Java 尝试记录警告时ESAPI抛出org.owasp.ESAPI.errors.ConfigurationException
我们在SpringWebApp中添加了一个过滤器,用于检查所有传入的请求是否存在任何可能导致XSS漏洞的内容。但是,当它尝试写入日志时,我们会得到以下堆栈跟踪:Java 尝试记录警告时ESAPI抛出org.owasp.ESAPI.errors.ConfigurationException,java,spring,esapi,Java,Spring,Esapi,我们在SpringWebApp中添加了一个过滤器,用于检查所有传入的请求是否存在任何可能导致XSS漏洞的内容。但是,当它尝试写入日志时,我们会得到以下堆栈跟踪: com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException
com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
DefaultHTTPUtilities也在类路径上。跟进Suresh的评论……为此,请查看捕获stdout的位置,并查看是否尝试加载ESAPI.properties并跟踪该轨迹。它应该是这样的:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/ESAPI.properties
Found in SystemResource Directory/resourceDirectory: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/target/test-classes/esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
他们确保它正在从您预期的加载位置加载ESAPI.properties。跟进Suresh的评论…为此,请查看捕获stdout的位置,并查找尝试加载ESAPI.properties的位置,然后跟踪该轨迹。它应该是这样的:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/ESAPI.properties
Found in SystemResource Directory/resourceDirectory: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/target/test-classes/esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
它们确保它正在从您期望的加载位置加载ESAPI.properties。事实证明,我还导入了一个名为opensaml的库,作为其他依赖项的依赖项。该库有自己的SecurityConfiguration实现,这是ESAPI用于加载配置的接口。出于某种原因,opensaml实现了几乎所有只返回null或0的方法:
package org.opensaml;
/**
* Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
*/
public class ESAPISecurityConfig implements SecurityConfiguration {
/** Constructor. */
public ESAPISecurityConfig() {
}
// snip...
/** {@inheritDoc} */
public String getHTTPUtilitiesImplementation() {
return null;
}
// snip....
}
protected static void initializeESAPI() {
ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}
ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
value = ESAPI.encoder().canonicalize(value);
protected static void initializeESAPI() {
ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}
ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
value = ESAPI.encoder().canonicalize(value);
原来我还导入了一个名为opensaml的库,作为其他依赖项的依赖项。该库有自己的SecurityConfiguration实现,这是ESAPI用于加载配置的接口。出于某种原因,opensaml实现了几乎所有只返回null或0的方法:
package org.opensaml;
/**
* Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
*/
public class ESAPISecurityConfig implements SecurityConfiguration {
/** Constructor. */
public ESAPISecurityConfig() {
}
// snip...
/** {@inheritDoc} */
public String getHTTPUtilitiesImplementation() {
return null;
}
// snip....
}
protected static void initializeESAPI() {
ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}
ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
value = ESAPI.encoder().canonicalize(value);
protected static void initializeESAPI() {
ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}
ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
value = ESAPI.encoder().canonicalize(value);
可能ESAPI.properties位于多个位置。您是否可以删除一个您知道正在工作的属性,并查看它是否检查您的更改是否由ESAPI库获取。您是否可以在本地计算机上运行该应用程序?可能ESAPI.properties位于多个位置。您是否可以删除您知道正在运行的属性,并查看它是否检查您的更改是否由ESAPI库获取。您是否可以在本地计算机上运行该应用程序?如果您对ESAPI.properties文件的位置有疑问,您可以在此处找到一些详细信息:如果您对ESAPI.properties文件的位置有疑问,您可以在此处找到一些详细信息: