
Commit 0b0da0c

Merge branch 'develop' into java-8
Manual merge of supressions.xml and pom.xml
2 parents 77c5f26 + 6452cc9 commit 0b0da0c

9 files changed

+144
-37
lines changed


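--- a/README.md
+++ b/README.md
@@ -39,10 +39,10 @@ Note however that work on ESAPI 3 has not yet become in earnest and is only in i
 # ESAPI release notes
 The ESAPI release notes may be found in ESAPI's "documentation" directory. They are generally named "esapi4java-core-*2.#.#.#*-release-notes.txt", where "*2.#.#.#*" refers to the ESAPI release number (which uses semantic versioning).
 ## IMPORTANT
-Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and does XML schema validation on the AntiSamy policy files. Please **READ** the release notes for the 2.2.3.0 release (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!
+Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and does XML schema validation on the AntiSamy policy files. Please **READ** the [release notes for the 2.2.3.0 release](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt) (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!
 
 # Locating ESAPI Jar files
-The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.1. The default configuration jar and its GPG signature can be found at [esapi-2.2.3.1-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar) and [esapi-2.2.3.1-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.0-configuration.jar.asc) respectively.
+The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.1. The default configuration jar and its GPG signature can be found at [esapi-2.2.3.1-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar) and [esapi-2.2.3.1-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar.asc) respectively.
 
 The latest *regular* ESAPI jars can are available from Maven Central.
 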
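--- a/pom.xml
+++ b/pom.xml
@@ -132,9 +132,10 @@
 
 <properties>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-<version.jmh>1.35</version.jmh>
+<version.jmh>1.35</version.jmh>
 <version.powermock>2.0.9</version.powermock>
 <version.spotbugs>4.6.0</version.spotbugs>
+<version.findsecbugs>1.12.0</version.findsecbugs>
 <version.spotbugs.maven>4.6.0.0</version.spotbugs.maven>
 <version.surefire>3.0.0-M5</version.surefire>
 <project.java.target>1.8</project.java.target>
@@ -203,9 +204,9 @@
 <groupId>commons-logging</groupId>
 <artifactId>commons-logging</artifactId>
 </exclusion>
-<exclusion>
-<groupId>xml-apis</groupId>
-<artifactId>xml-apis</artifactId>
+<exclusion>
+<groupId>xml-apis</groupId>
+<artifactId>xml-apis</artifactId>
 </exclusion>
 </exclusions>
 </dependency>
@@ -273,7 +274,6 @@
 <version>2.11.0</version>
 </dependency>
 
-
 <!-- SpotBugs dependencies -->
 <dependency>
 <groupId>com.github.spotbugs</groupId>
@@ -442,6 +442,12 @@
 </dependencies>
 </plugin>
 
+<plugin>
+<groupId>com.h3xstream.findsecbugs</groupId>
+<artifactId>findsecbugs-plugin</artifactId>
+<version>${version.findsecbugs}</version>
+</plugin>
+
 <plugin>
 <groupId>net.sourceforge.maven-taglib</groupId>
 <artifactId>maven-taglib-plugin</artifactId>
@@ -457,7 +463,7 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-clean-plugin</artifactId>
-<version>3.1.0</version>
+<version>3.2.0</version>
 </plugin>
 
 <plugin>
@@ -704,9 +710,9 @@
 </plugin>
 
 <plugin>
-<groupId>org.codehaus.mojo</groupId>
+<groupId>io.github.jiangxincode</groupId>
 <artifactId>jdepend-maven-plugin</artifactId>
-<version>2.0</version>
+<version>2.1</version>
 </plugin>
 <plugin>
 <groupId>org.eluder.coveralls</groupId>
@@ -783,6 +789,7 @@
 <reportSets>
 <reportSet>
 <reports>
+<report>index</report>
 <report>dependency-convergence</report>
 </reports>
 </reportSet>
@@ -803,7 +810,7 @@
 <plugin>
 <!-- Using this introduces these errors: Skipped "JDepend" report (jdepend-maven-plugin:2.0:generate), file "jdepend-report.html" already exists.
 but don't know how to eliminate them, without disabling this plugin. -->
-<groupId>org.codehaus.mojo</groupId>
+<groupId>io.github.jiangxincode</groupId>
 <artifactId>jdepend-maven-plugin</artifactId>
 </plugin>
 <!-- Check for available updates to dependencies and report on them. -->
@@ -845,7 +852,6 @@
 
 <plugin>
 <artifactId>maven-jar-plugin</artifactId>
-
 <!--
 <executions>
 <execution>
@@ -859,7 +865,7 @@
 <configuration>
 <!--
 <keystore>codesign.keystore</keystore>
-<alias>owasp foundation, inc.'s godaddy.com, inc. id</alias>
+<alias>OWASP Foundation, Inc.'s GoDaddy.com ID</alias>
 <verify>true</verify>
 -->
 <archive>
@@ -902,7 +908,6 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-release-plugin</artifactId>
-<version>2.5.3</version>
 <configuration>
 <tagBase>https://github.com/ESAPI/esapi-java-legacy/tags</tagBase>
 </configuration>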
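Review bot: The jdepend-maven-plugin coordinates change from `org.codehaus.mojo` to `io.github.jiangxincode` in both the build (line 713) and reporting (line 813) sections, which appears to swap a Codehaus-published build plugin for one under an individual's GitHub-namespace groupId; that is a supply-chain decision and deserves a comment beside the `<groupId>` recording why the fork was chosen and what was verified, e.g. `<!-- io.github.jiangxincode: fork of the unmaintained Codehaus 2.0; artifact signature checked YYYY-MM-DD -->`. The `<version>2.5.3</version>` pin on maven-release-plugin is removed at line 905 with nothing visible here replacing it, so unless a `<pluginManagement>` entry outside this hunk still pins it, Maven will resolve a floating plugin version and release builds stop being reproducible. As far as I know findsecbugs-plugin (lines 445–449) is a SpotBugs detector bundle rather than a Maven plugin; if that `<plugin>` element sits directly under `<build><plugins>` (the enclosing element is outside the hunk) Maven will try to load it as a plugin, and it belongs instead under spotbugs-maven-plugin's `<configuration><plugins>` or its `<dependencies>`.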
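--- a/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java
+++ b/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java
@@ -114,7 +114,8 @@ protected User getUserFromSession() {
 */
 protected DefaultUser getUserFromRememberToken() {
 try {
-String token = ESAPI.httpUtilities().getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
+HTTPUtilities utils =ESAPI.httpUtilities();
+String token = utils.getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
 if (token == null) return null;
 
 // See Google Issue 144 regarding first URLDecode the token and THEN unsealing.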
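Review bot: Formatting nit on the new local at line 117: `HTTPUtilities utils =ESAPI.httpUtilities();` should read `HTTPUtilities utils = ESAPI.httpUtilities();` to match the spacing used on the surrounding lines. Within the hunk `utils` is referenced only once, so the extraction only earns its keep if the rest of getUserFromRememberToken, which continues past the end of the hunk, reuses it; if it does not, the original single-expression form was simpler.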
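--- a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java
@@ -235,11 +235,12 @@ public void addHeader(String name, String value) {
 * {@inheritDoc}
 */
 public void addHeader(HttpServletResponse response, String name, String value) {
+SecurityConfiguration sc = ESAPI.securityConfiguration();
 try {
 String strippedName = StringUtilities.replaceLinearWhiteSpace(name);
 String strippedValue = StringUtilities.replaceLinearWhiteSpace(value);
-String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);
-String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", 500, false);
+String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false);
+String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
 response.addHeader(safeName, safeValue);
 } catch (ValidationException e) {
 logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
@@ -464,9 +465,10 @@ public void encryptStateInCookie( Map<String,String> cleartext ) throws Encrypti
 */
 public String getCookie( HttpServletRequest request, String name ) throws ValidationException {
 Cookie c = getFirstCookie( request, name );
+SecurityConfiguration sc = ESAPI.securityConfiguration();
 if ( c == null ) return null;
 String value = c.getValue();
-return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", 1000, false);
+return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
 }
 
 /**
@@ -657,8 +659,9 @@ private Cookie getFirstCookie(HttpServletRequest request, String name) {
 * {@inheritDoc}
 */
 public String getHeader( HttpServletRequest request, String name ) throws ValidationException {
+SecurityConfiguration sc = ESAPI.securityConfiguration();
 String value = request.getHeader(name);
-return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", 150, false);
+return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
 }
 
 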
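Review bot: The new `sc.getIntProp("HttpUtilities.MaxHeaderNameSize")` / `"HttpUtilities.MaxHeaderValueSize"` lookups replace the fixed limits (20/500, 1000, 150) with a hard dependency on two properties, and in addHeader the lookups sit inside a `try` that catches only ValidationException, so a deployment whose ESAPI.properties predates these keys will fail with whatever getIntProp throws for a missing key (its contract is not visible here) rather than taking the logged "Attempt to add invalid header denied" path; I would resolve each property once with the previous constant as a documented fallback, and state in the Javadoc and release notes that these two keys now govern both request-side (getHeader/getCookie) and response-side (addHeader) checks. getCookie now uses the header-value limit for cookie values where it previously allowed 1000, which is a behaviour change that deserves a comment saying it is intentional, and the `sc` lookup at line 468 runs before the `c == null` early return, so move it below that line. The rewritten lines also keep `"HTTP cookie value: " + value` and `"HTTP header value: " + value` as the validation context, which copies the raw untrusted value into log and exception text; a fixed context such as `"HTTP cookie value"` avoids that.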
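--- a/src/test/java/org/owasp/esapi/reference/EncoderTest.java
+++ b/src/test/java/org/owasp/esapi/reference/EncoderTest.java
@@ -212,6 +212,8 @@ public void testCanonicalize() throws EncodingException {
 assertEquals( "<", instance.canonicalize("&lT;"));
 assertEquals( "<", instance.canonicalize("&Lt;"));
 assertEquals( "<", instance.canonicalize("&LT;"));
+assertEquals( "&", instance.canonicalize("&amp"));
+assertEquals( "〈", instance.canonicalize("&lang"));
 
 assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") );
 assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript&#x3E;alert%28%22hello&#34%29%3B%3C%2Fscript%3E", false) );
@@ -912,11 +914,28 @@ public void testHtmlEncodeStrSurrogatePair()
 
 public void testHtmlDecodeHexEntititesSurrogatePair()
 {
-HTMLEntityCodec htmlCodec = new HTMLEntityCodec();
+HTMLEntityCodec htmlCodec = new HTMLEntityCodec();
 String expected = new String (new int[]{0x2f804}, 0, 1);
 assertEquals( expected, htmlCodec.decode("&#194564;") );
 assertEquals( expected, htmlCodec.decode("&#x2f804;") );
 }
 
+public void testUnicodeCanonicalize() {
+Encoder e = ESAPI.encoder();
+String input = "测试";
+String expected = "测试";
+String output = e.canonicalize(input);
+assertEquals(expected, output);
+}
+
+public void testUnicodeCanonicalizePercentEncoding() {
+//TODO: We need to find a way to specify the encoding type for percent encoding.
+//I believe by default we're doing Latin-1 and we really should be doing UTF-8
+Encoder e = ESAPI.encoder();
+String input = "%E6%B5%8B%E8%AF%95";
+String expected = "测试";
+String output = e.canonicalize(input);
+assertNotSame(expected, output);
+}
 }
 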
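Review bot: `assertNotSame(expected, output)` at line 938 compares object identity, and `expected` is a fresh literal while `output` is whatever canonicalize() returns, so the assertion passes regardless of content and the test cannot detect the Latin-1-versus-UTF-8 problem its TODO describes. If this class extends junit.framework.TestCase as the `testXxx` naming suggests, write `assertFalse(expected.equals(output));` to pin today's (wrong) behaviour, and flip it to `assertEquals(expected, output)` once UTF-8 percent-decoding lands. A one-line comment above `"&lang"` at line 216, e.g. `// entity without its trailing ';' must still be decoded`, would make explicit which behaviour that new assertion locks in.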
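--- a/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java
+++ b/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java
@@ -45,6 +45,7 @@
 import org.owasp.esapi.http.MockHttpServletResponse;
 import org.owasp.esapi.http.MockHttpSession;
 import org.owasp.esapi.util.FileTestUtils;
+import org.owasp.esapi.util.TestUtils;
 
 import junit.framework.Test;
 import junit.framework.TestCase;
@@ -372,6 +373,27 @@ public void testSetCookie() {
 instance.addCookie( response, new Cookie( "test3", "tes<t3" ) );
 assertTrue(response.getHeaderNames().size() == 2);
 }
+
+/**
+* Test of setCookie method, of class org.owasp.esapi.HTTPUtilities.
+* Validation failures should prevent cookies being added.
+*/
+public void testSetCookieExceedingMaxValueAndName() {
+HTTPUtilities instance = ESAPI.httpUtilities();
+MockHttpServletResponse response = new MockHttpServletResponse();
+assertTrue(response.getHeaderNames().isEmpty());
+//request.addParameter(TestUtils.generateStringOfLength(32), "pass");
+instance.addCookie( response, new Cookie( TestUtils.generateStringOfLength(32), "pass" ) );
+assertTrue(response.getHeaderNames().size() == 1);
+
+instance.addCookie( response, new Cookie( "pass", TestUtils.generateStringOfLength(32) ) );
+assertTrue(response.getHeaderNames().size() == 2);
+instance.addCookie( response, new Cookie( TestUtils.generateStringOfLength(5000), "fail" ) );
+assertTrue(response.getHeaderNames().size() == 2);
+instance.addCookie( response, new Cookie( "fail", TestUtils.generateStringOfLength(5001) ) );
+assertTrue(response.getHeaderNames().size() == 2);
+}
+
 
 /**
 *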
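Review bot: The 32/5000/5001 lengths in testSetCookieExceedingMaxValueAndName are not tied to the limits they exercise, so the test only passes because the ESAPI.properties used in tests happens to sit between those values, and a later configuration change would silently make it meaningless. Derive the boundaries from the configuration, e.g. `int maxValue = ESAPI.securityConfiguration().getIntProp("HttpUtilities.MaxHeaderValueSize");` and then `TestUtils.generateStringOfLength(maxValue)` for the pass case and `maxValue + 1` for the fail case, with the same pattern for the name limit. The Javadoc says "Test of setCookie method" while the body calls addCookie, and the commented-out `request.addParameter(...)` at line 385 is dead code that should be removed. Prefer `assertEquals(2, response.getHeaderNames().size())` over `assertTrue(... == 2)` so a failure reports the actual count.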
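--- a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
+++ b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
@@ -1040,15 +1040,13 @@ public void testHeaderLengthChecks(){
 
 @Test
 public void testGetHeaderNames() {
-//testing Validator.HTTPHeaderName
 MockHttpServletRequest request = new MockHttpServletRequest();
 SecurityWrapperRequest safeRequest = new SecurityWrapperRequest(request);
 request.addHeader("d-49653-p", "pass");
 request.addHeader("<img ", "fail");
 // Note: Max length in ESAPI.properties as per
 // Validator.HTTPHeaderName regex is 256, but upper
 // bound is configurable by the property HttpUtilities.MaxHeaderNameSize
-SecurityConfiguration sc = ESAPI.securityConfiguration();
 request.addHeader(TestUtils.generateStringOfLength(255), "pass");
 request.addHeader(TestUtils.generateStringOfLength(257), "fail");
 assertEquals(2, Collections.list(safeRequest.getHeaderNames()).size());
@@ -1130,5 +1128,13 @@ public void testavaloqLooseSafeString(){
 boolean isValid = v.isValidInput("RegexString", "&quot;test&quot;", "avaloqLooseSafeString", 2147483647, true, true);
 assertFalse(isValid);
 }
+
+@Test
+public void testStandardHeader() {
+Validator v = ESAPI.validator();
+boolean expected = false;
+boolean result = v.isValidInput("HTTPHeaderValue ", "[email protected]", "HTTPHeaderValue", 2147483647, true, true);
+assertEquals(expected, result);
+}
 }
 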
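Review bot: testStandardHeader asserts that the value rendered here as `[email protected]` must fail the HTTPHeaderValue pattern but gives no reason, so the next person who relaxes `Validator.HTTPHeaderValue` has nothing telling them whether the regex or the test is wrong; add a comment naming the character the pattern is expected to reject, e.g. `// HTTPHeaderValue must reject e-mail-like values: '@' is outside its allowed set`, and double-check the literal, since the rendered page may have obscured the real address. `boolean expected = false; ... assertEquals(expected, result);` reads more directly as `assertFalse(result);`, and the context string `"HTTPHeaderValue "` carries a stray trailing space.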
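--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java
@@ -22,12 +22,14 @@
 import org.owasp.esapi.ValidationErrorList;
 import org.owasp.esapi.ValidationRule;
 import org.owasp.esapi.Validator;
+import org.owasp.esapi.errors.IntrusionException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.filters.SecurityWrapperRequest;
 import org.owasp.esapi.reference.validation.HTMLValidationRule;
 
 import org.junit.Test;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.After;
 import org.junit.Rule;
 import org.junit.rules.ExpectedException;
@@ -153,4 +155,46 @@ public void testIsValidSafeHTML() {
 assertTrue(errors.size() == 0);
 
 }
+
+@Test
+public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception {
+Validator instance = ESAPI.validator();
+ValidationErrorList errors = new ValidationErrorList();
+String input = "<style/>b<![cdata[</style><a href=javascript:alert(1)>test";
+assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors));
+String expected = "b&lt;/style&gt;&lt;a href=javascript:alert(1)&gt;test";
+String output = instance.getValidSafeHTML("javascript Link", input, 250, false);
+assertEquals(expected, output);
+assertTrue(errors.size() == 0);
+
+}
+
+@Test
+public void testScriptTagAfterStyleClosing() throws Exception {
+Validator instance = ESAPI.validator();
+ValidationErrorList errors = new ValidationErrorList();
+String input = "<select<style/>W<xmp<script>alert(1)</script>";
+assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors));
+String expected = "W&lt;script&gt;alert(1)&lt;/script&gt;";
+String output = instance.getValidSafeHTML("escaping style tag attack", input, 250, false);
+assertEquals(expected, output);
+assertTrue(errors.size() == 0);
+
+}
+
+@Test
+@Ignore
+public void testNekoDOSWithAnHTMLComment() throws Exception {
+/**
+* FIXME: This unit test needs to pass before the next ESAPI release.
+*/
+Validator instance = ESAPI.validator();
+ValidationErrorList errors = new ValidationErrorList();
+String input = "<!--><?a/";
+assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors));
+String expected = "&#x3C;!--&#x3E;&#x3C;?a/";
+String output = instance.getValidSafeHTML("escaping style tag attack", input, 250, false);
+assertEquals(expected, output);
+assertTrue(errors.size() == 0);
+}
 }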
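Review bot: testNekoDOSWithAnHTMLComment is `@Ignore`d with no reason string, so the FIXME buried in its body ("needs to pass before the next ESAPI release") never shows up in test reports and nothing actually blocks a release; use `@Ignore("FIXME: neko-htmlunit DoS regression on '<!--><?a/' — must pass before next release, see issue #NNN")` and open that tracking issue. Its expected output `&#x3C;!--&#x3E;&#x3C;?a/` uses numeric character references while the two enabled tests expect `&lt;`/`&gt;` for the same sanitizer, which suggests the value was not taken from real output and should be confirmed when the test is switched on. All three new tests reuse the context string `"test7"` and two reuse the label `"escaping style tag attack"` for unrelated inputs; give each its own so a failure is attributable. The added `import org.owasp.esapi.errors.IntrusionException;` is unused as far as this diff shows.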
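--- a/suppressions.xml
+++ b/suppressions.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- OWASP Dependency Check suppression file for ESAPI. -->
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 <suppress>
 <notes><![CDATA[
 This suppresses CVE-2019-17571 for the log4j-1.2.17.jar dependency. ESAPI does
@@ -36,22 +36,29 @@
 <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
 <cpe>cpe:/a:apache:log4j</cpe>
 <cve>CVE-2020-9488</cve>
-</suppress>
+</suppress>
 <suppress>
-<notes><![CDATA[
-This suppresses CVE-2021-4104 for the log4j-1.2.17.jar dependency. ESAPI does
-not use it in a manner that makes it exploitable and ESAPI is unable to
-eliminate the dependency completely because our our deprecation policy. That specific
-CVE is related to Log4J 1's JMSAppender class which ESAPI doesn't use.
+<notes><![CDATA[file name: log4j-1.2.17.jar]]></notes>
+<packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
+<vulnerabilityName>CVE-2021-4104</vulnerabilityName>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: neko-htmlunit-2.24.jar
 
-For further details, please see:
-https://access.redhat.com/security/cve/CVE-2021-4104,
-See the ESAPI security advisory #6, "documentation/ESAPI-security-bulletin6.pdf", which
-provides a detailed analysis of this issue in ESAPI.
+CVE-2020-5529 is for net.sourceforge.htmlunit:htmlunit, not net.sourceforge.htmlunit:neko-htmlunit.
+As such, this is a false positive.
 ]]></notes>
-<gav regex="true">^log4j:log4j:1\.2\.17$</gav>
-<cpe>cpe:/a:apache:log4j</cpe>
-<cve>CVE-2021-4104</cve>
+<packageUrl regex="true">^pkg:maven/net\.sourceforge\.htmlunit/neko\-htmlunit@.*$</packageUrl>
+<cve>CVE-2020-5529</cve>
 </suppress>
+<suppress>
+<notes><![CDATA[
+file name: commons-io-2.6.jar
 
-</suppressions>
+TODO:FIXME: Not sure if you want this suppressed or not, but suppressing for now so mvn site can finish successfully.
+]]></notes>
+<packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
+<cve>CVE-2021-29425</cve>
+</suppress>
+</suppressions>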
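Review bot: The rewritten CVE-2021-4104 entry (new lines 41–44) drops the justification the old entry carried — that the CVE concerns log4j 1's JMSAppender, which ESAPI does not use, plus the pointer to ESAPI security bulletin 6 — and replaces the `<gav>` pinned to `1\.2\.17` with `^pkg:maven/log4j/log4j@.*$`, so the suppression now covers any log4j version with a notes field of just "file name: log4j-1.2.17.jar"; given the commit message says this file was merged by hand, that reads as a lost-in-merge rather than an intentional change, so restore the notes text and pin the version, e.g. `<packageUrl regex="true">^pkg:maven/log4j/log4j@1\.2\.17$</packageUrl>`. The new commons-io CVE-2021-29425 entry is self-described as "Not sure if you want this suppressed or not" and is likewise unpinned, which silences dependency-check for that CVE on every future commons-io version; either record an analysis of why ESAPI's use of commons-io 2.6 is unaffected, or upgrade the dependency and delete the entry, and in the meantime give it an expiry so it cannot linger, e.g. `<suppress until="2022-12-31Z">`. The neko-htmlunit entry's note is an adequate false-positive rationale; it would also benefit from a version pin rather than `@.*$`.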