
+ able to your password to authenticate to 'git' operations on GitHub.com.
Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
for details and plan accordingly.
@@ -21,22 +21,23 @@ Finding Something Interesting to Work on:
or "help wanted", those are good places to start for someone not yet
familiar with the ESAPI code base.
- You will need a account on GitHub though. Once you create one, let me know
+ You will need a account on GitHub though. Once you create one, let us know
what it is. Then if you want to work on a particular issue, we can assign
it to you so someone else won't take it.
- If you have questions, email Kevin Wall (Kevin.W.Wall@gmail.com) or Matt Seil (xeno6696@gmail.com).
+ If you have questions, email Kevin Wall (Kevin.W.Wall@gmail.com) or Matt
+ Seil (xeno6696@gmail.com).
Overview:
We are following the branching model described in
https://nvie.com/posts/a-successful-git-branching-model
- If you are unfamiliar with it, you would be advised to give it a
- quick perusal. The major point is that the 'main' (formerly 'master') branch
- is reserved for official releases (which will be tagged), the 'develop' branch is
- used for ongoing development work and is the default branch, and we generally work
- off 'issue' branches named 'issue-#' where # is the GitHub issue number.
- (The last is not an absolute requirement, but rather a suggested
- approach.)
+ If you are unfamiliar with it, you would be advised to give it a quick
+ perusal. The major point is that the 'main' (formerly 'master') branch is
+ reserved for official releases (which will be tagged), the 'develop' branch
+ is used for ongoing development work and is the default branch, and we
+ generally work off 'issue' branches named 'issue-#' where # is the GitHub
+ issue number. (The last is not an absolute requirement, but rather a
+ suggested approach.)
Finally, we recommend setting the git property 'core.autocrlf' to 'input'
in your $HOME/.gitconfig file; e.g., that file should contain something
@@ -47,8 +48,7 @@ Overview:
Required Software:
We use Maven for building. Maven 3.3.9 or later is required. You also need
- JDK 8 or later.
- [Note: If you use JDK 9 or later, there will be multiple
+ JDK 8 or later. [Note: If you use JDK 9 or later, there will be multiple
failures when you try to run 'mvn test' as well as some general warnings.
See ESAPI GitHub issue #496 for details. We welcome volunteers to address
this.]
@@ -106,7 +106,7 @@ Steps to work with ESAPI:
9. Go to your personal, forked ESAPI GitHub repo (web interface) and create a
'Pull Request' from your 'issue-#' branch.
10. Back on your local personal laptop / desktop, merge your issue branch with
- your local 'develop' branch. I.e.
+ your local 'develop' branch. I.e.,
$ git checkout develop
$ git merge issue-444
diff --git a/README.md b/README.md
index 8e4933f1e..1fac65501 100644
--- a/README.md
+++ b/README.md
@@ -134,7 +134,7 @@ before posting your issue.
If believe you have found a vulnerability in ESAPI legacy, for the sake of the
ESAPI community, please practice Responsible Disclosure. (Note: We will be sure
you get credit and will work with you to create a GitHub Security Advisory, and
-if you so choose, to persue filing a CVE via the GitHub CNA.)
+if you so choose, to pursue filing a CVE via the GitHub CNA.)
You are of course encouraged to first search our GitHub issues list (see above)
to see if it has already been reported. If it has not, then please contact
@@ -175,7 +175,7 @@ In mid-2014 ESAPI migrated all code and issues from Google Code to GitHub. This
### What about the issues still located on Google Code?
All issues from Google Code have been migrated to GitHub issues. We now
use GitHut Issues for reporting everything *except* security vulnerabilities.
-Other bug tracking sites are undoubtably more advanced, but as developers,
+Other bug tracking sites are undoubtedly more advanced, but as developers,
we do not want to spent time having to close issues from multiple bug-tracking
systems. Therefore, until the synchronization happens with the Atlassian Jira
instance that we have (but are not using; see GitHub issue #371), please
From 952e3b1b0d1fb88c8c97d23afbc9a0a74aa2f793 Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Tue, 26 Jul 2022 23:09:31 -0400
Subject: [PATCH 035/197] Whitespace check-in (#720)
@xeno6696 - Since @noloader touched all these files last, he owns them and is forever stuck doing bug fixes on them, right?
Seriously, thanks Jeff. This is one of those bookkeeping matters that I generally don't require a GitHub issue for, but feel free to create one, assign it to yourself, and reference this PR if you would like. Up to you.
---
README.md | 2 +-
.../ESAPI-configuration-user-guide.md | 8 +-
documentation/esapi4java-2.0-readme.txt | 2 +-
...va-2.0rc6-override-log4jloggingfactory.txt | 14 +-
...i4java-core-2.0-readme-crypto-changes.html | 26 +-
...-core-2.0-symmetric-crypto-user-guide.html | 18 +-
.../esapi4java-core-2.1-release-notes.txt | 4 +-
.../esapi4java-core-2.2.0.0-release-notes.txt | 16 +-
.../esapi4java-core-2.2.1.0-release-notes.txt | 42 +--
.../esapi4java-core-2.2.1.1-release-notes.txt | 14 +-
.../esapi4java-core-2.2.2.0-release-notes.txt | 18 +-
.../esapi4java-core-2.2.3.0-release-notes.txt | 18 +-
.../esapi4java-core-2.2.3.1-release-notes.txt | 14 +-
.../esapi4java-core-2.3.0.0-release-notes.txt | 4 +-
.../esapi4java-core-2.4.0.0-release-notes.txt | 16 +-
...esapi4java-core-TEMPLATE-release-notes.txt | 4 +-
src/examples/java/ESAPILogging.java | 2 +-
src/examples/java/PersistedEncryptedData.java | 2 +-
.../org/owasp/esapi/AccessController.java | 252 +++++++++---------
.../org/owasp/esapi/AccessReferenceMap.java | 58 ++--
.../java/org/owasp/esapi/Authenticator.java | 158 +++++------
src/main/java/org/owasp/esapi/ESAPI.java | 46 ++--
src/main/java/org/owasp/esapi/Encoder.java | 208 +++++++--------
.../org/owasp/esapi/EncoderConstants.java | 20 +-
.../org/owasp/esapi/EncryptedProperties.java | 54 ++--
src/main/java/org/owasp/esapi/Encryptor.java | 92 +++----
.../java/org/owasp/esapi/ExecuteResult.java | 4 +-
src/main/java/org/owasp/esapi/Executor.java | 16 +-
.../java/org/owasp/esapi/HTTPUtilities.java | 16 +-
.../org/owasp/esapi/IntrusionDetector.java | 28 +-
src/main/java/org/owasp/esapi/LogFactory.java | 34 +--
src/main/java/org/owasp/esapi/Logger.java | 226 ++++++++--------
.../java/org/owasp/esapi/PreparedString.java | 24 +-
src/main/java/org/owasp/esapi/PropNames.java | 2 +-
src/main/java/org/owasp/esapi/Randomizer.java | 4 +-
src/main/java/org/owasp/esapi/SafeFile.java | 18 +-
.../owasp/esapi/SecurityConfiguration.java | 180 ++++++-------
.../java/org/owasp/esapi/StringUtilities.java | 18 +-
src/main/java/org/owasp/esapi/User.java | 186 ++++++-------
.../org/owasp/esapi/ValidationErrorList.java | 48 ++--
.../java/org/owasp/esapi/ValidationRule.java | 10 +-
src/main/java/org/owasp/esapi/Validator.java | 18 +-
.../esapi/codecs/AbstractCharacterCodec.java | 14 +-
.../org/owasp/esapi/codecs/AbstractCodec.java | 28 +-
.../esapi/codecs/AbstractIntegerCodec.java | 12 +-
.../codecs/AbstractPushbackSequence.java | 14 +-
.../java/org/owasp/esapi/codecs/CSSCodec.java | 30 +--
.../java/org/owasp/esapi/codecs/Codec.java | 36 +--
.../java/org/owasp/esapi/codecs/DB2Codec.java | 2 +-
.../owasp/esapi/codecs/HTMLEntityCodec.java | 94 +++----
.../java/org/owasp/esapi/codecs/HashTrie.java | 6 +-
src/main/java/org/owasp/esapi/codecs/Hex.java | 12 +-
.../owasp/esapi/codecs/JavaScriptCodec.java | 32 +--
.../esapi/codecs/LegacyHTMLEntityCodec.java | 70 ++---
.../org/owasp/esapi/codecs/MySQLCodec.java | 68 ++---
.../org/owasp/esapi/codecs/OracleCodec.java | 12 +-
.../org/owasp/esapi/codecs/PercentCodec.java | 14 +-
.../esapi/codecs/PushBackSequenceImpl.java | 20 +-
.../owasp/esapi/codecs/PushbackSequence.java | 12 +-
.../owasp/esapi/codecs/PushbackString.java | 28 +-
.../org/owasp/esapi/codecs/UnixCodec.java | 24 +-
.../org/owasp/esapi/codecs/VBScriptCodec.java | 30 +--
.../org/owasp/esapi/codecs/WindowsCodec.java | 24 +-
.../owasp/esapi/codecs/XMLEntityCodec.java | 14 +-
.../java/org/owasp/esapi/codecs/package.html | 2 +-
.../ref/EncodingPatternPreservation.java | 12 +-
.../EsapiPropertyLoaderFactory.java | 2 +-
.../StandardEsapiPropertyLoader.java | 2 +-
.../configuration/XmlEsapiPropertyLoader.java | 2 +-
.../consts/EsapiConfiguration.java | 4 +-
.../org/owasp/esapi/crypto/CipherSpec.java | 48 ++--
.../org/owasp/esapi/crypto/CipherText.java | 112 ++++----
.../esapi/crypto/CipherTextSerializer.java | 46 ++--
.../owasp/esapi/crypto/CryptoDiscoverer.java | 2 +-
.../org/owasp/esapi/crypto/CryptoHelper.java | 36 +--
.../org/owasp/esapi/crypto/CryptoToken.java | 98 +++----
.../esapi/crypto/KeyDerivationFunction.java | 56 ++--
.../org/owasp/esapi/crypto/PlainText.java | 20 +-
.../esapi/crypto/SecurityProviderLoader.java | 12 +-
.../esapi/errors/AccessControlException.java | 10 +-
.../AuthenticationAccountsException.java | 16 +-
.../AuthenticationCredentialsException.java | 12 +-
.../esapi/errors/AuthenticationException.java | 12 +-
.../errors/AuthenticationHostException.java | 12 +-
.../errors/AuthenticationLoginException.java | 12 +-
.../esapi/errors/AvailabilityException.java | 12 +-
.../esapi/errors/CertificateException.java | 12 +-
.../esapi/errors/ConfigurationException.java | 4 +-
.../owasp/esapi/errors/EncodingException.java | 12 +-
.../esapi/errors/EncryptionException.java | 12 +-
.../errors/EncryptionRuntimeException.java | 10 +-
.../errors/EnterpriseSecurityException.java | 18 +-
.../EnterpriseSecurityRuntimeException.java | 18 +-
.../owasp/esapi/errors/ExecutorException.java | 12 +-
.../esapi/errors/IntegrityException.java | 12 +-
.../esapi/errors/IntrusionException.java | 18 +-
.../ValidationAvailabilityException.java | 8 +-
.../esapi/errors/ValidationException.java | 26 +-
.../errors/ValidationUploadException.java | 10 +-
.../owasp/esapi/filters/ClickjackFilter.java | 30 +--
.../org/owasp/esapi/filters/ESAPIFilter.java | 18 +-
.../filters/RequestRateThrottleFilter.java | 16 +-
.../owasp/esapi/filters/SecurityWrapper.java | 8 +-
.../esapi/filters/SecurityWrapperRequest.java | 16 +-
.../filters/SecurityWrapperResponse.java | 58 ++--
.../logging/appender/ClientInfoSupplier.java | 8 +-
.../appender/EventTypeLogSupplier.java | 8 +-
.../esapi/logging/appender/LogAppender.java | 6 +-
.../logging/appender/LogPrefixAppender.java | 20 +-
.../logging/appender/ServerInfoSupplier.java | 12 +-
.../logging/appender/UserInfoSupplier.java | 20 +-
.../logging/cleaning/CodecLogScrubber.java | 8 +-
.../cleaning/CompositeLogScrubber.java | 8 +-
.../esapi/logging/cleaning/LogScrubber.java | 8 +-
.../logging/cleaning/NewlineLogScrubber.java | 6 +-
.../logging/java/ESAPICustomJavaLevel.java | 10 +-
.../logging/java/ESAPIErrorJavaLevel.java | 8 +-
.../esapi/logging/java/JavaLogBridge.java | 8 +-
.../esapi/logging/java/JavaLogBridgeImpl.java | 6 +-
.../esapi/logging/java/JavaLogFactory.java | 24 +-
.../logging/java/JavaLogLevelHandler.java | 8 +-
.../logging/java/JavaLogLevelHandlers.java | 10 +-
.../owasp/esapi/logging/java/JavaLogger.java | 12 +-
.../esapi/logging/slf4j/Slf4JLogBridge.java | 10 +-
.../logging/slf4j/Slf4JLogBridgeImpl.java | 10 +-
.../esapi/logging/slf4j/Slf4JLogFactory.java | 40 +--
.../logging/slf4j/Slf4JLogLevelHandler.java | 8 +-
.../logging/slf4j/Slf4JLogLevelHandlers.java | 8 +-
.../esapi/logging/slf4j/Slf4JLogger.java | 46 ++--
src/main/java/org/owasp/esapi/package.html | 32 +--
.../reference/AbstractAccessReferenceMap.java | 20 +-
.../reference/AbstractAuthenticator.java | 26 +-
.../reference/DefaultAccessController.java | 22 +-
.../owasp/esapi/reference/DefaultEncoder.java | 122 ++++-----
.../esapi/reference/DefaultExecutor.java | 32 +--
.../esapi/reference/DefaultHTTPUtilities.java | 22 +-
.../reference/DefaultIntrusionDetector.java | 36 +--
.../esapi/reference/DefaultRandomizer.java | 22 +-
.../DefaultSecurityConfiguration.java | 2 +-
.../owasp/esapi/reference/DefaultUser.java | 76 +++---
.../esapi/reference/DefaultValidator.java | 26 +-
.../reference/FileBasedAuthenticator.java | 12 +-
.../reference/IntegerAccessReferenceMap.java | 8 +-
.../accesscontrol/AlwaysTrueACR.java | 2 +-
.../reference/accesscontrol/BaseACR.java | 4 +-
.../accesscontrol/DelegatingACR.java | 30 +--
.../accesscontrol/DynaBeanACRParameter.java | 36 +--
.../ExperimentalAccessController.java | 30 +--
.../accesscontrol/FileBasedACRs.java | 164 ++++++------
.../ACRParameterLoaderHelper.java | 30 +--
.../policyloader/ACRPolicyFileLoader.java | 30 +--
.../DynaBeanACRParameterLoader.java | 10 +-
.../EchoDynaBeanPolicyParameterACR.java | 2 +-
.../accesscontrol/policyloader/PolicyDTO.java | 10 +-
.../policyloader/PolicyParameters.java | 18 +-
.../crypto/DefaultEncryptedProperties.java | 22 +-
.../crypto/EncryptedPropertiesUtils.java | 4 +-
.../crypto/ReferenceEncryptedProperties.java | 4 +-
.../validation/BaseValidationRule.java | 42 +--
.../validation/CreditCardValidationRule.java | 38 +--
.../validation/DateValidationRule.java | 22 +-
.../validation/HTMLValidationRule.java | 46 ++--
.../validation/IntegerValidationRule.java | 22 +-
.../validation/NumberValidationRule.java | 38 +--
.../validation/StringValidationRule.java | 12 +-
.../esapi/reference/validation/package.html | 2 +-
.../owasp/esapi/util/ByteConversionUtil.java | 2 +-
.../org/owasp/esapi/util/CollectionsUtil.java | 10 +-
.../owasp/esapi/util/DefaultMessageUtil.java | 12 +-
.../java/org/owasp/esapi/util/ObjFactory.java | 4 +-
.../esapi/waf/ConfigurationException.java | 8 +-
.../ESAPIWebApplicationFirewallFilter.java | 16 +-
.../org/owasp/esapi/waf/actions/Action.java | 8 +-
.../owasp/esapi/waf/actions/BlockAction.java | 8 +-
.../esapi/waf/actions/DefaultAction.java | 8 +-
.../esapi/waf/actions/DoNothingAction.java | 8 +-
.../esapi/waf/actions/RedirectAction.java | 8 +-
.../org/owasp/esapi/waf/actions/package.html | 4 +-
.../AppGuardianConfiguration.java | 14 +-
.../configuration/ConfigurationParser.java | 80 +++---
.../esapi/waf/configuration/package.html | 6 +-
.../InterceptingHTTPServletRequest.java | 52 ++--
.../InterceptingHTTPServletResponse.java | 14 +-
.../waf/internal/InterceptingPrintWriter.java | 10 +-
.../InterceptingServletOutputStream.java | 52 ++--
.../owasp/esapi/waf/internal/Parameter.java | 8 +-
.../org/owasp/esapi/waf/internal/package.html | 4 +-
.../java/org/owasp/esapi/waf/package.html | 2 +-
.../esapi/waf/rules/AddHTTPOnlyFlagRule.java | 8 +-
.../owasp/esapi/waf/rules/AddHeaderRule.java | 12 +-
.../esapi/waf/rules/AddSecureFlagRule.java | 10 +-
.../esapi/waf/rules/AuthenticatedRule.java | 8 +-
.../owasp/esapi/waf/rules/BeanShellRule.java | 6 +-
.../waf/rules/DetectOutboundContentRule.java | 20 +-
.../esapi/waf/rules/EnforceHTTPSRule.java | 8 +-
.../waf/rules/GeneralAttackSignatureRule.java | 10 +-
.../owasp/esapi/waf/rules/HTTPMethodRule.java | 8 +-
.../org/owasp/esapi/waf/rules/IPRule.java | 14 +-
.../owasp/esapi/waf/rules/MustMatchRule.java | 6 +-
.../esapi/waf/rules/PathExtensionRule.java | 8 +-
.../esapi/waf/rules/ReplaceContentRule.java | 20 +-
.../waf/rules/RestrictContentTypeRule.java | 8 +-
.../waf/rules/RestrictUserAgentRule.java | 16 +-
.../java/org/owasp/esapi/waf/rules/Rule.java | 6 +-
.../org/owasp/esapi/waf/rules/RuleUtil.java | 6 +-
.../waf/rules/SimpleVirtualPatchRule.java | 10 +-
.../org/owasp/esapi/waf/rules/package.html | 6 +-
.../org/owasp/esapi/ESAPIContractAPITest.java | 18 +-
.../esapi/SecurityConfigurationWrapper.java | 50 ++--
.../org/owasp/esapi/StringUtilitiesTest.java | 6 +-
src/test/java/org/owasp/esapi/UserTest.java | 12 +-
.../owasp/esapi/ValidationErrorListTest.java | 6 +-
.../owasp/esapi/codecs/AbstractCodecTest.java | 26 +-
.../org/owasp/esapi/codecs/CSSCodecTest.java | 2 +-
.../owasp/esapi/codecs/CodecImmunityTest.java | 6 +-
.../esapi/codecs/HTMLEntityCodecTest.java | 10 +-
.../owasp/esapi/codecs/MySQLCodecTest.java | 68 ++---
.../owasp/esapi/codecs/PercentCodecTest.java | 4 +-
.../esapi/codecs/PushBackStringTest.java | 20 +-
.../esapi/codecs/XMLEntityCodecTest.java | 6 +-
.../AbstractCodecCharacterTest.java | 20 +-
.../abstraction/AbstractCodecStringTest.java | 14 +-
.../percent/PercentCodecCharacterTest.java | 2 +-
.../percent/PercentCodecKnownIssuesTest.java | 10 +-
.../percent/PercentCodecStringTest.java | 12 +-
.../ref/EncodingPatternPreservationTest.java | 28 +-
.../EsapiPropertyManagerTest.java | 4 +-
.../StandardEsapiPropertyLoaderTest.java | 28 +-
.../XmlEsapiPropertyLoaderTest.java | 2 +-
.../owasp/esapi/crypto/CipherSpecTest.java | 20 +-
.../owasp/esapi/crypto/CipherTextTest.java | 34 +--
.../owasp/esapi/crypto/CryptoHelperTest.java | 10 +-
.../owasp/esapi/crypto/CryptoTokenTest.java | 30 +--
.../crypto/ESAPICryptoMACByPassTest.java | 6 +-
