Merge branch 'develop' into java-8

Manual merge of supressions.xml and pom.xml

Author: jeremiahjstacey

README.md

@@ -39,10 +39,10 @@ Note however that work on ESAPI 3 has not yet become in earnest and is only in i
 # ESAPI release notes
 The ESAPI release notes may be found in ESAPI's "documentation" directory. They are generally named "esapi4java-core-*2.#.#.#*-release-notes.txt", where "*2.#.#.#*" refers to the ESAPI release number (which uses semantic versioning).
 ## IMPORTANT
-Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and does XML schema validation on the AntiSamy policy files. Please **READ** the release notes for the 2.2.3.0 release (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!
+Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and does XML schema validation on the AntiSamy policy files. Please **READ** the [release notes for the 2.2.3.0 release](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt) (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!
 
 # Locating ESAPI Jar files
-The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.1. The default configuration jar and its GPG signature can be found at [esapi-2.2.3.1-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar) and [esapi-2.2.3.1-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.0-configuration.jar.asc) respectively.
+The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.1. The default configuration jar and its GPG signature can be found at [esapi-2.2.3.1-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar) and [esapi-2.2.3.1-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar.asc) respectively.
 
 The latest *regular* ESAPI jars can are available from Maven Central.
 

pom.xml

@@ -132,9 +132,10 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-	<version.jmh>1.35</version.jmh>
+	    <version.jmh>1.35</version.jmh>
         <version.powermock>2.0.9</version.powermock>
         <version.spotbugs>4.6.0</version.spotbugs>
+        <version.findsecbugs>1.12.0</version.findsecbugs>
         <version.spotbugs.maven>4.6.0.0</version.spotbugs.maven>
         <version.surefire>3.0.0-M5</version.surefire>
         <project.java.target>1.8</project.java.target>
@@ -203,9 +204,9 @@
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
                 </exclusion>
-                 <exclusion>
-                <groupId>xml-apis</groupId>
-                <artifactId>xml-apis</artifactId>
+                <exclusion>
+                    <groupId>xml-apis</groupId>
+                    <artifactId>xml-apis</artifactId>
                 </exclusion>
             </exclusions>
         </dependency>
@@ -273,7 +274,6 @@
             <version>2.11.0</version>
         </dependency>
 
-
         <!-- SpotBugs dependencies -->
         <dependency>
             <groupId>com.github.spotbugs</groupId>
@@ -442,6 +442,12 @@
                 </dependencies>
             </plugin>
 
+            <plugin>
+                <groupId>com.h3xstream.findsecbugs</groupId>
+                <artifactId>findsecbugs-plugin</artifactId>
+                <version>${version.findsecbugs}</version>
+            </plugin>
+
             <plugin>
                 <groupId>net.sourceforge.maven-taglib</groupId>
                 <artifactId>maven-taglib-plugin</artifactId>
@@ -457,7 +463,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-clean-plugin</artifactId>
-                <version>3.1.0</version>
+                <version>3.2.0</version>
             </plugin>
 
             <plugin>
@@ -704,9 +710,9 @@
             </plugin>
 
             <plugin>
-                <groupId>org.codehaus.mojo</groupId>
+                <groupId>io.github.jiangxincode</groupId>
                 <artifactId>jdepend-maven-plugin</artifactId>
-                <version>2.0</version>
+                <version>2.1</version>
             </plugin>
             <plugin>
                 <groupId>org.eluder.coveralls</groupId>
@@ -783,6 +789,7 @@
                <reportSets>
                  <reportSet>
                    <reports>
+                     <report>index</report>
                      <report>dependency-convergence</report>
                    </reports>
                  </reportSet>
@@ -803,7 +810,7 @@
             <plugin>
                 <!--  Using this introduces these errors: Skipped "JDepend" report (jdepend-maven-plugin:2.0:generate), file "jdepend-report.html" already exists.
                       but don't know how to eliminate them, without disabling this plugin. -->
-                <groupId>org.codehaus.mojo</groupId>
+                <groupId>io.github.jiangxincode</groupId>
                 <artifactId>jdepend-maven-plugin</artifactId>
             </plugin>
             <!-- Check for available updates to dependencies and report on them. -->
@@ -845,7 +852,6 @@
 
