demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

Need a version of EncryptedProperties that extends java.util.Properties #157

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
We need an implementation of EncryptedProperties that extends from 
java.util.Properties so that it can be used with other classes/frameworks that 
require an instance of Properties. 

This should NOT be a change to DefaultEncryptedProperties since that might 
effect current users of that class. 

The getProperty() and setProperty() methods must throw a RuntimeException if 
encryption fails. 

A careful examination of the overridden methods in Properties and Hashtable 
must be made to ensure that no vulnerabilities are introduced. 

Original issue reported on code.google.com by augu...@gmail.com on 11 Oct 2010 at 7:30

GoogleCodeExporter commented 8 years ago
Clarification: setProperty() and getProperty() methods should not simply throw 
RuntimeException for failed encryption / decryption. Rather, they should throw 
some new _subclass_ of RuntimeException; e.g., EncryptionRuntimeException. 
Furthermore this unchecked exception should be declared in the method signature 
(even though it is not strictly required) as well as being described in the 
methods' javadoc. This will make it easier for developers to handle that 
exception if they should so desire.

Original comment by kevin.w.wall@gmail.com on 11 Oct 2010 at 9:09

GoogleCodeExporter commented 8 years ago
Three new classes attached for review. It took a while to dig through all the 
methods of Properties and Hashtable (especially put()) to come up with suitable 
replacements. 

Original comment by augu...@gmail.com on 12 Oct 2010 at 4:07

Attachments:

GoogleCodeExporter commented 8 years ago
Updated test case, based on the one for DefaultEncryptedProperties. All tests 
pass.

Original comment by augu...@gmail.com on 12 Oct 2010 at 4:08

Attachments:

GoogleCodeExporter commented 8 years ago
These changes look good to me - unless I see comments to the contrary I will 
plan on commiting this to the trunk this evening at 6pm MST.

Original comment by chrisisbeef on 13 Oct 2010 at 8:34

GoogleCodeExporter commented 8 years ago
Checked in 4 files. In source: 

org/owasp/esapi/errors/EnterpriseSecurityRuntimeException.java
org/owasp/esapi/errors/EncryptionRuntimeException.jav
org/owasp/esapi/reference/crypto/ReferenceEncryptedProperties.java

In test: 

org/owasp/esapi/reference/crypto/ReferenceEncryptedPropertiesTest.java

Original comment by augu...@gmail.com on 13 Oct 2010 at 10:26

GoogleCodeExporter commented 8 years ago
Also just checked in several more tests and a command line utility class for 
creating, reading and writing encrypted properties files and converting 
plaintext to encrypted properties.  

Original comment by augu...@gmail.com on 14 Oct 2010 at 3:23