.../org/owasp/esapi/crypto/PlainTextTest.java | 16 +-
.../crypto/SecurityProviderLoaderTest.java | 10 +-
.../EnterpriseSecurityExceptionTest.java | 22 +-
.../esapi/filters/ClickjackFilterTest.java | 18 +-
.../owasp/esapi/filters/SafeRequestTest.java | 14 +-
.../filters/SecurityWrapperRequestTest.java | 140 +++++-----
.../filters/SecurityWrapperResponseTest.java | 20 +-
.../org/owasp/esapi/http/MockFilterChain.java | 6 +-
.../owasp/esapi/http/MockFilterConfig.java | 8 +-
.../esapi/http/MockHttpServletRequest.java | 18 +-
.../esapi/http/MockHttpServletResponse.java | 18 +-
.../org/owasp/esapi/http/MockHttpSession.java | 32 +--
.../esapi/http/MockRequestDispatcher.java | 8 +-
.../owasp/esapi/http/MockServletContext.java | 6 +-
.../esapi/http/MockServletInputStream.java | 8 +-
.../appender/ClientInfoSupplierTest.java | 82 +++---
.../appender/EventTypeLogSupplierTest.java | 8 +-
.../appender/LogPrefixAppenderTest.java | 14 +-
.../appender/UserInfoSupplierTest.java | 40 +--
.../cleaning/CodecLogScrubberTest.java | 6 +-
.../cleaning/CompositeLogScrubberTest.java | 6 +-
.../cleaning/NewlineLogScrubberTest.java | 6 +-
.../logging/java/JavaLogBridgeImplTest.java | 6 +-
.../logging/java/JavaLogFactoryTest.java | 12 +-
.../java/JavaLogLevelHandlersTest.java | 8 +-
.../esapi/logging/java/JavaLoggerTest.java | 6 +-
.../logging/slf4j/Slf4JLogBridgeImplTest.java | 14 +-
.../logging/slf4j/Slf4JLogFactoryTest.java | 32 +--
.../slf4j/Slf4JLogLevelHandlersTest.java | 6 +-
.../esapi/logging/slf4j/Slf4JLoggerTest.java | 88 +++---
.../AbstractAccessReferenceMapTest.java | 24 +-
.../esapi/reference/AccessControllerTest.java | 46 ++--
.../reference/AccessReferenceMapTest.java | 62 ++---
.../esapi/reference/AuthenticatorTest.java | 88 +++---
.../DefaultSecurityConfigurationTest.java | 140 +++++-----
.../DefaultValidaterDateAPITest.java | 62 ++---
.../DefaultValidatorInputStringAPITest.java | 56 ++--
.../owasp/esapi/reference/EncoderTest.java | 200 +++++++-------
.../owasp/esapi/reference/ExecutorTest.java | 18 +-
.../reference/ExtensiveEncoderURITest.java | 6 +-
.../esapi/reference/HTTPUtilitiesTest.java | 40 +--
.../IntegerAccessReferenceMapTest.java | 62 ++---
.../reference/IntrusionDetectorTest.java | 24 +-
.../owasp/esapi/reference/RandomizerTest.java | 36 +--
.../owasp/esapi/reference/SafeFileTest.java | 22 +-
.../org/owasp/esapi/reference/TestDebug.java | 2 +-
.../org/owasp/esapi/reference/UserTest.java | 110 ++++----
.../owasp/esapi/reference/ValidatorTest.java | 20 +-
.../accesscontrol/AccessControllerTest.java | 72 ++---
.../policyloader/ACRPolicyFileLoaderTest.java | 2 +-
.../esapi/reference/crypto/CryptoPolicy.java | 4 +-
.../crypto/EncryptedPropertiesTest.java | 22 +-
.../crypto/EncryptedPropertiesUtilsTest.java | 26 +-
.../esapi/reference/crypto/EncryptorTest.java | 100 +++----
.../ReferenceEncryptedPropertiesTest.java | 20 +-
.../validation/BaseValidationRuleTest.java | 22 +-
.../DateValidationRulePowerMockTest.java | 74 ++---
.../validation/DateValidationRuleTest.java | 70 ++---
.../HTMLValidationRuleClasspathTest.java | 8 +-
.../HTMLValidationRuleCleanTest.java | 6 +-
.../validation/StringValidationRuleTest.java | 62 ++---
.../org/owasp/esapi/util/FileTestUtils.java | 4 +-
.../org/owasp/esapi/util/ObjFactoryTest.java | 34 +--
.../org/owasp/esapi/waf/AddHeaderTest.java | 26 +-
.../org/owasp/esapi/waf/BeanShellTest.java | 10 +-
.../owasp/esapi/waf/DetectOutboundTest.java | 34 +--
.../owasp/esapi/waf/DynamicInsertionTest.java | 30 +--
.../esapi/waf/EnforceAuthenticationTest.java | 12 +-
.../org/owasp/esapi/waf/EnforceHTTPSTest.java | 16 +-
.../org/owasp/esapi/waf/GoodRequestTest.java | 10 +-
.../org/owasp/esapi/waf/HttpOnlyTest.java | 40 +--
.../esapi/waf/MockWafServletContext.java | 6 +-
.../org/owasp/esapi/waf/MustMatchTest.java | 12 +-
.../esapi/waf/RestrictContentTypeTest.java | 22 +-
.../esapi/waf/RestrictExtensionTest.java | 20 +-
.../owasp/esapi/waf/RestrictMethodTest.java | 18 +-
.../esapi/waf/RestrictUserAgentTest.java | 26 +-
.../org/owasp/esapi/waf/VirtualPatchTest.java | 10 +-
.../org/owasp/esapi/waf/WAFFilterTest.java | 26 +-
.../java/org/owasp/esapi/waf/WAFTestCase.java | 24 +-
.../org/owasp/esapi/waf/WAFTestUtility.java | 34 +--
.../InterceptingHttpServletResponseTest.java | 14 +-
316 files changed, 4190 insertions(+), 4190 deletions(-)
diff --git a/README.md b/README.md
index 1fac65501..1a7b0c782 100644
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ ONLY use GitHub Issues for reporting bugs.
# References: Where to Find More Information on ESAPI
**OWASP Wiki:** https://owasp.org/www-project-enterprise-security-api/
-**GitHub ESAPI Wiki:** https://github.com/ESAPI/esapi-java-legacy/wiki
+**GitHub ESAPI Wiki:** https://github.com/ESAPI/esapi-java-legacy/wiki
**General Documentation:** Under the '[documentation](https://github.com/ESAPI/esapi-java-legacy/tree/develop/documentation)' folder.
diff --git a/documentation/ESAPI-configuration-user-guide.md b/documentation/ESAPI-configuration-user-guide.md
index 72694bb05..420a4fb27 100644
--- a/documentation/ESAPI-configuration-user-guide.md
+++ b/documentation/ESAPI-configuration-user-guide.md
@@ -41,7 +41,7 @@ until these deprecated methods are removed, but it will be a minumum of 2 years
or 1 major release [e.g., 3.x], whichever comes first. Also, we may not
necessarily remove all of them at once, depending on community feedback.)
-DefaultSecurityConfiguration implements the new contract. New contract methods implementations work as described in
+DefaultSecurityConfiguration implements the new contract. New contract methods implementations work as described in
'Multiple configuration files support' paragraph.
## Multiple configuration files support
@@ -49,7 +49,7 @@ DefaultSecurityConfiguration implements the new contract. New contract methods i
EsapiPropertyManager is the new implementation for getting properties, which uses prioritized property loaders (each one associated with a specific configuration file). This allows to have multiple configuration files existing with priority connected to each one. At this moment, there
are two configuration files possible to use, the path to them is set through following Java
system properties:
-
+
* org.owasp.esapi.opsteam = (higher priority config)
* org.owasp.esapi.devteam = (lower priority config)
@@ -86,9 +86,9 @@ ESAPI.securityConfiguration().getBooleanProp("propertyXXX");
where "propertyXXX" is some property name relevant to ESAPI (and
in this case, one that would hold a boolean value). See ESAPI.properties
for a list of current property names known to ESAPI.
-
+
In above example, following happens:
-
+
1. org.owasp.esapi.opsteam configuration is used to get propertyXXX and return it as boolean.
2. If (1) fails to find property, org.owasp.esapi.devteam is used to get propertyXXX and return it as boolean.
3. If (2) fails to find property, ESAPI.properties is used to get propertyXXX and return it as boolean.
diff --git a/documentation/esapi4java-2.0-readme.txt b/documentation/esapi4java-2.0-readme.txt
index 7f568fb06..7fd25e068 100644
--- a/documentation/esapi4java-2.0-readme.txt
+++ b/documentation/esapi4java-2.0-readme.txt
@@ -7,7 +7,7 @@ Here are the most significant directories and files included the zip file for th
File / Directory Description
=========================================================================================
-/
+/
|
+---configuration/ Directory of ESAPI configuration files
| |
diff --git a/documentation/esapi4java-2.0rc6-override-log4jloggingfactory.txt b/documentation/esapi4java-2.0rc6-override-log4jloggingfactory.txt
index 49accdbfc..35290f5e6 100644
--- a/documentation/esapi4java-2.0rc6-override-log4jloggingfactory.txt
+++ b/documentation/esapi4java-2.0rc6-override-log4jloggingfactory.txt
@@ -1,4 +1,4 @@
-This release includes critical changes to the ESAPI Log4JLogger that will now allow you to over-ride the user specific
+This release includes critical changes to the ESAPI Log4JLogger that will now allow you to over-ride the user specific
message using your own User or java.security.Principal implementation.
There are a three critical steps that need to be taken to over-ride the ESAPI Log4JLogger:
@@ -23,8 +23,8 @@ ESAPI.Logger=com.yourcompany.logging.ExtendedLog4JFactory
And you should be all set!
-PS: The original ESAPI Log4JLogging class used a secure random number as a replacement to logging the session ID. This allowed
-us to tie log messages from the same session together, without exposing the actual session id in the log file. The code looks
+PS: The original ESAPI Log4JLogging class used a secure random number as a replacement to logging the session ID. This allowed
+us to tie log messages from the same session together, without exposing the actual session id in the log file. The code looks
like this, and you may wish to use it in your over-ridden version of getUserInfo.
HttpServletRequest request = ESAPI.httpUtilities().getCurrentRequest();
@@ -40,7 +40,7 @@ if ( request != null ) {
}
}
-In fact, here is the entire original getUserInfo() implementation (that was tied to the ESAPI request and user object) –
+In fact, here is the entire original getUserInfo() implementation (that was tied to the ESAPI request and user object) –
you may wish to emulate some of this.
public String getUserInfo() {
@@ -58,14 +58,14 @@ public String getUserInfo() {
}
}
}
-
+
// log user information - username:session@ipaddr
- User user = ESAPI.authenticator().getCurrentUser();
+ User user = ESAPI.authenticator().getCurrentUser();
String userInfo = "";
//TODO - make type logging configurable
if ( user != null) {
userInfo += user.getAccountName()+ ":" + sid + "@"+ user.getLastHostAddress();
}
-
+
return userInfo;
}
diff --git a/documentation/esapi4java-core-2.0-readme-crypto-changes.html b/documentation/esapi4java-core-2.0-readme-crypto-changes.html
index 8687f5ca6..db403b9c9 100644
--- a/documentation/esapi4java-core-2.0-readme-crypto-changes.html
+++ b/documentation/esapi4java-core-2.0-readme-crypto-changes.html
@@ -63,7 +63,7 @@
Symmetric Encryption in ESAPI 2.0rc1 and 2.0rc2
always encrypt to the same ciphertext block, thus revealing patterns
in the plaintext input. For example, these images from Wikipedia's
Block
-cipher modes of operation illustrate this point well:
+cipher modes of operation illustrate this point well:
In both ESAPI 2.0-rc1 and 2.0-rc2, one can choose other block
ciphers (e.g. Blowfish) or other key sizes (e.g., 512-bit AES), but
@@ -123,7 +123,7 @@
Problems with Symmetric Encryption in ESAPI 2.0-rc1 and 2.0-rc2
The Encryption Changes in ESAPI 2.0-rc3 and Later
Briefly speaking, the changes being implemented for ESAPI Java 2.0
-are:
+are:
Starting in ESAPI Java 2.0-rc3,
@@ -156,7 +156,7 @@
The Encryption Changes in ESAPI 2.0-rc3 and Later
response was deafening. There literally was but a single response
and that was to kill off LegacyJavaEncryptor.
(By this time, the two symmetric encryption interfaces in Encryptor
- had already been deprecated.)
+ had already been deprecated.)
The byte-encoding has been changed from native byte encoding
to UTF-8 byte-encoding throughout ESAPI 2.0 and not just for
@@ -167,7 +167,7 @@
The Encryption Changes in ESAPI 2.0-rc3 and Later
guaranteed.
The Good, the Bad, and the Ugly
-
Or put another way, there are always trade-offs to be made...
+
Or put another way, there are always trade-offs to be made...
The Good
We get improved security by encouraging the use of stronger cipher
@@ -205,9 +205,9 @@
The Bad
both to encrypt and decrypt. While it is not required that the IV be
kept secret from adversaries, there are some attacks that are
possible if the adversary is permitted to alter the IV at will and
-observe the results of the ensuing decryption attempt.
+observe the results of the ensuing decryption attempt.
-
So that leaves two choices for the IV:
+
So that leaves two choices for the IV:
Using a fixed IV:
@@ -223,7 +223,7 @@
The Bad
persisted (e.g., to a database) or transmitted to the recipient this
random IV must be stored / made known. Therefore, the raw ciphertext
can no longer suffice; whatever random IV that was chosen must be
- communicated.
+ communicated.
Likewise, the use of padding is going to add some overhead to the
@@ -360,7 +360,7 @@
The Bad
cipher block size is 128-bits, but more typically, a cipher's block
size is 64-bits so the padding would be between 1 to 16 bytes for AES
and 1 to 8 bytes for a 64-bit block size cipher and the IV would be
-IV would be 16 bytes for AES and 8 bytes for most other ciphers.
+IV would be 16 bytes for AES and 8 bytes for most other ciphers.
The Ugly
Well, so far, this "bad" news may be bad for you but
@@ -370,7 +370,7 @@
The Ugly
But wait Skippy, don't go running off just quite yet. As Robert
Heinlein wrote in his 1966 novel The Moon is a Harsh Mistress
"There ain't no such thing as a free lunch". (Some of us
-more hardened cynics know it more commonly as TANSTAAFL.)
+more hardened cynics know it more commonly as TANSTAAFL.)
As mentioned earlier, backward compatibility with ESAPI 1.4
(originally planned via LegacyJavaEncryptor) has been
@@ -395,11 +395,11 @@
The Ugly
complexity of handling the ciphertext result from encryption
operations. And then there are new encryption and decryption methods
for the Encryptor interface. Specifically, the encrypt
-and decrypt methods have been generalized as:
+and decrypt methods have been generalized as:
are still supported but have been deprecated, mainly because
diff --git a/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html b/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
index d0ecfb2f9..19298d4c2 100644
--- a/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
+++ b/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
@@ -353,7 +353,7 @@
ESAPI.properties Properties Relevant to Symmetric Encryption
How the Old (Deprecated) Methods Were Used
To encrypt / decrypt using the String-based, deprecated methods
carried over from ESAPI 1.4, code similar to the following would be
-used.
+used.
Encrypting / Decrypting with the New Methods -- The Simple Usage
Using the new encryption / decryption methods is somewhat more
complicated, but this is in part because they are more flexible and
that flexibility means that more information needs to be communicated
-as to the details of the encryption.
+as to the details of the encryption.
A code snippet using the new methods that use the master
-encryption key would look something like this:
+encryption key would look something like this:
Encrypting / Decrypting with the New Methods -- The Simple Usage
mode is chosen.
Also, these new methods allow a general byte array to be
encrypted, not just a Java String. If one needed to encrypt a byte
-array with the old deprecated method, one would first have to use
+array with the old deprecated method, one would first have to use
byte[] plaintextByteArray = { /* byte array to be encrypted */ };
String plaintext = new String(plaintextByteArray, "UTF-8");
@@ -541,7 +541,7 @@
Encrypting / Decrypting with the New Methods
encrypted bank account numbers are to be sent to one recipient and
the encrypted credit card numbers are to be sent to a different
recipient. Obviously in such cases, you do not want to share the same
-key for both recipients.
+key for both recipients.
In ESAPI 1.4 there was not much you can do, but in ESAPI 2.0 and
later, there are new encryption / decryption methods that allow you
@@ -553,14 +553,14 @@
Encrypting / Decrypting with the New Methods
distributed to the recipients out-of-band. On you could distribute
them dynamically via asymmetric encryption assuming that you've
previously exchanged public keys with the recipients.)
-
The following illustrates how these new methods might be used.
+
The following illustrates how these new methods might be used.
First, we would generate some appropriate secret keys and
distribute them securely (e.g., perhaps over SSL/TLS) or exchange
them earlier out-of-band to the intended recipients. (E.g., one could
put them on two separate thumb drives and use a trusted courier to
distribute them to the recipients or one could use PGP-mail or S/MIME
-to securely email them, etc.)
+to securely email them, etc.)
// Generate two random, 128-bit AES keys to be distributed out-of-band.
import javax.crypto.SecretKey;
@@ -587,10 +587,10 @@
Encrypting / Decrypting with the New Methods
Second, these keys would be printed out and stored somewhere secure
by our application, perhaps using something like ESAPI's
EncryptedProperties class, where they could later be
-retrieved and used.
+retrieved and used.
In the following code, we assume that the SecretKey
-values have already been initialized elsewhere.
