尝试使用OWASP ESAPI时找不到antisamy-esapi.xml

Question

I have been trying to eval the OWASP ESAPI library, but have been having issues just getting it to initialize properly. I set up a resources folder for ESAPI.properties and validation.properties and those are loaded from the classpath without issue. However the antisamy-esapi.xml file is not loaded from classpath, and I found a bug from 2010 mentioning this. The errors I get are:

Attempting to load antisamy-esapi.xml as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\\Users\\mydir\\resin-pro-4.0.27\\antisamy-esapi.xml Not found in SystemResource Directory/resourceDirectory: .esapi\\antisamy-esapi.xml Not found in 'user.home' (C:\\Users\\mydir) directory: C:\\Users\\mydir\\esapi\\antisamy-esapi.xml

I am deploying the application using this library to resin. I have tried manually placing the xml file in all of the locations above, and the only one that finally worked was my home directory, which doesn't work very well for a production deploy.

I also followed a recommendation found elsewhere that says to set the -Dorg.owasp.esapi.resources property. This didn't work either, but more interestingly the error did not change, which makes me think that the setting was not picked up for some reason.

Any pointers on where this file needs to be located in my project so that it is loaded properly once deployed to the container?

Thanks in advance.

Update:

So from digging through the code it appears that there is specialized function for loading ESAPI.properties, which is why that file is able to be loaded from a standard resources (or any other src dir) directory which is deployed to the container. However the loading function for antisamy-esapi.xml just checks a particular directory under user.home, a configured custom directory, or via the result of ClassLoader.getSystemResource(). Not sure why these routines are separate. After hours of messing with this I lost patience and copied DefaultSecurityConfiguration.java and corrected the getResourceFile() method to use the same lookup code as loadConfigurationFromClasspath(). I then call ESAPI.override() with this class and it seems to work properly now.

Answer 1

I managed to make it work by adding the following line for esapi resources:

System.setProperty("org.owasp.esapi.resources", "src/main/resources");

DefaultSecurityConfiguration.java

At least now I am able to use instance.getValidSafeHTML

However, it wont work when one deploy to web server. I guess the patch is required to load the antisamy-esapi.xml to load from the class path.