                     <plugin>
                         <artifactId>maven-jar-plugin</artifactId>
-
 <!--
                         <executions>
                             <execution>
@@ -859,7 +865,7 @@
                         <configuration>
 <!--
                             <keystore>codesign.keystore</keystore>
-                            <alias>owasp foundation, inc.'s godaddy.com, inc. id</alias>
+                            <alias>OWASP Foundation, Inc.'s GoDaddy.com ID</alias>
                             <verify>true</verify>
 -->
                             <archive>
@@ -902,7 +908,6 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-release-plugin</artifactId>
-                        <version>2.5.3</version>
                         <configuration>
                             <tagBase>https://github.com/ESAPI/esapi-java-legacy/tags</tagBase>
                         </configuration>

src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java

@@ -114,7 +114,8 @@ protected User getUserFromSession() {
      */
     protected DefaultUser getUserFromRememberToken() {
         try {
-            String token = ESAPI.httpUtilities().getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
+        	HTTPUtilities utils =ESAPI.httpUtilities();
+            String token = utils.getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
             if (token == null) return null;
 
             // See Google Issue 144 regarding first URLDecode the token and THEN unsealing.

src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java

@@ -235,11 +235,12 @@ public void addHeader(String name, String value) {
 	 * {@inheritDoc}
      */
     public void addHeader(HttpServletResponse response, String name, String value) {
+    	SecurityConfiguration sc = ESAPI.securityConfiguration();
         try {
             String strippedName = StringUtilities.replaceLinearWhiteSpace(name);
             String strippedValue = StringUtilities.replaceLinearWhiteSpace(value);
-            String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);
-            String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", 500, false);
+            String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false);
+            String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
             response.addHeader(safeName, safeValue);
         } catch (ValidationException e) {
             logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
@@ -464,9 +465,10 @@ public void encryptStateInCookie( Map<String,String> cleartext ) throws Encrypti
 	 */
 	public String getCookie( HttpServletRequest request, String name ) throws ValidationException {
         Cookie c = getFirstCookie( request, name );
+        SecurityConfiguration sc = ESAPI.securityConfiguration();
         if ( c == null ) return null;
 		String value = c.getValue();
-		return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", 1000, false);
+		return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
 	}
 
 	/**
@@ -657,8 +659,9 @@ private Cookie getFirstCookie(HttpServletRequest request, String name) {
 	 * {@inheritDoc}
 	 */
 	public String getHeader( HttpServletRequest request, String name ) throws ValidationException {
+		SecurityConfiguration sc = ESAPI.securityConfiguration();
         String value = request.getHeader(name);
-        return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", 150, false);
+        return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
 	}
 
 

src/test/java/org/owasp/esapi/reference/EncoderTest.java

@@ -212,6 +212,8 @@ public void testCanonicalize() throws EncodingException {
         assertEquals( "<", instance.canonicalize("&lT;"));
         assertEquals( "<", instance.canonicalize("&Lt;"));
         assertEquals( "<", instance.canonicalize("&LT;"));
+        assertEquals( "&", instance.canonicalize("&amp"));
+        assertEquals( "〈", instance.canonicalize("&lang"));
 
         assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") );
         assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript&#x3E;alert%28%22hello&#34%29%3B%3C%2Fscript%3E", false) );
@@ -912,11 +914,28 @@ public void testHtmlEncodeStrSurrogatePair()
 
     public void testHtmlDecodeHexEntititesSurrogatePair()
     {
-    	HTMLEntityCodec htmlCodec = new HTMLEntityCodec();
+        HTMLEntityCodec htmlCodec = new HTMLEntityCodec();
         String expected = new String (new int[]{0x2f804}, 0, 1);
         assertEquals( expected, htmlCodec.decode("&#194564;") );
         assertEquals( expected, htmlCodec.decode("&#x2f804;") );
     }
 
+    public void testUnicodeCanonicalize() {
+        Encoder e = ESAPI.encoder();
+        String input = "测试";
+        String expected = "测试";
+        String output = e.canonicalize(input);
+        assertEquals(expected, output);
+    }
+    
+    public void testUnicodeCanonicalizePercentEncoding() {
+        //TODO:  We need to find a way to specify the encoding type for percent encoding.  
+        //I believe by default we're doing Latin-1 and we really should be doing UTF-8
+        Encoder e = ESAPI.encoder();
+        String input = "%E6%B5%8B%E8%AF%95";
+        String expected = "测试";
+        String output = e.canonicalize(input);
+        assertNotSame(expected, output);
+    }
 }
 

src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java

@@ -45,6 +45,7 @@
 import org.owasp.esapi.http.MockHttpServletResponse;
 import org.owasp.esapi.http.MockHttpSession;
 import org.owasp.esapi.util.FileTestUtils;
+import org.owasp.esapi.util.TestUtils;
 
 import junit.framework.Test;
 import junit.framework.TestCase;
@@ -372,6 +373,27 @@ public void testSetCookie() {
 		instance.addCookie( response, new Cookie( "test3", "tes<t3" ) );
 		assertTrue(response.getHeaderNames().size() == 2);
 	}
+	
+	/**
+	 * Test of setCookie method, of class org.owasp.esapi.HTTPUtilities.
+	 * Validation failures should prevent cookies being added.  
+	 */
+	public void testSetCookieExceedingMaxValueAndName() {
+		HTTPUtilities instance = ESAPI.httpUtilities(); 
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		assertTrue(response.getHeaderNames().isEmpty());
+		//request.addParameter(TestUtils.generateStringOfLength(32), "pass");
+		instance.addCookie( response, new Cookie( TestUtils.generateStringOfLength(32), "pass" ) );
+		assertTrue(response.getHeaderNames().size() == 1);
+
+		instance.addCookie( response, new Cookie( "pass", TestUtils.generateStringOfLength(32) ) );
+		assertTrue(response.getHeaderNames().size() == 2);
+		instance.addCookie( response, new Cookie( TestUtils.generateStringOfLength(5000), "fail" ) );
+		assertTrue(response.getHeaderNames().size() == 2);
+		instance.addCookie( response, new Cookie( "fail", TestUtils.generateStringOfLength(5001) ) );
+		assertTrue(response.getHeaderNames().size() == 2);
+	}
+
 
 	/**
 	 *

src/test/java/org/owasp/esapi/reference/ValidatorTest.java

@@ -1040,15 +1040,13 @@ public void testHeaderLengthChecks(){
 
     @Test
     public void testGetHeaderNames() {
-//testing Validator.HTTPHeaderName
         MockHttpServletRequest request = new MockHttpServletRequest();
         SecurityWrapperRequest safeRequest = new SecurityWrapperRequest(request);
         request.addHeader("d-49653-p", "pass");
         request.addHeader("<img ", "fail");
             // Note: Max length in ESAPI.properties as per
             // Validator.HTTPHeaderName regex is 256, but upper
             // bound is configurable by the property HttpUtilities.MaxHeaderNameSize
-        SecurityConfiguration sc = ESAPI.securityConfiguration();
         request.addHeader(TestUtils.generateStringOfLength(255), "pass");
         request.addHeader(TestUtils.generateStringOfLength(257), "fail");
         assertEquals(2, Collections.list(safeRequest.getHeaderNames()).size());
@@ -1130,5 +1128,13 @@ public void testavaloqLooseSafeString(){
     	boolean isValid = v.isValidInput("RegexString", "&quot;test&quot;", "avaloqLooseSafeString", 2147483647, true, true);
     	assertFalse(isValid);
     }
+    
+    @Test
+    public void testStandardHeader() {
+    	Validator v = ESAPI.validator();
+    	boolean expected = false;
+    	boolean result = v.isValidInput("HTTPHeaderValue ", "[email protected]", "HTTPHeaderValue", 2147483647, true, true);
+    	assertEquals(expected, result);
+    }
 }
 

src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java

@@ -22,12 +22,14 @@
 import org.owasp.esapi.ValidationErrorList;
 import org.owasp.esapi.ValidationRule;
 import org.owasp.esapi.Validator;
+import org.owasp.esapi.errors.IntrusionException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.filters.SecurityWrapperRequest;
 import org.owasp.esapi.reference.validation.HTMLValidationRule;
 
 import org.junit.Test;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.After;
 import org.junit.Rule;
 import org.junit.rules.ExpectedException;
@@ -153,4 +155,46 @@ public void testIsValidSafeHTML() {
         assertTrue(errors.size() == 0);
 