+values have already been initialized elsewhere.
SecretKey bankAcctKey = ...; // These might be read from EncryptedProperties
SecretKey credCardKey = ...; // or from a restricted database, etc.
diff --git a/documentation/esapi4java-core-2.1-release-notes.txt b/documentation/esapi4java-core-2.1-release-notes.txt
index d84097d80..e97e56c93 100644
--- a/documentation/esapi4java-core-2.1-release-notes.txt
+++ b/documentation/esapi4java-core-2.1-release-notes.txt
@@ -8,7 +8,7 @@ ESAPI for Java - 2.1.0 Release Notes
deprecated more than 2 years ago and they are known to be insecure
(they are vulnerable to padding oracle attacks), the ESAPI team has
decided to remove them in accordance to their support policy.
-
+
See comments for issue #306 for further details, as well as additional
safety precautions that you may wish to take in the unlikely, but possible
event that this vulnerability resulted in an actual security breach.
@@ -64,5 +64,5 @@ NOTE: A follow-up patch release is scheduled within the next few months to
based on findings in Google Issue # 306. I will periodically try
to keep the ESAPI mailing lists updated with the progress so watch
there for emerging details and anticipated schedule.
-
+
-Kevin W. Wall , 2013-08-30
diff --git a/documentation/esapi4java-core-2.2.0.0-release-notes.txt b/documentation/esapi4java-core-2.2.0.0-release-notes.txt
index 8deafbb9d..b43efc743 100644
--- a/documentation/esapi4java-core-2.2.0.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.2.0.0-release-notes.txt
@@ -46,7 +46,7 @@ Issue # GitHub Issue Title
37 RandomAccessReferenceMap.update() can randomly corrupt the map
71 java.lang.ExceptionInInitializerError in 2.0 version
129 Add Logging support for SLF4J
-157 minimum-config deployment fails
+157 minimum-config deployment fails
188 SecurityWrapperRequest seems to mishandle/swallow allowNull argument
209 Build an encoding function specific to HTTP/Response Splitting (tactical remediation)
213 Provide a taglib descriptor (.tld file)
@@ -116,7 +116,7 @@ Issue # GitHub Issue Title
386 Avoid using System.err in EsapiPropertyManager
387 'mvn site' fails for FindBugs report, causing 'site' goal to fail
389 Provide an option for the encodeForLDAP method to not encode wildcard characters
-394 Refactor Validator.getCanonicalizedUri into Encoder.
+394 Refactor Validator.getCanonicalizedUri into Encoder.
395 Issues when I am passing htttp://localhost:8080/user=admin&prodversion=no
396 Trust Boundary Violation - while triggering veracode
397 Update Resource path search to maintain legacy behavior in DefaultSecurityConfiguration.java
@@ -128,7 +128,7 @@ Issue # GitHub Issue Title
417 Add additional protection against CVE-2016-1000031
422 Inconsistent dependency structure and vulnerable xml (xerces, xalan, xml-apis ...) dependencies
424 issue with Filename encoding for executeSystemCommand
-425 Project build error: Non-resolvable parent POM for org.owasp.esapi:esapi:2.1.0.2-SNAPSHOT: Could not transfer artifact
+425 Project build error: Non-resolvable parent POM for org.owasp.esapi:esapi:2.1.0.2-SNAPSHOT: Could not transfer artifact
427 HTTP cookie validation rules too restrictive?
429 Miscellaneous updates to pom.xml
432 ESAPI.properties not found.
@@ -140,7 +140,7 @@ Issue # GitHub Issue Title
442 Remove deprecated fields in Encoder interface
444 Delete deprecated method Base64.decodeToObject() and related methods
445 A bunch of dependencies are out of date , I will list them below with the associated vulnerability
-447 can't generate MasterKey / MasterSalt
+447 can't generate MasterKey / MasterSalt
448 Clean up pom.xml
454 about code eclipse formatter template question
455 New release for mitigation of CVEs
@@ -194,7 +194,7 @@ Issue # GitHub Issue Title
Issue 483 More miscellaneous prep work for ESAPI 2.2.0.0 release
Specifically, CipherText.getSerialVersionUID() and DefaultSecurityConfiguration.MAX_FILE_NAME_LENGTH have actually been deleted from the ESAPI code base. For the former, use CipherText.cipherTextVersion() instead. For the latter, there is no replacement. (This wasn't being used, but it was set to 1000 in case you're wondering.)
-
+
* Various properties in ESAPI.properties were changed in a way that might affect your application:
Issue 439 Tighten ESAPI defaults to disallow dubious file suffixes
@@ -220,10 +220,10 @@ Issue # GitHub Issue Title
Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$
(Left as an exercise for the reader to figure out what exactly this means. ;-)
Validator.HTTPURI: Changed to be much more restrictive; i.e., changed from:
- Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
+ Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
to:
Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$
-
+
* Other changes:
Issue 500 Suppress noise from ESAPI searching for properties and stop ignoring important IOExceptions
@@ -241,7 +241,7 @@ Issue # GitHub Issue Title
Other changes in this release, some of which not tracked via GitHub issues
-* Updated minimal version of Maven from 3.0 to 3.1 required to build ESAPI.
+* Updated minimal version of Maven from 3.0 to 3.1 required to build ESAPI.
* Miscellaneous minor javadoc fixes and updates.
* Added the Maven plug-in for OWASP Dependency Check so 3rd party dependencies can be kept up-to-date.
* Updated .gitignore file with additional files to be ignored.
diff --git a/documentation/esapi4java-core-2.2.1.0-release-notes.txt b/documentation/esapi4java-core-2.2.1.0-release-notes.txt
index 6119a5c4c..e32e0ad8c 100644
--- a/documentation/esapi4java-core-2.2.1.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.2.1.0-release-notes.txt
@@ -80,7 +80,7 @@ Issue # GitHub Issue Title
The new default ESAPI logger is JUL (java.util.logging packages) and we have deprecated the use of Log4J 1.x because we now support SLF4J and Log4J 1.x is way past its end-of-life. We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
Related to that CVE and how it affects ESAPI, be sure to read
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
which describes CVE-2019-17571, a deserialization vulnerability in Log4J 1.2.17. ESAPI is not affected by this (even if you chose to use Log4J 1 as you default ESAPI logger). This security bulletin describes why this CVE is not exploitable as used by ESAPI.
Notable dependency updates (excludes those only used with JUnit tests):
@@ -204,21 +204,21 @@ PR# GitHub ID Description
506 -- kwwall -- Closes Issue 245
508 -- Michael-Ziluck -- Resolves #226 - Corrected docs for the bounded, numeric, random methods
510 -- Michael-Ziluck -- Resolve #509 - Properly throw exception when HTML fails
-513 -- kwwall -- Close issue #512 by updating to 1.9.4 of Commons Beans Util.
-514 -- xeno6696 -- Fixed issues #503 by writing a new addReferer method, also temporarily…
-516 -- jeremiahjstacey -- Issue 515
-518 -- jeremiahjstacey -- Issue #511 Copying Docs from DefaultValidator
-519 -- jeremiahjstacey -- Issue 494 CSSCodec RGB Triplets
-520 -- jeremiahjstacey -- OS Name DefaultExecutorTests #143
-533 -- jeremiahjstacey -- #532 JUL and Log4J match SLF4J class structure and Workflow
-535 -- kwwall -- Issue 521
-537 -- jeremiahjstacey -- Issue 536
-539 -- wiiitek -- upgrade for convergence
-540 -- wiiitek -- Issue 382: Build Fails on path with space
-541 -- HJW8472 -- Fixed issue #310
-543 -- sempf -- Release notes for 2.2.1.0
-551 -- kwwall -- Misc cleanup
-553 -- kwwall -- Fix for GitHub Issue 552
+513 -- kwwall -- Close issue #512 by updating to 1.9.4 of Commons Beans Util.
+514 -- xeno6696 -- Fixed issues #503 by writing a new addReferer method, also temporarily…
+516 -- jeremiahjstacey -- Issue 515
+518 -- jeremiahjstacey -- Issue #511 Copying Docs from DefaultValidator
+519 -- jeremiahjstacey -- Issue 494 CSSCodec RGB Triplets
+520 -- jeremiahjstacey -- OS Name DefaultExecutorTests #143
+533 -- jeremiahjstacey -- #532 JUL and Log4J match SLF4J class structure and Workflow
+535 -- kwwall -- Issue 521
+537 -- jeremiahjstacey -- Issue 536
+539 -- wiiitek -- upgrade for convergence
+540 -- wiiitek -- Issue 382: Build Fails on path with space
+541 -- HJW8472 -- Fixed issue #310
+543 -- sempf -- Release notes for 2.2.1.0
+551 -- kwwall -- Misc cleanup
+553 -- kwwall -- Fix for GitHub Issue 552
557 -- kwwall -- Final prep for 2.2.1.0 release
@@ -234,11 +234,11 @@ Direct and Transitive Runtime and Test Dependencies:
$ mvn dependency:tree
[INFO] Scanning for projects...
- [INFO]
+ [INFO]
[INFO] -----------------------< org.owasp.esapi:esapi >------------------------
[INFO] Building ESAPI 2.2.1.0
[INFO] --------------------------------[ jar ]---------------------------------
- [INFO]
+ [INFO]
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ esapi ---
[INFO] org.owasp.esapi:esapi:jar:2.2.1.0
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
@@ -271,9 +271,9 @@ Direct and Transitive Runtime and Test Dependencies:
[INFO] | \- xalan:serializer:jar:2.7.2:compile
[INFO] +- xerces:xercesImpl:jar:2.12.0:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
- [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.0.4:compile (optional)
- [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
- [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.0.4:compile (optional)
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
+ [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
[INFO] +- junit:junit:jar:4.13:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.65.01:test
diff --git a/documentation/esapi4java-core-2.2.1.1-release-notes.txt b/documentation/esapi4java-core-2.2.1.1-release-notes.txt
index 7fa3ffc35..4670706f7 100644
--- a/documentation/esapi4java-core-2.2.1.1-release-notes.txt
+++ b/documentation/esapi4java-core-2.2.1.1-release-notes.txt
@@ -79,7 +79,7 @@ See GitHub issue #560 for additional details.
Related to that aforemented Log4J 1.x CVE and how it affects ESAPI, be sure to read
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
which describes CVE-2019-17571, a deserialization vulnerability in Log4J 1.2.17. ESAPI is *NOT* affected by this (even if you chose to use Log4J 1 as you default ESAPI logger). This security bulletin describes why this CVE is not exploitable as used by ESAPI.
@@ -150,7 +150,7 @@ kwwall 67 64 8
PR# GitHub ID Description
----------------------------------------------------------------------
559 -- synk-bot -- Upgrade com.github.spotbugs:spotbugs-annotations from 4.0.4 to 4.0.5
-562 -- jeremiahjstacey -- Issue #560 JUL fixes
+562 -- jeremiahjstacey -- Issue #560 JUL fixes
CHANGELOG: Create your own. May I suggest:
@@ -164,11 +164,11 @@ Direct and Transitive Runtime and Test Dependencies:
$ mvn dependency:tree
[INFO] Scanning for projects...
- [INFO]
+ [INFO]
[INFO] -----------------------< org.owasp.esapi:esapi >------------------------
[INFO] Building ESAPI 2.2.1.1
[INFO] --------------------------------[ jar ]---------------------------------
- [INFO]
+ [INFO]
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ esapi ---
[INFO] org.owasp.esapi:esapi:jar:2.2.1.1
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
@@ -201,9 +201,9 @@ Direct and Transitive Runtime and Test Dependencies:
[INFO] | \- xalan:serializer:jar:2.7.2:compile
[INFO] +- xerces:xercesImpl:jar:2.12.0:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
- [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.0.5:compile (optional)
- [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
- [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.0.5:compile (optional)
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
+ [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
[INFO] +- junit:junit:jar:4.13:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.65.01:test
diff --git a/documentation/esapi4java-core-2.2.2.0-release-notes.txt b/documentation/esapi4java-core-2.2.2.0-release-notes.txt
index 4920a296f..833d1b94e 100644
--- a/documentation/esapi4java-core-2.2.2.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.2.2.0-release-notes.txt
@@ -13,7 +13,7 @@ Executive Summary: Important Things to Note for this Release
This is a patch release with the primary intent of updating some dependencies with known vulnerabilities. The main vulnerability that was remediated was CVE-2020-13956, which was a vulnerability introduced through the ESAPI transitive dependency org.apache.httpcomponents:httpclient:4.5.12, potentially exposed through org.owasp.antisamy:antisamy:1.5.10. Updating to AntiSamy 1.5.11 remediated that issue. In addition, that update to AntiSamy 1.5.11 also addressed AntiSamy issue #48 (https://github.com/nahsra/antisamy/issues/48), which was a low risk security issue that potentially could be exposed via phishing.
For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you might notice that there is vulnerability in xerces:xercesImpl:2.12.0 that ESAPI uses (also a transitive dependency) that is similar to CVE-2020-14621. Unfortunately there is no official patch for this in the regular Maven Central repository. Further details are described in Security Bulletin #3, which is viewable here
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf
and associated with this release on GitHub. Manual workarounds possible. See the security bulletin for further details.
@@ -91,7 +91,7 @@ See GitHub issue #560 for additional details.
Related to that aforemented Log4J 1.x CVE and how it affects ESAPI, be sure to read
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
which describes CVE-2019-17571, a deserialization vulnerability in Log4J 1.2.17. ESAPI is *NOT* affected by this (even if you chose to use Log4J 1 as you default ESAPI logger). This security bulletin describes why this CVE is not exploitable as used by ESAPI.
@@ -132,9 +132,9 @@ We do not know the reason for these failures, but only that we have observed the
Lastly, some SCA services may continue to flag vulnerabilties in ESAPI 2.2.2.0 related to log4j 1.2.17 and xerces 2.12.0. We do not believe the way that ESAPI uses either of these in a manner that leads to any exploitable behavior. See the security bulletins
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
and
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf
respectively, for additional details.
-----------------------------------------------------------------------------
@@ -175,11 +175,11 @@ Direct and Transitive Runtime and Test Dependencies:
$ mvn dependency:tree
[INFO] Scanning for projects...
- [INFO]
+ [INFO]
[INFO] -----------------------< org.owasp.esapi:esapi >------------------------
[INFO] Building ESAPI 2.2.2.0
[INFO] --------------------------------[ jar ]---------------------------------
- [INFO]
+ [INFO]
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ esapi ---
[INFO] org.owasp.esapi:esapi:jar:2.2.2.0-SNAPSHOT
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
@@ -212,9 +212,9 @@ Direct and Transitive Runtime and Test Dependencies:
[INFO] | \- xalan:serializer:jar:2.7.2:compile
[INFO] +- xerces:xercesImpl:jar:2.12.0:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
- [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.1.4:compile (optional)
- [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
- [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.1.4:compile (optional)
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
+ [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.65.01:test
diff --git a/documentation/esapi4java-core-2.2.3.0-release-notes.txt b/documentation/esapi4java-core-2.2.3.0-release-notes.txt
index df95a77fd..1b96a6657 100644
--- a/documentation/esapi4java-core-2.2.3.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.2.3.0-release-notes.txt
@@ -16,7 +16,7 @@ This is a patch release with the primary intent of updating some dependencies, s
-- AntiSamy, from 1.5.11 to 1.6.2.
-- As a result of the AntiSamy upgrade, the transitive dependency xercesImpl was updated from 2.12.0 to 2.12.1 which should address CVE-2020-14338.
-- Apache batik-css, updated from 1.13 to 1.14.
-
+
Details follow.
* IMPORTANT: Effects of updating to AntiSamy 1.6.2
@@ -30,7 +30,7 @@ Details follow.
in your dependency for ESAPI in your application's pom.xml. (You Gradle, Ivy, etc. other build tool users will have to figure out how to do this yourself.)
This is especially important if you are using SLF4J logging in ESAPI with some other SLF4J logger such as slf4j-log4j2, etc. If you don't do that, your logging may not come out as expected. See , under its section discussing Logging for more details.
-
+
o Previously, ESAPI shipped with a default AntiSamy policy file called 'antisamy-esapi.xml'. For 10 plus years, unbeknownst to anyone, that file contained an unused '' node that not only did ESAPI not directly used, but was also completely ignored by AntiSamy! However, starting with AntiSamy 1.6.0, AntiSamy does XML schema validation by default, so that causes any non-compliant AntiSamy policy file to be rejected. This may result in some rather obtuse error messages and you may want to set the AntiSamy system property 'owasp.validator.validateschema' to "false" temporarily until you have time to correct your AntiSamy policy file(s).
Old News
@@ -72,7 +72,7 @@ Issue # GitHub Issue Title
602 Update failing ValidatorTest in 'Java CI with Maven' GitHub workflow
606 Vulnerability in transitive dependency of esapi
609 Change log4j dependency scope to provided Build-Maven Component-Docs Component-Logger Configuration
-614 Potentlial XXE Injection vulnerability in loading XML version of ESAPI properties file
+614 Potentlial XXE Injection vulnerability in loading XML version of ESAPI properties file
-----------------------------------------------------------------------------
@@ -125,7 +125,7 @@ See GitHub issue #560 for additional details.
Related to that aforemented Log4J 1.x CVE and how it affects ESAPI, be sure to read
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
which describes CVE-2019-17571, a deserialization vulnerability in Log4J 1.2.17. ESAPI is *NOT* affected by this (even if you chose to use Log4J 1 as you default ESAPI logger). This security bulletin describes why this CVE is not exploitable as used by ESAPI.
@@ -211,11 +211,11 @@ Direct and Transitive Runtime and Test Dependencies:
$ mvn -B dependency:tree
[INFO] Scanning for projects...
- [INFO]
+ [INFO]
[INFO] -----------------------< org.owasp.esapi:esapi >------------------------
[INFO] Building ESAPI 2.2.3.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
- [INFO]
+ [INFO]
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ esapi ---
[INFO] org.owasp.esapi:esapi:jar:2.2.3.0-SNAPSHOT
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
@@ -249,9 +249,9 @@ Direct and Transitive Runtime and Test Dependencies:
[INFO] +- xalan:xalan:jar:2.7.2:compile
[INFO] | \- xalan:serializer:jar:2.7.2:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
- [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.2.0:compile (optional)
- [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
- [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.2.0:compile (optional)
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
+ [INFO] +- net.jcip:jcip-annotations:jar:1.0:compile (optional)
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.68:test
diff --git a/documentation/esapi4java-core-2.2.3.1-release-notes.txt b/documentation/esapi4java-core-2.2.3.1-release-notes.txt
index b76e9c695..f53aa8360 100644
--- a/documentation/esapi4java-core-2.2.3.1-release-notes.txt
+++ b/documentation/esapi4java-core-2.2.3.1-release-notes.txt
@@ -43,7 +43,7 @@ Issue # GitHub Issue Title
Changes Requiring Special Attention
-----------------------------------------------------------------------------
-See this section from the previous release notes at:
+See this section from the previous release notes at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt
-----------------------------------------------------------------------------
@@ -51,12 +51,12 @@ See this section from the previous release notes at:
Remaining Known Issues / Problems
-----------------------------------------------------------------------------
-See this section from the previous release notes at:
+See this section from the previous release notes at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt
NEW since last release (ESAPI 2.2.3.0) - CVE-2021-29425
https://nvd.nist.gov/vuln/detail/CVE-2021-29425
-
+
-----------------------------------------------------------------------------
@@ -93,11 +93,11 @@ Direct and Transitive Runtime and Test Dependencies:
$ mvn dependency:tree
[INFO] Scanning for projects...
