ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception #747

Closed ss839x closed 1 year ago

ss839x commented 1 year ago

After upgrading to Spring Boot 2.6.6, I am getting an exception while canonicalizing.

Used the default validation.properties and ESAPI.properties files. Do we need to change anything specific in the config?
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder

Code: ESAPI.encoder().canonicalize(value);

org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception

jeremiahjstacey commented 1 year ago

The template provided for bug creation is intended to help us help you better. Please consider the following:

Specify what ESAPI version(s) you are experiencing this bug in. This is especially important if it is not the latest version of ESAPI.

Platform environment (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • JDK version used with ESAPI

Additionally, providing the full stacktrace from the exception thrown will make a significant difference.

kwwall commented 1 year ago

In addition, if you upgraded from a previous version of ESAPI in the process, let us know what ESAPI version that was, as well as the one that is currently having a problem. I vaguely recall a few changes to that method that potentially could have broken something unintentionally, but we won't know what changes are significant unless we have something to compare it to.

Lastly, if you can duplicate the problem in a short code snippet or a new test via a PR to EncoderTest, that would be ideal.

ss839x commented 1 year ago

Thank you so much for checking... hope the following information helps. My guess is it's all with the property file; was there anything new?

Earlier the app used esapi (2.0.1) and it is now upgraded to esapi (2.5.0.0). Made the change while upgrading Spring Boot to 2.6.6. Right now I am trying on Windows 10 64-bit, using Eclipse along with JDK 1.8.

Stack trace with a simple class...

```
ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\XXXX\git\abc_springUpgrade\ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
ESAPI: Not found in 'user.home' (C:\Users\XXX) directory: C:\Users\XXXX\esapi\ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!

ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\XXXXX\git\firstnetimportal_springUpgrade\validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
ESAPI: Not found in 'user.home' (C:\Users\XXXXX) directory: C:\Users\XXXXXX\esapi\validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.

ESAPI: validation.properties could not be loaded by any means. fail..
Caught java.lang.IllegalArgumentException; exception message was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.

ESAPI: DefaultSecurityConfiguration: The code to print all the properties is currently commented out
Exception in thread "main" org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
	at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
	at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
	at com.att.firstnetimportal.util.XSSStripWrapper.stripXSS(XSSStripWrapper.java:16)
	at com.att.firstnetimportal.util.CheckStrip.main(CheckStrip.java:14)
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
	... 3 more
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory LogFactory class (org.owasp.esapi.reference.Log4JLogFactory) must be in class path.
	at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
	at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
	at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
	at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:83)
	at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:106)
	at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:67)
	... 8 more
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory
	at java.net.URLClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Unknown Source)
	at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
	at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
	... 13 more
```

ss839x commented 1 year ago

Thanks for your help, Just mentioned all the required details above....

jeremiahjstacey commented 1 year ago

The issue is related to your ESAPI.properties file. There are several updates to class locations and new properties that have changed since 2.0.1.

If you have not already, please look through the Releases for the project. There are some highlights pointed out there. Additionally, you can find more specific items in the Documentation Directory of the baseline -- Specifically the files ending in -release-notes.txt

The specific problem you're having is two-fold. Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory

  1. ESAPI no longer supports Log4J 1.x
  2. The logging implementations have been moved to a new location in the baseline, so your options are either:
    • org.owasp.esapi.logging.slf4j.Slf4JLogFactory OR
    • org.owasp.esapi.logging.java.JavaLogFactory

It may be beneficial to pull down esapi-2.5.0.0-configuration.jar and work through merging any of your customizations from your 2.0.1 version.
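The stale setting beside its corrected form, as an added illustration of the answer above (this fragment is not from the reporter's file or from the project's shipped configuration; the class names are the ones named in this thread, and the Encoder line is the one the reporter quoted):

```properties
# Before: carried over from a 2.0.1-era ESAPI.properties. The class does not exist in
# 2.5.0.0 (Log4J 1.x support was dropped), so ObjFactory throws ClassNotFoundException.
# ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory

# After: choose one of the two logging factories shipped with 2.5.0.0.
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
# ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory

# Unchanged. DefaultEncoder's constructor calls ESAPI.getLogger(), which is why a bad
# ESAPI.Logger value surfaces as "Encoder class ... CTOR threw exception".
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
```

With the SLF4J factory, an SLF4J binding must also be on the classpath, or logging silently goes to SLF4J's NOP logger.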

kwwall commented 1 year ago

If you really want to use Log4J, you can of course do that via SLF4J and the (I think) slf4j-log4j12 jar. Also, this discussion, #696, may be helpful. The reason this happens is that ESAPI eats its own dog food and the ESAPI Encoder uses the ESAPI Logger to do logging.

Also, thanks for providing the additional details. That saves us a lot of back-and-forth to gather information. This was perfect.
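A startup check that turns the failure mode described in the two answers above (the Encoder constructor failing because ESAPI.properties names a LogFactory class that is no longer on the classpath) into a readable error at boot instead of a nested InvocationTargetException during request handling. This is an added example, not ESAPI's own code; it assumes ESAPI 2.5.0.0 and an ESAPI.properties at the classpath root (where the reporter's trace shows it was loaded from). The class `EsapiPreflight` and its method names are hypothetical; the property keys, factory class names and the `Encoder.AllowMultipleEncoding` default are ESAPI's real ones.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.ConfigurationException;

/**
 * Hypothetical preflight (not part of ESAPI). It does, up front and with a clear message,
 * what org.owasp.esapi.util.ObjFactory does lazily on the first ESAPI.encoder() call:
 * read the implementation class names from ESAPI.properties and Class.forName() them.
 */
public final class EsapiPreflight {

    // Removed in 2.5.0.0 (Log4J 1.x support dropped) and its two supported replacements.
    static final String REMOVED_LOG4J_FACTORY = "org.owasp.esapi.reference.Log4JLogFactory";
    static final String SLF4J_FACTORY = "org.owasp.esapi.logging.slf4j.Slf4JLogFactory";
    static final String JUL_FACTORY = "org.owasp.esapi.logging.java.JavaLogFactory";

    private EsapiPreflight() {}

    /** Loads ESAPI.properties from the classpath root, the location ESAPI fell back to in the trace above. */
    static Properties loadEsapiProperties() throws IOException {
        Properties props = new Properties();
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        try (InputStream in = cl.getResourceAsStream("ESAPI.properties")) {
            if (in == null) {
                throw new IOException("ESAPI.properties not found on the classpath");
            }
            props.load(in);
        }
        return props;
    }

    /** Returns the problems found; an empty list means every implementation class resolves. */
    static List<String> check(Properties props) {
        List<String> problems = new ArrayList<>();
        // Each of these keys names a class ObjFactory will load reflectively at first use.
        for (String key : new String[] {"ESAPI.Logger", "ESAPI.Encoder", "ESAPI.Validator"}) {
            String className = props.getProperty(key);
            if (className == null || className.trim().isEmpty()) {
                problems.add(key + " is not set");
                continue;
            }
            className = className.trim();
            if (REMOVED_LOG4J_FACTORY.equals(className)) {
                problems.add(key + "=" + className + " no longer exists; use " + SLF4J_FACTORY
                        + " (plus an SLF4J binding such as slf4j-log4j12) or " + JUL_FACTORY);
                continue;
            }
            try {
                Class.forName(className, false, Thread.currentThread().getContextClassLoader());
            } catch (ClassNotFoundException e) {
                problems.add(key + "=" + className + " is not on the classpath");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        List<String> problems = check(loadEsapiProperties());
        if (!problems.isEmpty()) {
            problems.forEach(p -> System.err.println("ESAPI preflight: " + p));
            System.exit(1);
        }
        // Force the Encoder (and, through its constructor, the LogFactory) to be built now.
        Encoder encoder;
        try {
            encoder = ESAPI.encoder();
        } catch (ConfigurationException e) {
            System.err.println("ESAPI preflight: encoder construction failed: " + e.getMessage());
            System.exit(1);
            return;
        }
        // Constructed sample: single-layer percent-encoding. Under the default
        // Encoder.AllowMultipleEncoding=false a double-encoded value such as %253C would
        // raise IntrusionException from canonicalize() rather than decode silently.
        String canonical = encoder.canonicalize("%3Cscript%3E");
        System.out.println("canonicalize -> " + canonical);
    }
}
```

Run it once from a test or an application initializer; the class-resolution loop needs only the JDK, so it can report a stale ESAPI.properties even before ESAPI itself is touched.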

jeremiahjstacey commented 1 year ago

@kwwall I am converting this to a discussion, as this is not an issue with the behavior of the library but more related to version upgrade process for a specific environment.