Fierozen / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

DefaultSecurityConfiguration.getInstance causes NullPointerException when ESAPI.properties doesn't exist #205

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. I stumbled across this while calling static methods on ELEncodeFunctions, 
but it seems like it would affect anything that uses ObjFactory to get a 
SecurityConfiguration.
Putting a blank ESAPI.properties file on the classpath makes it work.

What is the expected output? What do you see instead?
Ideally I shouldn't need to set up an empty properties file just to be able to 
use basic (html/javascript/whatever)-escaping. If you insist on a properties 
file, at least make it do something useful when it can't load its config 
instead of logging a warning and then going down a code path that is guaranteed 
to cause an NPE.

What version of the product are you using? On what operating system?
2.0_rc10

Does this issue affect only a specified browser or set of browsers?
Not browser-specific

Please provide any additional information below.

Here's the stack trace (including a little bit of context from using the static 
methods via EL):
Caused by: javax.el.ELException: Problems calling function 
'esapi:encodeForHTMLAttribute'
    at org.apache.el.parser.AstFunction.getValue(AstFunction.java:115)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:938)
    at org.apache.jsp.WEB_002dINF.jsp.search_005fquery_005flog_jsp._jspService(search_005fquery_005flog_jsp.java:173)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:386)
    ... 31 more
Caused by: org.owasp.esapi.errors.ConfigurationException: 
java.lang.reflect.InvocationTargetException SecurityConfiguration class 
(org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:182)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
    at org.owasp.esapi.tags.ELEncodeFunctions.encodeForHTMLAttribute(ELEncodeFunctions.java:104)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.el.parser.AstFunction.getValue(AstFunction.java:110)
    ... 37 more
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 45 more
Caused by: java.lang.NullPointerException
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.getESAPIProperty(DefaultSecurityConfiguration.java:1057)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.setCipherXProperties(DefaultSecurityConfiguration.java:245)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:220)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:75)
    ... 50 more

Original issue reported on code.google.com by marsh...@software.mpierce.org on 3 Feb 2011 at 1:30

GoogleCodeExporter commented 9 years ago
This should now be fixed as a result of SVN revision 1700 and a fix to Google 
Issue #207.

You should now get a meaningful ConfigurationException thrown if no 
ESAPI.properties
file can be loaded.

Original comment by kevin.w.wall@gmail.com on 4 Feb 2011 at 7:21