OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License

ESAPI 2.2.0.0-RC2 causes compilation errors in Java Encoder project #31

Closed kwwall closed 4 years ago

kwwall commented 5 years ago

Running 'mvn compile' causes the following compilation errors in the encoder-esapi artifact (aka, ESAPI Thunk) when used with esapi-2.2.0.0-rc2.jar:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project encoder-esapi: Compilation failure
[ERROR] /home/kww/Code/GitHub/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java:[128,13] org.owasp.encoder.esapi.ESAPIEncoder.Impl is not abstract and does not override abstract method getCanonicalizedURI(java.net.URI) in org.owasp.esapi.Encoder

Note that this problem was described as part of your GitHub issue #30 but is not related to that. It was the serendipitous discovery caused by the non-pinned ESAPI transitive dependency that allowed this issue to be discovered.

If you want to eventually be able to support ESAPI 2.2.0.0 this will need to be fixed.

guruhb commented 5 years ago

A week ago owasp compiled without the error below (but compilation is failing now): org.owasp.encoder.esapi.ESAPIEncoder.Impl is not abstract and does not override abstract method getCanonicalizedURI(java.net.URI) in org.owasp.esapi.Encoder

I haven't changed the version of "mvn or java", and I am even getting the same error on released tags v1.2.1 and v1.2.2. What could lead to this compilation failure?

kwwall commented 5 years ago

It's failing because the ESAPI dependency is not pinned to a specific version, so the latest 2.x ESAPI jar gets used. But on 4/29, we pushed a new ESAPI release to Maven Central (2.2.0.0-RC2) which it is now pulling down. That new ESAPI jar has changed some of the interfaces. Thus the compilation errors.

-kevin

Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall NSA: All your crypto bit are belong to us.

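The failure described in the comment above, an unpinned ESAPI dependency resolving to a newly published release, can be caught before a build breaks by auditing a POM for floating versions. The Python below is an added example, not code from this thread or from the project; the sample POM and its version values are constructed, and `classify` and `audit_pom` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM; the versions are illustrative, not the project's real pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><slf4j.version>1.7.30</slf4j.version></properties>
  <dependencies>
    <dependency><groupId>org.owasp.esapi</groupId><artifactId>esapi</artifactId>
      <version>[2.0,3.0)</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>${slf4j.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>[4.13.2]</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>demo-lib</artifactId>
      <version>LATEST</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>managed-lib</artifactId></dependency>
  </dependencies>
</project>"""

HARD_PIN = re.compile(r"^\[[^,\[\]()]+\]$")  # "[4.13.2]" means exactly that version
PROPERTY = re.compile(r"^\$\{([^}]+)\}$")    # "${name}" reference to <properties>

def classify(version):
    """Return 'pinned' or 'floating' for a literal Maven version string."""
    v = version.strip()
    if v in ("LATEST", "RELEASE") or v.endswith("-SNAPSHOT"):
        return "floating"  # resolved anew against the repository
    if v.startswith(("[", "(")):
        return "pinned" if HARD_PIN.match(v) else "floating"
    return "pinned"

def audit_pom(pom_text):
    """List (coordinates, resolved version, verdict) for each <dependency>."""
    root = ET.fromstring(pom_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []
    for dep in root.iter("dependency"):
        coords = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
        raw = dep.findtext("version")
        if raw is None:  # version comes from a parent or dependencyManagement
            findings.append((coords, None, "inherited"))
            continue
        ref = PROPERTY.match(raw.strip())
        version = props.get(ref.group(1)) if ref else raw.strip()
        verdict = classify(version) if version else "unresolved"
        findings.append((coords, version or raw.strip(), verdict))
    return findings
```

Entries reported as `inherited` or `unresolved` take their version from a parent POM or `dependencyManagement` section, so that file needs the same audit.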

jmanico commented 4 years ago

I am assuming this is fixed, please reopen if not.

kwwall commented 4 years ago

@jmanico - Not fixed; needs reopened. If you ask nicely, I'll even submit a PR. :)

jmanico commented 4 years ago

Can we please have a PR, Kevin? Pretty please?

-- Jim Manico @Manicode


kwwall commented 4 years ago

@jmanico - Since the OWASP Java Encoder project is already using SLF4J and has that configured, I am just going to configure ESAPI to use SLF4J. That will greatly simplify things since I don't need to use the esapi-java-logging.properties and can eliminate some of the Logger properties.

kwwall commented 4 years ago

Okay; upon close look, you are not using any logger at all, so exceptions are not logged. But NBD. SLF4J works better without configuration than does JUL.