search

OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License
487 stars 111 forks source link

Unable to compile v1.2.3 branch with JDK8 #74

Closed janikgithub closed 2 months ago

janikgithub commented 2 months ago

I am building v1.2.3 

bash-4.2$ javac -version
javac 1.8.0_412
bash-4.2$ mvn -v
Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /scratch/apache-maven/apache-maven-3.6.3

mvn clean package
INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
[ERROR] /scratch/gitroot/oswap/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java:[131,13] org.owasp.encoder.esapi.ESAPIEncoder.Impl is not abstract and does not override abstract method decodeFromJSON(java.lang.String) in org.owasp.esapi.Encoder
[INFO] 1 error
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for OWASP Java Encoder Project 1.2.3:
[INFO] 
[INFO] OWASP Java Encoder Project ......................... SUCCESS [  8.897 s]
[INFO] Java Encoder ....................................... SUCCESS [ 25.773 s]
[INFO] JSP Encoder ........................................ SUCCESS [  3.623 s]
[INFO] ESAPI Thunk ........................................ FAILURE [  9.044 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  47.522 s
[INFO] Finished at: 2024-07-26T00:23:13Z
[INFO] ------------------------------------------------------------------------
kwwall commented 2 months ago

@jmanico - Since this is related to ESAPI Thunk, you can assign this issue to me and I'll create a PR for it. It probably just needs a newer version of ESAPI. I am unable to assign this GH issue to myself.

kwwall commented 2 months ago

That's why I addressed the comment to @jmanico as he's one of the GitHub repo owners and should be able to do that.

On Thu, Jul 25, 2024, 11:22 PM janikgithub @.***> wrote:

I am not sure how to assign this issue to you.

— Reply to this email directly, view it on GitHub https://github.com/OWASP/owasp-java-encoder/issues/74#issuecomment-2251888379, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAO6PG7XNNVFB3BIGPJGTXLZOG6GBAVCNFSM6AAAAABLPRASFOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJRHA4DQMZXHE . You are receiving this because you commented.Message ID: @.***>

jeremylong commented 2 months ago

Would be as simple as adding:

        public String decodeFromJSON(String s) {
            throw new UnsupportedOperationException("OWASP Java Encoder does not support decoding");
        }

        public String encodeForJSON(String s) {
            // forJavaScriptSource(s) could be used instead.
            return Encode.forJavaScript(s);
        }

I'm just not sure if the ESAPI implementation expects the output to be quoted or not?

jeremylong commented 2 months ago

If adding those two methods works - I can just push a PR. LMK

janikgithub commented 2 months ago

Is there an ETA for the PR? Thanks

kwwall commented 2 months ago

@jeremylong - I think there's a few problems with with your proposal:

  1. The idea of ESAPI Thunk is so that developers an still use ESAPI, but with the Java Encoder Project rather than ESAPI's default Encoder (DefaultEncoder). However if you just throw an exception for decodeFromJSON that will be inconsistent with other places where you are deferring to the ESAPI decoder which will cause confusion.
  2. If you decide to make it consistent by changing your ESAPIEncoder calls to decodeForHTML, decodeFromURL, and decodeFromBase64 then that could potentially break your client's code.
  3. The base version of ESAPI that supports JSON encoding / decoding is 2.5.1.0. You'd have to at least change your minimum lower bound for the ESAPI version accepted from 2.2.3.1 to 2.5.1.0. (Or, if you want to only accept versions of ESAPI that use the new Jakarta Servlet API rather than the older JavaEE Servlet API, you need to make 2.5.3.0 the base line and possibly allow for the optional 'jarkarta' \ to be passed down.

Note that we didn't make a big deal of keeping the same minor version # for this as best practice is to pin versions and ranges are discouraged. And 2.x has been around for so long and has had breaking changes (e.g., removing deprecating methods) and we generally reserve changing he minor # for breaking changes that are not 100% backward compatible. And since adding new features is backward compatible and we didn't bother to change the minor version # here. So, yeah, we have take some liberties with semantic versioning (although no more than Java's JDK itself), but I either forgot or wasn't aware that you were not using a pinned version of ESAPI.

