diff --git a/README.md b/README.md index 707624be2..b37f350cb 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Development for the "next generation" of ESAPI (starting with ESAPI 3.0), will b GitHub repository at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java). **IMPORTANT NOTES:** -* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.5.2.0 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make. +* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.5.3.0 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make. * Also, the *minimal* baseline Java version to use ESAPI is now Java 8. (This was changed from Java 7 during the 2.4.0.0 release.) * Support was dropped for Log4J 1 during ESAPI 2.5.0.0 release. If you need it, configure it via SLF4J. See the [2.5.0.0 release notes](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt) 
@@ -79,7 +79,7 @@ link to the specific release notes. Starting with release 2.4.0.0, Java 8 or later is required. # Locating ESAPI Jar files -The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.2.0. +The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.3.0. All the *regular* ESAPI jars, with the exception of the ESAPI configuration jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached GPG signature, are available from Maven Central. The ESAPI configuration @@ -101,6 +101,15 @@ to be using such classes directly in your code. At the ESAPI team's discretion, it will also not apply for any known exploitable vulnerabilities for which no available workaround exists. +## Exceptions to Deprecation Policy +We will make some exceptions to the normal 2 year period. In particular, in the +cases were we believe that keeping a specific deprecated class or method around +can introduce security issues (generally because many of you have a habit of +completely ignoring deprecation warnings), we sometimes will shorten that 2 year +period. When we decide to do that, we will announce that as part of the +deprecation message. + +## Log4J 1.x Removal **IMPORTANT NOTES:** As of ESAPI 2.5.0.0, all the Log4J 1.x related code has been removed from the ESAPI code base (with the exception of some references in documentation). If you must, you still should be able to diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties index 030f61588..d489cdce8 100644 --- a/configuration/esapi/ESAPI.properties +++ b/configuration/esapi/ESAPI.properties 
@@ -1,7 +1,7 @@ # # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version # -# This file is part of the Open Web Application Security Project (OWASP) +# This file is part of the Open Worldwide Application Security Project (OWASP) # Enterprise Security API (ESAPI) project. For details, please see # https://owasp.org/www-project-enterprise-security-api/ # @@ -275,8 +275,14 @@ Encryptor.PlainText.overwrite=true Encryptor.HashAlgorithm=SHA-512 Encryptor.HashIterations=1024 -Encryptor.DigitalSignatureAlgorithm=SHA1withDSA -Encryptor.DigitalSignatureKeyLength=1024 + +# Was 'SHA1withDSA', but that won't support 2048 key sizes. Change back for +# backward compatibility. +Encryptor.DigitalSignatureAlgorithm=SHA256withDSA + +# Was 1024. Change this back if you require backward compatibility. +Encryptor.DigitalSignatureKeyLength=2048 +# SHA1 is fine as a CSRNG; no need to use anything else. Encryptor.RandomAlgorithm=SHA1PRNG Encryptor.CharacterEncoding=UTF-8 diff --git a/configuration/esapi/antisamy-esapi.xml b/configuration/esapi/antisamy-esapi.xml index b6edfb3cd..bcb53aed1 100644 --- a/configuration/esapi/antisamy-esapi.xml +++ b/configuration/esapi/antisamy-esapi.xml @@ -18,6 +18,7 @@ Slashdot allowed tags taken from "Reply" page: + diff --git a/documentation/esapi4java-core-2.5.3.0-release-notes.txt b/documentation/esapi4java-core-2.5.3.0-release-notes.txt new file mode 100644 index 000000000..f4414e318 --- /dev/null +++ b/documentation/esapi4java-core-2.5.3.0-release-notes.txt 
@@ -0,0 +1,173 @@ +@@@@ IMPORTANT: Be sure to 1) save in DOS text format, and 2) Delete this line and others starting with @@@@ +@@@@ Edit this file in vim with :set tw=0 +@@@@ Meant to be used with scripts/newReleaseNotes.sh and the 'vars.*' scripts there. +@@@@ There are specific references to ESAPI 2.5.0.0 and other old releases in this file. Do NOT change the version #s. They are there for a reason. +Release notes for ESAPI 2.5.3.0 + Release date: 2023-11-22 + Project leaders: + -Kevin W. Wall + -Matt Seil + +Previous release: ESAPI 2.5.2.0, 2023-04-12 + + +Executive Summary: Important Things to Note for this Release +------------------------------------------------------------ +@@@@ View previous release notes to see examples of what to put here. This is typical. YMMV. +@@@@ Obviously, you should summarize any major changes / new features here. +This is a patch release with the primary intent of updating some dependencies, some with known vulnerabilities. Details follow. +@@@@ Provide a sentence or to +* This is a patch release, with the primary intent of updating ESAPI's AntiSamy dependency from 1.7.3 to 1.7.4. AntiSamy 1.7.4 was released to address an XSS vulnerability in AntiSamy (CVE-2023-43643). Testing ESAPI's use of AntiSamy along with ESAPI's default antsamy-esapi.xml AntiSamy policy file, shows there is no exploitable path of this CVE via ESAPI. This is because ESAPI's AntiSamy policy file is ultra-strict. (Of course, YMMV if you are not using the default AntiSamy policy file or are customized it to disable the 'preserveComments' directive.) +* We have deprecated both of ESAPI's Validator.isValidSafeHTML interfaces, as we discovered that they cannot be guaranteed safe. Note that we intend to REMOVE both of these interfaces one year after the ESAPI 2.5.3.0 release. For more details, see GitHub Security Advisory https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm. 
There is also an accompanying "ESAPI Security Bulletin 12" (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin12.pdf). The Security Bulletin explains why we did not submit this as a CVE as well as explains some potential workarounds that may work for you. +* Changed ESAPI so that the default RSA modulus length (sometimes referred to as the key size) from 1024-bits to 2048-bits. Note that if you are using an old version of ESAPI.properties file prior to 2.5.3.0 and are using any of the Encryptor interfaces that directly or indirectly use digital signatures (i.e., sign, verifySignature, seal, unseal, verifySeal), you may wish to consider updating properties: + Encryptor.DigitalSignatureAlgorithm=SHA256withDSA # The old SHA1withDSA doesn't support 2048-bit RSA modulus length + Encryptor.DigitalSignatureKeyLength=2048 + Note that if you have persisted previous digital signatures that you must continue to verify, you will have to regenerate them. +@@@@ NOTE: This might be reserved for a 2.6.0.0 release, in which case the next line should be removed. +* Thanks to a PR by @jcputney (PR #799), I have attempted to upload additional artifacts to Maven Central that will be a transformed jar suitable for use with the new 'jakarata.servlet' changes for Jakarata EE 9 and later. (Previously, 'javax.servlet' was the name space). Because we are still supporting JDK 8 at this point, we still need to support the 'javax.servlet' namespace as well. In addition to the standard jar artifacts, there should be a new esapi--jakarta.jar (which uses 'jakarta.servlet' instead of 'javax.servlet' namespace) as well as corresponding *-javadoc.jar and *-sources.jar files. I am not sure it will work as we have no tests for it, but looing at the binaries, it seems like it should. 
+ For additional details, see: + https://github.com/ESAPI/esapi-java-legacy/pull/799 + https://github.com/ESAPI/esapi-java-legacy/discussions/768 + +Notes if you are not updating from the immediate previous release. release 2.5.2.0: + * You need to read through the series of release notes FIRST, going in order. + * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read: + + esapi4java-core-2.4.0.0-release-notes.txt + esapi4java-core-2.5.0.0-release-notes.txt + esapi4java-core-2.5.1.0-release-notes.txt + esapi4java-core-2.5.2.0-release-notes.txt + ...etc., up through the current set of release notes... + esapi4java-core-2.x.y.z-release-notes.txt + +in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.) + +If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI. + +You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. 
+ + +================================================================================================================= + +Basic ESAPI facts +----------------- + +ESAPI 2.5.2.0 release: + 207 Java source files + 4293 JUnit tests in 131 Java source files (0 tests skipped, 1 commented out) + +ESAPI 2.5.3.0 release: + 207 Java source files + 4293 JUnit tests in 131 Java source files (0 failures, 0 errors, 0 tests skipped) + +8 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). +(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2023-04-12) + +Issue # GitHub Issue Title +---------------------------------------------------------------------------------------------- +@@@@ Capture issue #s and 1 line desription from above GitHub url +@@@@ Insert here and massage until it looks pretty. Recommend alignment with spaces instead of tabs. +560 Could not initialize class org.owasp.esapi.logging.java.JavaLogFactory (ESAPI 2.2.1.0) +760 Could not initialize class org. Owasp. Esapi. Reference. DefaultValidator +775 Add documenttion to CONTRIBUTING-TO-ESAPI.txt to mention signed commits are now required. +792 хз +796 Logs printed using println() are always printed and no option to disable them. +798 Insecure default signature key length +805 Does esapi-java-legacy support jDK17 +808 Fix typo in comment in validation.properties files +812 Fix Encoder.encodeForLDAP and Encoder.encodeForDN so they are strictly conformant with Section 3 of RFC 4515 + +----------------------------------------------------------------------------- + + Changes Requiring Special Attention + +----------------------------------------------------------------------------- +@@@@ NOTE any special notes here. Probably leave this one, but I would suggest noting additions BEFORE this. + +Important JDK Support Announcement +* ESAPI 2.3.0.0 was the last Java release to support Java 7. 
ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason. + - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier. + +Important ESAPI Logging Changes + +* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are + - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. + * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. + - SLF4J (which your choice of supported SLF4J logging implemmentation) + * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. +* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 + +If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. 
The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: + https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x + +----------------------------------------------------------------------------- + + Remaining Known Issues / Problems + +----------------------------------------------------------------------------- +The effect of upgrade to AntiSamy 1.7.4 in ESAPI 2.5.3.0 can result in ESAPI's Validator.getValidSafeHTML returning a different cleansed (i.e., sanitized) string than previous versions of ESAPI which used earlier versions of AntiSamy did. There presently is no concern for alarm as all these observed different sanitized strings returned by AntiSamy 1.7.4 still all appear to be "safe"; they are just different than before. However, as a result, this could break any regression tests that you previously had that involved ESAPI's Validator.getValidSafeHTML. See https://github.com/nahsra/antisamy/issues/389 and https://github.com/nahsra/antisamy/pull/388 for additional details. + +----------------------------------------------------------------------------- + + Other changes in this release, some of which not tracked via GitHub issues + +----------------------------------------------------------------------------- + +* Minor updates to README.md file with respect to version information. + +----------------------------------------------------------------------------- + +Developer Activity Report (Changes between release 2.5.2.0 and 2.5.3.0, i.e., between 2023-04-12 and 2023-11-22) +Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. + +@@@@ +@@@@ This section needs to be manually updated. +@@@@ See file:///home/wallk/work/esapi-work/kww-2.5.3.0-prep/target/site/dev-activity.html for assistance. 
+@@@@ +Developer Total Total Number # Merged +(GitHub ID) commits of Files Changed PRs +======================================================== +kwwall 36 37 2 +noloader 6 12 3 +preetgami 1 1 1 +robstoll 2 2 1 +jcputney 1 1 1 +======================================================== + Total PRs: 8 + +----------------------------------------------------------------------------- + +CHANGELOG: Create your own. May I suggest: + + git log --stat --since=2023-04-12 --reverse --pretty=medium + + which will show all the commits since just after the previous (2.5.2.0) release. + + Alternately, you can download the most recent ESAPI source and run + + mvn site + + which will create a CHANGELOG file named 'target/site/changelog.html' + + +----------------------------------------------------------------------------- + +Direct and Transitive Runtime and Test Dependencies: + + $ mvn -B dependency:tree +@@@@ Include output from 'mvn -B dependency:tree' here +@@@@ TODO _after_ running: +@@@@ mvn -U versions:display-plugin-updates +@@@@ mvn -U versions:display-dependency-updates +@@@@ mvn -U versions:display-property-updates + +----------------------------------------------------------------------------- + +@@@@ Review these notes, especially the reference to the AntiSamy version information. +Acknowledgments: + Thanks to @noloader, @preetgami, and @jcputney for submitting PRs to help move ESAPI forward. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. + +A special thanks to the ESAPI community from the ESAPI project co-leaders: + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! + Matt Seil (xeno6696) diff --git a/pom.xml b/pom.xml index 8607d8cf1..27773ddea 100644 --- a/pom.xml +++ b/pom.xml @@ -48,7 +48,7 @@ - The Open Web Application Security Project (OWASP) + The Open Worldwide Application Security Project (OWASP) https://owasp.org/ 
@@ -147,7 +147,7 @@ - 2022-11-27 00:00:00 + 2023-04-12 00:00:00 @@ -176,16 +176,12 @@ xom xom - 1.3.8 + 1.3.9 - - - xalan - xalan - xerces xercesImpl @@ -232,6 +228,13 @@ commons-fileupload commons-fileupload 1.5 + + + + commons-io + commons-io + + org.apache.commons @@ -246,7 +249,7 @@ org.owasp.antisamy antisamy - 1.7.3 + 1.7.4 @@ -277,9 +280,14 @@ This is to force patched versions of these libraries with known CVEs against them. --> + commons-io commons-io - 2.11.0 + 2.14.0 diff --git a/scripts/README.txt b/scripts/README.txt index 4c76a5f37..75735efd3 100644 --- a/scripts/README.txt +++ b/scripts/README.txt @@ -3,7 +3,6 @@ This directory is for utilities used for building / packaging / releasing ESAPI. ======================== README.txt -- This readme file. -esapi-release.sh -- Obsolete script to create new ESAPI release. Will be replaced soon. Do not use for now. mvnQuietTest.bat -- Run 'mvn test' from DOS cmd prompt with logSpecial output suppressed. mvnQuietTest.sh -- Run 'mvn test' from bash with logSpecial output suppressed. createVarsFile.sh -- Bash script to create a vars.2.x.y.z file that is 'sourced' by the 'newReleaseNotes.sh' script. diff --git a/scripts/esapi-release.sh b/scripts/esapi-release.sh deleted file mode 100755 index 14253ff22..000000000 --- a/scripts/esapi-release.sh +++ /dev/null 
@@ -1,220 +0,0 @@ -#!/bin/sh -# Purpose: Prepare an ESAPI release. -# -# Usage: esapi-release.sh esapi_svn_dir -# where, esapi_svn_dir is the directory where you retrieved the ESAPI -# SVN tree to and built ESAPI via Maven or Eclipse. -# This directory _must_ already exist. -# There should be a 'src' and 'target' directories -# under this directory and the 'target' directory -# is where we will build the ESAPI zip file that -# you then will be placed into the owasp-esapi-java -# project hosting on Google Code. -# -# Assumptions: Maven (mvn) is available in $PATH. If not, modify PATH -# in script (see 'Tunable Parameters') accordingly. -# -# The correct version has been set / updated in pom.xml for -# the 'esapi' and this has been committed to SVN. -# -# All tests pass. We skip the running of all the JUnit tests. -# (See the call to mvn and the -Dmaven.test.skip=true argument.) -# -# Bugs: This is going to be a bitch to write as a DOS .bat script. I should -# have my head examined for termites! What *was* I thinking??? -# -# Need to figure out how to create changelog.txt using 'svn log' command. -# -############################################################################# -# -# This file is part of the Open Web Application Security Project (OWASP) -# Enterprise Security API (ESAPI) project. For details, please see -# http://www.owasp.org/index.php/ESAPI. -# -# Copyright (c) 2010 - The OWASP Foundation -# -# ESAPI is published by OWASP under the BSD license. You should read and -# accept the LICENSE before you use, modify, and/or redistribute this software. -# -# Author: kevin.w.wall@gmail.com -############################################################################ - -echo $0: This script is obsolete and will be replaced soon. -echo In the meantime, read through the release instructions in: -echo " documentation/ESAPI-release-steps.odt" -exit 2 - -# -# Tunable parameters -# -#PATH=$PATH:/path/to/maven -zipcmd=zip # Is there something better for Linux? 
- # This doesn't seem to have very good compression. -unzipcmd=unzip -# clean=clean # Comment out if you don't Maven to do 'clean'. Will speed - # things up a little bit. -#esapiConfig=.esapi # Sub-directory where ESAPI.properties resides -esapiConfig=esapi # Sub-directory where ESAPI.properties resides - -# -# Non-tunable parameters -# -PROG="${0##*/}" -USAGE="Usage: $PROG esapi_svn_dir" -tmpdir="/tmp/$PROG.$RANDOM-$$" -esapi_release_dir="$tmpdir/esapi_release_dir" - - # This is the directory under esapi_svn_dir where ESAPI configuration files - # such as ESAPI.properties are located as well as the $esapiConfig/* config files. - # Note that formerly used to be under src/main/resources, but it since - # has been moved because where it was previously was causing problems with - # Sonatype's Nexus. That particular problem may have been resolved, but it - # it was, the ESAPI configuration stuff has never been moved back. -configDir="configuration" - -# Cause the 'echo' builtin to interpret backslash-escaped characters. -# If KornShell is installed as /bin/sh, this command won't be available, -# but for ksh, 'echo' already works the way we want it to anyhow. -shopt -s xpg_echo 2>/dev/null - -if [[ $# -eq 1 ]] -then - esapi_svn_dir="$1" -else - echo >&2 "$USAGE" - # Note: exit code '2' is standard for a simple usage error, w/ no other - # error message. Unfortunaely, no one (at least the GNU folks) - # seem to follow this convention any longer and all use 1. We're - # sticking with old school, 'cuz I'm an old guy. ;-) - exit 2 -fi - -# A few simple directory sanity checks. The 1st check is VERY unlikely to fail. -[[ $esapi_svn_dir == $esapi_release_dir ]] && - { echo >&2 "$PROG: ESAPI SVN directory same as tmp dir!\n$USAGE"; exit 1; } -[[ ! -d $esapi_svn_dir ]] && - { echo >&2 "$PROG: ESAPI SVN directory, $esapi_svn_dir, does not exist or not a directory."; exit 1; } -[[ ! -d $esapi_svn_dir/src/main ]] && - { echo >&2 "$PROG: Wrong directory specified??? 
Missing 'src/main' directory: $esapi_svn_dir/src/main - does not exist or not a directory."; exit 1; } -[[ -f "$esapi_svn_dir"/pom.xml ]] || - { echo 2>&1 "$PROG: missing pom.xml. Looks like $esapi_svn_dir is not the SVN dir."; - echo 2>&1 "USAGE"; exit 1; } - -mkdir $tmpdir || exit 1 # Exit if it already exists. -trap "rm -fr $tmpdir" EXIT # We probably want this skipped if the mkdir fails -umask 022 -mkdir $tmpdir/esapi_release_dir || exit 1 - -# Create an intermediate distribution zip file. The zip file will be -# left in the 'target' directory and named according to what -# is in the pom.xml file for the 'esapi' . For release -# candidates, it will be something like this: -# esapi-2.0_RC7-SNAPSHOT-dist.zip -# and inside of it, the ESAPI jar would be named 'esapi-2.0_RC7-SNAPSHOT.jar'. -cd "$esapi_svn_dir" -tmpout=$tmpdir/mvn.out -echo "Running mvn to create intermediate zip file.\nPlease wait; this probably will take awhile..." -rm -f target/esapi-*.zip target/esapi-*.jar -mvn $clean site -Pdist -Dmaven.test.skip=true >$tmpout 2>&1 -if [[ $? != 0 ]] -then echo >&2 "$PROG: Maven failed to build distribution zip file" - echo >&2 "\tSee results in: $tmpout" - trap - EXIT # Clear exit trap so stuff not removed. - exit 1 -else rm $tmpout - echo "Maven completed successfully." -fi - -jarfile=$(ls target/esapi-*.jar 2>&-) -if [[ -n "$jarfile" && -r $jarfile ]] -then jarfile=$PWD/$jarfile -else echo >&2 "$PROG: Can't find ESAPI jar file created by Maven." - exit 1 -fi -# OK, now we need to adjust the jar file. We don't want the properties in -# the ESAPI jar as too many people have complained about the ESAPI.properties -# and other stuff there. Also, we want to delete settings.xml and -# owasp-esapi-dev.jks. We might add the latter once we start signing the -# jar. 
-jartmpdir=$tmpdir/esapi-jar -mkdir $jartmpdir -cd $jartmpdir || exit -jar xf "$jarfile" -rm -fr ${esapiConfig:?} -rm -f properties/* -rm -f settings.xml owasp-esapi-dev.jks -# TODO: This part would need some work if we sign or seal the ESAPI jar as -# that creates a special MANIFEST.MF file and other special files and -# it's not clear they will be merely copied by the simply jar command -# below. -jar cf "$jarfile" . - -# Now work on the zip file. -cd "$esapi_svn_dir" -zipfile=$(ls target/esapi-*.zip 2>&-) -if [[ -n "$zipfile" && -r $zipfile ]] -then zipfile="$esapi_svn_dir"/$zipfile # 'target/' already included. -else echo >&2 "$PROG: Can't find ESAPI zip file created by Maven." - exit 1 -fi -[[ -s $zipfile ]] || - { echo 2>&1 "$PROG: zip file $zipfile has 0 size."; exit 1; } -$unzipcmd -q "$zipfile" -d "$esapi_release_dir" || exit 1 -cd "$esapi_release_dir" || exit 1 - -# 1) Combine the two license files into one and make it a DOS .txt -# file so those do don't have real editors (i.e., notepad newbs) can -# read it just by clicking on it. Generally reading DOS text files on *nix -# is never a problem. -( echo "\t\tESAPI Source Code:\n\n"; cat LICENSE; echo "\n\n=========================\n\n\t\tESAPI Documentation:\n\n"; cat LICENSE-CONTENT ) >LICENSE.txt -rm LICENSE LICENSE-CONTENT -unix2dos -q LICENSE.txt - -# 2) Patch up the 'configuration' directory. Need to copy owasp-esapi-dev.jks -# here as well as the $esapiConfig directory. Also need to populate the -# properties subdirectory. Not sure where the settings.xml file should -# go, or even if we should leave it here; will copy it to 'configuration' -# directory. - -# Note: Not sure why this is now needed. Something must have changed in the -# pom.xml that requires this, but have recently found that even the -# configuration directory does not exist. -if [[ ! 
-d "$configDir" ]] -then mkdir -p "$configDir"/properties || - { echo >&2 "$PROG: Missing '$configDir' directory and cannot create it!"; exit 1; } -fi -cp -p "$esapi_svn_dir"/resources/owasp-esapi-dev.jks configuration/ -cp -p "$esapi_svn_dir"/resources/settings.xml configuration/ -cp -r -p "$esapi_svn_dir"/"$configDir"/$esapiConfig configuration/$esapiConfig/ -cp -p "$esapi_svn_dir"/"$configDir"/properties/* configuration/properties/ - -# 3) Create the changelog.txt which should be the changes since the -# last release. -##TODO - Not sure how to do this, but their must be a way since the Subclipse -# Eclipse plugin is able to do it somehow. We can use 'svn log' if -# we can figure out the starting and ending SVN revisions. (See -# http://www.bernzilla.com/item.php?id=613 for details.) -echo "$PROG: Skipping creation of changelog.txt in zip file." -echo "\tManually create changelog.txt and add it to the final zip file." - -# 4) Copy the pom.xml there. It doesn't get created by the Maven goal. -cp -p "$esapi_svn_dir"/pom.xml . - -# 5) Update zip file w/ new, updated ESAPI jar file. -cp -p "$jarfile" . - -# 6) Fix up permissions so when zip is extracted, it comes out sane. -chmod -R a+r,go-w . - -# Now we take the contents of the ESAPI release directory and re-zip it. -# We can't use the 'freshen' option here because that has to be run -# from the same directory (which would be the ESAPI SVN directory). -rm "$zipfile" -cd "$esapi_release_dir" -$zipcmd -q -r $zipfile . - -cd / # In case some weird 'rm' command (from EXIT trap) prevents us from - # removing directory that we are under. I could see something like - # that happen with Cygwin and Windows. -echo "Zip file at: $zipfile\nPlease check it for accuracy before releasing." -exit 0 diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt index cdc6d2a18..280b85483 100644 --- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt 
+++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt @@ -136,6 +136,12 @@ Direct and Transitive Runtime and Test Dependencies: $ mvn -B dependency:tree @@@@ Include output from 'mvn -B dependency:tree' here +@@@@ RECOMMENDATION: Run the above only after ensuring you are using the latest +@@@@ plugins and dependencies so you only have to do this once. +@@@@ Check via: +@@@@ mvn -U versions:display-plugin-updates +@@@@ mvn -U versions:display-dependency-updates +@@@@ mvn -U versions:display-property-updates ----------------------------------------------------------------------------- diff --git a/scripts/vars.2.5.3.0 b/scripts/vars.2.5.3.0 new file mode 100644 index 000000000..94b89f6d4 --- /dev/null +++ b/scripts/vars.2.5.3.0 @@ -0,0 +1,14 @@ +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. + +# ESAPI (new / current) version +VERSION=2.5.3.0 + +# Previous ESAPI version +PREV_VERSION=2.5.2.0 + +# Release date of current version in yyyy-mm-dd format +YYYY_MM_DD_RELEASE_DATE=2023-11-22 + +# Previous ESAPI release date in same format +PREV_RELEASE_DATE=2023-04-12 diff --git a/src/main/java/org/owasp/esapi/Validator.java b/src/main/java/org/owasp/esapi/Validator.java index df7d035ad..81055ba8e 100644 --- a/src/main/java/org/owasp/esapi/Validator.java +++ b/src/main/java/org/owasp/esapi/Validator.java @@ -1,7 +1,7 @@ /** * OWASP Enterprise Security API (ESAPI) * - * This file is part of the Open Web Application Security Project (OWASP) + * This file is part of the Open Worldwide Application Security Project (OWASP) * Enterprise Security API (ESAPI) project. For details, please see * http://www.owasp.org/index.php/ESAPI. * @@ -36,11 +36,21 @@ * this interface returns boolean results because not all validation problems * are security issues. Boolean returns allow developers to handle both valid * and invalid results more cleanly than exceptions. - *

- * Implementations must adopt a "whitelist" approach to validation where a + *

+ * Implementations must adopt a "allow-list" approach to validation where a * specific pattern or character set is matched. "Blacklist" approaches that * attempt to identify the invalid or disallowed characters are much more likely * to allow a bypass with encoding or other tricks. + *

+ * CAUTION: There are many methods that take multiple (or only!) {@code String} + * arguments. Be careful that you do not mix up the order of these, because for + * some methods such as {@code isValidSafeHTML} if you were to confuse the order of + * {@code context} and {@code input} arguments, you would not be verifying what + * you thought you were and it could have serious security consequences as a + * result. When there are 2 these {@code String} parameters—{@code context} and + * {@code input} arguments—the * {@code context} argument is always first. + * See the individual method documentation for additional details. + *

* * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security @@ -50,11 +60,13 @@ public interface Validator { /** * Add a validation rule to the registry using the "type name" of the rule as the key. + * @param rule The {@link ValidationRule} to add. */ void addRule( ValidationRule rule ); /** * Get a validation rule from the registry with the "type name" of the rule as the key. + * @param name The "type" name of a {@link ValidationRule} to retrieve. */ ValidationRule getRule( String name ); @@ -64,6 +76,18 @@ public interface Validator { * Calls {@link #getValidInput(String, String, String, int, boolean, boolean)} with {@code canonicalize=true} * and returns true if no exceptions are thrown. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "LoginPage_UsernameField"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param type + * The regular expression name which maps to the actual regular expression from "ESAPI.properties". + * @param maxLength + * The maximum {@code String} length allowed for {@code input}. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. * @throws IntrusionException Input likely indicates an attack. */ boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull) throws IntrusionException; 
@@ -75,6 +99,20 @@ public interface Validator { * Calls {@link #getValidInput(String, String, String, int, boolean, boolean)} with {@code canonicalize=true} * and returns true if no exceptions are thrown. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "LoginPage_UsernameField"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param type + * The regular expression name which maps to the actual regular expression from "ESAPI.properties". + * @param maxLength + * The maximum {@code String} length allowed for {@code input}. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * @param errorList The error list to which any {@code ValidationException} messages are added. + * * @throws IntrusionException Input likely indicates an attack. */ boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; 
@@ -85,28 +123,72 @@ public interface Validator { * Calls {@link #getValidInput(String, String, String, int, boolean, boolean)} * and returns true if no exceptions are thrown. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "LoginPage_UsernameField"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param type + * The regular expression name which maps to the actual regular expression from "ESAPI.properties". + * @param maxLength + * The maximum {@code String} length allowed for {@code input}. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * @param canonicalize + * If true, the {@code input} if first canonicalized before being validated. + * * @throws IntrusionException Input likely indicates an attack. */ boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws IntrusionException; /** - * Returns true if {@code input} is valid, + * Returns true if {@code input} is valid; * any validation exceptions are added to the supplied {@code errorList}. *

* Calls {@link #getValidInput(String, String, String, int, boolean, boolean)} * and returns true if no exceptions are thrown. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "LoginPage_UsernameField"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param type + * The regular expression name which maps to the actual regular expression from "ESAPI.properties". + * @param maxLength + * The maximum {@code String} length allowed for {@code input}. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * @param canonicalize + * If true, the {@code input} if first canonicalized before being validated. + * @param errorList The error list to which any {@code ValidationException} messages are added. + * * @throws IntrusionException Input likely indicates an attack. */ boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errorList) throws IntrusionException; /** - * Returns validated canonicalized {@code input} as a String. + * Returns the validated, canonicalized {@code input} as a String. *

* Calls {@link #getValidInput(String, String, String, int, boolean, boolean)} * with {@code canonicalize=true}. * - * @throws ValidationException Input is invalid. + * @param context + * A descriptive name of the parameter that you are validating (e.g., "LoginPage_UsernameField"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param type + * The regular expression name which maps to the actual regular expression from "ESAPI.properties". + * @param maxLength + * The maximum {@code String} length allowed for {@code input}. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * + * @throws ValidationException Input is invalid, based on the regex associated with {@code type}. * @throws IntrusionException Input likely indicates an attack. */ String getValidInput(String context, String input, String type, int maxLength, boolean allowNull) throws ValidationException, IntrusionException; @@ -134,7 +216,7 @@ public interface Validator { * * @return The canonicalized user input. * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is invalid, based on the regex associated with {@code type}. * @throws IntrusionException Input likely indicates an attack. */ String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws ValidationException, IntrusionException; 
@@ -200,7 +282,7 @@ public interface Validator { * * @return A valid date as a {@link java.util.Date} * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is invalid, based on the regex associated with {@code type}. * @throws IntrusionException Input likely indicates an attack. */ Date getValidDate(String context, String input, DateFormat format, boolean allowNull) throws ValidationException, IntrusionException; @@ -222,7 +304,13 @@ public interface Validator { * and returns true if no exceptions are thrown. * * @throws IntrusionException Input likely indicates an attack. + * + * @deprecated Deprecated as of ESAPI 2.5.3.0. This method will be removed in 1 year + * after this ESAPI 2.5.3.0 release. + * + * @see GitHub Security Advisory: Validator.isValidSafeHTML is being deprecated and will be deleted in 1 year */ + @Deprecated boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws IntrusionException; /** 
@@ -233,44 +321,73 @@ public interface Validator { * and returns true if no exceptions are thrown. * * @throws IntrusionException Input likely indicates an attack. + * + * @deprecated Deprecated as of ESAPI 2.5.3.0. This method will be removed in 1 year + * after this ESAPI 2.5.3.0 release. + * + * @see GitHub Security Advisory: Validator.isValidSafeHTML is being deprecated and will be deleted in 1 year */ + @Deprecated boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; /** - * Returns canonicalized and validated "safe" HTML that does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else. + * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that + * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting + * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input + * that gets HTML encoded (e.g., a single quote (') might get chaged to """). *

- * The default behavior of this check depends on the {@code antisamy-esapi.xml} configuration. - * Implementors should reference the OWASP AntiSamy project for ideas - * on how to do HTML validation in a whitelist way, as this is an extremely difficult problem. + * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file + * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your + * {@code ESAPI.properties} file. Implementors wishing to alter the AntiSamy policy configuration file should + * reference the OWASP AntiSamy project for ideas + * on how to do HTML validation in a allow-list way, as this is an extremely difficult problem. * * @param context - * A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). + * A descriptive name of the parameter that you are validating (e.g., "LoginPage_UsernameField"). * This value is used by any logging or error handling that is done with respect to the value passed in. * @param input * The actual user input data to validate. * @param maxLength - * The maximum String length allowed. + * The maximum {@code String} length allowed for {@code input}. * @param allowNull * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. * - * @return Valid safe HTML + * @return A string representing the canonicalized and sanitized input that is safe for rendering in an HTML context. * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is invalid, based on the regex associated with {@code type}. * @throws IntrusionException Input likely indicates an attack. 
*/ String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException; /** - * Returns canonicalized and validated "safe" HTML that does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else, - * any validation exceptions are added to the supplied {@code errorList}. + * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that + * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting + * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input + * that gets HTML encoded (e.g., a single quote (') might get chaged to """). *

- * The default behavior of this check depends on the {@code antisamy-esapi.xml} configuration. - * Implementors should reference the OWASP AntiSamy project for ideas - * on how to do HTML validation in a whitelist way, as this is an extremely difficult problem. + * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file + * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your + * {@code ESAPI.properties} file. Implementors wishing to alter the AntiSamy policy configuration file should + * reference the OWASP AntiSamy project for ideas + * on how to do HTML validation in a allow-list way, as this is an extremely difficult problem. *

* Calls {@link #getValidSafeHTML(String, String, int, boolean)}. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "LoginPage_UsernameField"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param maxLength + * The maximum {@code String} length allowed for {@code input}. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * @param errorList The error list to which any {@code ValidationException} messages are added. + * + * @return A string representing the canonicalized and sanitized input that is safe for rendering in an HTML context. + * * @throws IntrusionException Input likely indicates an attack. */ String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; @@ -303,7 +420,7 @@ public interface Validator { * and input that is clearly an attack will generate a descriptive IntrusionException. * * @param context - * A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). + * A descriptive name of the parameter that you are validating (e.g., PaymentPage_CreditCard). * This value is used by any logging or error handling that is done with respect to the value passed in. * @param input * The actual user input data to validate. 
@@ -313,7 +430,7 @@ public interface Validator { * * @return A valid credit card number * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is invalid because it doesn't appear to be a valid credit card account number. * @throws IntrusionException Input likely indicates an attack. */ String getValidCreditCard(String context, String input, boolean allowNull) throws ValidationException, IntrusionException; @@ -367,7 +484,7 @@ public interface Validator { * * @return A valid directory path * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is invalid (e.g., the provided input is not a directory). * @throws IntrusionException Input likely indicates an attack. */ String getValidDirectoryPath(String context, String input, File parent, boolean allowNull) throws ValidationException, IntrusionException; @@ -459,7 +576,9 @@ public interface Validator { * * @return A valid file name * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is invalid (e.g., {@code input} refers to a non-existant file, does not have a + * valid file extension as per {@code allowedExtensions}, does not match the canonicalized path, + * exceeds a maximum length of 255 characters, etc. * @throws IntrusionException Input likely indicates an attack. */ String getValidFileName(String context, String input, List allowedExtensions, boolean allowNull) throws ValidationException, IntrusionException; 
@@ -516,17 +635,33 @@ public interface Validator { * * @return A validated number as a double. * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is invalid; that is, not a number in the range + * of [{@code minValue}, {@code maxValue}]. * @throws IntrusionException Input likely indicates an attack. */ Double getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull) throws ValidationException, IntrusionException; /** - * Returns a validated number as a double within the range of minValue to maxValue, - * any validation exceptions are added to the supplied {@code errorList}. + * Returns a validated number as a double within the range of + * [{@code minValue}, {@code maxValue}]; any validation + * exceptions are added to the supplied {@code errorList}. *

* Calls {@link #getValidNumber(String, String, long, long, boolean)}. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "OrderPage_Quantity"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param minValue + * Lowest legal value for input. + * @param maxValue + * Highest legal value for input. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * @param errorList The error list to which any {@code ValidationException} messages are added. + * * @throws IntrusionException Input likely indicates an attack. */ Double getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; @@ -537,6 +672,19 @@ public interface Validator { * Calls {@link #getValidInteger(String, String, int, int, boolean)}, * and returns true if no exceptions are thrown. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "OrderPage_Quantity"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param minValue + * Lowest legal value for input. + * @param maxValue + * Highest legal value for input. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * * @throws IntrusionException Input likely indicates an attack. */ boolean isValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull) throws IntrusionException; 
@@ -548,6 +696,20 @@ public interface Validator { * Calls {@link #getValidInteger(String, String, int, int, boolean)} * and returns true if no exceptions are thrown. * + * @param context + * A descriptive name of the parameter that you are validating (e.g., "OrderPage_Quantity"). + * This value is used by any logging or error handling that is done with respect to the value passed in. + * @param input + * The actual user input data to validate. + * @param minValue + * Lowest legal value for input. + * @param maxValue + * Highest legal value for input. + * @param allowNull + * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. + * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. + * @param errorList The error list to which any {@code ValidationException} messages are added. + * * @throws IntrusionException Input likely indicates an attack. */ boolean isValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; @@ -559,7 +721,7 @@ public interface Validator { * and input that is clearly an attack will generate a descriptive IntrusionException. * * @param context - * A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). + * A descriptive name of the parameter that you are validating (e.g., OrderPage_Quantity). * This value is used by any logging or error handling that is done with respect to the value passed in. * @param input * The actual input data to validate. 
@@ -573,7 +735,7 @@ public interface Validator { * * @return A validated number as an integer. * - * @throws ValidationException Input is invalid. + * @throws ValidationException Input is not a valid integer in the range of [{@code minValue}, {@code maxValue}]. * @throws IntrusionException Input likely indicates an attack. */ Integer getValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull) throws ValidationException, IntrusionException; diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java index 50c4ba4d5..8cba81982 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java @@ -1076,7 +1076,7 @@ public String getDigitalSignatureAlgorithm() { * {@inheritDoc} */ public int getDigitalSignatureKeyLength() { - return getESAPIProperty(DIGITAL_SIGNATURE_KEY_LENGTH, 1024); + return getESAPIProperty(DIGITAL_SIGNATURE_KEY_LENGTH, 2048); } /** diff --git a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java index 63022925e..81ff5b0e5 100644 --- a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java +++ b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java 
@@ -106,9 +106,9 @@ public static Encryptor getInstance() throws EncryptionException { // digital signatures private static PrivateKey privateKey = null; private static PublicKey publicKey = null; - private static String signatureAlgorithm = "SHA1withDSA"; - private static String randomAlgorithm = "SHA1PRNG"; - private static int signatureKeyLength = 1024; + private static String signatureAlgorithm = "SHA256withDSA"; + private static String randomAlgorithm = "SHA1PRNG"; // SHA1 is fine as a CSRNG. + private static int signatureKeyLength = 2048; // hashing private static String hashAlgorithm = "SHA-512"; diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java index 0170a9214..d7ac1ceff 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java 
@@ -36,28 +36,39 @@ import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE; /** - * The Class HTMLValidationRuleThrowsTest. - * - * Based on original test cases, testGetValidSafeHTML() and - * testIsValidSafeHTML() from ValidatorTest by + * The class {@code HTMLValidationRuleClasspathTest} is used to test ESAPI where + * the AntiSamy policy file is located in a non-standard place. It is based + * on te original test cases, testGetValidSafeHTML() and + * testIsValidSafeHTML() from the file {@code ValidatorTest} originally written + * by * Mike Fauzy (mike.fauzy@aspectsecurity.com) and * Jeff Williams (jeff.williams@aspectsecurity.com) - * that were originally part of src/test/java/org/owasp/esapi/reference/ValidatorTest.java. + * that were originally part of "src/test/java/org/owasp/esapi/reference/ValidatorTest.java". * - * This class tests the cases where the new ESAPI.property - * Validator.HtmlValidationAction + * This class tests the case of a non-standard AntiSamy policy file along with + * the case where the new ESAPI.property + * {@code Validator.HtmlValidationAction} * is set to "throw", which causes certain calls to * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML() * to throw a ValidationException rather than simply logging a warning and returning * the cleansed (sanitizied) output when certain unsafe input is encountered. + * + * It should be noted that several of the tests in this file are deprecated because + * they use {@code Validator.isValidSafeHTML} which is deprecated. See the + * deprecation warnings for those methods respective Javadoc for further + * details. */ public class HTMLValidationRuleClasspathTest { - /** The intentionally non-compliant AntiSamy policy file. We don't intend to - * actually use it for anything. + /** The intentionally non-compliant (to the AntiSamy XSD) AntiSamy policy file. 
We don't intend to + * actually use it for anything other than to test that we report + * non-compliant AntiSamy policy files in a sane manner. */ private static final String INVALID_ANTISAMY_POLICY_FILE = "antisamy-InvalidPolicy.xml"; - /** The intentionally non-compliant AntiSamy policy file. We don't intend to - * actually use it for anything. + + /** A compliant AntiSamy policy file that is just located in a non-standard + * place. We don't intend to * actually use it for anything other + * than testing. Otherwise, it's mostly identical to the AntiSamy policy + * file "src/test/resources/esapi/antisamy-esapi.xml". */ private static final String ANTISAMY_POLICY_FILE_NONSTANDARD_LOCATION = "antisamy-esapi-CP.xml"; @@ -131,6 +142,7 @@ public void testGetValidSafeHTML() throws Exception { String[] testInput = { // These first two don't cause AntiSamy to throw. + // They are only listed here for completeness. // "Test. Aspect Security", // "Test. <

load=alert()", "Test. ", @@ -165,6 +177,12 @@ public void testGetValidSafeHTML() throws Exception { } } + /** + * @deprecated because Validator.isValidSafeHTML is deprecated. + * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean) + * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean,org.owasp.esapi.ValidationErrorList) + */ + @Deprecated @Test public void testIsValidSafeHTML() { System.out.println("isValidSafeHTML"); diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java index 279573727..b5d516456 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java @@ -34,7 +34,17 @@ import org.junit.After; import org.junit.Rule; import org.junit.rules.ExpectedException; -import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.both; +import static org.hamcrest.CoreMatchers.containsString; +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.not; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; /** * The Class HTMLValidationRuleCleanTest. 
@@ -49,11 +59,14 @@ * Validator.HtmlValidationAction * is set to "clean", which causes certain calls to * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML() - * to simply log a warning and return the cleansed (sanitizied) output rather + * to simply log a warning and return the cleansed (sanitized) output rather * than throwing a ValidationException when certain unsafe input is * encountered. + * + * @author kevin.w.wall@gmail.com */ public class HTMLValidationRuleCleanTest { + private static SecurityConfiguration origConfig = ESAPI.securityConfiguration(); private static class ConfOverride extends SecurityConfigurationWrapper { private String desiredReturn = "clean"; @@ -76,7 +89,7 @@ public String getStringProp(String propName) { /** - * Default construstor that instantiates a new {@code HTMLValidationRule} test. + * Default constructor that instantiates a new {@code HTMLValidationRule} test. */ public HTMLValidationRuleCleanTest() { } @@ -89,14 +102,14 @@ public void tearDown() throws Exception { @Before public void setUp() throws Exception { ESAPI.override( - new ConfOverride( ESAPI.securityConfiguration(), "clean" ) + new ConfOverride( origConfig, "clean" ) ); } @Test public void testGetValidSafeHTML() throws Exception { - System.out.println("getValidSafeHTML"); + System.out.println("testGetValidSafeHTML"); Validator instance = ESAPI.validator(); ValidationErrorList errors = new ValidationErrorList(); 
@@ -121,27 +134,20 @@ public void testGetValidSafeHTML() throws Exception { assertEquals("Test. alert(document.cookie)", rule.getSafe("test", "Test. alert(document.cookie)")); assertEquals("Test. alert(document.cookie)", rule.getSafe("test", "Test. alert(document.cookie)")); assertEquals("Test. alert(document.cookie)", rule.getSafe("test", "Test. alert(document.cookie)")); - // TODO: ENHANCE waiting for a way to validate text headed for an attribute for scripts - // This would be nice to catch, but just looks like text to AntiSamy - // assertFalse(instance.isValidSafeHTML("test", "\" onload=\"alert(document.cookie)\" ")); - // String result4 = instance.getValidSafeHTML("test", test4); - // assertEquals("", result4); } - // FIXME: Change the method name to reflect the CVE once we have a number for this. - // Test to confirm that CVE-2022-xxxxx (TBD) is fixed. The cause of this was - // from a subtle botched regex for 'onsiteURL' in all the versions of + // Test to confirm that CVE-2022-24891 is fixed in ESAPI. The cause of this was + // from a subtly botched regex for 'onsiteURL' in all the versions of // antsamy-esapi.xml that had been there as far back as ESAPI 1.4! // - // This TBD CVE should arguably get the same CVSSv3 store as the AntiSamy - // CVE-2021-35043 as the are very similar. + // This CVE should arguably get the same CVSSv3 score as the AntiSamy + // CVE-2021-35043 as they are very similar. // - // Updated: Requested CVE from GitHub CNA on 4/23/2022. See + // Updated: Requested CVE from GitHub CNA on 4/23/2022. See also // https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q - // (Which may not be published yet, but is remediated. Waiting on CVE ID to publish.) @Test - public void testJavaScriptURL() throws Exception { - System.out.println("testJavaScriptURL"); + public void testESAPI_CVE_2022_24891() throws Exception { + System.out.println("testESAPI_CVE_2022_24891"); String expectedSafeText = "This is safe from XSS. 
Trust us!"; String badVoodoo = "" + expectedSafeText + ""; 
@@ -155,26 +161,129 @@ public void testJavaScriptURL() throws Exception { // it was never really "broken" in ESAPI's "default configuration" because it is // triggers an Intrusion Detection when it is checking the canonicalization // and the ':' trips it up, that that's pretty much irrelevant given - // the (TBD) CVE mented in the previous test case. + // the CVE mentioned in the previous test case. // // Note: This test assumes a standard default ESAPI.properties file. In // particular, the normal canonicalization has to be enabled. - public void testAntiSamyCVE_2021_35043Fixed() { - System.out.println("testAntiSamyCVE_2021_35043Fixed"); + // + public void testAntiSamy_CVE_2021_35043Fixed() throws Exception { + System.out.println("testAntiSamy_CVE_2021_35043Fixed"); String expectedSafeText = "This is safe from XSS. Trust us!"; // Translates to '" + expectedSafeText + ""; Validator instance = ESAPI.validator(); - // ValidationErrorList errorList = new ValidationErrorList(); - boolean result = instance.isValidSafeHTML("CVE-2021-35043", badVoodoo, 200, false); - assertTrue( result ); + String cleansed = instance.getValidSafeHTML("CVE-2021-35043", badVoodoo, 200, false); + assertEquals( "", cleansed ); + } + + ////////// New AntiSamy tests added to ESAPI 2.5.3.0 ////////// + // Some of these were with the new XSS discoveries in AntiSamy. + // Sebastian doesn't think thta ESAPI should be vulnerable to these 2. (They weren't.) + @Test + public void testQuotesInsideStyles() throws Exception { + System.out.println("testQuotesInsideStyles"); + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + + // Added this test because of a fix to AntiSamy that doesn't seem to have affected ESAPI because of our + // very restrictive default AntiSamy policy file. However, with some of AntiSamy policy files, this used + // to cause any quoted (double or single) string identifier in CSS was being enclosed in quotes. 
+ // That resulted in quotes enclosed by more quotes in some cases without any kind of escape or + // transformation. It never did that for ESAPI, but it seemed like a good test to add. + String input = + "Safe Text"; + String expected = "Safe Text"; // We expect the span tag to be completely filtered out & only the tag contents to remain. + String output = instance.getValidSafeHTML("testQuotesInsideStyles-1", input, 250, false); + assertEquals(expected, output); + + input = "Safe Text"; // Slight variation + output = instance.getValidSafeHTML("testQuotesInsideStyle-2", input, 250, false); + assertEquals(expected, output); + + assertTrue(errors.size() == 0); } + @Test + public void testSmuggledTagsInStyleContentCase() throws Exception { + System.out.println("testSmuggledTagsInStyleContentCase"); + + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + + // Style tag processing was not handling correctly the value set to its child node that should + // be only text. On some mutation scenarios due to filtering tags by default, content was being + // smuggled and not properly sanitized by the output serializer. + // + // Not expected to affect ESAPI because our default AntiSamy policy file does NOT have: + // + // in it. 
+ // + String input = "Safe stuff"; + String output = null; + String expected = null; + try { + expected = "Safe<listing/>]]><noembed> stuff"; + output = instance.getValidSafeHTML("testSmuggledTagsInStyleContentCase-1", input, 250, false, errors); + } catch (IntrusionException ex) { + fail("testSmuggledTagsInStyleContentCase-1 - should not happen."); + } + assertTrue(errors.size() == 0); + assertEquals(expected, output); + + input = "Safe' stuff"; + try { + expected = "Safe<math>'<noframes >' stuff"; + output = instance.getValidSafeHTML("testSmuggledTagsInStyleContentCase-2", input, 250, false, errors); + } catch (IntrusionException ex) { + fail("testSmuggledTagsInStyleContentCase-2 - should not happen."); + } + assertTrue(errors.size() == 0); + assertEquals(expected, output); + } + + @Test + public void testAntiSamy_CVE_2023_43643() { + System.out.println("testAntiSamy_CVE_2023_43643"); + // These are new tests are variations from AntiSamy 1.7.4 and were associted with CVE-2023-43643. (See + // https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2 for additional details.) + // The concern is that when preserving comments, certain tags would get their content badly parsed + // due to mutation XSS. Note that AntiSamy 1.7.3 and earlier had problems (depending on it's + // AntiSamy policy file) for all these constructs, but ESAPI using AntiSamy 1.7.3 had no vulnerabilities + // because our antisamy-esapi.xml AntiSamy policy file is much stricter. Regardless, these make good + // additions to our test suite. + String[] payloads = { + "
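Review bot: In the new CAUTION paragraph of the Validator class Javadoc, "When there are 2 these {@code String} parameters" is ungrammatical, and "the * {@code context} argument" carries a stray `*` left over from a line join. The paragraph also uses literal em-dash characters in the source, which are easy to mangle under a non-UTF-8 build or editor encoding; plain ASCII (or `&mdash;`) is safer in Javadoc. Suggested wording: "When both of these {@code String} parameters ({@code context} and {@code input}) are present, the {@code context} argument is always first."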
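Review bot: The `@param allowNull` text copied into the boolean methods (all four `isValidInput` overloads and both `isValidInteger` overloads) says that NULL or an empty String "will throw a ValidationException", but those same hunks document the methods as returning true only if no exceptions are thrown and they declare only `IntrusionException`; for them a null input with `allowNull=false` yields `false` (and, for the `errorList` overloads, an entry in `errorList`), not an exception. Suggest phrasing it on the `isValid*` overloads as "NULL or an empty String will be treated as invalid (false is returned)" and keeping the "will throw a ValidationException" wording only on the `getValid*` methods. In the same region, both new `@param canonicalize` entries read "the {@code input} if first canonicalized"; that should be "is first canonicalized".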
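Review bot: The new `@throws ValidationException Input is invalid, based on the regex associated with {@code type}.` on `getValidDate` refers to a parameter the method does not have; its signature takes `DateFormat format`, and validity is decided by that format, not by a named regex from ESAPI.properties. Suggest "Input is invalid, i.e., it cannot be parsed using {@code format}."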
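Review bot: The deprecation Javadoc on `isValidSafeHTML` (both overloads) uses `@see GitHub Security Advisory: Validator.isValidSafeHTML is being deprecated and will be deleted in 1 year`, which is not a valid `@see` target: `@see` expects a program element, a quoted string, or an `<a href="...">` link, so the javadoc tool will warn and the advisory will not be reachable from the generated docs. Suggest `@see <a href="URL-of-the-advisory">GitHub Security Advisory: ...</a>` with the real advisory URL, and have the `@deprecated` text name the replacement callers should move to (the `getValidSafeHTML` overloads documented in the same change) and say why (a boolean answer discards the sanitized output), so that consumers who only read the compiler warning know what to do.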
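Review bot: The `@throws ValidationException Input is invalid, based on the regex associated with {@code type}.` added to the 4-argument `getValidSafeHTML` is wrong for that method: it has no `type` parameter, and the hunk's own description says validity is governed by the AntiSamy policy file, not a regex. Suggest "Input is invalid according to the configured AntiSamy policy, or exceeds {@code maxLength}." The new description in both `getValidSafeHTML` overloads also needs cleanup: "renderinger" should be "rendering", "chaged" should be "changed", "in a allow-list way" should be "in an allow-list way", and the parenthesis opened at "(or an alternate filename, specified via ... property in your {@code ESAPI.properties} file" is never closed. Finally, the example of what a single quote is changed to reads `"""` in the diff, which looks like an HTML entity that was rendered rather than escaped; spell the intended entity out with `&amp;` so Javadoc shows it literally.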
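Review bot: The new multi-line `@throws ValidationException` on `getValidFileName` opens a parenthesis at "(e.g., {@code input} refers to a non-existant file" and never closes it after "exceeds a maximum length of 255 characters, etc."; also "non-existant" should be "non-existent". Suggest ending with "..., exceeds a maximum length of 255 characters, etc.)."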
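Review bot: Changing the fallback in `getDigitalSignatureKeyLength()` from 1024 to 2048 silently changes behaviour for every deployment whose ESAPI.properties does not set the corresponding property, and the same default now also lives as the hard-coded `signatureKeyLength = 2048` in `JavaEncryptor`; two copies of one default will drift. Suggest having `JavaEncryptor` initialise `signatureKeyLength` from the security configuration (or at least a comment in each place pointing at the other), and a release-note entry stating that newly generated signing keys are now 2048-bit DSA by default.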
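Review bot: Switching the `JavaEncryptor` default from `SHA1withDSA` to `SHA256withDSA` is the right direction, but it is a compatibility break for anyone relying on the compiled-in default: signatures produced under the old algorithm will fail verification after the upgrade unless the signature format records the algorithm, and `SHA256withDSA` needs a JCA provider that supports it (the SUN provider does from Java 8). This should be called out in the release notes and migration guidance. Minor: the new comment `// SHA1 is fine as a CSRNG.` should say CSPRNG, and it would help to note that `SHA1PRNG` is a JDK algorithm name for a DRBG, unrelated to SHA-1 collision weaknesses, since that is the question the comment is trying to pre-empt.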
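Review bot: Typos in the rewritten class Javadoc of `HTMLValidationRuleClasspathTest`: "based on te original test cases" should be "the original", "those methods respective Javadoc" should be "those methods' respective Javadoc", and in the new `ANTISAMY_POLICY_FILE_NONSTANDARD_LOCATION` comment "We don't intend to * actually use it" has a stray `*` mid-sentence from a line join.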
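Review bot: In `testQuotesInsideStyles`, `errors` is created but both calls use the 4-argument `getValidSafeHTML(context, input, 250, false)`, so the closing `assertTrue(errors.size() == 0)` is vacuous and the test cannot detect a "clean"-mode sanitisation being reported through the error list; pass `errors` as the fifth argument, as `testSmuggledTagsInStyleContentCase` does, or drop the assertion (and prefer `assertTrue(errors.isEmpty())` either way). In `testSmuggledTagsInStyleContentCase` the `try { ... } catch (IntrusionException ex) { fail(...) }` blocks are redundant because the method already declares `throws Exception`; letting the exception propagate fails the test with a fuller stack trace. For `testAntiSamy_CVE_2021_35043Fixed`, no `@Test` annotation is visible between the comment block and the new method declaration; if it is not sitting above the comment block, JUnit 4 will silently skip the test. Typos in the new comments: "thta" -> "that", "associted" -> "associated", "depending on it's AntiSamy policy file" -> "its", and "this used to cause any quoted ... string identifier in CSS was being enclosed in quotes" needs rewording (e.g., "caused any quoted ... string identifier in CSS to be enclosed in quotes").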