Closed janikgithub closed 2 months ago
@jmanico - Since this is related to ESAPI Thunk, you can assign this issue to me and I'll create a PR for it. It probably just needs a newer version of ESAPI. I am unable to assign this GH issue to myself.
That's why I addressed the comment to @jmanico as he's one of the GitHub repo owners and should be able to do that.
On Thu, Jul 25, 2024, 11:22 PM janikgithub @.***> wrote:
I am not sure how to assign this issue to you.
Would be as simple as adding:

```java
import org.owasp.encoder.Encode;

public String decodeFromJSON(String s) {
    // Java Encoder is encode-only, so decoding is not supported by this thunk.
    throw new UnsupportedOperationException("OWASP Java Encoder does not support decoding");
}

public String encodeForJSON(String s) {
    // forJavaScriptSource(s) could be used instead.
    return Encode.forJavaScript(s);
}
```
I'm just not sure whether the ESAPI implementation expects the output to be quoted or not.
If adding those two methods works, I can just push a PR. LMK
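To make the quoting question concrete, here is an added example (not code from the OWASP Java Encoder project, from ESAPI, or from this thread) of an RFC 8259 string escaper that returns the escaped body without quotes, plus a second method that wraps it, so the two possible contracts for encodeForJSON can be seen side by side. JSON only defines the `\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r`, `\t` and `\uXXXX` escapes, so an encoder that emits JavaScript-style `\xHH` forms would be rejected by a strict JSON parser. The class and method names are assumptions made for this example.

```java
/**
 * Added example, not OWASP Java Encoder or ESAPI code: escapes the body of a
 * JSON string per RFC 8259 and leaves quoting to the caller.
 * Class and method names are assumptions made for this example.
 */
public final class JsonStringEscapeExample {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Escaped JSON string body, WITHOUT the enclosing double quotes. */
    public static String escapeJsonBody(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                // Optional in JSON, but stops "</script>" from closing an HTML script block.
                case '/':  sb.append("\\/");  break;
                default:
                    // RFC 8259 requires escaping C0 controls; U+2028/U+2029 are legal JSON
                    // but end a line in JavaScript source, so they are escaped as well.
                    if (c < 0x20 || c == '\u2028' || c == '\u2029') {
                        sb.append("\\u")
                          .append(HEX[(c >> 12) & 0xF]).append(HEX[(c >> 8) & 0xF])
                          .append(HEX[(c >> 4) & 0xF]).append(HEX[c & 0xF]);
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** Complete JSON string literal: the escaped body wrapped in double quotes. */
    public static String toJsonStringLiteral(String s) {
        return "\"" + escapeJsonBody(s) + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample input: a quote, a backslash, a closing script tag and a newline.
        String input = "He said \"hi\" \\ </script>\n";
        System.out.println(escapeJsonBody(input));
        System.out.println(toJsonStringLiteral(input));
    }
}
```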
Is there an ETA for the PR? Thanks
@jeremylong - I think there's a few problems with your proposal:
decodeFromJSON
that will be inconsistent with other places where you are deferring to the ESAPI decoder, which will cause confusion. Note that we didn't make a big deal of keeping the same minor version # for this, as best practice is to pin versions and ranges are discouraged. And 2.x has been around for so long and has had breaking changes (e.g., removing deprecated methods), and we generally reserve changing the minor # for breaking changes that are not 100% backward compatible. And since adding new features is backward compatible, we didn't bother to change the minor version # here. So, yeah, we have taken some liberties with semantic versioning (although no more than Java's JDK itself), but I either forgot or wasn't aware that you were not using a pinned version of ESAPI.
@kwwall can you look at https://github.com/OWASP/owasp-java-encoder/pull/76? Currently getting:
testEncode(org.owasp.encoder.esapi.ESAPIEncoderTest) Time elapsed: 0.221 sec <<< ERROR!
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.encoder.esapi.ESAPIEncoder) CTOR threw exception.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
at org.owasp.encoder.esapi.ESAPIEncoderTest.testEncode(ESAPIEncoderTest.java:26)
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
... 24 more
Caused by: java.lang.ExceptionInInitializerError
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:315)
at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:85)
at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:109)
at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:68)
at org.owasp.encoder.esapi.ESAPIEncoder$Impl.<init>(ESAPIEncoder.java:141)
at org.owasp.encoder.esapi.ESAPIEncoder$Impl.<clinit>(ESAPIEncoder.java:135)
at org.owasp.encoder.esapi.ESAPIEncoder.getInstance(ESAPIEncoder.java:118)
... 29 more
Caused by: org.owasp.esapi.errors.ConfigurationException: esapi-java-logging.properties is no longer supported. See https://github.com/ESAPI/esapi-java-legacy/wiki/Configuring-the-JavaLogFactory for information on corrective actions.
at org.owasp.esapi.logging.java.JavaLogFactory.<clinit>(JavaLogFactory.java:106)
... 41 more
testSerialization(org.owasp.encoder.esapi.ESAPIEncoderTest) Time elapsed: 0.001 sec <<< ERROR!
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.encoder.esapi.ESAPIEncoder) CTOR threw exception.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
at org.owasp.encoder.esapi.ESAPIEncoderTest.testSerialization(ESAPIEncoderTest.java:34)
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
... 24 more
Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.owasp.encoder.esapi.ESAPIEncoder$Impl
at org.owasp.encoder.esapi.ESAPIEncoder.getInstance(ESAPIEncoder.java:118)
... 29 more
AFKB, but this one is easy. Find and delete the 'esapi-java-logging.properties' file. Full details for corrective actions at:
https://github.com/ESAPI/esapi-java-legacy/wiki/Configuring-the-JavaLogFactory
Will this PR be merged into v1.2.3? Thanks
No, we will be releasing 1.3.0 once the rest of the PRs are merged.
What JDK will it support? Any ETA? Thanks
Resulting jars will be Java 8, but it will require Java 17 to build and test due to the required dependencies for the jakarta-jsp test cases.
What is the ETA for the 1.3.0 release? Thanks
this week
I am building v1.2.3