ESAPI throwing org.owasp.esapi.errors.ConfigurationException when trying to log a warning

We've added a filter to our spring webapp that checks all incoming requests for anything that could cause an XSS vulnerability. However, when it tries to write to the log, we get the following stack trace:

com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
    at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
    at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
    at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
    at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
    at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
    at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
    at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)

I have ESAPI.properties on the classpath, that seems to be otherwise working, that does have the "missing" class configured:

ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities

And DefaultHTTPUtilities is on the classpath as well.

It turns out I was also importing a library called opensaml (as a dependency of some other dependency). This library has its own implementation of SecurityConfiguration, which is the interface ESAPI uses to load configuration. For some reason the opensaml implements nearly all the methods to just return null or 0:

package org.opensaml;

import org.owasp.esapi.SecurityConfiguration;

/**
 * Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
 */
public class ESAPISecurityConfig implements SecurityConfiguration {
    /** Constructor. */
    public ESAPISecurityConfig() {
    }
    // snip...
    /** {@inheritDoc} */
    public String getHTTPUtilitiesImplementation() {
        // returns null, so ESAPI's ObjFactory has no class name to instantiate
        return null;
    }
    // snip....
}

In a class called DefaultBootstrap, this was getting executed somewhere during the startup of my application, which overrides ESAPI's default implementation:

protected static void initializeESAPI() {
    ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}

I couldn't get rid of the opensaml library, so I had to change my code so that before I invoke ESAPI, I override it back to the default implementation:

        ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
        value = ESAPI.encoder().canonicalize(value);
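As an added illustration of the workaround above (this is not the poster's MyFilter and not OpenSAML or ESAPI project code), the following hypothetical servlet filter checks whether the SecurityConfiguration currently installed in ESAPI can actually name an HTTPUtilities implementation, and only re-initializes with the reference DefaultSecurityConfiguration when it cannot. The parameter name "q", the 400 response on a canonicalization failure, and the class and method names are assumptions for the example; the ESAPI calls (ESAPI.initialize, ESAPI.securityConfiguration, getHTTPUtilitiesImplementation, ESAPI.encoder().canonicalize) are the public API from the stack trace and the answer.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.SecurityConfiguration;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Hypothetical filter (example only): makes sure ESAPI is backed by a usable
 * SecurityConfiguration before canonicalizing input, so that a null-returning
 * configuration installed by another library does not break ESAPI's own logger.
 */
public class EsapiGuardFilter implements Filter {

    /** The reference configuration the answer above switches back to. */
    private static final String DEFAULT_CONFIG =
            "org.owasp.esapi.reference.DefaultSecurityConfiguration";

    /**
     * True if the active SecurityConfiguration can supply an HTTPUtilities class
     * name. ESAPI.currentRequest() (called from JavaLogger.log) needs exactly this,
     * which is why the warning in the question failed with ConfigurationException.
     */
    static boolean configurationLooksUsable() {
        SecurityConfiguration cfg = ESAPI.securityConfiguration();
        String httpUtils = cfg.getHTTPUtilitiesImplementation();
        return httpUtils != null && !httpUtils.trim().isEmpty();
    }

    /** Re-points ESAPI at the reference configuration only when something else took over. */
    static void ensureDefaultConfiguration() {
        if (!configurationLooksUsable()) {
            ESAPI.initialize(DEFAULT_CONFIG);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        ensureDefaultConfiguration();
        // Record which configuration class won, so a regression after a dependency
        // upgrade is visible in the startup log next to the "Attempting to load
        // ESAPI.properties" lines.
        System.out.println("ESAPI SecurityConfiguration in use: "
                + ESAPI.securityConfiguration().getClass().getName());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Cheap re-check on every request: any later ESAPI.initialize(...) call
        // (e.g. OpenSAML's DefaultBootstrap) replaces the global configuration.
        ensureDefaultConfiguration();

        String value = req.getParameter("q");   // assumed parameter to inspect
        if (value != null) {
            try {
                // Strict canonicalization; ESAPI logs a warning for mixed or
                // multiple encodings, which is the call that failed in the question.
                String canonical = ESAPI.encoder().canonicalize(value);
                req.setAttribute("q.canonical", canonical); // assumed attribute name
            } catch (IntrusionException e) {
                // Assumed policy for the example: reject input that cannot be
                // canonicalized safely instead of passing it further down the chain.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

One caveat worth keeping in mind: ESAPI.initialize(...) changes process-wide static state, so switching back to DefaultSecurityConfiguration also changes what OpenSAML sees when it next calls into ESAPI. The reference configuration reads ESAPI.properties, so OpenSAML's encoding calls keep working as long as that file is found on the classpath, which is what the loading trail in the following answer lets you confirm.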

Following up on Suresh's comment... Toward that end, look at wherever you captured stdout and look for "Attempting to load ESAPI.properties" and follow that trail. It should look something like this:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/ESAPI.properties
Found in SystemResource Directory/resourceDirectory: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/target/test-classes/esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file

And then make sure that it is loading ESAPI.properties from where you expected it to be loaded.
