raviteja07 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

JavaEncryptor.seal/unseal does not escape data, unseal method not in unit tests #28

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Bad test case:
    public void testSeal2() throws IntegrityException, EncryptionException {
        Encryptor instance = ESAPI.encryptor(); 
        String plaintext = "MY:DATA";
        String seal = instance.seal( plaintext, instance.getTimeStamp() +
1000*60 );
        instance.verifySeal( seal );
        String unsealed = instance.unseal(seal);
        assertEquals(unsealed, plaintext);
    }

Information:

The seal/unseal system in JavaEncryptor uses a colon (':') to delimit the
parts of the seal (expiration, random data, and data). Because colons are
not escaped and the data not encoded, colons in the data will cause the
produced seal to be unsealable, throwing an "Invalid seal" exception.

In addition, the unseal method is not tested in the unit tests.

Recommendations in descending order of preference:

* Ascii armor the data by base64 encoding it to ensure the delimiter is not
in the data when composing the seal.

OR

* Use an escaping scheme to escape the delimiter. 

OR

* State explicitly in the doc that the data cannot contain the delimiter.

AND test the unseal method in the unit tests.

What version of the product are you using? On what operating system?
SVN revision 574.

Original issue reported on code.google.com by cyounk...@gmail.com on 7 Aug 2009 at 6:23

GoogleCodeExporter commented 9 years ago
In addition, seal() / unseal() methods use the deprecated (read "insecure") 
encrypt()
/ decrypt() methods.

Original comment by kevin.w.wall@gmail.com on 5 May 2010 at 2:49

GoogleCodeExporter commented 9 years ago
This should now be fixed as per SVN commit made on 7/26/2010 (SVN revision 
1453.)

Original comment by kevin.w.wall@gmail.com on 31 Jul 2010 at 2:25