- [INFO]
+ [INFO]
[INFO] -----------------------< org.owasp.esapi:esapi >------------------------
[INFO] Building ESAPI 2.2.3.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
- [INFO]
+ [INFO]
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ esapi ---
[INFO] org.owasp.esapi:esapi:jar:2.2.3.1-SNAPSHOT
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
@@ -128,8 +128,8 @@ Direct and Transitive Runtime and Test Dependencies:
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- commons-io:commons-io:jar:2.6:compile
- [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.2.2:compile (optional)
- [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.2.2:compile (optional)
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
[INFO] +- commons-codec:commons-codec:jar:1.15:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.68:test
diff --git a/documentation/esapi4java-core-2.3.0.0-release-notes.txt b/documentation/esapi4java-core-2.3.0.0-release-notes.txt
index b21fafd7f..e4cdefb1d 100644
--- a/documentation/esapi4java-core-2.3.0.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.3.0.0-release-notes.txt
@@ -39,7 +39,7 @@ ESAPI 2.3.0.0 release (current / new release):
Issue # GitHub Issue Title
----------------------------------------------------------------------------------------------
-163 Limit max size of entire cookies Component-Validator enhancement good first issue help wanted imported Priority-High
+163 Limit max size of entire cookies Component-Validator enhancement good first issue help wanted imported Priority-High
198 Uninitialized esapi logging assumes logging to System.out/System.err - Make configurable/extensible bug imported wontfix
324 ClassCastException during web application redeploy due to the grift logging classes enhancement imported
564 Create release notes for 2.2.1.1 patch release Component-Docs
@@ -70,7 +70,7 @@ Issue # GitHub Issue Title
-----------------------------------------------------------------------------
-1) This likely will be the LAST ESAPI release supporting Java 7. There are just some vulnerabilities (notably a DoS one in Neko HtmlUnit that was assigned CVE-2022-28366 after the ESAPI 2.3.0.0 release) that because they are transitive dependencies, that we simply cannot remediate without at least moving on to Java 8 as the minimally supported JDK. Please plan accordingly.
+1) This likely will be the LAST ESAPI release supporting Java 7. There are just some vulnerabilities (notably a DoS one in Neko HtmlUnit that was assigned CVE-2022-28366 after the ESAPI 2.3.0.0 release) that because they are transitive dependencies, that we simply cannot remediate without at least moving on to Java 8 as the minimally supported JDK. Please plan accordingly.
2) If you are not upgrading to ESAPI release 2.3.0.0 from 2.2.3.1 (the previous release), then you NEED to read at least the release notes in 2.2.3.1 and ideally, all the ones in all the previous ESAPI release notes from where you are updating to 2.3.0.0. In particular, if you were using ESAPI 2.2.1.0 or earlier, you need to see those ESAPI release notes in regards to changes in the ESAPI.Logger property.
diff --git a/documentation/esapi4java-core-2.4.0.0-release-notes.txt b/documentation/esapi4java-core-2.4.0.0-release-notes.txt
index c5bf51173..bfc50362d 100644
--- a/documentation/esapi4java-core-2.4.0.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.4.0.0-release-notes.txt
@@ -13,7 +13,7 @@ Do NOT: Do NOT use GitHub Issues to ask questions about this of future releases
Executive Summary: Important Things to Note for this Release
------------------------------------------------------------
-This is a very important ESAPI release as it is the first release to be FULLY INCOMPATIBLE WITH JAVA 1.7! This was expedited in response to some dependencies to resolve prior CVEs (see release notes in 2.3.0.0) that could not be updated as those versions required a JDK > 1.7 which we were forced to. The slightly premature update to Java 1.8 is done to address CVE-2022-28366 that had to be fixed with a version of the transitive depenedency via AntiSamy of NekoHTML that was Java 1.8+ only. (Wrapped into issue #682) It is important to note that the solution to fix CVE-2022-28366 does not exist in ESAPI 2.3.0.0 and there is no intention to fix it for Java 1.7.
+This is a very important ESAPI release as it is the first release to be FULLY INCOMPATIBLE WITH JAVA 1.7! This was expedited in response to some dependencies to resolve prior CVEs (see release notes in 2.3.0.0) that could not be updated as those versions required a JDK > 1.7 which we were forced to. The slightly premature update to Java 1.8 is done to address CVE-2022-28366 that had to be fixed with a version of the transitive depenedency via AntiSamy of NekoHTML that was Java 1.8+ only. (Wrapped into issue #682) It is important to note that the solution to fix CVE-2022-28366 does not exist in ESAPI 2.3.0.0 and there is no intention to fix it for Java 1.7.
=================================================================================================================
@@ -33,10 +33,10 @@ ESAPI 2.4.0.0 release (current / new release):
Issue # GitHub Issue Title
----------------------------------------------------------------------------------------------
-644 Do not include a logging implementation as a dependency slf4j-simple
+644 Do not include a logging implementation as a dependency slf4j-simple
672 (wontfix) HTMLEntityCodec Bug Decoding "Left Angular Bracket" Symbol
679 Completely remove support for fixed IVs and throw a ConfigurationException if encountered.
-682 Update baseline to Java 1.8
+682 Update baseline to Java 1.8
-----------------------------------------------------------------------------
@@ -44,21 +44,21 @@ Issue # GitHub Issue Title
-----------------------------------------------------------------------------
-1) This is the first ESAPI release that does not support Java 1.7. This library will no longer work if your application is that old.
+1) This is the first ESAPI release that does not support Java 1.7. This library will no longer work if your application is that old.
!!!!! VULNERABILITY ALERTS !!!!!
-2) This release fixes the known vulnerability ESAPI 2.3.0.0 that had to wait until we supported Java 8 to be patched. The patch was in Neko-HtmlUntil and was fixed in version 2.27, which required Java 8 or later. It was a transitive dependency via AntiSamy and we picked it up by updating to AntiSamy 1.6.8. This was a DoS vulnerability discovered in HtmlUnit-Neko affecting all versions up to 2.26. Full details from MITRE are here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28366
+2) This release fixes the known vulnerability ESAPI 2.3.0.0 that had to wait until we supported Java 8 to be patched. The patch was in Neko-HtmlUntil and was fixed in version 2.27, which required Java 8 or later. It was a transitive dependency via AntiSamy and we picked it up by updating to AntiSamy 1.6.8. This was a DoS vulnerability discovered in HtmlUnit-Neko affecting all versions up to 2.26. Full details from MITRE are here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28366
-3) This release also patches the (known, but forgotten?) XSS vulnerability ESAPI 2.3.0.0 in AntiSamy 1.6.7 but was fixed in 1.6.8. (The 2.3.0.0 release notes have been updated to mention this.) Full details from MITRE are here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29577
+3) This release also patches the (known, but forgotten?) XSS vulnerability ESAPI 2.3.0.0 in AntiSamy 1.6.7 but was fixed in 1.6.8. (The 2.3.0.0 release notes have been updated to mention this.) Full details from MITRE are here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29577
-----------------------------------------------------------------------------
Developer Activity Report (Changes between release 2.3.0.0 and 2.4.0.0, i.e., between 2022-04-17 and 2022-04-24)
Special thanks to Dave Wichers and Sebastian Pessaro from AntiSamy for their work to provide version 1.6.8 which patched 2 CVEs.
-Special thanks to Jeremiah J. Stacey for his work to update and prep the library to support java 1.8. (He literally created the PR the day after 2.3.0.0's release.)
-Special thanks to Kevin Wall for support in pushing out this release.
+Special thanks to Jeremiah J. Stacey for his work to update and prep the library to support java 1.8. (He literally created the PR the day after 2.3.0.0's release.)
+Special thanks to Kevin Wall for support in pushing out this release.
-----------------------------------------------------------------------------
diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
index 1d7c8c460..0decbe0e7 100644
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt
+++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
@@ -91,9 +91,9 @@ None known, other than the remaining open issues on GitHub.
Developer Activity Report (Changes between release ${PREV_VERSION} and ${VERSION}, i.e., between ${PREV_RELEASE_DATE} and ${YYYY_MM_DD_RELEASE_DATE})
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
-@@@@
+@@@@
@@@@ This section needs to be manually updated.
-@@@@
+@@@@
Developer Total Total Number # Merged
(GitHub ID) commits of Files Changed PRs
========================================================
diff --git a/src/examples/java/ESAPILogging.java b/src/examples/java/ESAPILogging.java
index b085c66d2..e2b1fc85c 100644
--- a/src/examples/java/ESAPILogging.java
+++ b/src/examples/java/ESAPILogging.java
@@ -11,7 +11,7 @@ public static void main(String[] args) {
try {
Logger logger = ESAPI.getLogger("ESAPILogging");
-
+
logger.warning(Logger.SECURITY_FAILURE, "This is a warning.");
logger.always(Logger.SECURITY_AUDIT, "This is an audit log. It always logs.");
} catch(Throwable t) {
diff --git a/src/examples/java/PersistedEncryptedData.java b/src/examples/java/PersistedEncryptedData.java
index 06a0512eb..1cabc04bb 100644
--- a/src/examples/java/PersistedEncryptedData.java
+++ b/src/examples/java/PersistedEncryptedData.java
@@ -71,7 +71,7 @@ public static int persistEncryptedData(PlainText plaintext,
fos.close();
return serializedBytes.length;
}
-
+
/** Read the specified file name containing encoded encrypted data,
* and then decode it and decrypt it to retrieve the original plaintext.
*
diff --git a/src/main/java/org/owasp/esapi/AccessController.java b/src/main/java/org/owasp/esapi/AccessController.java
index 2aa8e84e0..ad23d14c7 100644
--- a/src/main/java/org/owasp/esapi/AccessController.java
+++ b/src/main/java/org/owasp/esapi/AccessController.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007-2019 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -26,18 +26,18 @@
* The implementation of this interface will need to access the current User object (from Authenticator.getCurrentUser())
* to determine roles or permissions. In addition, the implementation
* will also need information about the resources that are being accessed. Using the user information and the resource
- * information, the implementation should return an access control decision.
+ * information, the implementation should return an access control decision.
*
- * Implementers are encouraged to implement the ESAPI access control rules, like assertAuthorizedForFunction() using
- * existing access control mechanisms, such as methods like isUserInRole() or hasPrivilege(). While powerful,
- * methods like isUserInRole() can be confusing for developers, as users may be in multiple roles or possess multiple
- * overlapping privileges. Direct use of these finer grained access control methods encourages the use of complex boolean
+ * Implementers are encouraged to implement the ESAPI access control rules, like assertAuthorizedForFunction() using
+ * existing access control mechanisms, such as methods like isUserInRole() or hasPrivilege(). While powerful,
+ * methods like isUserInRole() can be confusing for developers, as users may be in multiple roles or possess multiple
+ * overlapping privileges. Direct use of these finer grained access control methods encourages the use of complex boolean
* tests throughout the code, which can easily lead to developer mistakes.
*
- * The point of the ESAPI access control interface is to centralize access control logic behind easy to use calls like
- * assertAuthorized() so that access control is easy to use and easy to verify. Here is an example of a very
- * straightforward to implement, understand, and verify ESAPI access control check:
- *
+ * The point of the ESAPI access control interface is to centralize access control logic behind easy to use calls like
+ * assertAuthorized() so that access control is easy to use and easy to verify. Here is an example of a very
+ * straightforward to implement, understand, and verify ESAPI access control check:
+ *
*
- *
+ *
* Note that in the user interface layer, access control checks can be used to control whether particular controls are
* rendered or not. These checks are supposed to fail when an unauthorized user is logged in, and do not represent
* attacks. Remember that regardless of how the user interface appears, an attacker can attempt to invoke any business
* function or access any data in your application. Therefore, access control checks in the user interface should be
* repeated in both the business logic and data layers.
- *
+ *
*
- *
+ *
* @author Mike H. Fauzy (mike.fauzy@aspectsecurity.com) ESAPI v1.6-
* @author Jeff Williams (jeff.williams@aspectsecurity.com) ESAPI v0-1.5
*/
public interface AccessController {
/**
- * isAuthorized executes the AccessControlRule
- * that is identified by key and listed in the
- * resources/ESAPI-AccessControlPolicy.xml file. It returns
- * true if the AccessControlRule decides that the operation
- * should be allowed. Otherwise, it returns false. Any exception thrown by
- * the AccessControlRule must result in false. If
- * key does not map to an AccessControlRule, then
- * false is returned.
- *
- * Developers should call isAuthorized to control execution flow. For
- * example, if you want to decide whether to display a UI widget in the
+ * isAuthorized executes the AccessControlRule
+ * that is identified by key and listed in the
+ * resources/ESAPI-AccessControlPolicy.xml file. It returns
+ * true if the AccessControlRule decides that the operation
+ * should be allowed. Otherwise, it returns false. Any exception thrown by
+ * the AccessControlRule must result in false. If
+ * key does not map to an AccessControlRule, then
+ * false is returned.
+ *
+ * Developers should call isAuthorized to control execution flow. For
+ * example, if you want to decide whether to display a UI widget in the
* browser using the same logic that you will use to enforce permissions
* on the server, then isAuthorized is the method that you want to use.
- *
- * Typically, assertAuthorized should be used to enforce permissions on the
+ *
+ * Typically, assertAuthorized should be used to enforce permissions on the
* server.
- *
- * @param key key maps to
+ *
+ * @param key key maps to
* <AccessControlPolicy><AccessControlRules>
* <AccessControlRule name="key"
- * @param runtimeParameter runtimeParameter can contain anything that
- * the AccessControlRule needs from the runtime system.
- * @return Returns true if and only if the AccessControlRule specified
- * by key exists and returned true.
- * Otherwise returns false
+ * @param runtimeParameter runtimeParameter can contain anything that
+ * the AccessControlRule needs from the runtime system.
+ * @return Returns true if and only if the AccessControlRule specified
+ * by key exists and returned true.
+ * Otherwise returns false
*/
boolean isAuthorized(Object key, Object runtimeParameter);
-
+
/**
- * assertAuthorized executes the AccessControlRule
- * that is identified by key and listed in the
- * resources/ESAPI-AccessControlPolicy.xml file. It does
- * nothing if the AccessControlRule decides that the operation
- * should be allowed. Otherwise, it throws an
+ * assertAuthorized executes the AccessControlRule
+ * that is identified by key and listed in the
+ * resources/ESAPI-AccessControlPolicy.xml file. It does
+ * nothing if the AccessControlRule decides that the operation
+ * should be allowed. Otherwise, it throws an
* org.owasp.esapi.errors.AccessControlException. Any exception
- * thrown by the AccessControlRule will also result in an
- * AccesControlException. If key does not map to
+ * thrown by the AccessControlRule will also result in an
+ * AccesControlException. If key does not map to
* an AccessControlRule, then an AccessControlException
- * is thrown.
- *
- * Developers should call {@code assertAuthorized} to enforce privileged access to
- * the system. It should be used to answer the question: "Should execution
+ * is thrown.
+ *
+ * Developers should call {@code assertAuthorized} to enforce privileged access to
+ * the system. It should be used to answer the question: "Should execution
* continue." Ideally, the call to assertAuthorized should
- * be integrated into the application framework so that it is called
- * automatically.
- *
- * @param key key maps to
+ * be integrated into the application framework so that it is called
+ * automatically.
+ *
+ * @param key key maps to
* <AccessControlPolicy><AccessControlRules>
* <AccessControlRule name="key"
- * @param runtimeParameter runtimeParameter can contain anything that
+ * @param runtimeParameter runtimeParameter can contain anything that
* the AccessControlRule needs from the runtime system.
*/
void assertAuthorized(Object key, Object runtimeParameter)
throws AccessControlException;
-
-
- /*** Below this line has been deprecated as of ESAPI 1.6 ***/
-
-
-
-
+
+
+ /*** Below this line has been deprecated as of ESAPI 1.6 ***/
+
+
+
+
/**
* Checks if the current user is authorized to access the referenced URL. Generally, this method should be invoked in the
* application's controller or a filter as follows:
*
- *
- * The implementation of this method should call assertAuthorizedForURL(String url), and if an AccessControlException is
- * not thrown, this method should return true. This way, if the user is not authorized, false would be returned, and the
+ *
+ * The implementation of this method should call assertAuthorizedForURL(String url), and if an AccessControlException is
+ * not thrown, this method should return true. This way, if the user is not authorized, false would be returned, and the
* exception would be logged.
- *
- * @param url
+ *
+ * @param url
* the URL as returned by request.getRequestURI().toString()
- *
- * @return
+ *
+ * @return
* true, if is authorized for URL
*/
@Deprecated
boolean isAuthorizedForURL(String url);
/**
- * Checks if the current user is authorized to access the referenced function.
- *
- * The implementation of this method should call assertAuthorizedForFunction(String functionName), and if an
+ * Checks if the current user is authorized to access the referenced function.
+ *
+ * The implementation of this method should call assertAuthorizedForFunction(String functionName), and if an
* AccessControlException is not thrown, this method should return true.
- *
- * @param functionName
+ *
+ * @param functionName
* the name of the function
- *
- * @return
+ *
+ * @return
* true, if is authorized for function
*/
@Deprecated
@@ -165,34 +165,34 @@ void assertAuthorized(Object key, Object runtimeParameter)
/**
- * Checks if the current user is authorized to access the referenced data, represented as an Object.
- *
- * The implementation of this method should call assertAuthorizedForData(String action, Object data), and if an
+ * Checks if the current user is authorized to access the referenced data, represented as an Object.
+ *
+ * The implementation of this method should call assertAuthorizedForData(String action, Object data), and if an
* AccessControlException is not thrown, this method should return true.
- *
+ *
* @param action
- * The action to verify for an access control decision, such as a role, or an action being performed on the object
+ * The action to verify for an access control decision, such as a role, or an action being performed on the object
* (e.g., Read, Write, etc.), or the name of the function the data is being passed to.
- *
+ *
* @param data
* The actual object or object identifier being accessed or a reference to the object being accessed.
- *
- * @return
+ *
+ * @return
* true, if is authorized for the data
*/
@Deprecated
boolean isAuthorizedForData(String action, Object data);
-
+
/**
- * Checks if the current user is authorized to access the referenced file.
- *
- * The implementation of this method should call assertAuthorizedForFile(String filepath), and if an AccessControlException
+ * Checks if the current user is authorized to access the referenced file.
+ *
+ * The implementation of this method should call assertAuthorizedForFile(String filepath), and if an AccessControlException
* is not thrown, this method should return true.
- *
- * @param filepath
+ *
+ * @param filepath
* the path of the file to be checked, including filename
- *
- * @return
+ *
+ * @return
* true, if is authorized for the file
*/
@Deprecated
@@ -201,14 +201,14 @@ void assertAuthorized(Object key, Object runtimeParameter)
/**
* Checks if the current user is authorized to access the referenced service. This can be used in applications that
* provide access to a variety of back end services.
- *
- * The implementation of this method should call assertAuthorizedForService(String serviceName), and if an
+ *
+ * The implementation of this method should call assertAuthorizedForService(String serviceName), and if an
* AccessControlException is not thrown, this method should return true.
- *
- * @param serviceName
+ *
+ * @param serviceName
* the service name
- *
- * @return
+ *
+ * @return
* true, if is authorized for the service
*/
@Deprecated
@@ -218,8 +218,8 @@ void assertAuthorized(Object key, Object runtimeParameter)
* Checks if the current user is authorized to access the referenced URL. The implementation should allow
* access to be granted to any part of the URL. Generally, this method should be invoked in the
* application's controller or a filter as follows:
- *
+ *
* This method throws an AccessControlException if access is not authorized, or if the referenced URL does not exist.
* If the User is authorized, this method simply returns.
*
If access is not permitted, throw an AccessControlException with details
- *
- * @param url
+ *
+ * @param url
* the URL as returned by request.getRequestURI().toString()
- *
- * @throws AccessControlException
+ *
+ * @throws AccessControlException
* if access is not permitted
*/
@Deprecated
void assertAuthorizedForURL(String url) throws AccessControlException;
-
+
/**
* Checks if the current user is authorized to access the referenced function. The implementation should define the
* function "namespace" to be enforced. Choosing something simple like the class name of action classes or menu item
@@ -261,20 +261,20 @@ void assertAuthorized(Object key, Object runtimeParameter)
*
Access control decisions must deny by default
*
*
If access is not permitted, throw an AccessControlException with details
- *
- *
- * @param functionName
+ *
+ *
+ * @param functionName
* the function name
- *
- * @throws AccessControlException
+ *
+ * @throws AccessControlException
* if access is not permitted
*/
@Deprecated
void assertAuthorizedForFunction(String functionName) throws AccessControlException;
-
+
/**
- * Checks if the current user is authorized to access the referenced data. This method simply returns if access is authorized.
+ * Checks if the current user is authorized to access the referenced data. This method simply returns if access is authorized.
* It throws an AccessControlException if access is not authorized, or if the referenced data does not exist.
*
* Specification: The implementation should do the following:
@@ -287,23 +287,23 @@ void assertAuthorized(Object key, Object runtimeParameter)
*
Access control decisions must deny by default
*
*
If access is not permitted, throw an AccessControlException with details
- *
- *
+ *
+ *
* @param action
- * The action to verify for an access control decision, such as a role, or an action being performed on the object
+ * The action to verify for an access control decision, such as a role, or an action being performed on the object
* (e.g., Read, Write, etc.), or the name of the function the data is being passed to.
- *
+ *
* @param data
* The actual object or object identifier being accessed or a reference to the object being accessed.
- *
- * @throws AccessControlException
+ *
+ * @throws AccessControlException
* if access is not permitted
*/
@Deprecated
void assertAuthorizedForData(String action, Object data) throws AccessControlException;
-
+
/**
- * Checks if the current user is authorized to access the referenced file. The implementation should validate and canonicalize the
+ * Checks if the current user is authorized to access the referenced file. The implementation should validate and canonicalize the
* input to be sure the filepath is not malicious.
*
* This method throws an AccessControlException if access is not authorized, or if the referenced File does not exist.
@@ -319,15 +319,15 @@ void assertAuthorized(Object key, Object runtimeParameter)
*
Access control decisions must deny by default
*
*
If access is not permitted, throw an AccessControlException with details
- *
- *
+ *
+ *
* @param filepath
* Path to the file to be checked
* @throws AccessControlException if access is denied
*/
@Deprecated
void assertAuthorizedForFile(String filepath) throws AccessControlException;
-
+
/**
* Checks if the current user is authorized to access the referenced service. This can be used in applications that
* provide access to a variety of backend services.
@@ -345,15 +345,15 @@ void assertAuthorized(Object key, Object runtimeParameter)
*
Access control decisions must deny by default
*
*
If access is not permitted, throw an AccessControlException with details
- *
- *
- * @param serviceName
+ *
+ *
+ * @param serviceName
* the service name
- *
+ *
* @throws AccessControlException
* if access is not permitted
- */
+ */
@Deprecated
void assertAuthorizedForService(String serviceName) throws AccessControlException;
-
+
}
diff --git a/src/main/java/org/owasp/esapi/AccessReferenceMap.java b/src/main/java/org/owasp/esapi/AccessReferenceMap.java
index f9e8cdc83..5f7e4e73c 100644
--- a/src/main/java/org/owasp/esapi/AccessReferenceMap.java
+++ b/src/main/java/org/owasp/esapi/AccessReferenceMap.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -40,7 +40,7 @@
* references, as opposed to simple integers makes it impossible for an attacker to
* guess valid identifiers. So if per-user AccessReferenceMaps are used, then request
* forgery (CSRF) attacks will also be prevented.
- *
+ *
*
- *
+ *
* @author Jeff Williams (jeff.williams@aspectsecurity.com)
* @author Chris Schmidt (chrisisbeef@gmail.com)
*/
public interface AccessReferenceMap extends Serializable {
/**
- * Get an iterator through the direct object references. No guarantee is made as
+ * Get an iterator through the direct object references. No guarantee is made as
* to the order of items returned.
- *
+ *
* @return the iterator
*/
Iterator iterator();
@@ -76,11 +76,11 @@ public interface AccessReferenceMap extends Serializable {
* direct object reference. Developers should use this call when building
* URL's, form fields, hidden fields, etc... to help protect their private
* implementation information.
- *
+ *
* @param directReference
* the direct reference
- *
- * @return
+ *
+ * @return
* the indirect reference
*/
K getIndirectReference(T directReference);
@@ -122,14 +122,14 @@ public interface AccessReferenceMap extends Serializable {
* // ...
* }
*
- *
+ *
* @param indirectReference
* the indirect reference
- *
- * @return
+ *
+ * @return
* the direct reference
- *
- * @throws AccessControlException
+ *
+ * @throws AccessControlException
* if no direct reference exists for the specified indirect reference
* @throws ClassCastException
* if the implied type is not the same as the referenced object type
@@ -137,26 +137,26 @@ public interface AccessReferenceMap extends Serializable {
T getDirectReference(K indirectReference) throws AccessControlException;
/**
- * Adds a direct reference to the AccessReferenceMap, then generates and returns
+ * Adds a direct reference to the AccessReferenceMap, then generates and returns
* an associated indirect reference.
- *
- * @param direct
+ *
+ * @param direct
* the direct reference
- *
- * @return
+ *
+ * @return
* the corresponding indirect reference
*/
K addDirectReference(T direct);
-
+
/**
* Removes a direct reference and its associated indirect reference from the AccessReferenceMap.
- *
- * @param direct
+ *
+ * @param direct
* the direct reference to remove
- *
- * @return
+ *
+ * @return
* the corresponding indirect reference
- *
+ *
* @throws AccessControlException
* if the reference does not exist.
*/
@@ -167,8 +167,8 @@ public interface AccessReferenceMap extends Serializable {
* any existing indirect references associated with items that are in the new list.
* New indirect references could be generated every time, but that
* might mess up anything that previously used an indirect reference, such
- * as a URL parameter.
- *
+ * as a URL parameter.
+ *
* @param directReferences
* a Set of direct references to add
*/
diff --git a/src/main/java/org/owasp/esapi/Authenticator.java b/src/main/java/org/owasp/esapi/Authenticator.java
index bbc07ab90..e113b0bdd 100644
--- a/src/main/java/org/owasp/esapi/Authenticator.java
+++ b/src/main/java/org/owasp/esapi/Authenticator.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -42,7 +42,7 @@
* current request and the name of the parameters containing the username and
* password. The implementation should verify the password if necessary, create
* a session if necessary, and set the user as the current user.
- *
+ *
*
- *
+ *
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
@@ -61,10 +61,10 @@ public interface Authenticator {
/**
* Clears the current User. This allows the thread to be reused safely.
- *
+ *
* This clears all threadlocal variables from the thread. This should ONLY be called after
* all possible ESAPI operations have concluded. If you clear too early, many calls will
- * fail, including logging, which requires the user identity.
+ * fail, including logging, which requires the user identity.
*/
void clearCurrent();
@@ -74,36 +74,36 @@ public interface Authenticator {
* @see HTTPUtilities#setCurrentHTTP(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
User login() throws AuthenticationException;
-
+
/**
* This method should be called for every HTTP request, to login the current user either from the session of HTTP
- * request. This method will set the current user so that getCurrentUser() will work properly.
- *
+ * request. This method will set the current user so that getCurrentUser() will work properly.
+ *
* Authenticates the user's credentials from the HttpServletRequest if
* necessary, creates a session if necessary, and sets the user as the
* current user.
- *
+ *
* Specification: The implementation should do the following:
* 1) Check if the User is already stored in the session
* a. If so, check that session absolute and inactivity timeout have not expired
* b. Step 2 may not be required if 1a has been satisfied
* 2) Verify User credentials
- * a. It is recommended that you use
+ * a. It is recommended that you use
* loginWithUsernameAndPassword(HttpServletRequest, HttpServletResponse) to verify credentials
* 3) Set the last host of the User (ex. user.setLastHostAddress(address) )
* 4) Verify that the request is secure (ex. over SSL)
* 5) Verify the User account is allowed to be logged in
* a. Verify the User is not disabled, expired or locked
- * 6) Assign User to session variable
- *
+ * 6) Assign User to session variable
+ *
* @param request
* the current HTTP request
* @param response
* the HTTP response
- *
- * @return
+ *
+ * @return
* the User
- *
+ *
* @throws AuthenticationException
* if the credentials are not verified, or if the account is disabled, locked, expired, or timed out
*/
@@ -117,34 +117,34 @@ public interface Authenticator {
*
* This method is typically used for "reauthentication" for the most sensitive functions, such
* as transactions, changing email address, and changing other account information.
- *
- * @param user
+ *
+ * @param user
* the user who requires verification
- * @param password
+ * @param password
* the hashed user-supplied password
- *
- * @return
+ *
+ * @return
* true, if the password is correct for the specified user
*
* @see #hashPassword(String password, String accountName)
*/
boolean verifyPassword(User user, String password);
-
+
/**
* Logs out the current user.
- *
- * This is usually done by calling User.logout on the current User.
+ *
+ * This is usually done by calling User.logout on the current User.
*/
void logout();
/**
* Creates a new User with the information provided. Implementations should check
- * accountName and password for proper format and strength against brute force
+ * accountName and password for proper format and strength against brute force
* attacks ( verifyAccountNameStrength(String), verifyPasswordStrength(String, String) ).
- *
+ *
* Two copies of the new password are required to encourage user interface designers to
- * include a "re-type password" field in their forms. Implementations should verify that
- * both are the same.
+ * include a "re-type password" field in their forms. Implementations should verify that
+ * both are the same.
*
* WARNING: The implementation of this method as defined in the
* default reference implementation class, {@code FileBasedAuthenticator},
@@ -152,18 +152,18 @@ public interface Authenticator {
* to replace the default reference implementation class with your own custom
* implementation that uses a stronger password hashing algorithm.
* See class comments in * {@code FileBasedAuthenticator} for further details.
- *
- * @param accountName
+ *
+ * @param accountName
* the account name of the new user
- * @param password1
+ * @param password1
* the password of the new user
- * @param password2
+ * @param password2
* the password of the new user. This field is to encourage user interface designers to include two password fields in their forms.
- *
- * @return
- * the User that has been created
- *
- * @throws AuthenticationException
+ *
+ * @return
+ * the User that has been created
+ *
+ * @throws AuthenticationException
* if user creation fails due to any of the qualifications listed in this method's description
*/
User createUser(String accountName, String password1, String password2) throws AuthenticationException;
@@ -172,8 +172,8 @@ public interface Authenticator {
* Generate a strong password. Implementations should use a large character set that does not
* include confusing characters, such as i I 1 l 0 o and O. There are many algorithms to
* generate strong memorable passwords that have been studied in the past.
- *
- * @return
+ *
+ * @return
* a password with strong password strength
*/
String generateStrongPassword();
@@ -182,72 +182,72 @@ public interface Authenticator {
* Generate strong password that takes into account the user's information and old password. Implementations
* should verify that the new password does not include information such as the username, fragments of the
* old password, and other information that could be used to weaken the strength of the password.
- *
- * @param user
+ *
+ * @param user
* the user whose information to use when generating password
- * @param oldPassword
+ * @param oldPassword
* the old password to use when verifying strength of new password. The new password may be checked for fragments of oldPassword.
- *
- * @return
+ *
+ * @return
* a password with strong password strength
*/
String generateStrongPassword(User user, String oldPassword);
/**
- * Changes the password for the specified user. This requires the current password, as well as
+ * Changes the password for the specified user. This requires the current password, as well as
* the password to replace it with. The new password should be checked against old hashes to be sure the new password does not closely resemble or equal any recent passwords for that User.
* Password strength should also be verified. This new password must be repeated to ensure that the user has typed it in correctly.
- *
- * @param user
+ *
+ * @param user
* the user to change the password for
- * @param currentPassword
+ * @param currentPassword
* the current password for the specified user
- * @param newPassword
+ * @param newPassword
* the new password to use
- * @param newPassword2
+ * @param newPassword2
* a verification copy of the new password
- *
- * @throws AuthenticationException
+ *
+ * @throws AuthenticationException
* if any errors occur
*/
void changePassword(User user, String currentPassword, String newPassword, String newPassword2) throws AuthenticationException;
-
+
/**
* Returns the User matching the provided accountId. If the accoundId is not found, an Anonymous
* User or null may be returned.
- *
+ *
* @param accountId
* the account id
- *
- * @return
+ *
+ * @return
* the matching User object, or the Anonymous User if no match exists
*/
User getUser(long accountId);
-
+
/**
* Returns the User matching the provided accountName. If the accoundId is not found, an Anonymous
* User or null may be returned.
- *
+ *
* @param accountName
* the account name
- *
- * @return
+ *
+ * @return
* the matching User object, or the Anonymous User if no match exists
*/
User getUser(String accountName);
/**
* Gets a collection containing all the existing user names.
- *
- * @return
+ *
+ * @return
* a set of all user names
*/
Set getUserNames();
/**
* Returns the currently logged in User.
- *
- * @return
+ *
+ * @return
* the matching User object, or the Anonymous User if no match
* exists
*/
@@ -255,7 +255,7 @@ public interface Authenticator {
/**
* Sets the currently logged in User.
- *
+ *
* @param user
* the user to set as the current user
*/
@@ -275,13 +275,13 @@ public interface Authenticator {
* meant to be an example implementation and generally should be avoided
* and replaced with your own implementation. See class comments in
* {@code FileBasedAuthenticator} for further details.
- *
+ *
* @param password
* the password to hash
* @param accountName
* the account name to use as the salt
- *
- * @return
+ *
+ * @return
* the hashed password
* @throws EncryptionException
*
@@ -292,10 +292,10 @@ public interface Authenticator {
/**
* Removes the account of the specified accountName.
- *
+ *
* @param accountName
* the account name to remove
- *
+ *
* @throws AuthenticationException
* the authentication exception if user does not exist
*/
@@ -303,30 +303,30 @@ public interface Authenticator {
/**
* Ensures that the account name passes site-specific complexity requirements, like minimum length.
- *
+ *
* @param accountName
* the account name
- *
+ *
* @throws AuthenticationException
* if account name does not meet complexity requirements
*/
void verifyAccountNameStrength(String accountName) throws AuthenticationException;
/**
- * Ensures that the password meets site-specific complexity requirements, like length or number
- * of character sets. This method takes the old password so that the algorithm can analyze the
+ * Ensures that the password meets site-specific complexity requirements, like length or number
+ * of character sets. This method takes the old password so that the algorithm can analyze the
* new password to see if it is too similar to the old password. Note that this has to be
* invoked when the user has entered the old password, as the list of old
* credentials stored by ESAPI is all hashed.
* Additionally, the user object is taken in order to verify the password and account name differ.
- *
+ *
* @param oldPassword
* the old password
* @param newPassword
* the new password
* @param user
* the user
- *
+ *
* @throws AuthenticationException
* if newPassword is too similar to oldPassword or if newPassword does not meet complexity requirements
*/
@@ -334,10 +334,10 @@ public interface Authenticator {
/**
* Determine if the account exists.
- *
+ *
* @param accountName
* the account name
- *
+ *
* @return true, if the account exists
*/
boolean exists(String accountName);
diff --git a/src/main/java/org/owasp/esapi/ESAPI.java b/src/main/java/org/owasp/esapi/ESAPI.java
index 283156edf..ef389d020 100644
--- a/src/main/java/org/owasp/esapi/ESAPI.java
+++ b/src/main/java/org/owasp/esapi/ESAPI.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2008 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Mike Fauzy Aspect Security
* @author Rogan Dawes Aspect Security
* @created 2008
@@ -33,7 +33,7 @@ public final class ESAPI {
*/
private ESAPI() {
}
-
+
/**
* Clears the current User, HttpRequest, and HttpResponse associated with the current thread. This method
* MUST be called as some containers do not properly clear threadlocal variables when the execution of
@@ -69,7 +69,7 @@ public static void clearCurrent() {
public static HttpServletRequest currentRequest() {
return httpUtilities().getCurrentRequest();
}
-
+
/**
* Get the current HTTP Servlet Response being generated.
* @return the current HTTP Servlet Response.
@@ -77,16 +77,16 @@ public static HttpServletRequest currentRequest() {
public static HttpServletResponse currentResponse() {
return httpUtilities().getCurrentResponse();
}
-
+
/**
- * @return the current ESAPI AccessController object being used to maintain the access control rules for this application.
+ * @return the current ESAPI AccessController object being used to maintain the access control rules for this application.
*/
public static AccessController accessController() {
return ObjFactory.make( securityConfiguration().getAccessControlImplementation(), "AccessController" );
}
/**
- * @return the current ESAPI Authenticator object being used to authenticate users for this application.
+ * @return the current ESAPI Authenticator object being used to authenticate users for this application.
*/
public static Authenticator authenticator() {
return ObjFactory.make( securityConfiguration().getAuthenticationImplementation(), "Authenticator" );
@@ -95,50 +95,50 @@ public static Authenticator authenticator() {
/**
* The ESAPI Encoder is primarilly used to provide output encoding to
* prevent Cross-Site Scripting (XSS).
- * @return the current ESAPI Encoder object being used to encode and decode data for this application.
+ * @return the current ESAPI Encoder object being used to encode and decode data for this application.
*/
public static Encoder encoder() {
return ObjFactory.make( securityConfiguration().getEncoderImplementation(), "Encoder" );
}
/**
- * @return the current ESAPI Encryptor object being used to encrypt and decrypt data for this application.
+ * @return the current ESAPI Encryptor object being used to encrypt and decrypt data for this application.
*/
public static Encryptor encryptor() {
return ObjFactory.make( securityConfiguration().getEncryptionImplementation(), "Encryptor" );
}
/**
- * @return the current ESAPI Executor object being used to safely execute OS commands for this application.
+ * @return the current ESAPI Executor object being used to safely execute OS commands for this application.
*/
public static Executor executor() {
return ObjFactory.make( securityConfiguration().getExecutorImplementation(), "Executor" );
}
/**
- * @return the current ESAPI HTTPUtilities object being used to safely access HTTP requests and responses
- * for this application.
+ * @return the current ESAPI HTTPUtilities object being used to safely access HTTP requests and responses
+ * for this application.
*/
public static HTTPUtilities httpUtilities() {
return ObjFactory.make( securityConfiguration().getHTTPUtilitiesImplementation(), "HTTPUtilities" );
}
/**
- * @return the current ESAPI IntrusionDetector being used to monitor for intrusions in this application.
+ * @return the current ESAPI IntrusionDetector being used to monitor for intrusions in this application.
*/
public static IntrusionDetector intrusionDetector() {
return ObjFactory.make( securityConfiguration().getIntrusionDetectionImplementation(), "IntrusionDetector" );
}
/**
- * Get the current LogFactory being used by ESAPI. If there isn't one yet, it will create one, and then
+ * Get the current LogFactory being used by ESAPI. If there isn't one yet, it will create one, and then
* return this same LogFactory from then on.
* @return The current LogFactory being used by ESAPI.
*/
private static LogFactory logFactory() {
return ObjFactory.make( securityConfiguration().getLogImplementation(), "LogFactory" );
}
-
+
/**
* @param clazz The class to associate the logger with.
* @return The current Logger associated with the specified class.
@@ -146,7 +146,7 @@ private static LogFactory logFactory() {
public static Logger getLogger(Class clazz) {
return logFactory().getLogger(clazz);
}
-
+
/**
* @param moduleName The module to associate the logger with.
* @return The current Logger associated with the specified module.
@@ -154,16 +154,16 @@ public static Logger getLogger(Class clazz) {
public static Logger getLogger(String moduleName) {
return logFactory().getLogger(moduleName);
}
-
+
/**
* @return The default Logger.
*/
public static Logger log() {
return logFactory().getLogger("DefaultLogger");
}
-
+
/**
- * @return the current ESAPI Randomizer being used to generate random numbers in this application.
+ * @return the current ESAPI Randomizer being used to generate random numbers in this application.
*/
public static Randomizer randomizer() {
return ObjFactory.make( securityConfiguration().getRandomizerImplementation(), "Randomizer" );
@@ -172,8 +172,8 @@ public static Randomizer randomizer() {
private static volatile SecurityConfiguration overrideConfig = null;
/**
- * @return the current ESAPI SecurityConfiguration being used to manage the security configuration for
- * ESAPI for this application.
+ * @return the current ESAPI SecurityConfiguration being used to manage the security configuration for
+ * ESAPI for this application.
*/
public static SecurityConfiguration securityConfiguration() {
// copy the volatile into a non-volatile to prevent TOCTTOU race condition
@@ -186,7 +186,7 @@ public static SecurityConfiguration securityConfiguration() {
}
/**
- * @return the current ESAPI Validator being used to validate data in this application.
+ * @return the current ESAPI Validator being used to validate data in this application.
*/
public static Validator validator() {
return ObjFactory.make( securityConfiguration().getValidationImplementation(), "Validator" );
diff --git a/src/main/java/org/owasp/esapi/Encoder.java b/src/main/java/org/owasp/esapi/Encoder.java
index 9d08826be..1106882b7 100644
--- a/src/main/java/org/owasp/esapi/Encoder.java
+++ b/src/main/java/org/owasp/esapi/Encoder.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007-2019 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -148,7 +148,7 @@
* BeEF - The Browser Exploitation Framework Project.
*
*
- *
+ *
* @see OWASP Cross-Site Scripting Prevention Cheat Sheet
* @see OWASP Proactive Controls: C4: Encode and Escape Data
* @see Properly encoding and escaping for the web
@@ -156,7 +156,7 @@
* @since June 1, 2007
*/
public interface Encoder {
-
+
/**
* This method is equivalent to calling {@code Encoder.canonicalize(input, restrictMultiple, restrictMixed);}.
*
@@ -177,23 +177,23 @@ public interface Encoder {
*
* @see #canonicalize(String, boolean, boolean)
* @see W3C specifications
- *
+ *
* @param input the text to canonicalize
* @return a String containing the canonicalized text
*/
String canonicalize(String input);
-
+
/**
* This method is the equivalent to calling {@code Encoder.canonicalize(input, strict, strict);}.
*
* @see #canonicalize(String, boolean, boolean)
* @see W3C specifications
- *
- * @param input
+ *
+ * @param input
* the text to canonicalize
- * @param strict
+ * @param strict
* true if checking for multiple and mixed encoding is desired, false otherwise
- *
+ *
* @return a String containing the canonicalized text
*/
String canonicalize(String input, boolean strict);
@@ -281,7 +281,7 @@ public interface Encoder {
* String url = ESAPI.encoder().canonicalize( request.getParameter("url"), false, false);
*
* WARNING #1!!! Please note that this method is incompatible with URLs and if there exist any HTML Entities
- * that correspond with parameter values in a URL such as "¶" in a URL like
+ * that correspond with parameter values in a URL such as "¶" in a URL like
* "https://foo.com/?bar=foo¶meter=wrong" you will get a mixed encoding validation exception.
*
* If you wish to canonicalize a URL/URI use the method {@code Encoder.getCanonicalizedURI(URI dirtyUri);}
@@ -310,30 +310,30 @@ public interface Encoder {
/**
* Encode data for use in Cascading Style Sheets (CSS) content.
- *
+ *
* @see CSS Syntax [w3.org]
- *
- * @param untrustedData
+ *
+ * @param untrustedData
* the untrusted data to output encode for CSS
- *
+ *
* @return the untrusted data safely output encoded for use in a CSS
*/
String encodeForCSS(String untrustedData);
/**
* Encode data for use in HTML using HTML entity encoding
- *
+ *
* Note that the following characters:
* 00-08, 0B-0C, 0E-1F, and 7F-9F
- *
cannot be used in HTML.
+ *
+ * @see HTML Encodings [wikipedia.org]
* @see SGML Specification [w3.org]
* @see XML Specification [w3.org]
- *
- * @param untrustedData
+ *
+ * @param untrustedData
* the untrusted data to output encode for HTML
- *
+ *
* @return the untrusted data safely output encoded for use in a HTML
*/
String encodeForHTML(String untrustedData);
@@ -344,35 +344,35 @@ public interface Encoder {
* @return the newly decoded String
*/
String decodeForHTML(String input);
-
+
/**
* Encode data for use in HTML attributes.
- *
- * @param untrustedData
+ *
+ * @param untrustedData
* the untrusted data to output encode for an HTML attribute
- *
+ *
* @return the untrusted data safely output encoded for use in a use as an HTML attribute
*/
String encodeForHTMLAttribute(String untrustedData);
/**
- * Encode data for insertion inside a data value or function argument in JavaScript. Including user data
+ * Encode data for insertion inside a data value or function argument in JavaScript. Including user data
* directly inside a script is quite dangerous. Great care must be taken to prevent including user data
* directly into script code itself, as no amount of encoding will prevent attacks there.
- *
- * Please note there are some JavaScript functions that can never safely receive untrusted data
+ *
+ * Please note there are some JavaScript functions that can never safely receive untrusted data
* as input – even if the user input is encoded.
- *
+ *
* For example:
*
* <script>
* window.setInterval('<%= EVEN IF YOU ENCODE UNTRUSTED DATA YOU ARE XSSED HERE %>');
* </script>
*
Implementations should do as much as possible to minimize the risk of
* injection into either the command or parameters. In addition, implementations
* should timeout after a specified time period in order to help prevent denial
- * of service attacks.
- *
+ * of service attacks.
+ *
*
The class should perform logging and error handling as
* well. Finally, implementation should handle errors and generate an
* ExecutorException with all the necessary information.
*
*
The reference implementation does all of the above.
- *
+ *
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
@@ -43,7 +43,7 @@ public interface Executor {
/**
* Invokes the specified executable with default workdir and codec and not logging parameters.
- *
+ *
* @param executable
* the command to execute
* @param params
diff --git a/src/main/java/org/owasp/esapi/HTTPUtilities.java b/src/main/java/org/owasp/esapi/HTTPUtilities.java
index a4091eda7..faa950dcc 100644
--- a/src/main/java/org/owasp/esapi/HTTPUtilities.java
+++ b/src/main/java/org/owasp/esapi/HTTPUtilities.java
@@ -51,7 +51,7 @@ public interface HTTPUtilities
* Calls addCookie with the *current* request.
*
* @param cookie The cookie to add
- *
+ *
* @see HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)
*/
void addCookie(Cookie cookie);
@@ -230,7 +230,7 @@ public interface HTTPUtilities
/**
* Calls getCookie with the *current* response.
- *
+ *
* @param name The cookie to get
* @return the requested cookie value
* @throws ValidationException
@@ -278,7 +278,7 @@ public interface HTTPUtilities
*
* @return List of new File objects from upload
* @throws ValidationException if the file fails validation
- *
+ *
* @see HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)
*/
List getFileUploads() throws ValidationException;
@@ -558,9 +558,9 @@ public interface HTTPUtilities
/**
* Calls setNoCacheHeaders with the *current* response.
- *
+ *
* ~DEPRECATED~ Per Kevin Wall, storing passwords with reversible encryption is contrary to *many*
- * company's stated security policies.
+ * company's stated security policies.
*
* @see HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)
*/
@@ -568,11 +568,11 @@ public interface HTTPUtilities
String setRememberToken(String password, int maxAge, String domain, String path);
/**
- *
+ *
*/
String setRememberToken(HttpServletRequest request, HttpServletResponse response, int maxAge, String domain, String path);
-
+
/**
* Set a cookie containing the current User's remember me token for automatic authentication. The use of remember me tokens
* is generally not recommended, but this method will help do it as safely as possible. The user interface should strongly warn
@@ -589,7 +589,7 @@ public interface HTTPUtilities
* The username can be retrieved with: User username = ESAPI.authenticator().getCurrentUser();
*
*~DEPRECATED~ Per Kevin Wall, storing passwords with reversible encryption is contrary to *many*
- * company's stated security policies.
+ * company's stated security policies.
*
* @param request
* @param password the user's password
diff --git a/src/main/java/org/owasp/esapi/IntrusionDetector.java b/src/main/java/org/owasp/esapi/IntrusionDetector.java
index 2a1388332..ccb2bc984 100644
--- a/src/main/java/org/owasp/esapi/IntrusionDetector.java
+++ b/src/main/java/org/owasp/esapi/IntrusionDetector.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -25,22 +25,22 @@
*
* The interface is currently designed to accept exceptions as well as custom events. Implementations can use this
* stream of information to detect both normal and abnormal behavior.
- *
+ *
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
*/
public interface IntrusionDetector {
/**
- * Adds the exception to the IntrusionDetector. This method should immediately log the exception so that developers throwing an
+ * Adds the exception to the IntrusionDetector. This method should immediately log the exception so that developers throwing an
* IntrusionException do not have to remember to log every error. The implementation should store the exception somewhere for the current user
* in order to check if the User has reached the threshold for any Enterprise Security Exceptions. The User object is the recommended location for storing
* the current user's security exceptions. If the User has reached any security thresholds, the appropriate security action can be taken and logged.
- *
- * @param exception
+ *
+ * @param exception
* the exception thrown
- *
- * @throws IntrusionException
+ *
+ * @throws IntrusionException
* the intrusion exception
*/
void addException(Exception exception) throws IntrusionException;
@@ -49,13 +49,13 @@ public interface IntrusionDetector {
* Adds the event to the IntrusionDetector. This method should immediately log the event. The implementation should store the event somewhere for the current user
* in order to check if the User has reached the threshold for any Enterprise Security Exceptions. The User object is the recommended location for storing
* the current user's security event. If the User has reached any security thresholds, the appropriate security action can be taken and logged.
- *
- * @param eventName
+ *
+ * @param eventName
* the event to add
- * @param logMessage
+ * @param logMessage
* the message to log with the event
- *
- * @throws IntrusionException
+ *
+ * @throws IntrusionException
* the intrusion exception
*/
void addEvent(String eventName, String logMessage) throws IntrusionException;
diff --git a/src/main/java/org/owasp/esapi/LogFactory.java b/src/main/java/org/owasp/esapi/LogFactory.java
index edde286c2..7571ea460 100644
--- a/src/main/java/org/owasp/esapi/LogFactory.java
+++ b/src/main/java/org/owasp/esapi/LogFactory.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Rogan DawesAspect Security
* @created 2008
*/
@@ -18,43 +18,43 @@
/**
* The LogFactory interface is intended to allow substitution of various logging packages, while providing
* a common interface to access them.
- *
- * In the reference implementation, JavaLogFactory.java implements this interface. JavaLogFactory.java also contains an
- * inner class called JavaLogger which implements Logger.java and uses the Java logging package to log events.
- *
+ *
+ * In the reference implementation, JavaLogFactory.java implements this interface. JavaLogFactory.java also contains an
+ * inner class called JavaLogger which implements Logger.java and uses the Java logging package to log events.
+ *
* @see org.owasp.esapi.ESAPI
- *
+ *
* @author rdawes
*
*/
public interface LogFactory {
-
+
/**
- * Gets the logger associated with the specified module name. The module name is used by the logger to log which
- * module is generating the log events. The implementation of this method should return any preexisting Logger
+ * Gets the logger associated with the specified module name. The module name is used by the logger to log which
+ * module is generating the log events. The implementation of this method should return any preexisting Logger
* associated with this module name, rather than creating a new Logger.
*
* The JavaLogFactory reference implementation meets these requirements.
- *
+ *
* @param moduleName
* The name of the module requesting the logger.
* @return
* The Logger associated with this module.
*/
Logger getLogger(String moduleName);
-
+
/**
- * Gets the logger associated with the specified class. The class is used by the logger to log which
- * class is generating the log events. The implementation of this method should return any preexisting Logger
+ * Gets the logger associated with the specified class. The class is used by the logger to log which
+ * class is generating the log events. The implementation of this method should return any preexisting Logger
* associated with this class name, rather than creating a new Logger.
*
* The JavaLogFactory reference implementation meets these requirements.
- *
+ *
* @param clazz
* The name of the class requesting the logger.
* @return
* The Logger associated with this class.
*/
Logger getLogger(Class clazz);
-
+
}
diff --git a/src/main/java/org/owasp/esapi/Logger.java b/src/main/java/org/owasp/esapi/Logger.java
index 7c4ccef9e..288509b92 100644
--- a/src/main/java/org/owasp/esapi/Logger.java
+++ b/src/main/java/org/owasp/esapi/Logger.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007-2019 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -45,22 +45,22 @@
*
EVENT_UNSPECIFIED
*
*
- * Your custom implementation can extend or change this list if desired.
+ * Your custom implementation can extend or change this list if desired.
*
- * This {@code Logger} allows callers to determine which logging levels are enabled, and to submit events
+ * This {@code Logger} allows callers to determine which logging levels are enabled, and to submit events
* at different severity levels.
* Implementors of this interface should:
- *
+ *
*
- *
Provide a mechanism for setting the logging level threshold that is currently enabled. This usually works by logging all
+ *
Provide a mechanism for setting the logging level threshold that is currently enabled. This usually works by logging all
* events at and above that severity level, and discarding all events below that level.
* This is usually done via configuration, but can also be made accessible programmatically.
- *
Ensure that dangerous HTML characters are encoded before they are logged to defend against malicious injection into logs
+ *
Ensure that dangerous HTML characters are encoded before they are logged to defend against malicious injection into logs
* that might be viewed in an HTML based log viewer.
*
Encode any CRLF characters included in log data in order to prevent log injection attacks.
- *
Avoid logging the user's session ID. Rather, they should log something equivalent like a
- * generated logging session ID, or a hashed value of the session ID so they can track session specific
- * events without risking the exposure of a live session's ID.
+ *
Avoid logging the user's session ID. Rather, they should log something equivalent like a
+ * generated logging session ID, or a hashed value of the session ID so they can track session specific
+ * events without risking the exposure of a live session's ID.
Filter out any sensitive data specific to the current application or organization, such as credit cards,
+ *
Filter out any sensitive data specific to the current application or organization, such as credit cards,
* social security numbers, etc.
*
- *
+ *
* There are both SLF4J and native Java Logging (i.e., {@code java.util.logging}, aka JUL) implementations
* of the ESAPI logger with JUL being our default logger for our stock ESAPI.properties file that
* is delivered along with ESAPI releases in a separate esapi-configuration jar available from the
@@ -88,11 +88,11 @@
* The {@code org.owasp.esapi.logging.java.JavaLogger} class uses the {@code java.util.logging} package as
* the basis for its logging implementation. Both provided implementations implement requirements #1 through #5 above.
*
- * Customization: It is expected that most organizations may wish to implement their own custom {@code Logger} class in
+ * Customization: It is expected that most organizations may wish to implement their own custom {@code Logger} class in
* order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations
* can serve as a useful starting point to intended to provide a simple functional example of an implementation, but
* they are also largely usuable out-of-the-box with some additional minimal log configuration.
- *
+ *
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
@@ -100,7 +100,7 @@
public interface Logger {
// All implied static final as this is an interface
-
+
/**
* A security type of log event that has succeeded. This is one of 6 predefined
* ESAPI logging events. New events can be added.
@@ -126,7 +126,7 @@ public interface Logger {
* ESAPI logging events. New events can be added.
*/
EventType EVENT_SUCCESS = new EventType( "EVENT SUCCESS", true);
-
+
/**
* A non-security type of log event that has failed. This is one of 6 predefined
* ESAPI logging events. New events can be added.
@@ -142,22 +142,22 @@ public interface Logger {
/**
* Defines the type of log event that is being generated. The Logger interface defines 6 types of Log events:
* SECURITY_SUCCESS, SECURITY_FAILURE, EVENT_SUCCESS, EVENT_FAILURE, EVENT_UNSPECIFIED.
- * Your implementation can extend or change this list if desired.
+ * Your implementation can extend or change this list if desired.
*/
class EventType {
-
+
private String type;
private Boolean success = null;
-
+
public EventType (String name, Boolean newSuccess) {
this.type = name;
this.success = newSuccess;
}
-
+
public Boolean isSuccess() {
return success;
}
-
+
/**
* Convert the {@code EventType} to a string.
* @return The event type name.
@@ -167,76 +167,76 @@ public String toString() {
return this.type;
}
}
-
+
/*
- * The Logger interface defines 6 logging levels: FATAL, ERROR, WARNING, INFO, DEBUG, TRACE. It also
+ * The Logger interface defines 6 logging levels: FATAL, ERROR, WARNING, INFO, DEBUG, TRACE. It also
* supports ALL, which logs all events, and OFF, which disables all logging.
