diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml index 723666891..b263fddf9 100644 --- a/.github/workflows/superlinter.yml +++ b/.github/workflows/superlinter.yml @@ -19,7 +19,7 @@ jobs: # Runs the Super-Linter action and ignore errors - name: Run Super-Linter - uses: github/super-linter@v3 + uses: github/super-linter@v4 env: DEFAULT_BRANCH: develop DISABLE_ERRORS: true diff --git a/.snyk b/.snyk new file mode 100644 index 000000000..3d8444e95 --- /dev/null +++ b/.snyk @@ -0,0 +1,7 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.14.0 +ignore: + SNYK-JAVA-COMMONSIO-1277109: + - commons-io:commons-io: + reason: ESAPI cannot upgrade past the current commons-io version and still maintain Java 7 compatibility + expires: '2025-12-30T00:00:00.000Z' diff --git a/README.md b/README.md index 338e697a0..71515ff56 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Enterprise Security API for Java (Legacy) [![Build Status](https://travis-ci.org/bkimminich/esapi-java-legacy.svg?branch=master)](https://travis-ci.org/bkimminich/esapi-java-legacy) [![Coverage Status](https://coveralls.io/repos/github/bkimminich/esapi-java-legacy/badge.svg?branch=develop)](https://coveralls.io/github/bkimminich/esapi-java-legacy?branch=develop) [![Coverity Status](https://scan.coverity.com/projects/8517/badge.svg)](https://scan.coverity.com/projects/bkimminich-esapi-java-legacy) -[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/137/badge)](https://bestpractices.coreinfrastructure.org/projects/137) +[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/137/badge)](https://bestpractices.coreinfrastructure.org/projects/137) @@ -14,6 +14,11 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
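Review bot: The new `.snyk` ignore for SNYK-JAVA-COMMONSIO-1277109 expires on 2025-12-30, roughly three and a half years out, while the stated reason (staying on the last commons-io that still builds on Java 7) is a constraint the release notes in this same commit say will be dropped in the very next release. A long-lived ignore silently suppresses any later finding against that advisory after the constraint is gone, so I'd shorten it to the expected 2.4.0.0 window, e.g. `expires: '2023-06-30T00:00:00.000Z'`, and add `# revisit once the Java 8 baseline lands; do not blindly renew` so it gets reviewed rather than extended. The reason line would also carry more weight if it said whether ESAPI calls the affected commons-io API at all, since that is what decides whether this is a risk acceptance or a genuine false positive, and that distinction is not recorded anywhere in the file.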
+# A word about ESAPI and Log4J vulnerabilities +This is way too detailed to litter the README file with, but several of you have +been asking about this, so I wrote up something on it and posted it to the ESAPI +Users Google group. You can find it at [A word about Log4J vulnerabilities in ESAPI - the TL;DR version](https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU). + # Where is the OWASP ESAPI wiki page? You can find the OWASP ESAPI wiki pages at [https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/). The ESAPI legacy GitHub repo also has a few useful wiki pages. 
@@ -34,10 +39,10 @@ Note however that work on ESAPI 3 has not yet become in earnest and is only in i # ESAPI release notes The ESAPI release notes may be found in ESAPI's "documentation" directory. They are generally named "esapi4java-core-*2.#.#.#*-release-notes.txt", where "*2.#.#.#*" refers to the ESAPI release number (which uses semantic versioning). ## IMPORTANT -Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and does XML schema validation on the AntiSamy policy files. Please **READ** the release notes for the 2.2.3.0 release (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!! +Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and does XML schema validation on the AntiSamy policy files. Please **READ** the [release notes for the 2.2.3.0 release](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt) (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!! # Locating ESAPI Jar files -The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.0. The default configuration jar and its GPG signature can be found at [esapi-2.2.3.0-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.0/esapi-2.2.3.0-configuration.jar) and [esapi-2.2.3.0-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.0/esapi-2.2.3.0-configuration.jar.asc) respectively. +The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.1. 
The default configuration jar and its GPG signature can be found at [esapi-2.2.3.1-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar) and [esapi-2.2.3.1-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar.asc) respectively. The latest *regular* ESAPI jars can are available from Maven Central. diff --git a/SECURITY.md b/SECURITY.md index f23c9566e..afed85464 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,8 +4,8 @@ | Version | Supported | | ------- | ------------------ | -| 2.2.0.0 | :white_check_mark: | -| 2.1.0.1 | :x:, upgrade to 2.2.0.0| +| 2.2.3.1 (latest) | :white_check_mark: | +| 2.1.0.1-2.2.3.0 | :x:, upgrade to latest release | | <= 1.4.x | :x:, no longer supported AT ALL | ## Reporting a Vulnerability diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties index 828144b45..bbb7531cd 100644 --- a/configuration/esapi/ESAPI.properties +++ b/configuration/esapi/ESAPI.properties @@ -194,9 +194,6 @@ Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC # Additional cipher modes allowed for ESAPI 2.0 encryption. These # cipher modes are in _addition_ to those specified by the property # 'Encryptor.cipher_modes.combined_modes'. -# Note: We will add support for streaming modes like CFB & OFB once -# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' -# (probably in ESAPI 2.1). # DISCUSS: Better name? Encryptor.cipher_modes.additional_allowed=CBC 
@@ -223,37 +220,27 @@ Encryptor.EncryptionKeyLength=128 Encryptor.MinEncryptionKeyLength=128 # Because 2.x uses CBC mode by default, it requires an initialization vector (IV). -# (All cipher modes except ECB require an IV.) There are two choices: we can either -# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While -# the IV does not need to be hidden from adversaries, it is important that the -# adversary not be allowed to choose it. Also, random IVs are generally much more -# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes -# such as CFB and OFB use a different IV for each encryption with a given key so -# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random -# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and -# uncomment the Encryptor.fixedIV. -# -# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.3 -# 'fixed' is deprecated as of 2.2 -# and will be removed in 2.3. +# (All cipher modes except ECB require an IV.) Previously there were two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. The +# former was deprecated in ESAPI 2.2 and removed in ESAPI 2.3. It was not secure +# because the Encryptor (as are all the other major ESAPI components) is a +# singleton and thus the same IV would get reused each time. It was not a +# well-thought out plan. (To do it correctly means we need to add a setIV() method +# and get rid of the Encryptor singleton, thus it will not happen until 3.0.) +# However, while the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Thus for now, ESAPI just chooses a random IV. +# Originally there was plans to allow a developer to provide a class and method +# name to define a custom static method to generate an IV, but that is just +# trouble waiting to happen. 
Thus in effect, the ONLY acceptable property value +# for this property is "random". In the not too distant future (possibly the +# next release), I will be removing it, but for now I am leaving this and +# checking for it so a ConfigurationException can be thrown if anyone using +# ESAPI ignored the deprecation warning message and still has it set to "fixed". +# +# Valid values: random Encryptor.ChooseIVMethod=random -# If you choose to use a fixed IV, then you must place a fixed IV here that -# is known to all others who are sharing your secret key. The format should -# be a hex string that is the same length as the cipher block size for the -# cipher algorithm that you are using. The following is an *example* for AES -# from an AES test vector for AES-128/CBC as described in: -# NIST Special Publication 800-38A (2001 Edition) -# "Recommendation for Block Cipher Modes of Operation". -# (Note that the block size for AES is 16 bytes == 128 bits.) -# -# @Deprecated -- fixed IVs are deprecated as of the 2.2 release and support -# will be removed in the next release (tentatively, 2.3). -# If you MUST use this, at least replace this IV with one -# that your legacy application was using. -Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f - # Whether or not CipherText should use a message authentication code (MAC) with it. # This prevents an adversary from altering the IV as well as allowing a more # fool-proof way of determining the decryption failed because of an incorrect @@ -469,7 +456,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ # Note that headerName and Value length is also configured in the HTTPUtilities section Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ 
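Review bot: The rewritten comment on Encryptor.ChooseIVMethod gives the Encryptor singleton as the reason 'fixed' was insecure, but that is not the core problem: a fixed IV under CBC makes encryption deterministic, so identical plaintexts (and identical leading blocks) produce identical ciphertexts and an observer learns which messages repeat, no matter how many Encryptor instances exist. I'd replace that sentence with `# A fixed IV is insecure in CBC mode because it makes encryption deterministic: identical plaintexts (or identical leading blocks) encrypt to identical ciphertexts, which leaks information to anyone who can see the ciphertext.` The first-person remarks about removing the property later and the note that it is "checked" so a ConfigurationException can be thrown describe behaviour that lives in the Java Encryptor rather than in this file; stating it plainly as `# Any value other than "random" causes ESAPI to throw a ConfigurationException when the Encryptor is initialised.` keeps the property file accurate without promising a future change it cannot enforce.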
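Review bot: The new `{0,1024}` quantifier on Validator.HTTPCookieValue bounds one cookie value in isolation, not the size of a cookie or of the Cookie header as a whole, and the issue it appears to address (163, "Limit max size of entire cookies" in the release notes) asks for the latter; name, value and attributes together can still exceed 1024 under this rule alone. Since the existing comment says header name and value length are also configured in the HTTPUtilities section, it is worth confirming that limit is not smaller than 1024 plus the 32-character cookie-name bound, otherwise legitimate cookies would fail header validation before this rule is ever consulted. I'd add a comment above the rule, `# Max length here is per cookie value; the overall cookie/header size is bounded in the HTTPUtilities section`, so the two limits are maintained together. Note also that Validator.HTTPHeaderValue on the next context line remains unbounded (`*`), which may be intentional given the separate length setting but deserves a word in the same comment.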
diff --git a/configuration/esapi/antisamy-esapi.xml b/configuration/esapi/antisamy-esapi.xml index c45fee06e..b6edfb3cd 100644 --- a/configuration/esapi/antisamy-esapi.xml +++ b/configuration/esapi/antisamy-esapi.xml @@ -31,9 +31,9 @@ Slashdot allowed tags taken from "Reply" page: space characters. --> - - - + + + diff --git a/documentation/ESAPI-release-steps.odt b/documentation/ESAPI-release-steps.odt index 0e55259ae..b076b2152 100644 Binary files a/documentation/ESAPI-release-steps.odt and b/documentation/ESAPI-release-steps.odt differ diff --git a/documentation/ESAPI-release-steps.pdf b/documentation/ESAPI-release-steps.pdf index 1b2a03d06..04a9c1027 100644 Binary files a/documentation/ESAPI-release-steps.pdf and b/documentation/ESAPI-release-steps.pdf differ diff --git a/documentation/ESAPI-security-bulletin5.odt b/documentation/ESAPI-security-bulletin5.odt new file mode 100644 index 000000000..9edbd72d1 Binary files /dev/null and b/documentation/ESAPI-security-bulletin5.odt differ diff --git a/documentation/ESAPI-security-bulletin5.pdf b/documentation/ESAPI-security-bulletin5.pdf new file mode 100644 index 000000000..b3a215f05 Binary files /dev/null and b/documentation/ESAPI-security-bulletin5.pdf differ diff --git a/documentation/ESAPI-security-bulletin6.odt b/documentation/ESAPI-security-bulletin6.odt new file mode 100644 index 000000000..d49bdce4d Binary files /dev/null and b/documentation/ESAPI-security-bulletin6.odt differ diff --git a/documentation/ESAPI-security-bulletin6.pdf b/documentation/ESAPI-security-bulletin6.pdf new file mode 100644 index 000000000..1655acbb6 Binary files /dev/null and b/documentation/ESAPI-security-bulletin6.pdf differ diff --git a/documentation/ESAPI-security-bulletin7.odt b/documentation/ESAPI-security-bulletin7.odt new file mode 100644 index 000000000..433ac5177 Binary files /dev/null and b/documentation/ESAPI-security-bulletin7.odt differ 
diff --git a/documentation/ESAPI-security-bulletin7.pdf b/documentation/ESAPI-security-bulletin7.pdf new file mode 100644 index 000000000..2ca233e3f Binary files /dev/null and b/documentation/ESAPI-security-bulletin7.pdf differ diff --git a/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md b/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md new file mode 100644 index 000000000..bc4956ab0 --- /dev/null +++ b/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md 
@@ -0,0 +1,108 @@ +# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2022-008` + +The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [The OWASP Enterprise Security API](https://github.com/ESAPI/esapi-java-legacy). + +We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team. + +If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2022-008` as a reference). + +If you are _NOT_ the correct point of contact for this report, please let us know! + +## Summary + +`getValidDirectoryPath` incorrectly treats sibling of a root directory as a child. + +## Product + +The OWASP Enterprise Security API + +## Tested Version + +v2.2.3.1 (The latest version of ["Legacy" 2.x branch](https://github.com/ESAPI/esapi-java-legacy#what-does-legacy-mean) as [ESAPI 3.x](https://github.com/ESAPI/esapi-java) is in early development and has no releases yet.) + +## Details + +### Issue: `getValidDirectoryPath` bypass (`GHSL-2022-008`) + +`parent` [1] - the third parameter in [`getValidDirectoryPath`](https://github.com/ESAPI/esapi-java-legacy/blob/07dd60a8cc9edf0c872d68ae8ae84c70f008d3d8/src/main/java/org/owasp/esapi/reference/DefaultValidator.java#L447-L483) is used to validate that the `input` [2] path is "inside specified parent" directory [3]. 
+ +```java +public String getValidDirectoryPath(String context, String input /* [2] */, File parent /* [1] */, boolean allowNull) throws ValidationException, IntrusionException { + try { + if (isEmpty(input)) { + if (allowNull) return null; + throw new ValidationException( context + ": Input directory path required", "Input directory path required: context=" + context + ", input=" + input, context ); + } + + File dir = new File( input ); + + // check dir exists and parent exists and dir is inside parent + if ( !dir.exists() ) { + throw new ValidationException( context + ": Invalid directory name", "Invalid directory, does not exist: context=" + context + ", input=" + input ); + } + if ( !dir.isDirectory() ) { + throw new ValidationException( context + ": Invalid directory name", "Invalid directory, not a directory: context=" + context + ", input=" + input ); + } + if ( !parent.exists() ) { + throw new ValidationException( context + ": Invalid directory name", "Invalid directory, specified parent does not exist: context=" + context + ", input=" + input + ", parent=" + parent ); + } + if ( !parent.isDirectory() ) { + throw new ValidationException( context + ": Invalid directory name", "Invalid directory, specified parent is not a directory: context=" + context + ", input=" + input + ", parent=" + parent ); + } + if ( !dir.getCanonicalPath().startsWith(parent.getCanonicalPath() ) ) { // <---------- [3] + throw new ValidationException( context + ": Invalid directory name", "Invalid directory, not inside specified parent: context=" + context + ", input=" + input + ", parent=" + parent ); + } + + // check canonical form matches input + String canonicalPath = dir.getCanonicalPath(); + String canonical = fileValidator.getValidInput( context, canonicalPath, "DirectoryName", 255, false); + if ( !canonical.equals( input ) ) { + throw new ValidationException( context + ": Invalid directory name", "Invalid directory name does not match the canonical path: context=" + context + 
", input=" + input + ", canonical=" + canonical, context ); + } + return canonical; + } catch (Exception e) { + throw new ValidationException( context + ": Invalid directory name", "Failure to validate directory path: context=" + context + ", input=" + input, e, context ); + } +} +``` + +If the result of `parent.getCanonicalPath()` is not slash terminated it allows for partial path traversal. + +Consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although `outnot` is not under the `out` directory. +The terminating slash may be removed in various places. On Linux `println(new File("/var/"))` returns `/var`, but `println(new File("/var", "/"))` - `/var/`, however `println(new File("/var", "/").getCanonicalPath())` - `/var`. + +PoC (based on a unittest): +```java +Validator instance = ESAPI.validator(); +ValidationErrorList errors = new ValidationErrorList(); +assertTrue(instance.isValidDirectoryPath("poc", "/tmp/test2", new File("/tmp/test/"), false, errors)); +assertEquals(0, errors.size()); +``` + +#### Impact + +This issue allows to break out of expected directory. + +#### Remediation + +Consider using `getCanonicalFile().toPath().startsWith` to compare `Path`: + +```java +if ( !dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath() ) ) +``` + +## GitHub Security Advisories + +We recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory). + +## Credit + +This issue was discovered and reported by GHSL team member [@JarLob (Jaroslav Lobačevski)](https://github.com/JarLob). 
+ +## Contact + +You can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2022-008` in any communication regarding this issue. + +## Disclosure Policy + +This report is subject to our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy). diff --git a/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.pdf b/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.pdf new file mode 100644 index 000000000..c77efef05 Binary files /dev/null and b/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.pdf differ diff --git a/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html b/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html index b0c8bf945..d0ecfb2f9 100644 --- a/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html +++ b/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html @@ -149,8 +149,9 @@

ESAPI.properties Properties Relevant to Symmetric Encryption

compatibility with legacy or third party software. If set to “fixed”, then the property Encryptor.fixedIV must also be set to hex-encoded specific IV that you need to use. - NOTE: "fixed" is deprecated and will be removed by - release 2.3. + NOTE: "fixed" had been deprecated since 2.2.0.0 and finally + was removed for release 2.3.0.0. Using it in versions 2.3.0.0 or + later will result in a ConfigurationException being thrown.

CAUTION: While it is not required that the IV be kept secret, encryption relying on fixed IVs can lead to a known diff --git a/documentation/esapi4java-core-2.3.0.0-release-notes.txt b/documentation/esapi4java-core-2.3.0.0-release-notes.txt new file mode 100644 index 000000000..5d2a5b4d6 --- /dev/null +++ b/documentation/esapi4java-core-2.3.0.0-release-notes.txt 
@@ -0,0 +1,210 @@ +Release notes for ESAPI 2.3.0.0 + Release date: 2022-04-17 + Project leaders: + -Kevin W. Wall + -Matt Seil + +Previous release: ESAPI 2.2.3.1, 2021-05-07 + +Important Announcement +---------------------- +Do NOT: Do NOT use GitHub Issues to ask questions about this of future releases. That is what the ESAPI Google groups are for. (See our GitHub README.md for further details.) If you can't do the ESAPI Google groups, then drop and email to either one or both of the project leaders (email addresses provided above). We will NOT respond to questions posted in GitHub Issues. + + +Executive Summary: Important Things to Note for this Release +------------------------------------------------------------ +This is a very important ESAPI release, as it remediates several potentially exploitable vulnerabilities. Part of the remediation may include reviewing and updating your antisamy-esapi.xml configuration file, so be sure to read through ALL the details thoroughly or you may not be fully protected even though you have installed the new ESAPI 2.3.0.0 jar. This will also certainly be the last ESAPI release to support Java 7, so you would do well to prepare to move to Java 8 or later if you have not already done so. + +The primary intent of this release is to patch several potentially exploitable vulnerabilities in ESAPI. Many of these are related to AntiSamy and were introduced by vulnerable transitive dependencies. All but one those (a DoS vulnerability in an AntiSamy dependency) is believed to have been fixed with an update to use the new AntiSamy 1.6.7 release. There are also two vulnerabilities within ESAPI itself which have been remediated as part of this release, one of which dates back to at least ESAPI 1.4. + +In addition to these patches (discussed in a bit more detail later under the section 'Changes Requiring Special Attention'), there were other updates to dependencies made in this release done to simply to keep them as up-to-date as possible. 
We have also added the generation of an SBOM (Software Bill of Materials) generated via the cyclonedx:cyclonedx-maven-plugin. + +Lastly, support for the deprecated value of "fixed" for the ESAPI property "Encryptor.ChooseIVMethod" has been completely removed from this release. It had been deprecated since 2.2.0.0 and it's removal long scheduled for the 2.3.0.0 release. See the GitHub issue 679 for further details. + +================================================================================================================= + +Basic ESAPI facts +----------------- + +ESAPI 2.2.3.1 release (previous release): + 212 Java source files + 4316 JUnit tests in 136 Java source files + +ESAPI 2.3.0.0 release (current / new release): + 212 Java source files + 4325 JUnit tests in 136 Java source files (1 test ignored) + +24 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). +[Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2021-05-07] + +Issue # GitHub Issue Title +---------------------------------------------------------------------------------------------- +163 Limit max size of entire cookies Component-Validator enhancement good first issue help wanted imported Priority-High +198 Uninitialized esapi logging assumes logging to System.out/System.err - Make configurable/extensible bug imported wontfix +324 ClassCastException during web application redeploy due to the grift logging classes enhancement imported +564 Create release notes for 2.2.1.1 patch release Component-Docs +567 Release 2.2.1.1 Not Loading Properties in dependent JARs +574 Multiple encoding issue for Google Chrome wontfix +608 Move HTMLValidationRule static Classpath handling into DefaultSecurityConfiguration +624 Update pom.xml to use AntiSamy 1.6.3 and Apache Commons IO 2.6 Build-Maven +629 Define .snyk ignore content +630 Incorrect result for isEnabled() in Slf4JLogger +631 
Create Default Logging level configuration for ESAPI library wontfix +634 Removing \ from JSON string by ESAPI.encoder().canonicalize(value) +640 Decouple from AntiSamy slf4j-api dependency & Update dependency +648 Log4J CVE-2021-4104 +652 Fix code scanning alert - tracker 3 duplicate +653 java.io.FileNotFoundException Error in Logs When ESAPI.properties and validation.properties are in resources. +657 Need to update Xerces transitive dependency to fix CVE-2022-23437 +658 Vulnerability issue on dependency commons-io +664 ValidationException exposing potentially sensitive user supplied input to log wontfix +669 JavaEncryptor.java HARDCODED_CREDENTIALS +671 Version 2.2.3.1 contains 5 vulnerabilities in ESAPI dependencies +672 HTMLEntityCodec Bug Decoding "Left Angular Bracket" Symbol +673 Validator.HTTPHeaderValue changed automatically +679 Completely remove support for fixed IVs and throw a ConfigurationException if encountered + +----------------------------------------------------------------------------- + + Changes Requiring Special Attention + +----------------------------------------------------------------------------- + +1) This likely will be the LAST ESAPI release supporting Java 7. There are just some vulnerabilities (notably a DoS one in Neko HtmlUnit that does not yet have an assigned CVE) that because they are transitive dependencies, that we simply cannot remediate without at least moving on to Java 8 as the minimally supported JDK. Please plan accordingly. + +2) If you are not upgrading to ESAPI release 2.3.0.0 from 2.2.3.1 (the previous release), then you NEED to read at least the release notes in 2.2.3.1 and ideally, all the ones in all the previous ESAPI release notes from where you are updating to 2.3.0.0. In particular, if you were using ESAPI 2.2.1.0 or earlier, you need to see those ESAPI release notes in regards to changes in the ESAPI.Logger property. + + !!!!! VULNERABILITY ALERTS !!!!! 
+ +3) There is one VERY SERIOUS (as in easy to exploit) vulnerability in ESAPI's default antisamy-esapi.xml configuration file. This problem seems to date back to at least ESAPI release 1.4. If you do nothing else, you should update your antisamy-esapi.xml to the one provided in the esapi-2.3.0.0-configuration.jar that can be found on GitHub under "https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.3.0.0". The ESAPI team will be submitting an official CVE for this, but the bottom line is that the default ESAPI antisamy-esapi.xml configuration file does not properly sanitize 'javascript:' URLs in most cases, but instead accepts the input as "safe". A few more details regarding the configuration is provided in the section "Important checks you take as a developer using ESAPI" given below. + +4) Several other vulnerabilities associated with AntiSamy have been patched via the AntiSamy 1.6.7 (or prior) release. See the AntiSamy release notes for 1.6.7, 1.6.6.1, 1.6.6, 1.6.5 and 1.6.4 at https://github.com/nahsra/antisamy/releases for further details on what has been remediated. Note that the default ESAPI.properties and ESAPI AntiSamy configuration did not really leave ESAPI vulnerable to CVE-2021-35043 which was fixed in AntiSamy 1.6.4, but that was a moot point because of #3, above. + +5) A vulnerability found by GitHub Security Lab that is an example of CWE-22 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')], was discovered by GHSL security researcher Jaroslav Lobačevski. You can find details of it under "documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md" or "documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.pdf" on ESAPI's GitHub repo or from the ESAPI source zip or tarball files associated with this (or later) release. This currently does not have a CVE associated with it. We likely will leave it to GHSL to determine if they want to file a CVE for it or not. 
+ +6) There remains one known unpatched, potentially exploitable vulnerability (a DoS vulnerability in the transitive dependency Neko HtmlUnit) in ESAPI 2.3.0.0. To our knowledge, that vulnerability has not yet been assigned a CVE, but it is fixed in certain versions of Neko HtmlUnit after release 2.24.0. However, release 2.24.0 is the last Neko HtmlUnit release that supports Java 7 and thus is the latest one that we can use. That vulnerability is patched only fixed in a version of Neko HtmlUnit that was compiled with Java 8. Since ESAPI (as of release 2.3.0.0) only supports Java 7, we are currently unable to patch to remediate this DoS vulnerability. (This is why we are currently committed for this 2.3.0.0 release to be last release at least to support Java 7). The ESAPI team plans to release a 2.4.0.0 release that will require Java 8 or later as the minimal JDK, and with that release, we will update to AntiSamy 1.7.0 (which requires Java 8) and which uses Neko HtmlUnit 2.60.0 (which also requires Java 8 or later) and that addresses the DoS vulnerability. For further information, see the JUnit test testNekoDOSWithAnHTMLComment in "src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java". (Note that currently, this JUnit test is annotated as '@Ignore' since it would not pass under Java 7 and using Neko HtmlUnit 2.24.0.) + + +NOTE: We plan on issuing an updated README.md and updated security bulletins on #3 and #4 soon, but we wanted to focus on getting the patches out rather than getting the documentation out. This probably will not be in a separate release, but we will announce in on the ESAPI Users and ESAPI Dev Google lists once we drop them on our GitHub repo under the "documentation" folder. + + +FALSE POSITIVE ALERT ==> A final word on vulnerabilities -- CVE-2020-5529 is a False Positive + +Dependency Check picks up a false positive CVE in ESAPI 2.3.0.0. Other SCA tools may as well. 
Specifically, Dependency Check flags CVE-2020-5529 in a different (the original) Neko HtmlUnit then the one that AntiSamy is using. In Dependency Check, this is a False Positive caused by a mismatch of the CPE (i.e., Common Platform Enumeration) identifier. If you follow the "Hyperlink" section referenced on https://nvd.nist.gov/vuln/detail/CVE-2020-5529 page, you will see that it ultimately references https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0, which is the old, unmaintained version of Neko that AntiSamy had been using up until recently. Dependency Check is incorrectly matching "net.sourceforge.htmlunit:htmlunit" rather than matching "net.sourceforge.htmlunit:neko-htmlunit", which it what if should be matching. This CPE matching confusion is a common problem with Dependency Check, but it's by design. Understandably, Jeremy Long and other Dependency Check contributors have deliberately tweaked Dependency Check to fall more on the side of False Positives so as to avoid False Negatives, because False Positives are a lot easier to vet and rule out, and one can--if so desired--create a suppressions.xml entry for it to ignore them. (I've decided against suppressing it in Dependency Check--at least for the time being--because there are likely other SCA tools that will also flag this as a False Positive.) For now, it's easier to just acknowledge it in the release notes. (Especially since we'll be releasing a 2.4.0.0 version soon after the 2.3.0.0 version that will support Java 8 as the minimal SDK so this problem will disappear.) Note however that Snyk does not flag ESAPI as being vulnerable to CVE-2020-5529. + +----------------------------------------------------------------------------e + +Important security checks you SHOULD take as a developer using ESAPI + +Simply upgrading to the esapi-2.3.0.0.jar may not be enough. 
This 2.3.0.0 release patches a bypass around some AntiSamy related sanitization that has been present since at least the ESAPI 1.4 release. It is specifically fixed in the esapi-2.3.0.0-configuration.jar, which you may download from https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.3.0.0/esapi-2.3.0.0-configuration.jar. From that, you will want to extract the configuration/esapi/antisamy-esapi.xml file and use it to replace your previous stock antisamy-esapi.xml file. However, if you have customized your antisamy-esapi.xml file, then to address the vulnerability, you MUST find the vulnerable configuration line where the "onsiteURL" attribute is defined and change the regular expression. + + The original (vulnerable) line will look like: + + + The corrected line should look like: + + +We have also updated the other regular expressions in the '' node for our antisamy-esapi.xml file to reflect the latest regex values from AntiSamy's antisamy.xml configuration file in their official AntiSamy 1.6.7 release. This was done as a precautionary measure only, as the regex pattern seemed to be malformed along the same lines of "onsiteURL" and thus potentially could allow unintended characters to be passed through as "safe". Note however that there are no vulnerabilities known to the ESAPI team regarding these other 2 regular expressions for "htmlTitle" and "offsiteURL". If these prove to be problematic with your applications using ESAPI, you may decide to change the probablematic ones to the original values. + + The original (possibly vulnerable???) regular expression values for htmlTitle and offsiteURL: + + + + The updated regular expression values for them: + + + +In future ESAPI releases, we may consider just replacing ESAPI's antisamy-esapi.xml file with AntiSamy's antisamy.xml, but we will not be doing that lightly. We tested with the latter and it broke some ESAPI JUnit tests so such a change now likely would break some client ESAPI code as well. 
However, the changes to the "" node did not break any of our ESAPI JUnit tests so we believe they are probably okay. (If not, we apologize in advance, but we prefer to error on the side of caution here.) + +----------------------------------------------------------------------------- + +Developer Activity Report (Changes between release 2.2.3.1 and 2.3.0.0, i.e., between 2021-05-07 and 2022-04-17) + +Normally, I (Kevin) write up lots of other details in the release notes, especially to credit those who have contributed PRs to address ESAPI issues. I apologize for not spending time on this right now, but I will try to update this set of release notes for 2.3.0.0 in the near future to add such things. + + +----------------------------------------------------------------------------- + +CHANGELOG: Create your own. May we suggest: + + git log --stat --since=2021-05-07 --reverse --pretty=medium + + or clone the ESAPI/esapi-java-legacy repo and then run + + mvn site + + and finally, point your browser at + + target/site/changelog.html + + Both approaches should show all the commits since just after the previous (2.2.3.1) release. [Note that the both approaches may include commits after the 2.3.0.0 release, but the first allows to to easily add an end date via '--until=2022-04-17'.] + +----------------------------------------------------------------------------- + +Direct and Transitive Runtime and Test Dependencies: + + $ mvn -B dependency:tree + ... 
+ [INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ esapi --- + [INFO] org.owasp.esapi:esapi:jar:2.3.0.0 + [INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided + [INFO] +- com.io7m.xom:xom:jar:1.2.10:compile + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile + [INFO] +- commons-lang:commons-lang:jar:2.6:compile + [INFO] +- commons-fileupload:commons-fileupload:jar:1.3.3:compile + [INFO] +- log4j:log4j:jar:1.2.17:compile + [INFO] +- org.apache.commons:commons-collections4:jar:4.2:compile + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile + [INFO] +- org.owasp.antisamy:antisamy:jar:1.6.7:compile + [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile + [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile + [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.3:compile + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile + [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile + [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile + [INFO] +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.24:compile + [INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile + [INFO] +- commons-io:commons-io:jar:2.6:compile + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.6.0:compile + [INFO] | \- 
com.google.code.findbugs:jsr305:jar:3.0.2:compile + [INFO] +- commons-codec:commons-codec:jar:1.15:test + [INFO] +- junit:junit:jar:4.13.2:test + [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:test + [INFO] +- org.hamcrest:hamcrest-core:jar:1.3:test + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.7:test + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.7:test + [INFO] +- org.javassist:javassist:jar:3.25.0-GA:test + [INFO] +- org.mockito:mockito-core:jar:2.28.2:test + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.9.10:test + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.9.10:test + [INFO] | \- org.objenesis:objenesis:jar:2.6:test + [INFO] +- org.powermock:powermock-core:jar:2.0.7:test + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.7:test + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.7:test + [INFO] +- org.powermock:powermock-reflect:jar:2.0.7:test + [INFO] \- org.openjdk.jmh:jmh-core:jar:1.35:test + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test + [INFO] \- org.apache.commons:commons-math3:jar:3.2:test + ... + +----------------------------------------------------------------------------- + +Acknowledgments: + * A special shout out to Jaroslav Lobačevski, a security researcher at GitHub Security Labs, who notified the ESAPI team via responsible disclosure and allowed us sufficient time to address GHSL-2022-008. + * A huge hat-tip to Dave Wichers and Sebastian Passaro for promptly addressing vulnerabilities in AntiSamy, many of which were caused by poorly maintained dependencies of AntiSamy. + * A special thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI contributors whom I've undoubtedly forgotten. + * Finally, to all the ESAPI users who make our efforts worthwhile. This is for you. + +A special thanks to the ESAPI community from the ESAPI project co-leaders: + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! + Matt Seil (xeno6696) 
diff --git a/pom.xml b/pom.xml index b4808c13c..7820d04e3 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.owasp.esapi esapi - 2.2.3.1-SNAPSHOT + 2.3.0.0 jar @@ -132,12 +132,19 @@ UTF-8 - 1.28 + 1.7 + 1.12.0 + 1.35 2.0.7 - 4.2.2 - 4.2.2 - 3.0.0-M5 + 4.6.0 + 4.6.0.0 + 3.0.0-M6 + + + + + 2021-05-07 00:00:00 @@ -198,6 +205,10 @@ commons-logging commons-logging + + xml-apis + xml-apis + @@ -237,19 +248,39 @@ org.owasp.antisamy antisamy - 1.6.3 + 1.6.7 - + commons-io commons-io + + net.sourceforge.htmlunit + neko-htmlunit + + + + + net.sourceforge.htmlunit + neko-htmlunit + 2.24 + + + + xerces + xercesImpl + org.slf4j slf4j-api - 1.7.30 + 1.7.36 xml-apis @@ -269,7 +300,6 @@ 2.6 - com.github.spotbugs @@ -294,7 +324,7 @@ org.bouncycastle bcprov-jdk15on - 1.68 + 1.70 test @@ -400,17 +430,29 @@ org.apache.maven.plugins maven-dependency-plugin - 3.1.2 + 3.3.0 org.apache.maven.plugins maven-release-plugin - 3.0.0-M1 + 3.0.0-M5 + + + org.cyclonedx + cyclonedx-maven-plugin + 2.5.3 + + + package + makeBom + + + com.github.spotbugs spotbugs-maven-plugin @@ -426,6 +468,12 @@ + + com.h3xstream.findsecbugs + findsecbugs-plugin + ${version.findsecbugs} + + net.sourceforge.maven-taglib maven-taglib-plugin @@ -441,18 +489,18 @@ org.apache.maven.plugins maven-clean-plugin - 3.1.0 + 3.2.0 org.apache.maven.plugins maven-compiler-plugin - 3.8.1 + 3.10.1 - 1.7 - 1.7 - 1.7 - 1.7 + ${project.java.target} + ${project.java.target} + ${project.java.target} + ${project.java.target} true true false @@ -481,7 +529,7 @@ org.apache.maven.plugins maven-deploy-plugin - 3.0.0-M1 + 3.0.0-M2 @@ -496,18 +544,17 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.0.0-M3 + 3.0.0 org.codehaus.mojo extra-enforcer-rules - 1.3 + 1.5.1 org.codehaus.mojo animal-sniffer-enforcer-rule - - 1.17 + 1.21 @@ -519,7 +566,7 @@ - [3.2.5,) + [3.3.9,) Building ESAPI 2.x now requires Maven 3.2.5 or later. 
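Review bot: In the `@@ -519,7 +566,7 @@` hunk the Maven version range is raised from `[3.2.5,)` to `[3.3.9,)`, but the message on the following line still says `Building ESAPI 2.x now requires Maven 3.2.5 or later.`, so a build that fails the enforcer rule reports the wrong minimum; change it to `Building ESAPI 2.x now requires Maven 3.3.9 or later.`. The `@@ -533,7 +580,7 @@` hunk has the same shape: the required Java version becomes `${project.java.target}` while the message still hard-codes "JDK1.7", so the message should reference the property as well so the two cannot drift apart again. I can only infer the enclosing element names here because the XML tags are not preserved in this rendering of the diff.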
@@ -533,7 +580,7 @@ - 1.7 + ${project.java.target} ESAPI 2.x now uses the JDK1.7 for its baseline. Please make sure that your JAVA_HOME environment variable is pointed to a JDK1.7 or later distribution. @@ -572,7 +619,7 @@ org.apache.maven.plugins maven-gpg-plugin - 1.6 + 3.0.1 sign-artifacts @@ -591,7 +638,7 @@ org.apache.maven.plugins maven-jar-plugin - 3.2.0 + 3.2.2 @@ -605,7 +652,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 3.2.0 + 3.3.2 7 none @@ -621,21 +668,21 @@ - org.apache.maven.plugins - maven-jxr-plugin - 3.0.0 + org.apache.maven.plugins + maven-jxr-plugin + 3.2.0 - org.apache.maven.plugins - maven-pmd-plugin - 3.14.0 + org.apache.maven.plugins + maven-pmd-plugin + 3.16.0 org.apache.maven.plugins maven-project-info-reports-plugin - 3.1.1 + 3.2.2 @@ -647,7 +694,7 @@ org.apache.maven.plugins maven-site-plugin - 3.9.1 + 3.11.0 @@ -688,15 +735,15 @@ - org.codehaus.mojo + io.github.jiangxincode jdepend-maven-plugin - 2.0 + 2.1 org.codehaus.mojo versions-maven-plugin - 2.8.1 + 2.10.0 @@ -708,7 +755,7 @@ org.owasp dependency-check-maven - 6.1.6 + 7.0.4 1.0 ./suppressions.xml @@ -742,8 +789,9 @@ https://github.com/ESAPI/esapi-java-legacy/issues/%ISSUE% date - - 2015-02-05 00:00:00 + + + ${date.prev_release} @@ -753,6 +801,7 @@ maven-javadoc-plugin none + 7 @@ -777,6 +826,7 @@ + index dependency-convergence @@ -797,7 +847,7 @@ - org.codehaus.mojo + io.github.jiangxincode jdepend-maven-plugin @@ -841,7 +891,7 @@ com.h3xstream.findsecbugs findsecbugs-plugin - 1.10.1 + ${version.findsecbugs} Max @@ -873,7 +923,6 @@ maven-jar-plugin - @@ -930,7 +979,6 @@ org.apache.maven.plugins maven-release-plugin - 2.5.3 https://github.com/ESAPI/esapi-java-legacy/tags diff --git a/scripts/README.txt b/scripts/README.txt index 94aeeeffe..61df78f20 100644 --- a/scripts/README.txt +++ b/scripts/README.txt 
@@ -6,3 +6,10 @@ README.txt -- This readme file. esapi-release.sh -- Obsolete script to create new ESAPI release. Will be replaced soon. Do not use for now. mvnQuietTest.bat -- Run 'mvn test' from DOS cmd prompt with logSpecial output suppressed. mvnQuietTest.sh -- Run 'mvn test' from bash with logSpecial output suppressed. +createVarsFile.sh -- Bash script to create a vars.2.x.y.z file that is 'sourced' by the 'newReleaseNotes.sh' script. +esapi4java-core-TEMPLATE-release-notes.txt - Basic template used to create the new release notes file. +newReleaseNotes.sh -- Bash script to create the release notes boillerplate from the provided release argument and the TEMPLATE file. +vars.2.2.3.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh +vars.2.2.3.1 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh +vars.2.3.0.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh +vars.template -- Template to construct the release specific vars files diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt index af4f130bc..5caad5c37 100644 --- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt +++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt @@ -1,5 +1,5 @@ @@@@ IMPORTANT: Be sure to 1) save in DOS text format, and 2) Delete this line and others starting with @@@@ -@@@ Edit with :set tw=0 +@@@@ Edit this file in vim with :set tw=0 @@@@ Meant to be used with scripts/newReleaseNotes.sh and the 'vars.*' scripts there. Release notes for ESAPI ${VERSION} Release date: ${YYYY_MM_DD_RELEASE_DATE} 
@@ -30,12 +30,12 @@ ESAPI ${PREV_VERSION} release: #### Java source files #### JUnit tests in #### Java test files -ESAPI ${version} release: +ESAPI ${VERSION} release: @@@@ Count them and run 'mvn test' to get the # of tests. #### Java source files #### JUnit tests in #### Java source files -XXX GitHub Issues closed in this release, including those we've decided not to fix (marked '(wontfix)'). +XXX GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). (Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D${PREV_RELEASE_DATE}) Issue # GitHub Issue Title diff --git a/scripts/newReleaseNotes.sh b/scripts/newReleaseNotes.sh index 7e93da5d7..c9f3d351a 100755 --- a/scripts/newReleaseNotes.sh +++ b/scripts/newReleaseNotes.sh @@ -24,6 +24,7 @@ if [[ -r $template ]] then echo "#!/bin/bash" > $tmpfile echo "source vars.${newVers}" >> $tmpfile + echo "set -o allexport" >> $tmpfile echo "cat >esapi4java-core-${VERSION}-release-notes.txt <<${hereDocBanner}" >> $tmpfile cat $template >> $tmpfile echo "${hereDocBanner}" >> $tmpfile diff --git a/scripts/vars.2.3.0.0 b/scripts/vars.2.3.0.0 new file mode 100644 index 000000000..4695f1f6f --- /dev/null +++ b/scripts/vars.2.3.0.0 @@ -0,0 +1,14 @@ +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. + +# ESAPI (new / current) version +VERSION=2.3.0.0 + +# Previous ESAPI version +PREV_VERSION=2.2.3.1 + +# Release date of current version in yyyy-mm-dd format +YYYY_MM_DD_RELEASE_DATE=2022-04-16 + +# Previous ESAPI release date in same format +PREV_RELEASE_DATE=2021-05-07 diff --git a/scripts/vars.template b/scripts/vars.template index adae0e835..7e127c7a3 100644 --- a/scripts/vars.template +++ b/scripts/vars.template 
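Review bot: The added `echo "set -o allexport" >> $tmpfile` writes the allexport switch into the generated script after its `source vars.${newVers}` line, so the variables assigned by the vars file are not themselves exported; only assignments made later in the generated script would be. If the intent is to make VERSION, PREV_VERSION and the two dates visible to child processes, emit the switch before the source line, i.e. `echo "set -o allexport" >> $tmpfile` followed by `echo "source vars.${newVers}" >> $tmpfile`; if it is only meant for the heredoc expansion, it is not needed, because the heredoc is expanded by the same shell that sourced the file. A one-line comment naming the consumer that needs the exported variables would make the intent clear either way. The enclosing `if [[ -r $template ]]` block starts outside the hunk.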
@@ -1,4 +1,5 @@ -# Do NOT edit this file directly. It will be created by the new newReleaseNotes.sh script. +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. # ESAPI (new / current) version VERSION diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java index d21a7eba4..27c4af964 100644 --- a/src/main/java/org/owasp/esapi/SecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/SecurityConfiguration.java 
@@ -389,35 +389,22 @@ public interface SecurityConfiguration extends EsapiPropertyLoader { * fixed IVs, but the use of non-random IVs is inherently insecure, * especially for any supported cipher mode that is considered a streaming mode * (which is basically anything except CBC for modes that support require an IV). - * For this reason, 'fixed' is considered deprecated and will be - * removed during the next ESAPI point release (tentatively, 2.3). - * However, note that if a "fixed" IV is chosen, then the - * the value of this fixed IV must be specified as the property - * {@code Encryptor.fixedIV} and be of the appropriate length. + * For this reason, 'fixed' has now been removed (it was considered deprecated + * since release 2.2.0.0). An ESAPI.properties value of {@Code fixed} for the property + * {@Code Encryptor.ChooseIVMethod} will now result in a {@Code ConfigurationException} + * being thrown. * - * @return A string specifying the IV type. Should be "random" or "fixed" (dereprected). + * @return A string specifying the IV type. Should be "random". Anything + * else should fail with a {@Code ConfigurationException} being thrown. * * @see #getFixedIV() * @deprecated Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead. + * This method will be removed in a future release as it is now moot since + * it can only legitimately have the single value of "random". */ @Deprecated String getIVType(); - /** - * If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, - * this will return the IV value as a hex-encoded string. - * @return The fixed IV as a hex-encoded string. - * @deprecated Short term: use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") - * instead. Longer term: There will be a more general method in JavaEncryptor - * to explicitly set an IV. 
This whole concept of a single fixed IV has - * always been a kludge at best, as a concession to those who have used - * a single fixed IV in the past to support legacy applications. This method will be - * killed off in the next ESAPI point release (likely 2.3). It's time to put it to death - * as it was never intended for production in the first place. - */ - @Deprecated - String getFixedIV(); - /** * Return a {@code List} of strings of combined cipher modes that support * both confidentiality and authenticity. These would be preferred diff --git a/src/main/java/org/owasp/esapi/crypto/CipherText.java b/src/main/java/org/owasp/esapi/crypto/CipherText.java index 1047116fa..a23aaedc5 100644 --- a/src/main/java/org/owasp/esapi/crypto/CipherText.java +++ b/src/main/java/org/owasp/esapi/crypto/CipherText.java @@ -320,11 +320,10 @@ public int getRawCipherTextByteLength() { * base64-encoding is performed. *
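Review bot: The rewritten Javadoc for `getIVType()` keeps the context line `* @see #getFixedIV()` while the same hunk deletes `getFixedIV()` from the interface, so the reference now points at a method that no longer exists and javadoc will flag it; drop that line or point it at the replacement the text already names, e.g. `* @see #getStringProp(String)`. The added lines also use `{@Code fixed}`, `{@Code Encryptor.ChooseIVMethod}` and `{@Code ConfigurationException}`; Javadoc inline tags are case-sensitive, so these need to be `{@code ...}` to render as code instead of as unknown tags. Removing `getFixedIV()` from a public interface is a source-incompatible change for any third-party SecurityConfiguration implementation, which is presumably intended given the deprecation notice, but it is worth calling out explicitly in the release notes.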

* If there is a need to store an encrypted value, say in a database, this - * is not the method you should use unless you are using a fixed - * IV or are planning on retrieving the IV and storing it somewhere separately - * (e.g., a different database column). If you are not using a fixed IV - * (which is highly discouraged), you should normally use - * {@link #getEncodedIVCipherText()} instead. + * is not the method you should use unless you are using are storing the + * IV separately (i.e., in a separate DB column), which doesn't make a lot of sense. + * Normally, you should prefer the method {@link #getEncodedIVCipherText()} instead as + * it will return the IV prepended to the ciphertext. *

* @see #getEncodedIVCipherText() */ @@ -338,11 +337,6 @@ public String getBase64EncodedRawCipherText() { * base64-encoding. If an IV is not used, then this method returns the same * value as {@link #getBase64EncodedRawCipherText()}. *
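Review bot: The new Javadoc sentence `is not the method you should use unless you are using are storing the IV separately` has a stray "using are"; it should read `is not the method you should use unless you are storing the IV separately`. Since fixed IVs are gone in this release, dropping the old warning is consistent, but the paragraph could still state the one fact a caller needs: `* The IV is required for decryption, so whichever method you use, it must be persisted together with the ciphertext.`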

- * Generally, this is the method that you should use unless you only - * are using a fixed IV and a storing that IV separately, in which case - * using {@link #getBase64EncodedRawCipherText()} can reduce the storage - * overhead. - *

* @return The base64-encoded ciphertext or base64-encoded IV + ciphertext. * @see #getBase64EncodedRawCipherText() */ @@ -591,8 +585,8 @@ public void setIVandCiphertext(byte[] iv, byte[] ciphertext) // TODO: FIXME: As per email from Jeff Walton to Kevin Wall dated 12/03/2013, // this is not always true. E.g., for CCM, the IV length is supposed // to be 7, 8, 7, 8, 9, 10, 11, 12, or 13 octets because of -// it's formatting function, the restof the octets used by the -// nonce/counter. +// it's formatting function, the rest of the octets are used by the +// nonce/counter. E.g., see RFCs 4309, 8750, and related RFCs. throw new EncryptionException("Encryption failed -- bad parameters passed to encrypt", // DISCUSS - also log? See below. "IV length does not match cipher block size of " + getBlockSize()); } diff --git a/src/main/java/org/owasp/esapi/logging/java/JavaLogger.java b/src/main/java/org/owasp/esapi/logging/java/JavaLogger.java index 889d5f0bb..6e57c39e0 100644 --- a/src/main/java/org/owasp/esapi/logging/java/JavaLogger.java +++ b/src/main/java/org/owasp/esapi/logging/java/JavaLogger.java @@ -24,7 +24,7 @@ public class JavaLogger implements org.owasp.esapi.Logger { /** Handler for translating events from ESAPI context for Java processing.*/ private final JavaLogBridge logBridge; /** Maximum log level that will be forwarded to Java from the ESAPI context.*/ - private int maxLogLevel; + private int loggingLevel; /** * Constructs a new instance. @@ -35,7 +35,7 @@ public class JavaLogger implements org.owasp.esapi.Logger { public JavaLogger(java.util.logging.Logger JavaLogger, JavaLogBridge bridge, int defaultEsapiLevel) { delegate = JavaLogger; this.logBridge = bridge; - maxLogLevel = defaultEsapiLevel; + loggingLevel = defaultEsapiLevel; } private void log(int esapiLevel, EventType type, String message) { 
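Review bot: In the JavaLogger `@@ -24,7 +24,7 @@` hunk the field is renamed to `loggingLevel`, but its Javadoc context line still reads `/** Maximum log level that will be forwarded to Java from the ESAPI context.*/`; with the new `isEnabled` forwarding events at or above this value, the field is a threshold (a minimum), not a maximum, so the doc now says the opposite of what the code does. Suggest `/** Minimum ESAPI level that will be forwarded to the Java logger; events below it are dropped. */`. The same line appears in the Log4JLogger `@@ -25,7 +25,7 @@` and Slf4JLogger `@@ -24,7 +24,7 @@` hunks, and the Log4JLogger copy additionally says "SLF4J" where it presumably means Log4J.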
@@ -52,8 +52,7 @@ private void log(int esapiLevel, EventType type, String message, Throwable throw private boolean isEnabled(int esapiLevel) { - //Are Logger.OFF and Logger.ALL reversed? This should be simply the less than or equal to check... - return (esapiLevel <= maxLogLevel && maxLogLevel != Logger.OFF) || maxLogLevel == Logger.ALL; + return esapiLevel >= loggingLevel; } @Override @@ -128,7 +127,7 @@ public void fatal(EventType type, String message, Throwable throwable) { @Override public int getESAPILevel() { - return maxLogLevel; + return loggingLevel; } @Override @@ -162,7 +161,7 @@ public boolean isFatalEnabled() { @Override public void setLevel(int level) { - maxLogLevel = level; + loggingLevel = level; } } diff --git a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java index b24a7448c..cbbda2140 100644 --- a/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java +++ b/src/main/java/org/owasp/esapi/logging/log4j/Log4JLogger.java @@ -25,7 +25,7 @@ public class Log4JLogger implements org.owasp.esapi.Logger { /** Handler for translating events from ESAPI context for SLF4J processing.*/ private final Log4JLogBridge logBridge; /** Maximum log level that will be forwarded to SLF4J from the ESAPI context.*/ - private int maxLogLevel; + private int loggingLevel; /** * Constructs a new instance. @@ -36,7 +36,7 @@ public class Log4JLogger implements org.owasp.esapi.Logger { public Log4JLogger(org.apache.log4j.Logger slf4JLogger, Log4JLogBridge bridge, int defaultEsapiLevel) { delegate = slf4JLogger; this.logBridge = bridge; - maxLogLevel = defaultEsapiLevel; + loggingLevel = defaultEsapiLevel; } private void log(int esapiLevel, EventType type, String message) { 
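Review bot: The new `return esapiLevel >= loggingLevel;` drops the explicit handling of `Logger.OFF` and `Logger.ALL` and instead relies on the numeric ordering of the ESAPI level constants, which is only correct while `Logger.ALL` is the smallest value and `Logger.OFF` the largest (assuming they are still defined as the extreme int values); nothing in the hunk records that dependency. Add a comment on the return, e.g. `// Forward only events at or above the configured level; relies on the Logger constants being ordered numerically with Logger.ALL lowest and Logger.OFF highest.`. The identical change is made in the Log4JLogger `@@ -53,8 +53,7 @@` and Slf4JLogger `@@ -52,8 +52,7 @@` hunks and the same comment belongs there.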
@@ -53,8 +53,7 @@ private void log(int esapiLevel, EventType type, String message, Throwable throw private boolean isEnabled(int esapiLevel) { - //Are Logger.OFF and Logger.ALL reversed? This should be simply the less than or equal to check... - return (esapiLevel <= maxLogLevel && maxLogLevel != Logger.OFF) || maxLogLevel == Logger.ALL; + return esapiLevel >= loggingLevel; } @Override @@ -129,7 +128,7 @@ public void fatal(EventType type, String message, Throwable throwable) { @Override public int getESAPILevel() { - return maxLogLevel; + return loggingLevel; } @Override @@ -163,7 +162,7 @@ public boolean isFatalEnabled() { @Override public void setLevel(int level) { - maxLogLevel = level; + loggingLevel = level; } } diff --git a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogger.java b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogger.java index 9a08ef3b4..62fead5d1 100644 --- a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogger.java +++ b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogger.java @@ -24,7 +24,7 @@ public class Slf4JLogger implements org.owasp.esapi.Logger { /** Handler for translating events from ESAPI context for SLF4J processing.*/ private final Slf4JLogBridge logBridge; /** Maximum log level that will be forwarded to SLF4J from the ESAPI context.*/ - private int maxLogLevel; + private int loggingLevel; /** * Constructs a new instance. @@ -35,7 +35,7 @@ public class Slf4JLogger implements org.owasp.esapi.Logger { public Slf4JLogger(org.slf4j.Logger slf4JLogger, Slf4JLogBridge bridge, int defaultEsapiLevel) { delegate = slf4JLogger; this.logBridge = bridge; - maxLogLevel = defaultEsapiLevel; + loggingLevel = defaultEsapiLevel; } private void log(int esapiLevel, EventType type, String message) { 
@@ -52,8 +52,7 @@ private void log(int esapiLevel, EventType type, String message, Throwable throw private boolean isEnabled(int esapiLevel) { - //Are Logger.OFF and Logger.ALL reversed? This should be simply the less than or equal to check... - return (esapiLevel <= maxLogLevel && maxLogLevel != Logger.OFF) || maxLogLevel == Logger.ALL; + return esapiLevel >= loggingLevel; } @Override @@ -128,7 +127,7 @@ public void fatal(EventType type, String message, Throwable throwable) { @Override public int getESAPILevel() { - return maxLogLevel; + return loggingLevel; } @Override @@ -162,7 +161,7 @@ public boolean isFatalEnabled() { @Override public void setLevel(int level) { - maxLogLevel = level; + loggingLevel = level; } } diff --git a/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java b/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java index d7de99f04..e6976c7ac 100644 --- a/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java +++ b/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java @@ -114,7 +114,8 @@ protected User getUserFromSession() { */ protected DefaultUser getUserFromRememberToken() { try { - String token = ESAPI.httpUtilities().getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME); + HTTPUtilities utils =ESAPI.httpUtilities(); + String token = utils.getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME); if (token == null) return null; // See Google Issue 144 regarding first URLDecode the token and THEN unsealing. diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java index f690e26bd..ecce1a9ff 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java 
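Review bot: In the AbstractAuthenticator hunk the added line `HTTPUtilities utils =ESAPI.httpUtilities();` is missing the space after `=`; write `HTTPUtilities utils = ESAPI.httpUtilities();`. Within the visible lines the local is used only once, so unless it is reused further down in `getUserFromRememberToken()` (whose body continues outside the hunk) the original single-line form was simpler.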
@@ -189,8 +189,9 @@ public void addCookie(HttpServletResponse response, Cookie cookie) { // validate the name and value ValidationErrorList errors = new ValidationErrorList(); - String cookieName = ESAPI.validator().getValidInput("cookie name", name, "HTTPCookieName", 50, false, errors); - String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", 5000, false, errors); + SecurityConfiguration sc = ESAPI.securityConfiguration(); + String cookieName = ESAPI.validator().getValidInput("cookie name", name, "HTTPCookieName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false, errors); + String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false, errors); // if there are no errors, then set the cookie either with a header or normally if (errors.size() == 0) { @@ -234,11 +235,12 @@ public void addHeader(String name, String value) { * {@inheritDoc} */ public void addHeader(HttpServletResponse response, String name, String value) { + SecurityConfiguration sc = ESAPI.securityConfiguration(); try { String strippedName = StringUtilities.replaceLinearWhiteSpace(name); String strippedValue = StringUtilities.replaceLinearWhiteSpace(value); - String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false); - String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", 500, false); + String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false); + String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false); response.addHeader(safeName, safeValue); } catch (ValidationException e) { logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e); 
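Review bot: Every call to addCookie, addHeader, getCookie and getHeader now evaluates `sc.getIntProp("HttpUtilities.MaxHeaderNameSize")` / `sc.getIntProp("HttpUtilities.MaxHeaderValueSize")` on the request path, and if I recall the EsapiPropertyLoader contract correctly getIntProp throws ConfigurationException when the key is absent, so a deployment that upgrades the jar without adding the two new keys to ESAPI.properties fails on its first header or cookie operation; in addHeader the catch covers only ValidationException, so that exception propagates to the caller. The `@@ -234`, `@@ -463` and `@@ -655` hunks share the pattern. Consider resolving both values once at construction so a missing key surfaces at start-up rather than per request, and documenting the two keys with their intended defaults. Note also that one pair of properties now bounds header names/values and cookie names/values alike, which previously had separate limits (20/500 for headers, 50/5000 and 1000 for cookies), so tuning the limit for headers silently changes cookie validation; a comment on the property, or a separate cookie-size key, would make that coupling visible.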
@@ -463,9 +465,10 @@ public void encryptStateInCookie( Map cleartext ) throws Encrypti */ public String getCookie( HttpServletRequest request, String name ) throws ValidationException { Cookie c = getFirstCookie( request, name ); + SecurityConfiguration sc = ESAPI.securityConfiguration(); if ( c == null ) return null; String value = c.getValue(); - return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", 1000, false); + return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false); } /** @@ -655,8 +658,9 @@ private Cookie getFirstCookie(HttpServletRequest request, String name) { * {@inheritDoc} */ public String getHeader( HttpServletRequest request, String name ) throws ValidationException { + SecurityConfiguration sc = ESAPI.securityConfiguration(); String value = request.getHeader(name); - return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", 150, false); + return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false); } diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java index 5a96c76d8..3e80055d3 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java 
@@ -121,10 +121,9 @@ public static SecurityConfiguration getInstance() { public static final String CIPHER_TRANSFORMATION_IMPLEMENTATION = "Encryptor.CipherTransformation"; public static final String CIPHERTEXT_USE_MAC = "Encryptor.CipherText.useMAC"; public static final String PLAINTEXT_OVERWRITE = "Encryptor.PlainText.overwrite"; - public static final String IV_TYPE = "Encryptor.ChooseIVMethod"; @Deprecated - public static final String FIXED_IV = "Encryptor.fixedIV"; + public static final String IV_TYPE = "Encryptor.ChooseIVMethod"; // Will be removed in future release. public static final String COMBINED_CIPHER_MODES = "Encryptor.cipher_modes.combined_modes"; public static final String ADDITIONAL_ALLOWED_CIPHER_MODES = "Encryptor.cipher_modes.additional_allowed"; @@ -251,6 +250,13 @@ public static SecurityConfiguration getInstance() { */ public DefaultSecurityConfiguration(Properties properties) { resourceFile = DEFAULT_RESOURCE_FILE; + try { + this.esapiPropertyManager = new EsapiPropertyManager(); + // Do NOT call loadConfiguration() here! + } catch( IOException e ) { + logSpecial("Failed to load security configuration", e ); + throw new ConfigurationException("Failed to load security configuration", e); + } this.properties = properties; this.setCipherXProperties(); } @@ -265,7 +271,7 @@ private void setCipherXProperties() { // TODO: FUTURE: Replace by future CryptoControls class??? // See SecurityConfiguration.setCipherTransformation() for // explanation of this. - // (Propose this in 2.1 via future email to ESAPI-DEV list.) + // (Propose this in a future 2.x release via future email to ESAPI-DEV list.) cipherXformFromESAPIProp = getESAPIProperty(CIPHER_TRANSFORMATION_IMPLEMENTATION, "AES/CBC/PKCS5Padding"); 
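Review bot: In the `@@ -251,6 +250,13 @@` hunk the `DefaultSecurityConfiguration(Properties properties)` constructor now builds an `EsapiPropertyManager` before assigning `this.properties`, so callers who pass an explicit Properties object (presumably to avoid file-based configuration, e.g. in tests) now also depend on whatever the property manager loads and get a ConfigurationException if that fails; that behaviour change deserves a sentence in the constructor's Javadoc. The comment `// Do NOT call loadConfiguration() here!` states a rule without its reason; if the reason is that the supplied properties would be overwritten, say so: `// Do NOT call loadConfiguration() here: the caller supplied the properties explicitly and loading would replace them.`.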
@@ -832,49 +838,26 @@ public boolean overwritePlainText() { /** * {@inheritDoc} */ + @Deprecated public String getIVType() { String value = getESAPIProperty(IV_TYPE, "random"); if ( value.equalsIgnoreCase("random") ) { return value; } else if ( value.equalsIgnoreCase("fixed") ) { - logSpecial("WARNING: Property '" + IV_TYPE + "=fixed' is DEPRECATED. It was intended to support legacy applications, but is inherently insecure, especially with any streaming mode. Support for this will be completed dropped next ESAPI minor release (probably 2.3"); - return value; + logSpecial("WARNING: Property '" + IV_TYPE + "=fixed' is no longer supported AT ALL!!! It had been deprecated since 2.2.0.0 and back then, was announced it would be removed in release 2.3.0.0. It was originally intended to support legacy applications, but is inherently insecure, especially with any streaming mode."); + throw new ConfigurationException("'" + IV_TYPE + "=fixed' is no longer supported AT ALL. It has been deprecated since release 2.2 and has been removed since 2.3."); } else if ( value.equalsIgnoreCase("specified") ) { - // This is planned for future implementation where setting - // Encryptor.ChooseIVMethod=specified will require setting some - // other TBD property that will specify an implementation class that - // will generate appropriate IVs. The intent of this would be to use - // such a class with various feedback modes where it is imperative - // that for a given key, any particular IV is *NEVER* reused. For - // now, we will assume that generating a random IV is usually going - // to be sufficient to prevent this. - throw new ConfigurationException("'" + IV_TYPE + "=specified' is not yet implemented. Use 'random' for now."); - } else { - // TODO: Once 'specified' is legal, adjust exception msg, below. - // DISCUSS: Could just log this and then silently return "random" instead. - throw new ConfigurationException(value + " is illegal value for " + IV_TYPE + - ". 
Use 'random'."); - } - } - - /** - * {@inheritDoc} - */ - @Deprecated - public String getFixedIV() { - if ( getIVType().equalsIgnoreCase("fixed") ) { - String ivAsHex = getESAPIProperty(FIXED_IV, ""); // No default - if ( ivAsHex == null || ivAsHex.trim().equals("") ) { - throw new ConfigurationException("Fixed IV requires property " + - FIXED_IV + " to be set, but it is not."); - } - return ivAsHex; // We do no further checks here as we have no context. + // Originally, this was planned for future implementation where setting + // Encryptor.ChooseIVMethod=specified + // would have allowed a dev to write their own static method to be + // invoked in a future TBD property, but that is a recipe for + // disaster. So, it's not going to happen. Ever. + throw new ConfigurationException("Contrary to previous internal comments, '" + IV_TYPE + "=specified' is not going to be supported -- ever."); } else { - // DISCUSS: Should we just log a warning here and return null instead? - // If so, may cause NullPointException somewhere later. - throw new ConfigurationException("IV type not 'fixed' [which is DEPRECATED!] (set to '" + - getIVType() + "'), so no fixed IV applicable."); + logSpecial("WARNING: '" + value + "' is illegal value for " + IV_TYPE + + ". Using 'random' for the IV type."); } + return "random"; } /** diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java index 530e2efa8..0699a5287 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java 
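Review bot: `getIVType()` now logs a warning and falls through to `return "random";` for any unrecognised value, but the interface Javadoc rewritten in the same commit (SecurityConfiguration.java) says anything other than "random" "should fail with a ConfigurationException being thrown", so the contract and the implementation disagree. Falling back to the only remaining secure option is defensible, but pick one: either keep `throw new ConfigurationException(value + " is illegal value for " + IV_TYPE + ". Use 'random'.");` as before, or update the interface doc to describe the fallback. Separately, the "random" branch returns the raw property value via `return value;` (which may be e.g. `Random`) while the fallback returns the literal `random`; returning the normalised literal in both branches would match the documented return value, even though JavaEncryptor currently compares with equalsIgnoreCase.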
@@ -466,7 +466,7 @@ public String getValidDirectoryPath(String context, String input, File parent, b if ( !parent.isDirectory() ) { throw new ValidationException( context + ": Invalid directory name", "Invalid directory, specified parent is not a directory: context=" + context + ", input=" + input + ", parent=" + parent ); } - if ( !dir.getCanonicalPath().startsWith(parent.getCanonicalPath() ) ) { + if ( !dir.getCanonicalFile().toPath().startsWith( parent.getCanonicalFile().toPath() ) ) { // Fixes GHSL-2022-008 throw new ValidationException( context + ": Invalid directory name", "Invalid directory, not inside specified parent: context=" + context + ", input=" + input + ", parent=" + parent ); } diff --git a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java index 64d3e7561..63022925e 100644 --- a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java +++ b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java 
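Review bot: The one-line comment `// Fixes GHSL-2022-008` names the advisory but not the defect, which is what the next maintainer needs in order not to revert to a string compare; suggest `// Compare path components, not string prefixes: startsWith() on canonical path strings also accepted sibling directories whose name merely begins with the parent's (GHSL-2022-008).` The hunk shows no regression test for that sibling-directory case; a test that creates `<parent>` and `<parent>x` and asserts the latter is rejected would pin the fix. `getValidDirectoryPath` begins and ends outside the hunk, so I cannot see how the `IOException` from `getCanonicalFile()` is handled.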
@@ -464,25 +464,10 @@ public CipherText encrypt(SecretKey key, PlainText plain) IvParameterSpec ivSpec = null; if ( ivType.equalsIgnoreCase("random") ) { ivBytes = ESAPI.randomizer().getRandomBytes(encrypter.getBlockSize()); - } else if ( ivType.equalsIgnoreCase("fixed") ) { - String fixedIVAsHex = ESAPI.securityConfiguration().getFixedIV(); - ivBytes = Hex.decode(fixedIVAsHex); - /* FUTURE } else if ( ivType.equalsIgnoreCase("specified")) { - // FUTURE - TODO - Create instance of specified class to use for IV generation and - // use it to create the ivBytes. (The intent is to make sure that - // 1) IVs are never repeated for cipher modes like OFB and CFB, and - // 2) to screen for weak IVs for the particular cipher algorithm. - // In meantime, use 'random' for block cipher in feedback mode. Unlikely they will - // be repeated unless you are salting SecureRandom with same value each time. Anything - // monotonically increasing should be suitable, like a counter, but need to remember - // it across JVM restarts. Was thinking of using System.currentTimeMillis(). While - // it's not perfect it probably is good enough. Could even all (advanced) developers - // to define their own class to create a unique IV to allow them some choice, but - // definitely need to provide a safe, default implementation. - */ } else { - // TODO: Update to add 'specified' once that is supported and added above. - throw new ConfigurationException("Property Encryptor.ChooseIVMethod must be set to 'random' or 'fixed'"); + // This really shouldn't happen here. Show catch it a few + // lines above. + throw new ConfigurationException("Property Encryptor.ChooseIVMethod must be set to 'random'."); } ivSpec = new IvParameterSpec(ivBytes); cipherSpec.setIV(ivBytes); diff --git a/src/test/java/org/owasp/esapi/SecurityConfigurationWrapper.java b/src/test/java/org/owasp/esapi/SecurityConfigurationWrapper.java index 2c54a93f5..a051d6f39 100644 
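Review bot: The new comment has a typo (`Show catch it` should be `Should catch it`) and points at "a few lines above" without saying what does the catching; suggest `// Unreachable in practice: getIVType() throws ConfigurationException for 'fixed'/'specified' and maps anything else to 'random'. Kept as a fail-closed guard.` Keeping the throw rather than silently defaulting to a random IV is the right choice here. `encrypt` starts and ends outside the hunk.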
--- a/src/test/java/org/owasp/esapi/SecurityConfigurationWrapper.java +++ b/src/test/java/org/owasp/esapi/SecurityConfigurationWrapper.java @@ -291,14 +291,6 @@ public String getIVType() return wrapped.getIVType(); } - /** - * {@inheritDoc} - */ - // @Override - public String getFixedIV() - { - return wrapped.getFixedIV(); - } /** * {@inheritDoc} diff --git a/src/test/java/org/owasp/esapi/crypto/CipherSpecTest.java b/src/test/java/org/owasp/esapi/crypto/CipherSpecTest.java index 8f808880f..81cde6a52 100644 --- a/src/test/java/org/owasp/esapi/crypto/CipherSpecTest.java +++ b/src/test/java/org/owasp/esapi/crypto/CipherSpecTest.java @@ -29,10 +29,7 @@ public class CipherSpecTest extends TestCase { private byte[] myIV = null; @Before public void setUp() throws Exception { - // This will throw ConfigurationException if IV type is not set to - // 'fixed', which it's not. (We have it set to 'random'.) - // myIV = Hex.decode( ESAPI.securityConfiguration().getFixedIV() ); - myIV = Hex.decode( "0x000102030405060708090a0b0c0d0e0f" ); + myIV = Hex.decode( "0x000102030405060708090a0b0c0d0e0f" ); // Any IV to test w/ will do. dfltAESCipher = Cipher.getInstance("AES"); dfltECBCipher = Cipher.getInstance("AES/ECB/NoPadding"); diff --git a/src/test/java/org/owasp/esapi/logging/java/JavaLoggerTest.java b/src/test/java/org/owasp/esapi/logging/java/JavaLoggerTest.java index 2d9c24347..c7258a8ba 100644 --- a/src/test/java/org/owasp/esapi/logging/java/JavaLoggerTest.java +++ b/src/test/java/org/owasp/esapi/logging/java/JavaLoggerTest.java 
@@ -46,12 +46,12 @@ public void setup() { public void testLevelEnablement() { testLogger.setLevel(Logger.INFO); - Assert.assertFalse(testLogger.isFatalEnabled()); - Assert.assertFalse(testLogger.isErrorEnabled()); - Assert.assertFalse(testLogger.isWarningEnabled()); + Assert.assertTrue(testLogger.isFatalEnabled()); + Assert.assertTrue(testLogger.isErrorEnabled()); + Assert.assertTrue(testLogger.isWarningEnabled()); Assert.assertTrue(testLogger.isInfoEnabled()); - Assert.assertTrue(testLogger.isDebugEnabled()); - Assert.assertTrue(testLogger.isTraceEnabled()); + Assert.assertFalse(testLogger.isDebugEnabled()); + Assert.assertFalse(testLogger.isTraceEnabled()); Assert.assertEquals(Logger.INFO, testLogger.getESAPILevel()); } diff --git a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java b/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java index ebea57ac2..16834f288 100644 --- a/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java +++ b/src/test/java/org/owasp/esapi/logging/log4j/Log4JLoggerTest.java @@ -36,12 +36,12 @@ public class Log4JLoggerTest { public void testLevelEnablement() { testLogger.setLevel(Logger.INFO); - Assert.assertFalse(testLogger.isFatalEnabled()); - Assert.assertFalse(testLogger.isErrorEnabled()); - Assert.assertFalse(testLogger.isWarningEnabled()); + Assert.assertTrue(testLogger.isFatalEnabled()); + Assert.assertTrue(testLogger.isErrorEnabled()); + Assert.assertTrue(testLogger.isWarningEnabled()); Assert.assertTrue(testLogger.isInfoEnabled()); - Assert.assertTrue(testLogger.isDebugEnabled()); - Assert.assertTrue(testLogger.isTraceEnabled()); + Assert.assertFalse(testLogger.isDebugEnabled()); + Assert.assertFalse(testLogger.isTraceEnabled()); Assert.assertEquals(Logger.INFO, testLogger.getESAPILevel()); } diff --git a/src/test/java/org/owasp/esapi/logging/slf4j/Slf4JLoggerTest.java b/src/test/java/org/owasp/esapi/logging/slf4j/Slf4JLoggerTest.java index e2d7a5a2f..70687f4f2 100644 
--- a/src/test/java/org/owasp/esapi/logging/slf4j/Slf4JLoggerTest.java +++ b/src/test/java/org/owasp/esapi/logging/slf4j/Slf4JLoggerTest.java @@ -34,12 +34,12 @@ public class Slf4JLoggerTest { public void testLevelEnablement() { testLogger.setLevel(Logger.INFO); - Assert.assertFalse(testLogger.isFatalEnabled()); - Assert.assertFalse(testLogger.isErrorEnabled()); - Assert.assertFalse(testLogger.isWarningEnabled()); + Assert.assertTrue(testLogger.isFatalEnabled()); + Assert.assertTrue(testLogger.isErrorEnabled()); + Assert.assertTrue(testLogger.isWarningEnabled()); Assert.assertTrue(testLogger.isInfoEnabled()); - Assert.assertTrue(testLogger.isDebugEnabled()); - Assert.assertTrue(testLogger.isTraceEnabled()); + Assert.assertFalse(testLogger.isDebugEnabled()); + Assert.assertFalse(testLogger.isTraceEnabled()); Assert.assertEquals(Logger.INFO, testLogger.getESAPILevel()); } diff --git a/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java b/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java index 161b5ab69..d0c3e6dc2 100644 --- a/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java +++ b/src/test/java/org/owasp/esapi/reference/DefaultSecurityConfigurationTest.java @@ -8,8 +8,10 @@ import static org.junit.Assert.fail; import java.util.regex.Pattern; +import java.util.Properties; import org.junit.Test; + import org.owasp.esapi.ESAPI; import org.owasp.esapi.Logger; import org.owasp.esapi.SecurityConfiguration; @@ -19,7 +21,7 @@ public class DefaultSecurityConfigurationTest { private DefaultSecurityConfiguration createWithProperty(String key, String val) { - java.util.Properties properties = new java.util.Properties(); + Properties properties = new Properties(); properties.setProperty(key, val); return new DefaultSecurityConfiguration(properties); } 
@@ -34,7 +36,7 @@ public void testGetApplicationName() { @Test public void testGetLogImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_LOG_IMPLEMENTATION, secConf.getLogImplementation()); final String expected = "TestLogger"; @@ -45,7 +47,7 @@ public void testGetLogImplementation() { @Test public void testAuthenticationImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_AUTHENTICATION_IMPLEMENTATION, secConf.getAuthenticationImplementation()); final String expected = "TestAuthentication"; @@ -56,7 +58,7 @@ public void testAuthenticationImplementation() { @Test public void testEncoderImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_ENCODER_IMPLEMENTATION, secConf.getEncoderImplementation()); final String expected = "TestEncoder"; @@ -67,7 +69,7 @@ public void testEncoderImplementation() { @Test public void testAccessControlImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_ACCESS_CONTROL_IMPLEMENTATION, secConf.getAccessControlImplementation()); final String expected = "TestAccessControl"; 
@@ -78,7 +80,7 @@ public void testAccessControlImplementation() { @Test public void testEncryptionImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_ENCRYPTION_IMPLEMENTATION, secConf.getEncryptionImplementation()); final String expected = "TestEncryption"; @@ -89,7 +91,7 @@ public void testEncryptionImplementation() { @Test public void testIntrusionDetectionImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION, secConf.getIntrusionDetectionImplementation()); final String expected = "TestIntrusionDetection"; @@ -100,7 +102,7 @@ public void testIntrusionDetectionImplementation() { @Test public void testRandomizerImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_RANDOMIZER_IMPLEMENTATION, secConf.getRandomizerImplementation()); final String expected = "TestRandomizer"; @@ -111,7 +113,7 @@ public void testRandomizerImplementation() { @Test public void testExecutorImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_EXECUTOR_IMPLEMENTATION, secConf.getExecutorImplementation()); final String expected = "TestExecutor"; 
@@ -122,7 +124,7 @@ public void testExecutorImplementation() { @Test public void testHTTPUtilitiesImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_HTTP_UTILITIES_IMPLEMENTATION, secConf.getHTTPUtilitiesImplementation()); final String expected = "TestHTTPUtilities"; @@ -133,7 +135,7 @@ public void testHTTPUtilitiesImplementation() { @Test public void testValidationImplementation() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(DefaultSecurityConfiguration.DEFAULT_VALIDATOR_IMPLEMENTATION, secConf.getValidationImplementation()); final String expected = "TestValidation"; @@ -144,7 +146,7 @@ public void testValidationImplementation() { @Test public void testGetEncryptionKeyLength() { // test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals(128, secConf.getEncryptionKeyLength()); final int expected = 256; @@ -155,7 +157,7 @@ public void testGetEncryptionKeyLength() { @Test public void testGetKDFPseudoRandomFunction() { // test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals("HmacSHA256", secConf.getKDFPseudoRandomFunction()); final String expected = "HmacSHA1"; 
@@ -166,7 +168,7 @@ public void testGetKDFPseudoRandomFunction() { @Test public void testGetMasterSalt() { try { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); secConf.getMasterSalt(); fail("Expected Exception not thrown"); } @@ -176,7 +178,7 @@ public void testGetMasterSalt() { final String salt = "53081"; final String property = ESAPI.encoder().encodeForBase64(salt.getBytes(), false); - java.util.Properties properties = new java.util.Properties(); + Properties properties = new Properties(); properties.setProperty(DefaultSecurityConfiguration.MASTER_SALT, property); DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(properties); assertEquals(salt, new String(secConf.getMasterSalt())); @@ -184,7 +186,7 @@ public void testGetMasterSalt() { @Test public void testGetAllowedExecutables() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); java.util.List allowedExecutables = secConf.getAllowedExecutables(); //is this really what should be returned? what about an empty list? @@ -192,7 +194,7 @@ public void testGetAllowedExecutables() { assertEquals("", allowedExecutables.get(0)); - java.util.Properties properties = new java.util.Properties(); + Properties properties = new Properties(); properties.setProperty(DefaultSecurityConfiguration.APPROVED_EXECUTABLES, String.valueOf("/bin/bzip2,/bin/diff, /bin/cvs")); secConf = new DefaultSecurityConfiguration(properties); allowedExecutables = secConf.getAllowedExecutables(); 
@@ -208,12 +210,12 @@ public void testGetAllowedExecutables() { @Test public void testGetAllowedFileExtensions() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); java.util.List allowedFileExtensions = secConf.getAllowedFileExtensions(); assertFalse(allowedFileExtensions.isEmpty()); - java.util.Properties properties = new java.util.Properties(); + Properties properties = new Properties(); properties.setProperty(DefaultSecurityConfiguration.APPROVED_UPLOAD_EXTENSIONS, String.valueOf(".txt,.xml,.html,.png")); secConf = new DefaultSecurityConfiguration(properties); allowedFileExtensions = secConf.getAllowedFileExtensions(); @@ -223,7 +225,7 @@ public void testGetAllowedFileExtensions() { @Test public void testGetAllowedFileUploadSize() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); //assert that the default is of some reasonable size assertTrue(secConf.getAllowedFileUploadSize() > (1024 * 100)); 
@@ -235,11 +237,11 @@ public void testGetAllowedFileUploadSize() { @Test public void testGetParameterNames() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals("password", secConf.getPasswordParameterName()); assertEquals("username", secConf.getUsernameParameterName()); - java.util.Properties properties = new java.util.Properties(); + Properties properties = new Properties(); properties.setProperty(DefaultSecurityConfiguration.PASSWORD_PARAMETER_NAME, "j_password"); properties.setProperty(DefaultSecurityConfiguration.USERNAME_PARAMETER_NAME, "j_username"); secConf = new DefaultSecurityConfiguration(properties); @@ -250,7 +252,7 @@ public void testGetParameterNames() { @Test public void testGetEncryptionAlgorithm() { //test the default - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals("AES", secConf.getEncryptionAlgorithm()); secConf = this.createWithProperty(DefaultSecurityConfiguration.ENCRYPTION_ALGORITHM, "3DES"); 
@@ -259,11 +261,11 @@ public void testGetEncryptionAlgorithm() { @Test public void testGetCipherXProperties() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertEquals("AES/CBC/PKCS5Padding", secConf.getCipherTransformation()); //assertEquals("AES/CBC/PKCS5Padding", secConf.getC); - java.util.Properties properties = new java.util.Properties(); + Properties properties = new Properties(); properties.setProperty(DefaultSecurityConfiguration.CIPHER_TRANSFORMATION_IMPLEMENTATION, "Blowfish/CFB/ISO10126Padding"); secConf = new DefaultSecurityConfiguration(properties); assertEquals("Blowfish/CFB/ISO10126Padding", secConf.getCipherTransformation()); 
@@ -274,47 +276,35 @@ public void testGetCipherXProperties() { secConf.setCipherTransformation(null);//sets it back to default assertEquals("Blowfish/CFB/ISO10126Padding", secConf.getCipherTransformation()); } - + + // NOTE: When SecurityConfiguration.getIVType() is finally removed, this test can be as well. @Test public void testIV() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); - assertEquals("random", secConf.getIVType()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); + assertEquals("random", secConf.getIVType()); // Ensure that 'random' is the default type for getIVType(). + + Properties props = new Properties(); + String ivType = null; + props.setProperty(DefaultSecurityConfiguration.IV_TYPE, "fixed"); // No longer supported. + + secConf = new DefaultSecurityConfiguration( props ); try { - secConf.getFixedIV(); - fail(); + ivType = secConf.getIVType(); // This should now throw a Configuration Exception. 
+ fail("Expected ConfigurationException to be thrown for " + DefaultSecurityConfiguration.IV_TYPE + "=" + ivType); } catch (ConfigurationException ce) { assertNotNull(ce.getMessage()); } - java.util.Properties properties = new java.util.Properties(); - properties.setProperty(DefaultSecurityConfiguration.IV_TYPE, "fixed"); - properties.setProperty(DefaultSecurityConfiguration.FIXED_IV, "ivValue"); - secConf = new DefaultSecurityConfiguration(properties); - assertEquals("fixed", secConf.getIVType()); - assertEquals("ivValue", secConf.getFixedIV()); - - properties.setProperty(DefaultSecurityConfiguration.IV_TYPE, "illegal"); - secConf = new DefaultSecurityConfiguration(properties); - try { - secConf.getIVType(); - fail(); - } - catch (ConfigurationException ce) { - assertNotNull(ce.getMessage()); - } - try { - secConf.getFixedIV(); - fail(); - } - catch (ConfigurationException ce) { - assertNotNull(ce.getMessage()); - } + props.setProperty(DefaultSecurityConfiguration.IV_TYPE, "illegal"); // This will just result in a logSpecial message & "random" is returned. + secConf = new DefaultSecurityConfiguration(props); + ivType = secConf.getIVType(); + assertEquals(ivType, "random"); } @Test public void testGetAllowMultipleEncoding() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertFalse(secConf.getAllowMultipleEncoding()); secConf = this.createWithProperty(DefaultSecurityConfiguration.ALLOW_MULTIPLE_ENCODING, "yes"); 
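Review bot: `assertEquals(ivType, "random")` has the expected and actual arguments swapped, so a failure message would read as if `random` were the observed value; write `assertEquals("random", ivType);`. The `fail(...)` message interpolates `ivType`, which at that point holds whatever `getIVType()` returned rather than the value that was configured, so it should quote the property that was set (`"fixed"`) instead. The `specified` value, which the implementation also rejects with `ConfigurationException`, is not covered; a third case mirroring the `fixed` block would pin that behaviour.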
@@ -329,7 +319,7 @@ public void testGetAllowMultipleEncoding() { @Test public void testGetDefaultCanonicalizationCodecs() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertFalse(secConf.getDefaultCanonicalizationCodecs().isEmpty()); String property = "org.owasp.esapi.codecs.TestCodec1,org.owasp.esapi.codecs.TestCodec2"; @@ -339,7 +329,7 @@ public void testGetDefaultCanonicalizationCodecs() { @Test public void testGetDisableIntrusionDetection() { - DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new java.util.Properties()); + DefaultSecurityConfiguration secConf = new DefaultSecurityConfiguration(new Properties()); assertFalse(secConf.getDisableIntrusionDetection()); secConf = this.createWithProperty(DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION, "TRUE"); diff --git a/src/test/java/org/owasp/esapi/reference/EncoderTest.java b/src/test/java/org/owasp/esapi/reference/EncoderTest.java index 8f345e199..ed04b6d5b 100644 --- a/src/test/java/org/owasp/esapi/reference/EncoderTest.java +++ b/src/test/java/org/owasp/esapi/reference/EncoderTest.java @@ -212,6 +212,8 @@ public void testCanonicalize() throws EncodingException { assertEquals( "<", instance.canonicalize("&lT;")); assertEquals( "<", instance.canonicalize("≪")); assertEquals( "<", instance.canonicalize("<")); + assertEquals( "&", instance.canonicalize("&")); + assertEquals( "〈", instance.canonicalize("&lang")); assertEquals( "", instance.canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") ); assertEquals( "", instance.canonicalize("%3Cscript>alert%28%22hello"%29%3B%3C%2Fscript%3E", false) ); 
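Review bot: The expected value for `&lang` is a non-ASCII bracket literal whose exact code point cannot be told apart from look-alike characters in source; write it as a `\u` escape (`assertEquals("\uXXXX", instance.canonicalize("&lang"))` with XXXX replaced by the intended code point) so the assertion does not depend on editor or source-file encoding. The input `&lang` has no trailing semicolon; if decoding semicolon-less references beyond HTML's legacy set is deliberate canonicalization behaviour, a one-line comment saying so would keep someone from "fixing" it to match browser parsing.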
@@ -912,11 +914,28 @@ public void testHtmlEncodeStrSurrogatePair() public void testHtmlDecodeHexEntititesSurrogatePair() { - HTMLEntityCodec htmlCodec = new HTMLEntityCodec(); + HTMLEntityCodec htmlCodec = new HTMLEntityCodec(); String expected = new String (new int[]{0x2f804}, 0, 1); assertEquals( expected, htmlCodec.decode("你") ); assertEquals( expected, htmlCodec.decode("你") ); } + public void testUnicodeCanonicalize() { + Encoder e = ESAPI.encoder(); + String input = "测试"; + String expected = "测试"; + String output = e.canonicalize(input); + assertEquals(expected, output); + } + + public void testUnicodeCanonicalizePercentEncoding() { + //TODO: We need to find a way to specify the encoding type for percent encoding. + //I believe by default we're doing Latin-1 and we really should be doing UTF-8 + Encoder e = ESAPI.encoder(); + String input = "%E6%B5%8B%E8%AF%95"; + String expected = "测试"; + String output = e.canonicalize(input); + assertNotSame(expected, output); + } } diff --git a/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java b/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java index ba6715313..1f8701efd 100644 --- a/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java +++ b/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java @@ -45,6 +45,7 @@ import org.owasp.esapi.http.MockHttpServletResponse; import org.owasp.esapi.http.MockHttpSession; import org.owasp.esapi.util.FileTestUtils; +import org.owasp.esapi.util.TestUtils; import junit.framework.Test; import junit.framework.TestCase; 
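Review bot: `assertNotSame(expected, output)` in `testUnicodeCanonicalizePercentEncoding` compares object identity, and two independently created `String`s are never the same reference, so the test cannot fail no matter what `canonicalize` returns. If the intent is to document the current Latin-1 behaviour until the TODO is resolved, use `assertNotEquals(expected, output);` (better still, assert the actual current output so a change in decoding is noticed), and switch it to `assertEquals` once UTF-8 percent decoding lands. Since the class appears to be a JUnit 3 `TestCase`, `assertNotEquals` may need a static import from `org.junit.Assert`.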
@@ -372,6 +373,27 @@ public void testSetCookie() { instance.addCookie( response, new Cookie( "test3", "tes<()", 100, false, errors)); - assertTrue(errors.size()==0); + assertEquals(0, errors.size()); assertFalse(instance.isValidPrintable("name3", chars, 100, false, errors)); - assertTrue(errors.size()==1); + assertEquals(1, errors.size()); assertFalse(instance.isValidPrintable("name4", "%08", 100, false, errors)); - assertTrue(errors.size()==2); + assertEquals(2, errors.size()); } @Test public void testIsValidRedirectLocation() { - // isValidRedirectLocation(String, String, boolean) + // TODO - isValidRedirectLocation(String, String, boolean) } // Test split out and moved to HTMLValidationRuleLogsTest.java & HTMLValidationRuleThrowsTest.java @@ -1011,7 +1064,7 @@ public void testGetCookies() { Cookie[] cookies = safeRequest.getCookies(); assertEquals(cookies[0].getValue(), request.getCookies()[0].getValue()); assertEquals(cookies[1].getName(), request.getCookies()[2].getName()); - assertTrue(cookies.length == 2); + assertEquals(2, cookies.length); } @Test @@ -1131,4 +1184,3 @@ public void testavaloqLooseSafeString(){ assertFalse(isValid); } } - diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java index 2d489e793..87a2370c0 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java 
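Review bot: `testIsValidRedirectLocation` still has an empty body, so it passes without exercising anything and the TODO is invisible in test reports; either give it a real assertion or mark it `@Ignore("TODO: cover isValidRedirectLocation(String, String, boolean)")` so the gap shows up as skipped rather than green. The hunk appears truncated in this rendering (its header promises more lines than are shown), so I may be missing context. The switch to `assertEquals(0, errors.size())` is welcome, since it reports the actual count on failure.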
@@ -22,12 +22,14 @@ import org.owasp.esapi.ValidationErrorList; import org.owasp.esapi.ValidationRule; import org.owasp.esapi.Validator; +import org.owasp.esapi.errors.IntrusionException; import org.owasp.esapi.errors.ValidationException; import org.owasp.esapi.filters.SecurityWrapperRequest; import org.owasp.esapi.reference.validation.HTMLValidationRule; import org.junit.Test; import org.junit.Before; +import org.junit.Ignore; import org.junit.After; import org.junit.Rule; import org.junit.rules.ExpectedException; 
@@ -125,6 +127,45 @@ public void testGetValidSafeHTML() throws Exception { // assertEquals("", result4); } + // FIXME: Change the method name to reflect the CVE once we have a number for this. + // Test to confirm that CVE-2022-xxxxx (TBD) is fixed. The cause of this was + // from a subtle botched regex for 'onsiteURL' in all the versions of + // antsamy-esapi.xml that had been there as far back as ESAPI 1.4! + // + // This TBD CVE should arguably get the same CVSSv3 store as the AntiSamy + // CVE-2021-35043 as the are very similar. + @Test + public void testJavaScriptURL() throws Exception { + System.out.println("testJavaScriptURL"); + + String expectedSafeText = "This is safe from XSS. Trust us!"; + String badVoodoo = "" + expectedSafeText + ""; + Validator instance = ESAPI.validator(); + ValidationErrorList errorList = new ValidationErrorList(); + String result = instance.getValidSafeHTML("test", badVoodoo, 100, false, errorList); + assertEquals( expectedSafeText, result ); + } + + // To confirm fix for CVE-2021-35043 in AntiSamy 1.6.5 and later. Actually, + // it was never really "broken" in ESAPI's "default configuration" because it is + // triggers an Intrusion Detection when it is checking the canonicalization + // and the ':' trips it up, that that's pretty much irrelevant given + // the (TBD) CVE mented in the previous test case. + // + // Note: This test assumes a standard default ESAPI.properties file. In + // particular, the normal canonicalization has to be enabled. + public void testAntiSamyCVE_2021_35043Fixed() { + System.out.println("testAntiSamyCVE_2021_35043Fixed"); + + String expectedSafeText = "This is safe from XSS. Trust us!"; + + // Translates to '" + expectedSafeText + ""; + Validator instance = ESAPI.validator(); + // ValidationErrorList errorList = new ValidationErrorList(); + boolean result = instance.isValidSafeHTML("CVE-2021-35043", badVoodoo, 200, false); + assertTrue( result ); + } @Test public void testIsValidSafeHTML() { 
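Review bot: `testAntiSamyCVE_2021_35043Fixed` has no `@Test` annotation while its sibling `testJavaScriptURL` and the rest of this JUnit 4 file do, so the runner never executes it and the regression it is meant to guard stays unverified; add `@Test` above `public void testAntiSamyCVE_2021_35043Fixed()`. The HTML payload literals assigned to `badVoodoo` appear stripped in this rendering, so I cannot check the inputs themselves. The leading FIXME about a not-yet-assigned CVE number is fine as a placeholder, but the method name should be updated as soon as the identifier exists so the test can be located by advisory.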
@@ -153,4 +194,61 @@ public void testIsValidSafeHTML() { assertTrue(errors.size() == 0); } + + @Test + public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception { + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + String input = "test"; + assertTrue(instance.isValidSafeHTML("test8", input, 100, false, errors)); + String expected = "b</style><a href=javascript:alert(1)>test"; + String output = instance.getValidSafeHTML("javascript Link", input, 250, false); + assertEquals(expected, output); + assertTrue(errors.size() == 0); + } + + @Test + public void testScriptTagAfterStyleClosing() throws Exception { + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + String input = "Walert(1)"; + assertTrue(instance.isValidSafeHTML("test9", input, 100, false, errors)); + String expected = "W<script>alert(1)</script>"; + String output = instance.getValidSafeHTML("escaping style tag attack with script tag", input, 250, false); + assertEquals(expected, output); + assertTrue(errors.size() == 0); + } + + @Test + public void testOnfocusAfterStyleClosing() throws Exception { + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + String input = "kinput/onfocus=alert(1)>"; + assertTrue(instance.isValidSafeHTML("test10", input, 100, false, errors)); + String expected = "k<input/onfocus=alert(1)>"; // Suspicious??? Doesn't agree w/ AntiSamy test. FIXME? + String output = instance.getValidSafeHTML("escaping style tag attack with onfocus attribute", input, 250, false); + assertEquals(expected, output); + assertTrue(errors.size() == 0); + } + + // FIXME: This problem is a DoS issue that lies within Neko that is only available for Java 8 and later. + // However, the latest version that is available for Java 7 is Neko 2.24. It is fixed in later versions + // that are not available for JDK 7 though. 
The fix will just start using the one the latest Java 8 version + // of AntiSamy is using and remove our and specific 2.24 dependency from our pom.xml and use whatever + // AntiSamy provides. All we should need to do is that and remove the @Ignore annotation here. + @Test + @Ignore + public void testNekoDOSWithAnHTMLComment() throws Exception { + /** + * FIXME: This unit test needs to pass before the next ESAPI release once ESAPI starts using JDK 8 as min JDK. + */ + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + String input = " - - - + + + diff --git a/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties index 402ea806c..5f10329c6 100644 --- a/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties @@ -259,9 +259,6 @@ Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC # Additional cipher modes allowed for ESAPI 2.0 encryption. These # cipher modes are in _addition_ to those specified by the property # 'Encryptor.cipher_modes.combined_modes'. -# Note: We will add support for streaming modes like CFB & OFB once -# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' -# (probably in ESAPI 2.1). # # IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB # here as this is an extremely weak mode. However, we *must* 
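Review bot: `@Ignore` on `testNekoDOSWithAnHTMLComment` carries no reason, so test reports show an anonymous skip; move the gist of the FIXME into the annotation, e.g. `@Ignore("Needs a Neko/AntiSamy version only available for JDK 8+; see FIXME above")`. The `/** ... */` block inside the method body is not Javadoc and should be a plain `//` comment. The new tests still use `assertTrue(errors.size() == 0)`, which the HTTPUtilitiesTest hunk in this same commit replaces with `assertEquals(0, errors.size())`; making these consistent now avoids a follow-up. The expected string in `testOnfocusAfterStyleClosing` is flagged "Suspicious???" by its own comment, and an assertion its author doubts should be resolved before merge or documented as a known difference from the AntiSamy test.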
@@ -284,29 +281,26 @@ Encryptor.EncryptionKeyLength=128 # Min key length - to support testing with 2TDEA Encryptor.MinEncryptionKeyLength=112 -# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). -# (All cipher modes except ECB require an IV.) There are two choices: we can either -# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While -# the IV does not need to be hidden from adversaries, it is important that the -# adversary not be allowed to choose it. Also, random IVs are generally much more -# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes -# such as CFB and OFB use a different IV for each encryption with a given key so -# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random -# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and -# uncomment the Encryptor.fixedIV. -# -# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 +# Because 2.x uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) Previously there were two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. The +# former was deprecated in ESAPI 2.2 and removed in ESAPI 2.3. It was not secure +# because the Encryptor (as are all the other major ESAPI components) is a +# singleton and thus the same IV would get reused each time. It was not a +# well-thought out plan. (To do it correctly means we need to add a setIV() method +# and get rid of the Encryptor singleton, thus it will not happen until 3.0.) +# However, while the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Thus for now, ESAPI just chooses a random IV. 
+# Originally there was plans to allow a developer to provide a class and method +# name to define a custom static method to generate an IV, but that is just +# trouble waiting to happen. Thus in effect, the ONLY acceptable property value +# for this property is "random". In the not too distant future (possibly the +# next release), I will be removing it, but for now I am leaving this and +# checking for it so a ConfigurationException can be thrown if anyone using +# ESAPI ignored the deprecation warning message and still has it set to "fixed". +# +# Valid values: random Encryptor.ChooseIVMethod=random -# If you choose to use a fixed IV, then you must place a fixed IV here that -# is known to all others who are sharing your secret key. The format should -# be a hex string that is the same length as the cipher block size for the -# cipher algorithm that you are using. The following is an example for AES -# from an AES test vector for AES-128/CBC as described in: -# NIST Special Publication 800-38A (2001 Edition) -# "Recommendation for Block Cipher Modes of Operation". -# (Note that the block size for AES is 16 bytes == 128 bits.) -# -Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f # Whether or not CipherText should use a message authentication code (MAC) with it. # This prevents an adversary from altering the IV as well as allowing a more @@ -468,7 +462,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ 
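Review bot: `Validator.HTTPCookieValue` gets a `{0,1024}` bound but `Validator.HTTPHeaderValue` on the very next line keeps the unbounded `*`, so the oversize-input concern the cookie change addresses still applies to header values in this fixture; either bound it the same way, `Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]{0,1024}$`, or add a comment recording where that length is enforced instead. The same change is repeated verbatim in the Dual, Quoted and Single fixture copies in this diff, and all four keep `Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$` while `src/test/resources/esapi/ESAPI.properties` in the same diff uses `{1,256}`; if these fixtures are meant to mirror ESAPI.properties, a one-line comment in each saying which values are deliberately different would stop the drift from being mistaken for a bug. Whether 1024 agrees with what the HTTPUtilities layer enforces for cookies is not visible here, so a comment above the property naming the source of the limit would help keep the two in step.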
diff --git a/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties index 322b0f5f4..74e645a20 100644 --- a/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties @@ -259,9 +259,6 @@ Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC # Additional cipher modes allowed for ESAPI 2.0 encryption. These # cipher modes are in _addition_ to those specified by the property # 'Encryptor.cipher_modes.combined_modes'. -# Note: We will add support for streaming modes like CFB & OFB once -# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' -# (probably in ESAPI 2.1). # # IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB # here as this is an extremely weak mode. However, we *must* 
@@ -285,29 +282,26 @@ Encryptor.EncryptionKeyLength=128 # Min key length - to support testing with 2TDEA Encryptor.MinEncryptionKeyLength=112 -# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). -# (All cipher modes except ECB require an IV.) There are two choices: we can either -# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While -# the IV does not need to be hidden from adversaries, it is important that the -# adversary not be allowed to choose it. Also, random IVs are generally much more -# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes -# such as CFB and OFB use a different IV for each encryption with a given key so -# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random -# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and -# uncomment the Encryptor.fixedIV. -# -# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 +# Because 2.x uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) Previously there were two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. The +# former was deprecated in ESAPI 2.2 and removed in ESAPI 2.3. It was not secure +# because the Encryptor (as are all the other major ESAPI components) is a +# singleton and thus the same IV would get reused each time. It was not a +# well-thought out plan. (To do it correctly means we need to add a setIV() method +# and get rid of the Encryptor singleton, thus it will not happen until 3.0.) +# However, while the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Thus for now, ESAPI just chooses a random IV. 
+# Originally there was plans to allow a developer to provide a class and method +# name to define a custom static method to generate an IV, but that is just +# trouble waiting to happen. Thus in effect, the ONLY acceptable property value +# for this property is "random". In the not too distant future (possibly the +# next release), I will be removing it, but for now I am leaving this and +# checking for it so a ConfigurationException can be thrown if anyone using +# ESAPI ignored the deprecation warning message and still has it set to "fixed". +# +# Valid values: random Encryptor.ChooseIVMethod=random -# If you choose to use a fixed IV, then you must place a fixed IV here that -# is known to all others who are sharing your secret key. The format should -# be a hex string that is the same length as the cipher block size for the -# cipher algorithm that you are using. The following is an example for AES -# from an AES test vector for AES-128/CBC as described in: -# NIST Special Publication 800-38A (2001 Edition) -# "Recommendation for Block Cipher Modes of Operation". -# (Note that the block size for AES is 16 bytes == 128 bits.) -# -Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f # Whether or not CipherText should use a message authentication code (MAC) with it. # This prevents an adversary from altering the IV as well as allowing a more @@ -469,7 +463,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ 
diff --git a/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties index 1a565c41c..4b0a8a33d 100644 --- a/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties @@ -258,9 +258,6 @@ Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC # Additional cipher modes allowed for ESAPI 2.0 encryption. These # cipher modes are in _addition_ to those specified by the property # 'Encryptor.cipher_modes.combined_modes'. -# Note: We will add support for streaming modes like CFB & OFB once -# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' -# (probably in ESAPI 2.1). # # IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB # here as this is an extremely weak mode. However, we *must* 
@@ -283,29 +280,26 @@ Encryptor.EncryptionKeyLength=128 # Min key length - to support testing with 2TDEA Encryptor.MinEncryptionKeyLength=112 -# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). -# (All cipher modes except ECB require an IV.) There are two choices: we can either -# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While -# the IV does not need to be hidden from adversaries, it is important that the -# adversary not be allowed to choose it. Also, random IVs are generally much more -# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes -# such as CFB and OFB use a different IV for each encryption with a given key so -# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random -# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and -# uncomment the Encryptor.fixedIV. -# -# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 +# Because 2.x uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) Previously there were two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. The +# former was deprecated in ESAPI 2.2 and removed in ESAPI 2.3. It was not secure +# because the Encryptor (as are all the other major ESAPI components) is a +# singleton and thus the same IV would get reused each time. It was not a +# well-thought out plan. (To do it correctly means we need to add a setIV() method +# and get rid of the Encryptor singleton, thus it will not happen until 3.0.) +# However, while the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Thus for now, ESAPI just chooses a random IV. 
+# Originally there was plans to allow a developer to provide a class and method +# name to define a custom static method to generate an IV, but that is just +# trouble waiting to happen. Thus in effect, the ONLY acceptable property value +# for this property is "random". In the not too distant future (possibly the +# next release), I will be removing it, but for now I am leaving this and +# checking for it so a ConfigurationException can be thrown if anyone using +# ESAPI ignored the deprecation warning message and still has it set to "fixed". +# +# Valid values: random Encryptor.ChooseIVMethod=random -# If you choose to use a fixed IV, then you must place a fixed IV here that -# is known to all others who are sharing your secret key. The format should -# be a hex string that is the same length as the cipher block size for the -# cipher algorithm that you are using. The following is an example for AES -# from an AES test vector for AES-128/CBC as described in: -# NIST Special Publication 800-38A (2001 Edition) -# "Recommendation for Block Cipher Modes of Operation". -# (Note that the block size for AES is 16 bytes == 128 bits.) -# -Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f # Whether or not CipherText should use a message authentication code (MAC) with it. # This prevents an adversary from altering the IV as well as allowing a more @@ -467,7 +461,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ 
diff --git a/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties index bbf49c6d3..462d04721 100644 --- a/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties @@ -258,9 +258,6 @@ Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC # Additional cipher modes allowed for ESAPI 2.0 encryption. These # cipher modes are in _addition_ to those specified by the property # 'Encryptor.cipher_modes.combined_modes'. -# Note: We will add support for streaming modes like CFB & OFB once -# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' -# (probably in ESAPI 2.1). # # IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB # here as this is an extremely weak mode. However, we *must* 
@@ -283,29 +280,26 @@ Encryptor.EncryptionKeyLength=128 # Min key length - to support testing with 2TDEA Encryptor.MinEncryptionKeyLength=112 -# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). -# (All cipher modes except ECB require an IV.) There are two choices: we can either -# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While -# the IV does not need to be hidden from adversaries, it is important that the -# adversary not be allowed to choose it. Also, random IVs are generally much more -# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes -# such as CFB and OFB use a different IV for each encryption with a given key so -# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random -# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and -# uncomment the Encryptor.fixedIV. -# -# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 +# Because 2.x uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) Previously there were two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. The +# former was deprecated in ESAPI 2.2 and removed in ESAPI 2.3. It was not secure +# because the Encryptor (as are all the other major ESAPI components) is a +# singleton and thus the same IV would get reused each time. It was not a +# well-thought out plan. (To do it correctly means we need to add a setIV() method +# and get rid of the Encryptor singleton, thus it will not happen until 3.0.) +# However, while the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Thus for now, ESAPI just chooses a random IV. 
+# Originally there was plans to allow a developer to provide a class and method +# name to define a custom static method to generate an IV, but that is just +# trouble waiting to happen. Thus in effect, the ONLY acceptable property value +# for this property is "random". In the not too distant future (possibly the +# next release), I will be removing it, but for now I am leaving this and +# checking for it so a ConfigurationException can be thrown if anyone using +# ESAPI ignored the deprecation warning message and still has it set to "fixed". +# +# Valid values: random Encryptor.ChooseIVMethod=random -# If you choose to use a fixed IV, then you must place a fixed IV here that -# is known to all others who are sharing your secret key. The format should -# be a hex string that is the same length as the cipher block size for the -# cipher algorithm that you are using. The following is an example for AES -# from an AES test vector for AES-128/CBC as described in: -# NIST Special Publication 800-38A (2001 Edition) -# "Recommendation for Block Cipher Modes of Operation". -# (Note that the block size for AES is 16 bytes == 128 bits.) -# -Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f # Whether or not CipherText should use a message authentication code (MAC) with it. # This prevents an adversary from altering the IV as well as allowing a more @@ -467,7 +461,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ diff --git a/src/test/resources/esapi/ESAPI.properties b/src/test/resources/esapi/ESAPI.properties index f3d7b46f1..29bc7b3dd 100644 
--- a/src/test/resources/esapi/ESAPI.properties
+++ b/src/test/resources/esapi/ESAPI.properties
@@ -239,9 +239,6 @@ Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
 # Additional cipher modes allowed for ESAPI 2.0 encryption. These
 # cipher modes are in _addition_ to those specified by the property
 # 'Encryptor.cipher_modes.combined_modes'.
-# Note: We will add support for streaming modes like CFB & OFB once
-# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
-# (probably in ESAPI 2.1).
 #
 # IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB
 # here as this is an extremely weak mode. However, we *must*
@@ -275,37 +272,26 @@ Encryptor.EncryptionKeyLength=128
 Encryptor.MinEncryptionKeyLength=112
 # Because 2.x uses CBC mode by default, it requires an initialization vector (IV).
-# (All cipher modes except ECB require an IV.) There are two choices: we can either
-# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
-# the IV does not need to be hidden from adversaries, it is important that the
-# adversary not be allowed to choose it. Also, random IVs are generally much more
-# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
-# such as CFB and OFB use a different IV for each encryption with a given key so
-# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
-# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
-# uncomment the Encryptor.fixedIV.
-#
-# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.3
-# 'fixed' is deprecated as of 2.2
-# and will be removed in 2.3.
+# (All cipher modes except ECB require an IV.) Previously there were two choices: we can either
+# use a fixed IV known to both parties or allow ESAPI to choose a random IV. The
+# former was deprecated in ESAPI 2.2 and removed in ESAPI 2.3. It was not secure
+# because the Encryptor (as are all the other major ESAPI components) is a
+# singleton and thus the same IV would get reused each time. It was not a
+# well-thought out plan. (To do it correctly means we need to add a setIV() method
+# and get rid of the Encryptor singleton, thus it will not happen until 3.0.)
+# However, while the IV does not need to be hidden from adversaries, it is important that the
+# adversary not be allowed to choose it. Thus for now, ESAPI just chooses a random IV.
+# Originally there was plans to allow a developer to provide a class and method
+# name to define a custom static method to generate an IV, but that is just
+# trouble waiting to happen. Thus in effect, the ONLY acceptable property value
+# for this property is "random". In the not too distant future (possibly the
+# next release), I will be removing it, but for now I am leaving this and
+# checking for it so a ConfigurationException can be thrown if anyone using
+# ESAPI ignored the deprecation warning message and still has it set to "fixed".
+#
+# Valid values: random
 Encryptor.ChooseIVMethod=random
-
-# If you choose to use a fixed IV, then you must place a fixed IV here that
-# is known to all others who are sharing your secret key. The format should
-# be a hex string that is the same length as the cipher block size for the
-# cipher algorithm that you are using. The following is an *example* for AES
-# from an AES test vector for AES-128/CBC as described in:
-# NIST Special Publication 800-38A (2001 Edition)
-# "Recommendation for Block Cipher Modes of Operation".
-# (Note that the block size for AES is 16 bytes == 128 bits.)
-#
-# @Deprecated -- fixed IVs are deprecated as of the 2.2 release and support
-# will be removed in the next release (tentatively, 2.3).
-# If you MUST use this, at least replace this IV with one
-# that your legacy application was using.
-Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
-
 # Whether or not CipherText should use a message authentication code (MAC) with it.
 # This prevents an adversary from altering the IV as well as allowing a more
 # fool-proof way of determining the decryption failed because of an incorrect
@@ -498,7 +484,7 @@ Validator.Redirect=^\\/test.*$
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
-Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$
 # Note that headerName and Value length is also configured in the HTTPUtilities section
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
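Review bot: The rewritten comment attributes the removal of fixed IVs to the Encryptor being a singleton, but a fixed IV under CBC is unsafe however it is wired up: encrypting twice under the same key and IV makes equal plaintext prefixes produce equal ciphertext prefixes, and an IV the adversary already knows is exactly the "adversary allowed to choose it" case the comment itself warns against, which is the real reason `Encryptor.fixedIV` had to go. I would replace the singleton sentences with `# A fixed IV is insecure with CBC regardless of implementation: reusing one IV under the same key leaks equal plaintext prefixes and hands the adversary a known IV, so 'fixed' was deprecated in 2.2 and removed in 2.3.` and keep the singleton/setIV() remark as a one-sentence design note. The text says a ConfigurationException is thrown only when the value is still `fixed`; the implementation is not in this diff, so if anything other than "random" is actually rejected, say so plainly with `# Any value other than "random" causes a ConfigurationException at startup.` The first-person "I will be removing it" and "there was plans" wording reads better as a deprecation line such as `# @Deprecated -- this property will be removed in a future release; only "random" is accepted.`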
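Review bot: The new `{0,1024}` bound on `Validator.HTTPCookieValue` is the only length cap in this group while `Validator.HTTPHeaderValue` two lines below stays `*`; the context comment says header name and value length are also configured in the HTTPUtilities section, so either extend that comment to say where the cookie-value length is authoritative, e.g. `# Cookie value length is capped here (1024); header name/value length is also configured in the HTTPUtilities section`, or bound HTTPHeaderValue the same way for consistency. If the validator canonicalizes input before matching (not visible in this diff), `{0,1024}` counts decoded characters, so a value that is over-long only in its encoded form may still pass; a sentence stating whether that is intended would save the next reader from guessing.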
diff --git a/src/test/resources/esapi/antisamy-esapi.xml b/src/test/resources/esapi/antisamy-esapi.xml index 4eb23cdfe..b6edfb3cd 100644 --- a/src/test/resources/esapi/antisamy-esapi.xml +++ b/src/test/resources/esapi/antisamy-esapi.xml @@ -31,9 +31,9 @@ Slashdot allowed tags taken from "Reply" page: space characters. --> - - - + + + @@ -168,6 +168,4 @@ Slashdot allowed tags taken from "Reply" page: - - diff --git a/suppressions.xml b/suppressions.xml index b99913788..c2e2b85f9 100644 --- a/suppressions.xml +++ b/suppressions.xml @@ -1,6 +1,6 @@ - + cpe:/a:apache:log4j CVE-2020-9488 + + + ^log4j:log4j:1\.2\.17$ + cpe:/a:apache:log4j + CVE-2021-4104 + + + + ^pkg:maven/commons\-io/commons\-io@.*$ + CVE-2021-29425 + + + + ^pkg:maven/org\.apache\.xmlgraphics/batik\-i18n@.*$ + CVE-2020-7791 +
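Review bot: The added suppressions silence CVE-2021-4104 for `log4j:log4j:1.2.17` and CVE-2021-29425 for every commons-io version (`^pkg:maven/commons\-io/commons\-io@.*$`), and in this view neither carries a `<notes>` justification or an `until="..."` expiry; the markup is stripped here, so disregard this if they are present in the file. If they are not, each `<suppress>` should state why the finding does not apply to ESAPI (for example that the vulnerable component or API is not used on untrusted input) and carry an `until` date so the suppression is revisited rather than permanent. Matching `@.*$` also hides the finding for any future commons-io version, including an accidental downgrade; pinning the pattern to the version actually shipped keeps that visible.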