尝试记录警告时 ESAPI 抛出 org.owasp.esapi.errors.ConfigurationException
ESAPI throwing org.owasp.esapi.errors.ConfigurationException when trying to log a warning
我们在 spring 网络应用程序中添加了一个过滤器,用于检查所有传入请求是否存在可能导致 XSS 漏洞的任何内容。但是,当它尝试写入日志时,我们得到以下堆栈跟踪:
com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)
我在 class 路径上有 ESAPI.properties,它似乎可以正常工作,它确实配置了 "missing" class:
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
DefaultHTTPUtilities 也在 class路径上。
跟进 Suresh 的评论...为此,请查看您捕获 stdout 的任何位置并查找 "Attempting to load ESAPI.properties" 并追踪该路径。它应该看起来像这样:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/ESAPI.properties
Found in SystemResource Directory/resourceDirectory: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/target/test-classes/esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
并且他们确保它从您预期的加载位置加载ESAPI.properties。
事实证明我还导入了一个名为 opensaml 的库(作为其他依赖项的依赖项)。这个库有自己的 SecurityConfiguration 实现,这是 ESAPI 用来加载配置的接口。出于某种原因,opensaml 将几乎所有方法实现为 return null 或 0:
package org.opensaml;
/**
* Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
*/
public class ESAPISecurityConfig implements SecurityConfiguration {
/** Constructor. */
public ESAPISecurityConfig() {
}
// snip...
/** {@inheritDoc} */
public String getHTTPUtilitiesImplementation() {
return null;
}
// snip....
}
在名为 DefaultBootstrap 的 class 中,它在我的应用程序启动期间的某处执行,它覆盖了 ESAPI 的默认实现:
protected static void initializeESAPI() {
ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}
我无法摆脱 opensaml 库,所以我不得不更改我的代码,以便在我调用 ESAPI 之前,我将它重写回默认实现:
ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
value = ESAPI.encoder().canonicalize(value);
我们在 spring 网络应用程序中添加了一个过滤器,用于检查所有传入请求是否存在可能导致 XSS 漏洞的任何内容。但是,当它尝试写入日志时,我们得到以下堆栈跟踪:
com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)
我在 class 路径上有 ESAPI.properties,它似乎可以正常工作,它确实配置了 "missing" class:
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
DefaultHTTPUtilities 也在 class路径上。
跟进 Suresh 的评论...为此,请查看您捕获 stdout 的任何位置并查找 "Attempting to load ESAPI.properties" 并追踪该路径。它应该看起来像这样:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/ESAPI.properties
Found in SystemResource Directory/resourceDirectory: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/target/test-classes/esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
并且他们确保它从您预期的加载位置加载ESAPI.properties。
事实证明我还导入了一个名为 opensaml 的库(作为其他依赖项的依赖项)。这个库有自己的 SecurityConfiguration 实现,这是 ESAPI 用来加载配置的接口。出于某种原因,opensaml 将几乎所有方法实现为 return null 或 0:
package org.opensaml;
/**
* Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
*/
public class ESAPISecurityConfig implements SecurityConfiguration {
/** Constructor. */
public ESAPISecurityConfig() {
}
// snip...
/** {@inheritDoc} */
public String getHTTPUtilitiesImplementation() {
return null;
}
// snip....
}
在名为 DefaultBootstrap 的 class 中,它在我的应用程序启动期间的某处执行,它覆盖了 ESAPI 的默认实现:
protected static void initializeESAPI() {
ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}
我无法摆脱 opensaml 库,所以我不得不更改我的代码,以便在我调用 ESAPI 之前,我将它重写回默认实现:
ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
value = ESAPI.encoder().canonicalize(value);