- * Your implementation can extend or change this list if desired.
+ * Your implementation can extend or change this list if desired.
*/
-
+
/** OFF indicates that no messages should be logged. This level is initialized to Integer.MAX_VALUE. */
int OFF = Integer.MAX_VALUE;
/** FATAL indicates that only FATAL messages should be logged. This level is initialized to 1000. */
int FATAL = 1000;
- /** ERROR indicates that ERROR messages and above should be logged.
+ /** ERROR indicates that ERROR messages and above should be logged.
* This level is initialized to 800. */
int ERROR = 800;
- /** WARNING indicates that WARNING messages and above should be logged.
+ /** WARNING indicates that WARNING messages and above should be logged.
* This level is initialized to 600. */
int WARNING = 600;
- /** INFO indicates that INFO messages and above should be logged.
+ /** INFO indicates that INFO messages and above should be logged.
* This level is initialized to 400. */
int INFO = 400;
- /** DEBUG indicates that DEBUG messages and above should be logged.
+ /** DEBUG indicates that DEBUG messages and above should be logged.
* This level is initialized to 200. */
int DEBUG = 200;
- /** TRACE indicates that TRACE messages and above should be logged.
+ /** TRACE indicates that TRACE messages and above should be logged.
* This level is initialized to 100. */
int TRACE = 100;
/** ALL indicates that all messages should be logged. This level is initialized to Integer.MIN_VALUE. */
int ALL = Integer.MIN_VALUE;
-
+
/**
- * Dynamically set the ESAPI logging severity level. All events of this level and higher will be logged from
+ * Dynamically set the ESAPI logging severity level. All events of this level and higher will be logged from
* this point forward for all logs. All events below this level will be discarded.
- *
- * @param level The level to set the logging level to.
+ *
+ * @param level The level to set the logging level to.
*/
void setLevel(int level);
-
+
/** Retrieve the current ESAPI logging level for this logger.
- *
+ *
* @return The current logging level.
*/
int getESAPILevel();
-
+
/**
* Log a fatal event if 'fatal' level logging is enabled.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
*/
void fatal(EventType type, String message);
-
+
/**
- * Log a fatal level security event if 'fatal' level logging is enabled
+ * Log a fatal level security event if 'fatal' level logging is enabled
* and also record the stack trace associated with the event.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
- * @param throwable
+ * @param throwable
* the exception to be logged
*/
void fatal(EventType type, String message, Throwable throwable);
@@ -244,30 +244,30 @@ public String toString() {
/**
* Allows the caller to determine if messages logged at this level
* will be discarded, to avoid performing expensive processing.
- *
+ *
* @return true if fatal level messages will be output to the log
*/
boolean isFatalEnabled();
/**
* Log an error level security event if 'error' level logging is enabled.
- *
- * @param type
- * the type of event
- * @param message
+ *
+ * @param type
+ * the type of event
+ * @param message
* the message to log
*/
void error(EventType type, String message);
-
+
/**
- * Log an error level security event if 'error' level logging is enabled
+ * Log an error level security event if 'error' level logging is enabled
* and also record the stack trace associated with the event.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
- * @param throwable
+ * @param throwable
* the exception to be logged
*/
void error(EventType type, String message, Throwable throwable);
@@ -275,30 +275,30 @@ public String toString() {
/**
* Allows the caller to determine if messages logged at this level
* will be discarded, to avoid performing expensive processing.
- *
+ *
* @return true if error level messages will be output to the log
*/
boolean isErrorEnabled();
/**
* Log a warning level security event if 'warning' level logging is enabled.
- *
- * @param type
- * the type of event
- * @param message
+ *
+ * @param type
+ * the type of event
+ * @param message
* the message to log
*/
void warning(EventType type, String message);
-
+
/**
- * Log a warning level security event if 'warning' level logging is enabled
+ * Log a warning level security event if 'warning' level logging is enabled
* and also record the stack trace associated with the event.
- *
- * @param type
- * the type of event
- * @param message
+ *
+ * @param type
+ * the type of event
+ * @param message
* the message to log
- * @param throwable
+ * @param throwable
* the exception to be logged
*/
void warning(EventType type, String message, Throwable throwable);
@@ -306,30 +306,30 @@ public String toString() {
/**
* Allows the caller to determine if messages logged at this level
* will be discarded, to avoid performing expensive processing.
- *
+ *
* @return true if warning level messages will be output to the log
*/
boolean isWarningEnabled();
/**
* Log an info level security event if 'info' level logging is enabled.
- *
- * @param type
- * the type of event
- * @param message
+ *
+ * @param type
+ * the type of event
+ * @param message
* the message to log
*/
void info(EventType type, String message);
-
+
/**
- * Log an info level security event if 'info' level logging is enabled
+ * Log an info level security event if 'info' level logging is enabled
* and also record the stack trace associated with the event.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
- * @param throwable
+ * @param throwable
* the exception to be logged
*/
void info(EventType type, String message, Throwable throwable);
@@ -337,30 +337,30 @@ public String toString() {
/**
* Allows the caller to determine if messages logged at this level
* will be discarded, to avoid performing expensive processing.
- *
+ *
* @return true if info level messages will be output to the log
*/
boolean isInfoEnabled();
/**
* Log a debug level security event if 'debug' level logging is enabled.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
*/
void debug(EventType type, String message);
-
+
/**
- * Log a debug level security event if 'debug' level logging is enabled
+ * Log a debug level security event if 'debug' level logging is enabled
* and also record the stack trace associated with the event.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
- * @param throwable
+ * @param throwable
* the exception to be logged
*/
void debug(EventType type, String message, Throwable throwable);
@@ -368,30 +368,30 @@ public String toString() {
/**
* Allows the caller to determine if messages logged at this level
* will be discarded, to avoid performing expensive processing.
- *
+ *
* @return true if debug level messages will be output to the log
*/
boolean isDebugEnabled();
/**
* Log a trace level security event if 'trace' level logging is enabled.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
*/
void trace(EventType type, String message);
-
+
/**
- * Log a trace level security event if 'trace' level logging is enabled
+ * Log a trace level security event if 'trace' level logging is enabled
* and also record the stack trace associated with the event.
- *
- * @param type
- * the type of event
- * @param message
+ *
+ * @param type
+ * the type of event
+ * @param message
* the message to log
- * @param throwable
+ * @param throwable
* the exception to be logged
*/
void trace(EventType type, String message, Throwable throwable);
@@ -399,7 +399,7 @@ public String toString() {
/**
* Allows the caller to determine if messages logged at this level
* will be discarded, to avoid performing expensive processing.
- *
+ *
* @return true if trace level messages will be output to the log
*/
boolean isTraceEnabled();
@@ -408,25 +408,25 @@ public String toString() {
* Log an event regardless of what logging level is enabled.
*
* Note that logging will not occur if the underlying logging implementation has logging disabled.
- *
- * @param type
+ *
+ * @param type
* the type of event
- * @param message
+ * @param message
* the message to log
*/
void always(EventType type, String message);
-
+
/**
* Log an event regardless of what logging level is enabled
* and also record the stack trace associated with the event.
*
* Note that logging will not occur if the underlying logging implementation has logging disabled.
- *
- * @param type
- * the type of event
- * @param message
+ *
+ * @param type
+ * the type of event
+ * @param message
* the message to log
- * @param throwable
+ * @param throwable
* the exception to be logged
*/
void always(EventType type, String message, Throwable throwable);
diff --git a/src/main/java/org/owasp/esapi/PreparedString.java b/src/main/java/org/owasp/esapi/PreparedString.java
index d0695e4a5..5102a324c 100644
--- a/src/main/java/org/owasp/esapi/PreparedString.java
+++ b/src/main/java/org/owasp/esapi/PreparedString.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007-2019 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2009
*/
@@ -21,19 +21,19 @@
/**
* A parameterized string that uses escaping to make untrusted data safe before combining it with
* a command or query intended for use in an interpreter.
- *
+ *
* PreparedString div = new PreparedString( "<a href=\"http:\\\\example.com?id=?\" onmouseover=\"alert('?')\">test</a>", new HTMLEntityCodec() );
* div.setURL( 1, request.getParameter( "url" ), new PercentCodec() );
* div.set( 2, request.getParameter( "message" ), new JavaScriptCodec() );
* out.println( div.toString() );
- *
+ *
* // escaping for SQL
* PreparedString query = new PreparedString( "SELECT * FROM users WHERE name='?' AND password='?'", new OracleCodec() );
* query.set( 1, request.getParameter( "name" ) );
* query.set( 2, request.getParameter( "pass" ) );
* stmt.execute( query.toString() );
*
- *
+ *
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
*/
@@ -45,7 +45,7 @@ public class PreparedString {
private final static char[] IMMUNE = {};
/**
- * Create a PreparedString with the supplied template and Codec. The template should use the
+ * Create a PreparedString with the supplied template and Codec. The template should use the
* default parameter placeholder character (?) in the place where actual parameters are to be inserted.
* The supplied Codec will be used to escape characters in calls to set, unless a specific Codec is
* provided to override it.
@@ -89,9 +89,9 @@ private void split( String str, char c ) {
parts.add( str.substring(index) );
parameters = new String[pcount];
}
-
+
/**
- * Set the parameter at index with supplied value using the default Codec to escape.
+ * Set the parameter at index with supplied value using the default Codec to escape.
* @param index
* @param value
*/
@@ -102,9 +102,9 @@ public void set( int index, String value ) {
String encoded = codec.encode( IMMUNE, value );
parameters[index-1] = encoded;
}
-
+
/**
- * Set the parameter at index with supplied value using the supplied Codec to escape.
+ * Set the parameter at index with supplied value using the supplied Codec to escape.
* @param index
* @param value
* @param codec
@@ -116,7 +116,7 @@ public void set( int index, String value, Codec codec ) {
String encoded = codec.encode( IMMUNE, value );
parameters[index-1] = encoded;
}
-
+
/**
* Render the PreparedString by combining the template with properly escaped parameters.
*/
diff --git a/src/main/java/org/owasp/esapi/PropNames.java b/src/main/java/org/owasp/esapi/PropNames.java
index 33a5eb4e1..59deb8991 100644
--- a/src/main/java/org/owasp/esapi/PropNames.java
+++ b/src/main/java/org/owasp/esapi/PropNames.java
@@ -67,7 +67,7 @@ public final class PropNames {
public static final String CANONICALIZATION_CODECS = "Encoder.DefaultCodecList";
public static final String DISABLE_INTRUSION_DETECTION = "IntrusionDetector.Disable";
-
+
public static final String MASTER_KEY = "Encryptor.MasterKey";
public static final String MASTER_SALT = "Encryptor.MasterSalt";
public static final String KEY_LENGTH = "Encryptor.EncryptionKeyLength";
diff --git a/src/main/java/org/owasp/esapi/Randomizer.java b/src/main/java/org/owasp/esapi/Randomizer.java
index 1d991b164..bef0c4a1b 100644
--- a/src/main/java/org/owasp/esapi/Randomizer.java
+++ b/src/main/java/org/owasp/esapi/Randomizer.java
@@ -92,7 +92,7 @@ public interface Randomizer {
/**
* Returns an unguessable random filename with the specified extension. This method could call
- * getRandomString(length, charset) from this Class with the desired length and alphanumerics as the charset
+ * getRandomString(length, charset) from this Class with the desired length and alphanumerics as the charset
* then merely append "." + extension.
*
* @param extension
@@ -123,7 +123,7 @@ public interface Randomizer {
/**
* Generates a random GUID. This method could use a hash of random Strings, the current time,
- * and any other random data available. The format is a well-defined sequence of 32 hex digits
+ * and any other random data available. The format is a well-defined sequence of 32 hex digits
* grouped into chunks of 8-4-4-4-12.
*
* For more information including algorithms used to create UUIDs,
diff --git a/src/main/java/org/owasp/esapi/SafeFile.java b/src/main/java/org/owasp/esapi/SafeFile.java
index fba5a94e7..e048e9419 100644
--- a/src/main/java/org/owasp/esapi/SafeFile.java
+++ b/src/main/java/org/owasp/esapi/SafeFile.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2008 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Arshan Dabirsiaghi Aspect Security
* @created 2008
*/
@@ -31,8 +31,8 @@
public class SafeFile extends File {
private static final long serialVersionUID = 1L;
- private static final Pattern PERCENTS_PAT = Pattern.compile("(%)([0-9a-fA-F])([0-9a-fA-F])");
- private static final Pattern FILE_BLACKLIST_PAT = Pattern.compile("([\\\\/:*?<>|^])");
+ private static final Pattern PERCENTS_PAT = Pattern.compile("(%)([0-9a-fA-F])([0-9a-fA-F])");
+ private static final Pattern FILE_BLACKLIST_PAT = Pattern.compile("([\\\\/:*?<>|^])");
private static final Pattern DIR_BLACKLIST_PAT = Pattern.compile("([*?<>|^])");
public SafeFile(String path) throws ValidationException {
@@ -59,7 +59,7 @@ public SafeFile(URI uri) throws ValidationException {
doFileCheck(this.getName());
}
-
+
private void doDirCheck(String path) throws ValidationException {
Matcher m1 = DIR_BLACKLIST_PAT.matcher( path );
if ( null != m1 && m1.find() ) {
@@ -70,13 +70,13 @@ private void doDirCheck(String path) throws ValidationException {
if (null != m2 && m2.find() ) {
throw new ValidationException( "Invalid directory", "Directory path (" + path + ") contains encoded characters: " + m2.group() );
}
-
+
int ch = containsUnprintableCharacters(path);
if (ch != -1) {
throw new ValidationException("Invalid directory", "Directory path (" + path + ") contains unprintable character: " + ch);
}
}
-
+
private void doFileCheck(String path) throws ValidationException {
Matcher m1 = FILE_BLACKLIST_PAT.matcher( path );
if ( m1.find() ) {
@@ -87,7 +87,7 @@ private void doFileCheck(String path) throws ValidationException {
if ( m2.find() ) {
throw new ValidationException( "Invalid file", "File path (" + path + ") contains encoded characters: " + m2.group() );
}
-
+
int ch = containsUnprintableCharacters(path);
if (ch != -1) {
throw new ValidationException("Invalid file", "File path (" + path + ") contains unprintable character: " + ch);
diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
index 11f6454d5..564206de0 100644
--- a/src/main/java/org/owasp/esapi/SecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Mike Fauzy Aspect Security
* @author Jeff Williams Aspect Security
* @created 2007
@@ -45,7 +45,7 @@
*
* The ESAPI reference implementation (DefaultSecurityConfiguration.java) does
* not encrypt its properties file.
- *
+ *
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
@@ -54,107 +54,107 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Gets the application name, used for logging
- *
+ *
* @return the name of the current application
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getApplicationName();
-
+
/**
* Returns the fully qualified classname of the ESAPI Logging implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getLogImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI Authentication implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getAuthenticationImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI Encoder implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getEncoderImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI Access Control implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getAccessControlImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getIntrusionDetectionImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI Randomizer implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getRandomizerImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI Encryption implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getEncryptionImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI Validation implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getValidationImplementation();
-
+
/**
* Returns the validation pattern for a particular type
* @param typeName
* @return the validation pattern
*/
Pattern getValidationPattern( String typeName );
-
+
/**
* Determines whether ESAPI will accept "lenient" dates when attempt
* to parse dates. Controlled by ESAPI property
* {@code Validator.AcceptLenientDates}, which defaults to {@code false}
* if unset.
- *
+ *
* @return True if lenient dates are accepted; false otherwise.
* @see java.text.DateFormat#setLenient(boolean)
* @deprecated Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
boolean getLenientDatesAccepted();
-
+
/**
* Returns the fully qualified classname of the ESAPI OS Execution implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getExecutorImplementation();
-
+
/**
* Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getHTTPUtilitiesImplementation();
-
+
/**
* Gets the master key. This password is used to encrypt/decrypt other files or types
* of data that need to be protected by your application.
- *
+ *
* @return the current master key
* @deprecated Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
*/
@@ -166,7 +166,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* @return the upload directory
*/
File getUploadDirectory();
-
+
/**
* Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
* @return the temp directory
@@ -180,17 +180,17 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength,
* which is the minimum key size (in bits) that ESAPI will support
* for encryption. (There is no miminimum for decryption.)
- *
+ *
* @return the key length (in bits)
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
int getEncryptionKeyLength();
-
+
/**
- * Gets the master salt that is used to salt stored password hashes and any other location
+ * Gets the master salt that is used to salt stored password hashes and any other location
* where a salt is needed.
- *
+ *
* @return the current master salt
* @deprecated Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
*/
@@ -199,21 +199,21 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Gets the allowed executables to run with the Executor.
- *
+ *
* @return a list of the current allowed file extensions
*/
List getAllowedExecutables();
/**
* Gets the allowed file extensions for files that are uploaded to this application.
- *
+ *
* @return a list of the current allowed file extensions
*/
List getAllowedFileExtensions();
/**
* Gets the maximum allowed file upload size.
- *
+ *
* @return the current allowed file upload size
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@@ -222,7 +222,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Gets the name of the password parameter used during user authentication.
- *
+ *
* @return the name of the password parameter
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -231,7 +231,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Gets the name of the username parameter used during user authentication.
- *
+ *
* @return the name of the username parameter
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -243,7 +243,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to
* use "cipher transformation" since it supports multiple cipher modes
* and padding schemes.
- *
+ *
* @return the current encryption algorithm
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -267,7 +267,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* actual block size. When requesting such a mode, you may optionally
* specify the number of bits to be processed at a time. This generally must
* be an integral multiple of 8-bits so that it can specify a whole number
- * of octets.
+ * of octets.
*
* Examples are:
*
@@ -293,13 +293,13 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
*/
@Deprecated
String getCipherTransformation();
-
+
/**
* Set the cipher transformation. This allows a different cipher transformation
* to be used without changing the {@code ESAPI.properties} file. For instance
* you may normally want to use AES/CBC/PKCS5Padding, but have some legacy
* encryption where you have ciphertext that was encrypted using 3DES.
- *
+ *
* @param cipherXform The new cipher transformation. See
* {@link #getCipherTransformation} for format. If
* {@code null} is passed as the parameter, the cipher
@@ -342,7 +342,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
*/
@Deprecated
String getPreferredJCEProvider();
-
+
// TODO - DISCUSS: Where should this web page (below) go? Maybe with the Javadoc? But where?
// Think it makes more sense as part of the release notes, but OTOH, I
// really don't want to rewrite this as a Wiki page either.
@@ -379,7 +379,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
*/
@Deprecated
boolean overwritePlainText();
-
+
/**
* Get a string indicating how to compute an Initialization Vector (IV).
* Currently supported modes are "random" to generate a random IV or
@@ -393,17 +393,17 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* since release 2.2.0.0). An ESAPI.properties value of {@code fixed} for the property
* {@code Encryptor.ChooseIVMethod} will now result in a {@code ConfigurationException}
* being thrown.
- *
+ *
* @return A string specifying the IV type. Should be "random". Anything
* else should fail with a {@code ConfigurationException} being thrown.
- *
+ *
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
* This method will be removed in a future release as it is now moot since
* it can only legitimately have the single value of "random".
*/
@Deprecated
String getIVType();
-
+
/**
* Return a {@code List} of strings of combined cipher modes that support
* both confidentiality and authenticity. These would be preferred
@@ -415,7 +415,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* The list is taken from the comma-separated list of cipher modes specified
* by the ESAPI property
* {@code Encryptor.cipher_modes.combined_modes}.
- *
+ *
* @return The parsed list of comma-separated cipher modes if the property
* was specified in {@code ESAPI.properties}; otherwise the empty list is
* returned.
@@ -431,7 +431,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* The list is taken from the comma-separated list of cipher modes specified
* by the ESAPI property
* {@code Encryptor.cipher_modes.additional_allowed}.
- *
+ *
* @return The parsed list of comma-separated cipher modes if the property
* was specified in {@code ESAPI.properties}; otherwise the empty list is
* returned.
@@ -442,7 +442,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Gets the hashing algorithm used by ESAPI to hash data.
- *
+ *
* @return the current hashing algorithm
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -451,7 +451,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Gets the hash iterations used by ESAPI to hash data.
- *
+ *
* @return the current hashing algorithm
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@@ -461,22 +461,22 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Retrieve the Pseudo Random Function (PRF) used by the ESAPI
* Key Derivation Function (KDF).
- *
+ *
* @return The KDF PRF algorithm name.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getKDFPseudoRandomFunction();
-
+
/**
* Gets the character encoding scheme supported by this application. This is used to set the
* character encoding scheme on requests and responses when setCharacterEncoding() is called
- * on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs
+ * on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs
* and any other place where the current encoding scheme needs to be known.
*
- * Note: This does not get the configured response content type. That is accessed by calling
+ * Note: This does not get the configured response content type. That is accessed by calling
* getResponseContentType().
- *
+ *
* @return the current character encoding scheme
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -503,14 +503,14 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Returns the List of Codecs to use when canonicalizing data
- *
+ *
* @return the codec list
*/
List getDefaultCanonicalizationCodecs();
/**
* Gets the digital signature algorithm used by ESAPI to generate and verify signatures.
- *
+ *
* @return the current digital signature algorithm
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -519,16 +519,16 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Gets the digital signature key length used by ESAPI to generate and verify signatures.
- *
+ *
* @return the current digital signature key length
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
int getDigitalSignatureKeyLength();
-
+
/**
* Gets the random number generation algorithm used to generate random numbers where needed.
- *
+ *
* @return the current random number generation algorithm
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -536,9 +536,9 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
String getRandomAlgorithm();
/**
- * Gets the number of login attempts allowed before the user's account is locked. If this
+ * Gets the number of login attempts allowed before the user's account is locked. If this
* many failures are detected within the alloted time period, the user's account will be locked.
- *
+ *
* @return the number of failed login attempts that cause an account to be locked
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@@ -546,10 +546,10 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
int getAllowedLoginAttempts();
/**
- * Gets the maximum number of old password hashes that should be retained. These hashes can
+ * Gets the maximum number of old password hashes that should be retained. These hashes can
* be used to ensure that the user doesn't reuse the specified number of previous passwords
* when they change their password.
- *
+ *
* @return the number of old hashed passwords to retain
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@@ -558,18 +558,18 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Allows for complete disabling of all intrusion detection mechanisms
- *
+ *
* @return true if intrusion detection should be disabled
* @deprecated Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
boolean getDisableIntrusionDetection();
-
+
/**
* Gets the intrusion detection quota for the specified event.
- *
+ *
* @param eventName the name of the event whose quota is desired
- *
+ *
* @return the Quota that has been configured for the specified type of event
*/
Threshold getQuota(String eventName);
@@ -581,7 +581,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* @return A {@code File} object representing the specified file name or null if not found.
*/
File getResourceFile( String filename );
-
+
/**
* Returns true if session cookies are required to have HttpOnly flag set.
* @deprecated Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
@@ -628,17 +628,17 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Sets the ESAPI resource directory.
- *
+ *
* @param dir The location of the resource directory.
*/
void setResourceDirectory(String dir);
-
+
/**
* Gets the content type for responses used when setSafeContentType() is called.
*
- * Note: This does not get the configured character encoding scheme. That is accessed by calling
+ * Note: This does not get the configured character encoding scheme. That is accessed by calling
* getCharacterEncoding().
- *
+ *
* @return The current content-type set for responses.
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@@ -646,60 +646,60 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
String getResponseContentType();
/**
- * This method returns the configured name of the session identifier,
+ * This method returns the configured name of the session identifier,
* likely "JSESSIONID" though this can be overridden.
- *
+ *
* @return The name of the session identifier, like "JSESSIONID"
* @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
String getHttpSessionIdName();
-
+
/**
* Gets the length of the time to live window for remember me tokens (in milliseconds).
- *
+ *
* @return The time to live length for generated "remember me" tokens.
*/
// OPEN ISSUE: Can we replace w/ SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead?
long getRememberTokenDuration();
-
+
/**
* Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session
* can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate
* function that enables a session to continue after reauthentication.
- *
+ *
* @return The session idle timeout length.
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
int getSessionIdleTimeoutLength();
-
+
/**
* Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session
- * can live before it expires regardless of the amount of user activity. Applications or frameworks could
+ * can live before it expires regardless of the amount of user activity. Applications or frameworks could
* provide a reauthenticate function that enables a session to continue after reauthentication.
- *
+ *
* @return The session absolute timeout length.
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
int getSessionAbsoluteTimeoutLength();
-
-
+
+
/**
* Returns whether HTML entity encoding should be applied to log entries.
- *
+ *
* @return True if log entries are to be HTML Entity encoded. False otherwise.
* @deprecated Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
*/
@Deprecated
boolean getLogEncodingRequired();
-
+
/**
* Returns whether ESAPI should log the application name. This might be clutter in some
* single-server/single-app environments.
- *
+ *
* @return True if ESAPI should log the application name, False otherwise
* @deprecated Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
*/
@@ -709,7 +709,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
/**
* Returns whether ESAPI should log the server IP. This might be clutter in some
* single-server environments.
- *
+ *
* @return True if ESAPI should log the server IP and port, False otherwise
* @deprecated Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
*/
@@ -717,35 +717,35 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
boolean getLogServerIP();
/**
- * Models a simple threshold as a count and an interval, along with a set of actions to take if
+ * Models a simple threshold as a count and an interval, along with a set of actions to take if
* the threshold is exceeded. These thresholds are used to define when the accumulation of a particular event
* has met a set number within the specified time period. Once a threshold value has been met, various
* actions can be taken at that point.
*/
class Threshold {
-
+
/** The name of this threshold. */
public String name = null;
-
+
/** The count at which this threshold is triggered. */
public int count = 0;
-
- /**
+
+ /**
* The time frame within which 'count' number of actions has to be detected in order to
* trigger this threshold.
*/
public long interval = 0;
-
+
/**
- * The list of actions to take if the threshold is met. It is expected that this is a list of Strings, but
- * your implementation could have this be a list of any type of 'actions' you wish to define.
+ * The list of actions to take if the threshold is met. It is expected that this is a list of Strings, but
+ * your implementation could have this be a list of any type of 'actions' you wish to define.
*/
public List actions = null;
/**
* Constructs a threshold that is composed of its name, its threshold count, the time window for
* the threshold, and the actions to take if the threshold is triggered.
- *
+ *
* @param name The name of this threshold.
* @param count The count at which this threshold is triggered.
* @param interval The time frame within which 'count' number of actions has to be detected in order to
diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java
index 19a29f7c9..55f8c55a3 100644
--- a/src/main/java/org/owasp/esapi/StringUtilities.java
+++ b/src/main/java/org/owasp/esapi/StringUtilities.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -20,7 +20,7 @@
/**
* String utilities used in various filters.
- *
+ *
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
@@ -31,9 +31,9 @@ public class StringUtilities {
public static String replaceLinearWhiteSpace( String input ) {
return p.matcher(input).replaceAll( " " );
}
-
+
/**
- * Removes all unprintable characters from a string
+ * Removes all unprintable characters from a string
* and replaces with a space.
* @param input
* @return the stripped value
@@ -51,16 +51,16 @@ public static String stripControls( String input ) {
return sb.toString();
}
-
+
/**
* Union multiple character arrays.
- *
+ *
* @param list the char[]s to union
* @return the union of the char[]s
*/
public static char[] union(char[]... list) {
StringBuilder sb = new StringBuilder();
-
+
for (char[] characters : list) {
for ( char c : characters ) {
if ( !contains( sb, c ) )
diff --git a/src/main/java/org/owasp/esapi/User.java b/src/main/java/org/owasp/esapi/User.java
index 8e46a97e2..fa30ca3ba 100644
--- a/src/main/java/org/owasp/esapi/User.java
+++ b/src/main/java/org/owasp/esapi/User.java
@@ -1,15 +1,15 @@
/**
* OWASP Enterprise Security API (ESAPI)
- *
+ *
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
- *
+ *
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
- *
+ *
* @author Jeff Williams Aspect Security
* @created 2007
*/
@@ -34,7 +34,7 @@
* number of reasons, most commonly because they have failed login for too many times. Finally, the account can expire
* after the expiration date has been reached. The User must be enabled, not expired, and unlocked in order to pass
* authentication.
- *
+ *
* @author Jeff Williams at Aspect Security
* @author Chris Schmidt (chrisisbeef .at. gmail.com) Digital Ritual Software
* @since June 1, 2007
@@ -53,22 +53,22 @@ public interface User extends Principal, Serializable {
/**
* Adds a role to this user's account.
- *
- * @param role
+ *
+ * @param role
* the role to add
- *
- * @throws AuthenticationException
+ *
+ * @throws AuthenticationException
* the authentication exception
*/
void addRole(String role) throws AuthenticationException;
/**
* Adds a set of roles to this user's account.
- *
- * @param newRoles
+ *
+ * @param newRoles
* the new roles to add
- *
- * @throws AuthenticationException
+ *
+ * @throws AuthenticationException
* the authentication exception
*/
void addRoles(Set newRoles) throws AuthenticationException;
@@ -76,17 +76,17 @@ public interface User extends Principal, Serializable {
/**
* Sets the user's password, performing a verification of the user's old password, the equality of the two new
* passwords, and the strength of the new password.
- *
- * @param oldPassword
+ *
+ * @param oldPassword
* the old password
- * @param newPassword1
+ * @param newPassword1
* the new password
- * @param newPassword2
+ * @param newPassword2
* the new password - used to verify that the new password was typed correctly
- *
- * @throws AuthenticationException
- * if newPassword1 does not match newPassword2, if oldPassword does not match the stored old password, or if the new password does not meet complexity requirements
- * @throws EncryptionException
+ *
+ * @throws AuthenticationException
+ * if newPassword1 does not match newPassword2, if oldPassword does not match the stored old password, or if the new password does not meet complexity requirements
+ * @throws EncryptionException
*/
void changePassword(String oldPassword, String newPassword1, String newPassword2) throws AuthenticationException, EncryptionException;
@@ -102,21 +102,21 @@ public interface User extends Principal, Serializable {
/**
* Gets this user's account id number.
- *
+ *
* @return the account id
*/
long getAccountId();
-
+
/**
* Gets this user's account name.
- *
+ *
* @return the account name
*/
String getAccountName();
/**
* Gets the CSRF token for this user's current sessions.
- *
+ *
* @return the CSRF token
*/
String getCSRFToken();
@@ -133,7 +133,7 @@ public interface User extends Principal, Serializable {
* intended to be used as a part of the account lockout feature, to help protect against brute force attacks.
* However, the implementor should be aware that lockouts can be used to prevent access to an application by a
* legitimate user, and should consider the risk of denial of service.
- *
+ *
* @return the number of failed login attempts since the last successful login
*/
int getFailedLoginCount();
@@ -141,7 +141,7 @@ public interface User extends Principal, Serializable {
/**
* Returns the last host address used by the user. This will be used in any log messages generated by the processing
* of this request.
- *
+ *
* @return the last host address used by the user
*/
String getLastHostAddress();
@@ -149,10 +149,10 @@ public interface User extends Principal, Serializable {
/**
* Returns the date of the last failed login time for a user. This date should be used in a message to users after a
* successful login, to notify them of potential attack activity on their account.
- *
+ *
* @return date of the last failed login
- *
- * @throws AuthenticationException
+ *
+ * @throws AuthenticationException
* the authentication exception
*/
Date getLastFailedLoginTime() throws AuthenticationException;
@@ -160,54 +160,54 @@ public interface User extends Principal, Serializable {
/**
* Returns the date of the last successful login time for a user. This date should be used in a message to users
* after a successful login, to notify them of potential attack activity on their account.
- *
+ *
* @return date of the last successful login
*/
Date getLastLoginTime();
/**
* Gets the date of user's last password change.
- *
+ *
* @return the date of last password change
*/
Date getLastPasswordChangeTime();
/**
* Gets the roles assigned to a particular account.
- *
+ *
* @return an immutable set of roles
*/
Set getRoles();
/**
* Gets the screen name (alias) for the current user.
- *
+ *
* @return the screen name
*/
String getScreenName();
/**
* Adds a session for this User.
- *
+ *
* @param s
* The session to associate with this user.
*/
void addSession( HttpSession s );
-
+
/**
* Removes a session for this User.
- *
+ *
* @param s
* The session to remove from being associated with this user.
*/
void removeSession( HttpSession s );
-
+
/**
* Returns a Set containing the sessions associated with this User.
* @return The Set of sessions for this User.
*/
Set getSessions();
-
+
/**
* Increment failed login count.
*/
@@ -215,70 +215,70 @@ public interface User extends Principal, Serializable {
/**
* Checks if user is anonymous.
- *
+ *
* @return true, if user is anonymous
*/
boolean isAnonymous();
/**
* Checks if this user's account is currently enabled.
- *
- * @return true, if account is enabled
+ *
+ * @return true, if account is enabled
*/
boolean isEnabled();
/**
* Checks if this user's account is expired.
- *
+ *
* @return true, if account is expired
*/
boolean isExpired();
/**
* Checks if this user's account is assigned a particular role.
- *
- * @param role
+ *
+ * @param role
* the role for which to check
- *
+ *
* @return true, if role has been assigned to user
*/
boolean isInRole(String role);
/**
* Checks if this user's account is locked.
- *
+ *
* @return true, if account is locked
*/
boolean isLocked();
/**
* Tests to see if the user is currently logged in.
- *
+ *
* @return true, if the user is logged in
*/
boolean isLoggedIn();
/**
- * Tests to see if this user's session has exceeded the absolute time out based
+ * Tests to see if this user's session has exceeded the absolute time out based
* on ESAPI's configuration settings.
- *
+ *
* @return true, if user's session has exceeded the absolute time out
*/
boolean isSessionAbsoluteTimeout();
/**
- * Tests to see if the user's session has timed out from inactivity based
+ * Tests to see if the user's session has timed out from inactivity based
* on ESAPI's configuration settings.
- *
- * A session may timeout prior to ESAPI's configuration setting due to
- * the servlet container setting for session-timeout in web.xml. The
- * following is an example of a web.xml session-timeout set for one hour.
+ *
+ * A session may timeout prior to ESAPI's configuration setting due to
+ * the servlet container setting for session-timeout in web.xml. The
+ * following is an example of a web.xml session-timeout set for one hour.
*
*
- * 60
+ * 60
*
- *
- * @return true, if user's session has timed out from inactivity based
+ *
+ * @return true, if user's session has timed out from inactivity based
* on ESAPI configuration
*/
boolean isSessionTimeout();
@@ -290,10 +290,10 @@ public interface User extends Principal, Serializable {
/**
* Login with password.
- *
- * @param password
+ *
+ * @param password
* the password
- * @throws AuthenticationException
+ * @throws AuthenticationException
* if login fails
*/
void loginWithPassword(String password) throws AuthenticationException;
@@ -305,10 +305,10 @@ public interface User extends Principal, Serializable {
/**
* Removes a role from this user's account.
- *
- * @param role
+ *
+ * @param role
* the role to remove
- * @throws AuthenticationException
+ * @throws AuthenticationException
* the authentication exception
*/
void removeRole(String role) throws AuthenticationException;
@@ -318,42 +318,42 @@ public interface User extends Principal, Serializable {
* forms. The application should verify that all requests contain the token, or they may have been generated by a
* CSRF attack. It is generally best to perform the check in a centralized location, either a filter or controller.
* See the verifyCSRFToken method.
- *
+ *
* @return the new CSRF token
- *
- * @throws AuthenticationException
+ *
+ * @throws AuthenticationException
* the authentication exception
*/
String resetCSRFToken() throws AuthenticationException;
/**
* Sets this user's account name.
- *
+ *
* @param accountName the new account name
*/
void setAccountName(String accountName);
/**
* Sets the date and time when this user's account will expire.
- *
+ *
* @param expirationTime the new expiration time
*/
void setExpirationTime(Date expirationTime);
/**
* Sets the roles for this account.
- *
- * @param roles
+ *
+ * @param roles
* the new roles
- *
- * @throws AuthenticationException
+ *
+ * @throws AuthenticationException
* the authentication exception
*/
void setRoles(Set roles) throws AuthenticationException;
/**
* Sets the screen name (username alias) for this user.
- *
+ *
* @param screenName the new screen name
*/
void setScreenName(String screenName);
@@ -367,40 +367,40 @@ public interface User extends Principal, Serializable {
* Verify that the supplied password matches the password for this user. This method
* is typically used for "reauthentication" for the most sensitive functions, such
* as transactions, changing email address, and changing other account information.
- *
- * @param password
+ *
+ * @param password
* the password that the user entered
- *
+ *
* @return true, if the password passed in matches the account's password
- *
- * @throws EncryptionException
+ *
+ * @throws EncryptionException
*/
boolean verifyPassword(String password) throws EncryptionException;
/**
* Set the time of the last failed login for this user.
- *
+ *
* @param lastFailedLoginTime the date and time when the user just failed to login correctly.
*/
void setLastFailedLoginTime(Date lastFailedLoginTime);
-
+
/**
* Set the last remote host address used by this user.
- *
+ *
* @param remoteHost The address of the user's current source host.
*/
void setLastHostAddress(String remoteHost) throws AuthenticationHostException;
-
+
/**
* Set the time of the last successful login for this user.
- *
+ *
* @param lastLoginTime the date and time when the user just successfully logged in.
*/
void setLastLoginTime(Date lastLoginTime);
-
+
/**
* Set the time of the last password change for this user.
- *
+ *
* @param lastPasswordChangeTime the date and time when the user just successfully changed his/her password.
*/
void setLastPasswordChangeTime(Date lastPasswordChangeTime);
@@ -410,7 +410,7 @@ public interface User extends Principal, Serializable {
* IntrusionDetector.
*/
HashMap getEventMap();
-
+
/**
* The ANONYMOUS user is used to represent an unidentified user. Since there is
@@ -424,7 +424,7 @@ public interface User extends Principal, Serializable {
private String csrfToken = "";
private Set