     }
+    
+    @Test
+    public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception {
+        Validator instance = ESAPI.validator();
+        ValidationErrorList errors = new ValidationErrorList();
+        String input = "<style/>b<![cdata[</style><a href=javascript:alert(1)>test";
+		assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors));
+		String expected = "b&lt;/style&gt;&lt;a href=javascript:alert(1)&gt;test";
+		String output = instance.getValidSafeHTML("javascript Link", input, 250, false);
+		assertEquals(expected, output);
+		assertTrue(errors.size() == 0);
+
+    }
+    
+    @Test
+    public void testScriptTagAfterStyleClosing() throws Exception {
+        Validator instance = ESAPI.validator();
+        ValidationErrorList errors = new ValidationErrorList();
+        String input = "<select<style/>W<xmp<script>alert(1)</script>";
+		assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors));
+		String expected = "W&lt;script&gt;alert(1)&lt;/script&gt;";
+		String output = instance.getValidSafeHTML("escaping style tag attack", input, 250, false);
+		assertEquals(expected, output);
+		assertTrue(errors.size() == 0);
+
+    }
+    
+    @Test
+    @Ignore
+    public void testNekoDOSWithAnHTMLComment() throws Exception {
+    	/**
+    	 * FIXME:  This unit test needs to pass before the next ESAPI release.
+    	 */
+        Validator instance = ESAPI.validator();
+        ValidationErrorList errors = new ValidationErrorList();
+        String input = "<!--><?a/";
+		assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors));
+		String expected = "&#x3C;!--&#x3E;&#x3C;?a/";
+		String output = instance.getValidSafeHTML("escaping style tag attack", input, 250, false);
+		assertEquals(expected, output);
+		assertTrue(errors.size() == 0);
+    }
 }

suppressions.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- OWASP Dependency Check suppression file for ESAPI. -->
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <notes><![CDATA[
             This suppresses CVE-2019-17571 for the log4j-1.2.17.jar dependency. ESAPI does
@@ -36,22 +36,29 @@
         <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
         <cpe>cpe:/a:apache:log4j</cpe>
         <cve>CVE-2020-9488</cve>
-</suppress>
+    </suppress>
     <suppress>
-        <notes><![CDATA[
-            This suppresses CVE-2021-4104 for the log4j-1.2.17.jar dependency. ESAPI does
-            not use it in a manner that makes it exploitable and ESAPI is unable to
-            eliminate the dependency completely because our our deprecation policy. That specific
-            CVE is related to Log4J 1's JMSAppender class which ESAPI doesn't use.
+       <notes><![CDATA[file name: log4j-1.2.17.jar]]></notes>
+       <packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
+       <vulnerabilityName>CVE-2021-4104</vulnerabilityName>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+           file name: neko-htmlunit-2.24.jar
 
-            For further details, please see:
-		https://access.redhat.com/security/cve/CVE-2021-4104,
-		See the ESAPI security advisory #6, "documentation/ESAPI-security-bulletin6.pdf", which
-		provides a detailed analysis of this issue in ESAPI.
+           CVE-2020-5529 is for net.sourceforge.htmlunit:htmlunit, not net.sourceforge.htmlunit:neko-htmlunit.
+           As such, this is a false positive.
         ]]></notes>
-        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
-        <cpe>cpe:/a:apache:log4j</cpe>
-	<cve>CVE-2021-4104</cve>
+       <packageUrl regex="true">^pkg:maven/net\.sourceforge\.htmlunit/neko\-htmlunit@.*$</packageUrl>
+       <cve>CVE-2020-5529</cve>
     </suppress>
+    <suppress>
+       <notes><![CDATA[
+           file name: commons-io-2.6.jar
 
-    </suppressions>
+           TODO:FIXME: Not sure if you want this suppressed or not, but suppressing for now so mvn site can finish successfully.
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
+       <cve>CVE-2021-29425</cve>
+    </suppress>
+</suppressions>