Missed a legal input case in DefaultSecurityConfiguration.java #488
Comments
|
The workaround I can find is to put the properties file in a sub-folder esapi which is documented way for this class. |
|
I have created a ticket to move our |
|
@lawrencexu , the "ROOT" case is buried in some long history. Back when this lib started, the recommended usage was to compile your own version of the library with your own properties files embedded in the source, at that time at the root of the directory. Then at some point they converted to Maven and it seems over time the possible locations grew, from "/" to ".esapi/" and so on. So it doesn't shock me that the documentation never mentioned the ROOT case. Thanks for pointing this out! |
|
If "ROOT" is the top level or a .war / .ear file, that sounds like a bad
default place for it, as that would be potentially susceptible to "direct
browsing" attacks. Why not have it look under "WEB-INF/" instead, so that
the JavaEE application container will protect it by default? (Or is that
what "ROOT" evaluates to?)
…-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Thu, May 2, 2019, 11:28 Matt Seil ***@***.***> wrote:
@lawrencexu <https://github.com/lawrencexu> , the "ROOT" case is buried
in some long history. Back when this lib started, the recommended usage was
to compile your own version of the library with your own properties files
embedded in the source, at that time at the root of the directory. Then at
some point they converted to Maven and it seems over time the possible
locations grew, from "/" to ".esapi/" and so on. So it doesn't shock me
that the documentation never mentioned the ROOT case. Thanks for pointing
this out!
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#488 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAO6PG6YNIKIJ5JZRVVRAL3PTMCAFANCNFSM4HJGN2VA>
.
|
|
I believe that "ROOT" in this context is the root of the classpath. It evaluates to "ROOT" because of these lines: |
|
Yes, it's the same.
…On Wed, May 29, 2019 at 9:33 PM Kevin W. Wall ***@***.***> wrote:
@xeno6696 <https://github.com/xeno6696> Where do we stand with this? This
sounds related to the one PR #489
<#489>. Is it? Asking
because the proposed fix here sounds different than for the PR.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#488?email_source=notifications&email_token=ACIQAQKYED2DJZS4JVYZNRTPX5KILA5CNFSM4HJGN2VKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWRKMHI#issuecomment-497198621>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACIQAQMW2ZDOZSAFFZG2QU3PX5KILANCNFSM4HJGN2VA>
.
--
Matt Seil
Cyber Security Software Engineer
Member ACM/OWASP
|
|
Note in #489 (comment), @JoergAdler noted that: This was originally fixed in his PR, PR#489, but I rejected that PR because of excessive white-space diffs and that the fact that the properties file really only needed a single property. |
* Change release version to 2.2.0.0 for official release. * Update / correct ESAPI release steps. * Fix ironic spelling typo. * Fix ironic spelling typo. * Changes to suppress most of the noise, but also fixes to all for .XML and .PROPERTIES suffixes and to fix and return null when property is null or empty string. * Changes to suppress most of the noise and to actually handle the exceptions that we should have been all along (e.g., IOExceptions). * Comment out the crude benchmark related assertion that sometimes was failing because of JIT-related issues. Needs to be eventually replaced by JMH. * Close #499 by resetting 'parent' when Windows is detected to root of drive where Windows is installed. * Close issue #488. These are slight enhancements to PR #489 by @JoergAdler that I rejected because Eclipse did something to cause every line to differ. But shout out to Jörg Adler for originally finding this issue and patching it. * Close issue #488. These are slight enhancements to PR #489 by @JoergAdler that I rejected because Eclipse did something to cause every line to differ. But shout out to Jörg Adler for originally finding this issue and patching it. I also added an additional test or 2, so don't blame @JoergAdler if I messed that up. * Close issue #488. These are slight enhancements to PR #489 by @JoergAdler that I rejected because Eclipse did something to cause every line to differ. But shout out to Jörg Adler for originally finding this issue and patching it. I tremendously stripped down the contents of this file because really all it needed was a single property referencing the validation.properties file. * Add 3 additional issues that were closed and fixes to some minor formatting. * Final updates for the ESAPI 2.2.0.0 official release. * Figure I probably ought to add my name instead of assuming people knew it and my email address. * Changed schema from allowing unbounded number of properties to allow only 10000. That really should NOT be a problem. However, it should help silence some of the SAST engines. * Additional changes to fix GitHub Issue #500
When was ESAPI-2.2.0.0-RC2 released? Our applications fails to load
ESAPI.properties. The change seems to be with xeno6696@2837538This change attempts to load "ROOT" and not
fileName(aka., "ESAPI.properties"). We are picking up this RC version via the transitive dependency inencoder-esapi:Originally posted by @fransonsr in #487 (comment)
The text was updated successfully, but these errors were encountered: