esapi4java-core-2.5.4.0-release-notes.txt

Release notes for ESAPI 2.5.4.0
    Release date: 2024-05-29
    Project leaders:
        -Kevin W. Wall <kevin.w.wall@gmail.com>
        -Matt Seil <matt.seil@owasp.org>

Previous release: ESAPI 2.5.3.1, 2023-12-01


Executive Summary: Important Things to Note for this Release
------------------------------------------------------------
This is a patch release with a few bug fixes and dependency updates. While the AntiSamy 1.7.5 update was intended to address an XSS vulnerability (CVE-2024-23635), the ESAPI team verified that this vulnerability did not affect the default configuration of ESAPI and its strict AntiSamy policy file, antisamy-esapi.xml. (Our AntiSamy policy file has the 'preserveComments' directive disabled.)

There is one important issue that was patched (GitHub issue # 839) that has a side-effect. In particular, if you have ESAPI configured to use JUL (i.e., Java Util Logging) as your default logger (i.e., you have ESAPI.Logger set to 'org.owasp.esapi.logging.java.JavaLogFactory', then you MUST delete your 'esapi-java-logging.properties' to set some of the JUL properties. This file was conflicting with the other uses of JUL not used through ESAPI. If you start ESAPI 2.5.4.0 and this file is found as a resource, then a ConfigurationException will be thrown and the exception message will direct you to our GitHub wiki page, https://github.com/ESAPI/esapi-java-legacy/wiki/Configuring-the-JavaLogFactory

Notes if you are not updating from the immediate previous release. release 2.5.3.1:
    * You need to read through the series of release notes FIRST, going in order.
    * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read:

    esapi4java-core-2.4.0.0-release-notes.txt
    esapi4java-core-2.5.0.0-release-notes.txt
    esapi4java-core-2.5.1.0-release-notes.txt
    esapi4java-core-2.5.2.0-release-notes.txt
    ...etc., up through the current set of release notes...
    esapi4java-core-2.x.y.z-release-notes.txt

in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.)

If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI.

You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions.


=================================================================================================================

Basic ESAPI facts
-----------------

ESAPI 2.5.3.1 release:
     207 Java source files
    4293 JUnit tests in 131 Java source files (0 failures, 0 errors, 0 tests skipped)

ESAPI 2.5.4.0 release:
     207 Java source files
    4297 JUnit tests in 131 Java source files (0 failures, 0 errors, 0 tests skipped)

8 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2023-12-01)

Issue #         GitHub Issue Title
----------------------------------------------------------------------------------------------
824     DefaultEncoder / getCanonicalizedURI returns mix encoding for HTML special characters
826     Fix Encoder.getCanonicalizedURI(URI) for the test case of a double-ampersand in the HTML Query
827     HTMLEntityCodec Mysteriously decodes &or
831     java.io.FileNotFoundException Error in Logs When ESAPI.properties and validation.properties are in resources. and the application is up ,features are not working.
832     easpi .properties and validation properties are present but still it is throwing error and the application is failing do you have any solution for this
835     Validator.isValidSafeHTML() is vulnerable as per CVE-2023-4780
837     Validation does not work with esapi jakarta jar
839     ConcurrentModificationException


-----------------------------------------------------------------------------

        Changes Requiring Special Attention

-----------------------------------------------------------------------------
Important Note affecting ESAPI 2.5.4.0 and later:
* If you are using JUL for ESAPI logging, you will need to delete esapi-java-logging.properties file so it is not found as a resource stream. Failure to do so will result in a ConfigurationException being thrown. For details, see our GitHub wiki page, https://github.com/ESAPI/esapi-java-legacy/wiki/Configuring-the-JavaLogFactory

Important JDK Support Announcement
* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason.
    - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier.

Important ESAPI Logging Changes

* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are
    - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0.
        * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file.
    - SLF4J (with your choice of supported SLF4J logging implemmentation)
        * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file.
* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at:
    https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78

If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar.  If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here:
    https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x

-----------------------------------------------------------------------------

        Remaining Known Issues / Problems

-----------------------------------------------------------------------------
None known, other than the remaining open issues on GitHub.

-----------------------------------------------------------------------------

        Other changes in this release, some of which not tracked via GitHub issues

-----------------------------------------------------------------------------

* Minor updates to README.md file with respect to version information.

-----------------------------------------------------------------------------

Developer Activity Report (Changes between release 2.5.3.1 and 2.5.4.0, i.e., between 2023-12-01 and 2024-05-29)
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.

Developer       Total       Total Number        # Merged
(GitHub ID)     commits   of Files Changed        PRs
========================================================
xeno6696         5              4               1
jeremiahjstacey  2              4               1
dependabot       1              1               1
mpreziuso        1              2               1
kwwall          11              6               0 (direct merge)
========================================================
                                    Total PRs:  4

-----------------------------------------------------------------------------

CHANGELOG:      Create your own. May I suggest:

        git log --stat --since=2023-12-01 --reverse --pretty=medium

    which will show all the commits since just after the previous (2.5.3.1) release.

    Alternately, you can download the most recent ESAPI source and run

        mvn site

    which will create a CHANGELOG file named 'target/site/changelog.html'


-----------------------------------------------------------------------------

Direct and Transitive Runtime and Test Dependencies:

        $ mvn -B dependency:tree
        ...
        [INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ esapi ---
        [INFO] org.owasp.esapi:esapi:jar:2.5.4.0
        [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
        [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
        [INFO] +- xom:xom:jar:1.3.9:compile
        [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
        [INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
        [INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
        [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile
        [INFO] +- commons-lang:commons-lang:jar:2.6:compile
        [INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile
        [INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M1:compile
        [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
        [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.5:compile
        [INFO] |  +- org.apache.httpcomponents.client5:httpclient5:jar:5.3.1:compile
        [INFO] |  |  \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2.4:compile
        [INFO] |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.2.4:compile
        [INFO] |  +- org.apache.xmlgraphics:batik-css:jar:1.17:compile
        [INFO] |  |  +- org.apache.xmlgraphics:batik-shared-resources:jar:1.17:compile
        [INFO] |  |  +- org.apache.xmlgraphics:batik-util:jar:1.17:compile
        [INFO] |  |  |  +- org.apache.xmlgraphics:batik-constants:jar:1.17:compile
        [INFO] |  |  |  \- org.apache.xmlgraphics:batik-i18n:jar:1.17:compile
        [INFO] |  |  \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.9:compile
        [INFO] |  +- org.htmlunit:neko-htmlunit:jar:3.11.1:compile
        [INFO] |  +- xerces:xercesImpl:jar:2.12.2:compile
        [INFO] |  \- xml-apis:xml-apis-ext:jar:1.3.04:compile
        [INFO] +- org.slf4j:slf4j-api:jar:2.0.13:compile
        [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
        [INFO] +- commons-io:commons-io:jar:2.15.1:compile
        [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.8.5:compile
        [INFO] |  \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
        [INFO] +- commons-codec:commons-codec:jar:1.17.0:test
        [INFO] +- junit:junit:jar:4.13.2:test
        [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:test
        [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test
        [INFO] |  \- org.hamcrest:hamcrest:jar:2.2:test
        [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test
        [INFO] |  \- org.powermock:powermock-api-support:jar:2.0.9:test
        [INFO] +- org.mockito:mockito-core:jar:3.12.4:test
        [INFO] |  +- net.bytebuddy:byte-buddy:jar:1.11.13:test
        [INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
        [INFO] |  \- org.objenesis:objenesis:jar:3.2:test
        [INFO] +- org.powermock:powermock-core:jar:2.0.9:test
        [INFO] |  \- org.javassist:javassist:jar:3.27.0-GA:test
        [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test
        [INFO] |  \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test
        [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test
        [INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test
        [INFO]    +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test
        [INFO]    \- org.apache.commons:commons-math3:jar:3.6.1:test
        [INFO] ------------------------------------------------------------------------
        [INFO] BUILD SUCCESS
        [INFO] ------------------------------------------------------------------------
        [INFO] Total time:  0.903 s
        [INFO] Finished at: 2024-05-29T18:31:30-04:00
        [INFO] ------------------------------------------------------------------------

-----------------------------------------------------------------------------

Acknowledgments:
    A special hat tip to Arshan Dabirsiaghis, original creator of AntiSamy and the creator of the antisamy-esapi.xml file, the ultrastrict AntiSamy policy used by ESAPI. That avoided a vulnerability that affected AntiSamy itself, so kudos to that foresite.
    A shutout to Michele Preziuso for the PR that updated AntiSamy, added a test, and avoided the convergence issue that resulted in me having to reject the Snyk and Dependabot PRs. I appreciate you saving me having to do the work.
    And special kudos to Jerry Devis for one of the best bug reports (GitHub issue #839) that I've seen since I began working on ESAPI in 2009. I hope your bug report can be an example to all. Excellent work.

    Lastly, our usual special thanks to the ESAPI community from the ESAPI project co-leaders:
    Kevin W. Wall (kwwall) <== The irresponsible party for these release notes!
Matt Seil (xeno6696)