Merge branch 'develop' into misc-cleanup

Author: kwwall

configuration/esapi/ESAPI.properties

@@ -535,3 +535,10 @@ Validator.AcceptLenientDates=false
 #
 #Validator.HtmlValidationAction=clean
 Validator.HtmlValidationAction=throw
+
+# With the fix for #310 to enable loading antisamy-esapi.xml from the classpath
+# also an enhancement was made to be able to use a different filename for the configuration.
+# You don't have to configure the filename here, but in that case the code will keep looking for antisamy-esapi.xml.
+# This is the default behaviour of ESAPI.
+#
+#Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml

documentation/esapi4java-core-2.2.1.0-release-notes.txt

@@ -48,6 +48,8 @@ Issue #         GitHub Issue Title
 530             Log Bridge Tests
 536             Various fixes
 538             Addressing log4j 1.x CVE-2019-17571
+552             Rewrite implementation of some ESAPI classes to remove Java 8 dependencies
+
 
 -----------------------------------------------------------------------------
 
@@ -95,7 +97,7 @@ Developer       Total       Total Number
 (GitHub ID)     commits   of Files Changed
 =====================================================
 jeremiahjstacey 11              68
-kwwall          15              26
+kwwall          16              26
 wiitek          3               6
 xeno6696        8               9
 Michael-Ziluck  2               3
@@ -104,8 +106,10 @@ sempf           1               1
 
 -----------------------------------------------------------------------------
 
-53 Closed PRs since 2.2.0.0 release
-===================================
+
+53 Closed PRs since 2.2.0.0 release (those rejected not listed)
+===============================================================
+
 504 New scripts to suppress noise for 'mvn test'
 510 Resolve #509 - Properly throw exception when HTML fails
 513 Close issue #512 by updating to 1.9.4 of Commons Beans Util.\
@@ -126,7 +130,7 @@ Project co-leaders
 
 Special shout-outs to:
     Jeremiah Stacey (jeremiahjstacey) -- All around ESAPI support and JUnit test case developer extraordinaire
-    Dave Wichers (davewichers) - for Maven Central / Sonatype help
+    Dave Wichers (davewichers) - for pom.xml improvements
     Bill Sempf -- for these release notes. Awesome job, Bill. I owe you a brew.
 
 Thanks you all for your time and effort to ESAPI and making it a better project. And if I've missed any, my apologies; let me know and I will correct it.

src/main/java/org/owasp/esapi/SecurityConfiguration.java

@@ -640,7 +640,6 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
      */
     InputStream getResourceStream( String filename ) throws IOException;
 
-    	
 	/**
 	 * Sets the ESAPI resource directory.
 	 * 

src/main/java/org/owasp/esapi/logging/appender/ClientInfoSupplier.java

@@ -15,7 +15,8 @@
 
 package org.owasp.esapi.logging.appender;
 
-import java.util.function.Supplier;
+// Uncomment and use once ESAPI supports Java 8 as the minimal baseline.
+// import java.util.function.Supplier;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -27,7 +28,8 @@
  * Supplier which can provide a String representing the client-side connection
  * information.
  */
-public class ClientInfoSupplier implements Supplier<String> {
+public class ClientInfoSupplier // implements Supplier<String>
+{
     /** Default Last Host string if the Authenticated user is null.*/
     private static final String DEFAULT_LAST_HOST = "#UNKNOWN_HOST#";
     /** Session Attribute containing the ESAPI Session id. */
@@ -47,7 +49,7 @@ public class ClientInfoSupplier implements Supplier<String> {
     /** Whether to log the user info from this instance. */
     private boolean logClientInfo = true;
 
-    @Override
+    // @Override    -- Uncomment when we switch to Java 8 as minimal baseline.
     public String get() {
         String clientInfo = "";
 

src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java

@@ -15,7 +15,8 @@
 
 package org.owasp.esapi.logging.appender;
 
-import java.util.function.Supplier;
+// Uncomment and use once ESAPI supports Java 8 as the minimal baseline.
+// import java.util.function.Supplier;
 
 import org.owasp.esapi.Logger;
 import org.owasp.esapi.Logger.EventType;
@@ -25,7 +26,8 @@
  * an EventType for logging
  *
  */
-public class EventTypeLogSupplier implements Supplier<String> {
+public class EventTypeLogSupplier // implements Supplier<String>
+{
     /** EventType reference to supply log representation of. */
     private final EventType eventType;
 
@@ -38,7 +40,7 @@ public EventTypeLogSupplier(EventType evtyp) {
         this.eventType = evtyp == null ? Logger.EVENT_UNSPECIFIED : evtyp;
     }
 
-    @Override
+    // @Override    -- Uncomment when we switch to Java 8 as minimal baseline.
     public String get() {
         return eventType.toString();
     }

src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java

@@ -15,7 +15,8 @@
 
 package org.owasp.esapi.logging.appender;
 
-import java.util.function.Supplier;
+// Uncomment and use once ESAPI supports Java 8 as the minimal baseline.
+// import java.util.function.Supplier;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -25,7 +26,8 @@
  * Supplier which can provide a String representing the server-side connection
  * information.
  */
-public class ServerInfoSupplier implements Supplier<String> {
+public class ServerInfoSupplier     // implements Supplier<String>
+{
     /** Whether to log the server connection info. */
     private boolean logServerIP = true;
     /** Whether to log the application name. */
@@ -45,7 +47,7 @@ public ServerInfoSupplier(String logName) {
         this.logName = logName;
     }
 
-    @Override
+    // @Override    -- Uncomment when we switch to Java 8 as minimal baseline.
     public String get() {
         // log server, port, app name, module name -- server:80/app/module
         StringBuilder appInfo = new StringBuilder();

src/main/java/org/owasp/esapi/logging/appender/UserInfoSupplier.java

@@ -15,7 +15,8 @@
 
 package org.owasp.esapi.logging.appender;
 
-import java.util.function.Supplier;
+// Uncomment and use once ESAPI supports Java 8 as the minimal baseline.
+// import java.util.function.Supplier;
 
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.User;
@@ -24,14 +25,15 @@
  * Supplier which can provide a String representing the client-side connection
  * information.
  */
-public class UserInfoSupplier implements Supplier<String> {
+public class UserInfoSupplier   // implements Supplier<String>
+{
     /** Default UserName string if the Authenticated user is null.*/
     private static final String DEFAULT_USERNAME = "#ANONYMOUS#";
 
     /** Whether to log the user info from this instance. */
     private boolean logUserInfo = true;
 
-        @Override
+    // @Override    -- Uncomment when we switch to Java 8 as minimal baseline.
     public String get() {
         // log user information - username:session@ipaddr
         User user = ESAPI.authenticator().getCurrentUser();

src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

@@ -159,6 +159,7 @@ public static SecurityConfiguration getInstance() {
     public static final String VALIDATION_PROPERTIES_MULTIVALUED = "Validator.ConfigurationFile.MultiValued";
     public static final String ACCEPT_LENIENT_DATES = "Validator.AcceptLenientDates";
     public static final String VALIDATOR_HTML_VALIDATION_ACTION = "Validator.HtmlValidationAction";
+	public static final String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE = "Validator.HtmlValidationConfigurationFile";
 
     /**
      * Special {@code System} property that, if set to {@code true}, will

src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java

@@ -30,6 +30,7 @@
 import org.owasp.validator.html.Policy;
 import org.owasp.validator.html.PolicyException;
 import org.owasp.validator.html.ScanException;
+import org.owasp.esapi.reference.DefaultSecurityConfiguration;
 
