ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Validation does not work with esapi jakarta jar #837

Closed popa-raluca closed 2 months ago

popa-raluca commented 2 months ago

Describe the bug

I'm trying to use the ESAPI library to validate input fields. I have a Gradle project with Spring Boot 3.2.3, and I added the ESAPI lib with:

```
implementation 'org.owasp.esapi:esapi:2.5.3.0:jakarta'
```

Trying to run the following code:

```java
ESAPI.validator().getValidInput("Safe String", input, "SafeString", 1024, false, true)
```

it will fail with a ClassNotFoundException and the following stack trace:

```
java.lang.ClassNotFoundException: javax.servlet.http.HttpServletRequest
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) ~[na:na]
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[na:na]
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526) ~[na:na]
    at java.base/java.lang.Class.getDeclaredMethods0(Native Method) ~[na:na]
    at java.base/java.lang.Class.privateGetDeclaredMethods(Class.java:3578) ~[na:na]
    at java.base/java.lang.Class.getMethodsRecursive(Class.java:3719) ~[na:na]
    at java.base/java.lang.Class.getMethod0(Class.java:3705) ~[na:na]
    at java.base/java.lang.Class.getMethod(Class.java:2393) ~[na:na]
    at org.owasp.esapi.util.ObjFactory.loadMethodByStringName(ObjFactory.java:196) ~[esapi-2.5.3.1.jar:2.5.3.1]
    at org.owasp.esapi.util.ObjFactory.findSingletonCreateMethod(ObjFactory.java:173) ~[esapi-2.5.3.1.jar:2.5.3.1]
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:84) ~[esapi-2.5.3.1.jar:2.5.3.1]
    at org.owasp.esapi.ESAPI.validator(ESAPI.java:192) ~[esapi-2.5.3.1.jar:2.5.3.1]
```

Looking at the codebase, in DefaultValidator I can see it has `import javax.servlet.http.HttpServletRequest;`.

kwwall commented 2 months ago

This line in your exception stack trace:

at org.owasp.esapi.util.ObjFactory.loadMethodByStringName(ObjFactory.java:196) ~[esapi-2.5.3.1.jar:2.5.3.1]

shows that you are using the wrong jar file. The Jakarta jar file for ESAPI should be named 'esapi-jakarta-2.5.3.1.jar' instead. (E.g., see https://repo1.maven.org/maven2/org/owasp/esapi/esapi/2.5.3.1/.) Maybe Gradle pulled down both versions or the wrong version, I'm not sure. If you want to create a mini dummy project using your build.gradle and Spring Boot 3.x, I can take a look at it and see if I can figure it out, but otherwise I don't have the time to troubleshoot this for quite some time.

kwwall commented 2 months ago

@popa-raluca - BTW, one quick and dirty workaround might be for you to explicitly download the 'esapi-jakarta-2.5.3.1.jar' directly from https://repo1.maven.org/maven2/org/owasp/esapi/esapi/2.5.3.1/ and then rename 'esapi-jakarta-2.5.3.1.jar' as 'esapi-2.5.3.1.jar'. It's admittedly a bit of a kludge, but it should allow you to make progress. If this happens with the Jakarta version of the jar though, please let us know. I just used 'strings' to confirm that the 'javax.servlet.http' package had been rewritten (at the byte-code level) as 'jakarta.servlet.http', but that's the only testing I did on it.
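The `strings` check above can be automated. The script below is an added example, not code from the ESAPI project or from this thread: it opens each jar as a zip, scans every `.class` entry for constant-pool references to `javax/servlet/` or `jakarta/servlet/`, and reports which servlet API the jar was compiled (or bytecode-rewritten) against, which is the same fact kwwall confirmed by hand. Class files store fully qualified names with `/` separators, so a byte search is sufficient. The two fixture jars built by `demo()` are constructed for illustration (a pseudo `.class` entry containing a reference string, not real bytecode); on a real classpath you would point `audit_classpath` at the jars Gradle resolved.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Constant-pool references look like "javax/servlet/http/HttpServletRequest".
SERVLET_REF = re.compile(rb"(javax|jakarta)/servlet/")


def servlet_namespaces(jar_path):
    """Return the set of servlet API namespaces ("javax", "jakarta")
    referenced by any .class entry in the jar. Mirrors `strings jar | grep servlet`."""
    found = set()
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            for match in SERVLET_REF.finditer(jar.read(entry)):
                found.add(match.group(1).decode("ascii"))
    return found


def classify_jar(jar_path):
    """Collapse the namespace set to one verdict a build check can act on."""
    namespaces = servlet_namespaces(jar_path)
    if namespaces == {"jakarta"}:
        return "jakarta"
    if namespaces == {"javax"}:
        return "javax"
    if not namespaces:
        return "none"
    return "mixed"  # a jar that references both is a red flag in either stack


def audit_classpath(jar_paths, expected):
    """For each jar, return (file name, verdict, ok) where ok means the jar
    either does not touch the servlet API at all or matches `expected`
    ("jakarta" for Spring Boot 3.x, "javax" for Spring Boot 2.x)."""
    report = []
    for path in jar_paths:
        verdict = classify_jar(path)
        report.append((Path(path).name, verdict, verdict in ("none", expected)))
    return report


def build_fixture_jar(path, class_name, namespace):
    """Constructed fixture: a jar with one pseudo .class entry whose bytes
    contain a reference to the given servlet namespace. Not a real class file."""
    payload = (b"\xca\xfe\xba\xbe" + class_name.encode("ascii") + b"\x00"
               + f"{namespace}/servlet/http/HttpServletRequest".encode("ascii"))
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(class_name + ".class", payload)
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Build a legacy-style and a jakarta-style fixture jar (names follow the
    Maven Central artifacts mentioned in the thread) and audit them as if
    they were on a Spring Boot 3.x classpath."""
    with tempfile.TemporaryDirectory() as tmp:
        legacy = Path(tmp) / "esapi-2.5.3.1.jar"
        jakarta = Path(tmp) / "esapi-jakarta-2.5.3.1.jar"
        validator = "org/owasp/esapi/reference/DefaultValidator"
        build_fixture_jar(legacy, validator, "javax")
        build_fixture_jar(jakarta, validator, "jakarta")
        return audit_classpath([legacy, jakarta], expected="jakarta")


if __name__ == "__main__":
    for name, verdict, ok in demo():
        print(f"{name}: {verdict} {'OK' if ok else 'WRONG API FOR THIS STACK'}")
```

Running this over Gradle's resolved runtime classpath (for example the jars under `build/` after `gradle clean build --refresh-dependencies`) catches the situation in this issue before the first `ESAPI.validator()` call does: a jar named `esapi-<version>.jar` that still references `javax/servlet/` on a Spring Boot 3.x classpath is flagged immediately.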

popa-raluca commented 2 months ago

I think the problem was that the initial dependency that I added was without the jakarta identifier, and a clean build didn't add the correct lib afterwards. I was able to force a redownload of the dependencies using `gradle clean build --refresh-dependencies`, and then the right jakarta jar was added.