nxbdi / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

ESAPI.properties file not being built / deployed as part of production downloads #309

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The 'configuration/esapi/ESAPI.properties' file and all other files under the 
'configuration/esapi' directory are missing from the ESAPI production builds. 
(E.g., it is missing from the 2.1.0 release.)

This is causing some to use the ESAPI.properties file found in 
'src/test/resources/esapi/ESAPI.properties' which has some (intentionally) 
insecure additional property values (e.g., 
Encryptor.cipher_modes.additional_allowed=CBC,ECB -- ECB mode is normally not 
there). It also increases the likelihood that developers are using the test 
versions of Encryptor.MasterKey and Encryptor.MasterSalt property values.

Original issue reported on code.google.com by kevin.w.wall@gmail.com on 22 Oct 2013 at 5:04
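
One way to audit a deployed ESAPI.properties for the two risks described in this report, as an added example (not part of the original issue or the ESAPI code base). The function names and the sample file contents are assumptions made up for illustration; the key and salt values are placeholders.

```python
import re

# Properties the issue names as risky to inherit from the test configuration.
MODES_KEY = "Encryptor.cipher_modes.additional_allowed"
SECRET_KEYS = ("Encryptor.MasterKey", "Encryptor.MasterSalt")

def parse_properties(text):
    """Parse the common key=value subset of the Java .properties format."""
    props = {}
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash continuations
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(deployed_text, test_text=""):
    """Return findings for a deployed file, optionally compared to the test file."""
    deployed = parse_properties(deployed_text)
    test = parse_properties(test_text)
    findings = []
    modes = [m.strip().upper() for m in deployed.get(MODES_KEY, "").split(",")]
    if "ECB" in modes:
        findings.append(f"{MODES_KEY} allows ECB")
    for key in SECRET_KEYS:
        value = deployed.get(key)
        if value and value == test.get(key):
            findings.append(f"{key} matches the test configuration")
    return findings

# Constructed sample files. Key and salt values are placeholders, not real ESAPI values.
TEST_PROPS = """\
Encryptor.MasterKey=PLACEHOLDER-TEST-KEY
Encryptor.MasterSalt=PLACEHOLDER-TEST-SALT
Encryptor.cipher_modes.additional_allowed=CBC,ECB
"""
DEPLOYED_COPY = TEST_PROPS  # test file deployed unchanged
DEPLOYED_OK = """\
Encryptor.MasterKey = PLACEHOLDER-LOCAL-KEY
Encryptor.MasterSalt = PLACEHOLDER-LOCAL-SALT
Encryptor.cipher_modes.additional_allowed=CBC
"""

if __name__ == "__main__":
    for name, text in (("copy of test file", DEPLOYED_COPY), ("local file", DEPLOYED_OK)):
        print(name, "->", audit(text, TEST_PROPS) or "no findings")
```

In practice, pass the contents of the deployed file and of 'src/test/resources/esapi/ESAPI.properties' as the two arguments.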

GoogleCodeExporter commented 9 years ago
Agreed.

I started using the test properties file until during setup I realised it was 
definitely needing production tweaks before use.

Are these production files available anywhere else?

Many thanks for the product, guys.

Original comment by gli...@gmail.com on 20 May 2014 at 8:43

GoogleCodeExporter commented 9 years ago
I also can't seem to see the files here.

https://owasp-esapi-java.googlecode.com/svn/tags/esapi-2.1.0/src/main/
https://owasp-esapi-java.googlecode.com/svn/branches/2.1/

Not sure if I am looking in the right area, but this seems that the production 
files are not even committed to the version control?

Original comment by gli...@gmail.com on 20 May 2014 at 9:17

GoogleCodeExporter commented 9 years ago
You can find the latest configuration files under 'trunk/configuration/esapi'.
If you want to use SVN from the command line,
    svn checkout https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi esapi-config-files

should work. If you want to directly browse for them, start here:
https://code.google.com/p/owasp-esapi-java/source/browse/#svn%2Ftrunk%2Fconfiguration%2Fesapi

Hope that helps. And if you know how to fix this issue, I'm all ears.
-kevin wall

Original comment by kevin.w.wall@gmail.com on 21 May 2014 at 4:47

GoogleCodeExporter commented 9 years ago
Hi Kevin

Many thanks for the reply and info, will go and check it out right now.

Thanks again.

Original comment by gli...@gmail.com on 21 May 2014 at 5:27

GoogleCodeExporter commented 9 years ago
Pretty sure you can fix this by updating your dist.xml file under 
src/main/assembly. Currently you're looking for configuration/.esapi instead of 
configuration/esapi like it is in source.

    <fileSet>
        <directory>configuration</directory>
        <outputDirectory>configuration</outputDirectory>
        <includes>
            <include>.esapi/**/*</include>
            <include>log4j.dtd</include>
            <include>log4j.xml</include>
            <include>properties/**/*</include>
        </includes>
    </fileSet>

Original comment by craig.fl...@gmail.com on 18 Jul 2014 at 12:13