 
 /**
@@ -46,22 +47,113 @@ public class HTMLValidationRule extends StringValidationRule {
 	/** OWASP AntiSamy markup verification policy */
 	private static Policy antiSamyPolicy = null;
 	private static final Logger LOGGER = ESAPI.getLogger( "HTMLValidationRule" );
+	private static final String ANTISAMYPOLICY_FILENAME = "antisamy-esapi.xml";
+
+    /**
+     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
+	 * The classpath locations are the same classpath locations as used to load esapi.properties.
+	 * See DefaultSecurityConfiguration.DefaultSearchPath.
+     *
+     * @param fileName The resource file filename.
+     */
+	private static InputStream getResourceStreamFromClasspath(String fileName) {
+		InputStream resourceStream = null;
+		
+		ClassLoader[] loaders = new ClassLoader[] {
+				Thread.currentThread().getContextClassLoader(),
+				ClassLoader.getSystemClassLoader(),
+				ESAPI.securityConfiguration().getClass().getClassLoader()  
+						/* can't use just getClass.getClassLoader() in a static context, so using the DefaultSecurityConfiguration class. */
+		};
+		
+		String[] classLoaderNames = {
+				"current thread context class loader",
+				"system class loader",
+				"class loader for DefaultSecurityConfiguration class"
+		};
+		
+		int i = 0;
+        for (ClassLoader loader : loaders) {
+			// try root
+			String currentClasspathSearchLocation = "/ (root)";
+            resourceStream = loader.getResourceAsStream(DefaultSecurityConfiguration.DefaultSearchPath.ROOT.value() + fileName);
+			
+			// try resourceDirectory folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.RESOURCE_DIRECTORY.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+			
+			// try .esapi folder. Look here first for backward compatibility.
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.DOT_ESAPI.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try esapi folder (new directory)
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.ESAPI.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.RESOURCES.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try src/main/resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.SRC_MAIN_RESOURCES.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+            if (resourceStream != null) {
+				LOGGER.info(Logger.EVENT_FAILURE, "SUCCESSFULLY LOADED " + fileName + " via the CLASSPATH from '" + 
+					currentClasspathSearchLocation + "' using " + classLoaderNames[i] + "!");
+                break; // Outta here since we've found and loaded it.
+            }
+			
+			i++;
+        }
+		
+		return resourceStream;
+	}
 
 	static {
         InputStream resourceStream = null;
+		String antisamyPolicyFilename = null;
+		
+		try {
+			antisamyPolicyFilename = ESAPI.securityConfiguration().getStringProp(
+                    // Future: This will be moved to a new PropNames class
+                org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE );
+		} catch (ConfigurationException cex) {
+			
+            LOGGER.info(Logger.EVENT_FAILURE, "ESAPI property " + 
+                           org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE +
+                           " not set, using default value: " + ANTISAMYPOLICY_FILENAME);
+			antisamyPolicyFilename = ANTISAMYPOLICY_FILENAME;
+		}
 		try {
-			resourceStream = ESAPI.securityConfiguration().getResourceStream("antisamy-esapi.xml");
+			resourceStream = ESAPI.securityConfiguration().getResourceStream(antisamyPolicyFilename);
 		} catch (IOException e) {
-			throw new ConfigurationException("Couldn't find antisamy-esapi.xml", e);
-	            }
+			
+			LOGGER.info(Logger.EVENT_FAILURE, "Loading " + antisamyPolicyFilename + " from classpaths");
+
+			resourceStream = getResourceStreamFromClasspath(antisamyPolicyFilename);
+		}
         if (resourceStream != null) {
         	try {
 				antiSamyPolicy = Policy.getInstance(resourceStream);
 			} catch (PolicyException e) {
-				throw new ConfigurationException("Couldn't parse antisamy policy", e);
-		        }
-			}
+				throw new ConfigurationException("Couldn't parse " + antisamyPolicyFilename, e);
+	        }
 		}
+        else {
+            throw new ConfigurationException("Couldn't find " + antisamyPolicyFilename);
+		}
+	}
 
 	public HTMLValidationRule( String typeName ) {
 		super( typeName );