jeremylong commented 2 months ago

@kwwall can you look at https://github.com/OWASP/owasp-java-encoder/pull/76? Currently getting:

testEncode(org.owasp.encoder.esapi.ESAPIEncoderTest)  Time elapsed: 0.221 sec  <<< ERROR!
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.encoder.esapi.ESAPIEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
    at org.owasp.encoder.esapi.ESAPIEncoderTest.testEncode(ESAPIEncoderTest.java:26)
Caused by: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 24 more
Caused by: java.lang.ExceptionInInitializerError
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:315)
    at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:85)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:109)
    at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:68)
    at org.owasp.encoder.esapi.ESAPIEncoder$Impl.<init>(ESAPIEncoder.java:141)
    at org.owasp.encoder.esapi.ESAPIEncoder$Impl.<clinit>(ESAPIEncoder.java:135)
    at org.owasp.encoder.esapi.ESAPIEncoder.getInstance(ESAPIEncoder.java:118)
    ... 29 more
Caused by: org.owasp.esapi.errors.ConfigurationException: esapi-java-logging.properties is no longer supported.  See https://github.com/ESAPI/esapi-java-legacy/wiki/Configuring-the-JavaLogFactory for information on corrective actions.
    at org.owasp.esapi.logging.java.JavaLogFactory.<clinit>(JavaLogFactory.java:106)
    ... 41 more

testSerialization(org.owasp.encoder.esapi.ESAPIEncoderTest)  Time elapsed: 0.001 sec  <<< ERROR!
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.encoder.esapi.ESAPIEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
    at org.owasp.encoder.esapi.ESAPIEncoderTest.testSerialization(ESAPIEncoderTest.java:34)
Caused by: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 24 more
Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.owasp.encoder.esapi.ESAPIEncoder$Impl
    at org.owasp.encoder.esapi.ESAPIEncoder.getInstance(ESAPIEncoder.java:118)
    ... 29 more
kwwall commented 2 months ago

AFKB, but this one is easy. Find and delete the 'esapi-java-logging.properties' file. Full details for corrective actions at:

https://github.com/ESAPI/esapi-java-legacy/wiki/Configuring-the-JavaLogFactory

On Sun, Jul 28, 2024, 7:43 AM Jeremy Long @.***> wrote:

@kwwall https://github.com/kwwall can you look at #76 https://github.com/OWASP/owasp-java-encoder/pull/76? Currently getting:

testEncode(org.owasp.encoder.esapi.ESAPIEncoderTest) Time elapsed: 0.221 sec <<< ERROR! org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.encoder.esapi.ESAPIEncoder) CTOR threw exception. at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129) at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101) at org.owasp.encoder.esapi.ESAPIEncoderTest.testEncode(ESAPIEncoderTest.java:26) Caused by: java.lang.reflect.InvocationTargetException at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) ... 24 more Caused by: java.lang.ExceptionInInitializerError at java.base/java.lang.Class.forName0(Native Method) at java.base/java.lang.Class.forName(Class.java:315) at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158) at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81) at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139) at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155) at org.owasp.esapi.reference.DefaultEncoder.(DefaultEncoder.java:85) at org.owasp.esapi.reference.DefaultEncoder.(DefaultEncoder.java:109) at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:68) at org.owasp.encoder.esapi.ESAPIEncoder$Impl.(ESAPIEncoder.java:141) at org.owasp.encoder.esapi.ESAPIEncoder$Impl.(ESAPIEncoder.java:135) at org.owasp.encoder.esapi.ESAPIEncoder.getInstance(ESAPIEncoder.java:118) ... 29 more Caused by: org.owasp.esapi.errors.ConfigurationException: esapi-java-logging.properties is no longer supported. See https://github.com/ESAPI/esapi-java-legacy/wiki/Configuring-the-JavaLogFactory for information on corrective actions. at org.owasp.esapi.logging.java.JavaLogFactory.(JavaLogFactory.java:106) ... 41 more

testSerialization(org.owasp.encoder.esapi.ESAPIEncoderTest) Time elapsed: 0.001 sec <<< ERROR! org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.encoder.esapi.ESAPIEncoder) CTOR threw exception. at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129) at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101) at org.owasp.encoder.esapi.ESAPIEncoderTest.testSerialization(ESAPIEncoderTest.java:34) Caused by: java.lang.reflect.InvocationTargetException at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) ... 24 more Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.owasp.encoder.esapi.ESAPIEncoder$Impl at org.owasp.encoder.esapi.ESAPIEncoder.getInstance(ESAPIEncoder.java:118) ... 29 more

— Reply to this email directly, view it on GitHub https://github.com/OWASP/owasp-java-encoder/issues/74#issuecomment-2254487572, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAO6PG5IBHRFFQG55OIG3D3ZOTKOZAVCNFSM6AAAAABLPRASFOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGQ4DONJXGI . You are receiving this because you were mentioned.Message ID: @.***>

janikgithub commented 2 months ago

Will this PR be merged into v1.2.3? Thanks

jeremylong commented 2 months ago

no - we will be releasing 1.3.0 once the rest of the PRs are merged.

janikgithub commented 2 months ago

What JDK will it support? Any ETA? Thanks

jeremylong commented 2 months ago

resulting jars will be Java 8 - but it will require Java 17 to build and test due to the required dependencies for the jakarta-jsp test cases.

dwong77 commented 2 months ago

What is the ETA for the 1.3.0 release? Thanks

jeremylong commented 2 months ago

this week