[Esapi-dev] Code Scan
Calderon, Juan Carlos (GE, Corporate, consultant)
juan.calderon at ge.com
Wed Jun 15 12:42:13 EDT 2011
ESAPI WAF was renamed to OWASP JAVA WAF and will no longer be part of
ESAPI mainstream.
Not sure if it was already removed from ESAPI 2.0 GA, but if not, that
could be an easy way to remove these code flaws from ESAPI. Anyway, any
volunteer work is very welcome :) You can download the latest version of
the WAF here: http://code.google.com/p/owasp-java-waf/source/checkout
Regards,
Juan C Calderon
________________________________
From: Yan Yan Wang [mailto:yan.y.wang.r7lv at statefarm.com]
Sent: Wednesday, June 15, 2011 11:19 AM
To: Calderon, Juan Carlos (GE, Corporate, consultant);
esapi-dev at lists.owasp.org
Subject: RE: [Esapi-dev] Code Scan
Hi Juan,
This is a Klocwork scan on ESAPI only. I was somewhat concerned with the
findings, so I thought I'd ask y'all's opinions. :D What would you like me to
request? I probably could make the changes if desired.
Thanks!
YanYan
From: Calderon, Juan Carlos (GE, Corporate, consultant)
[mailto:juan.calderon at ge.com]
Sent: Wednesday, June 15, 2011 11:02 AM
To: Yan Yan Wang; esapi-dev at lists.owasp.org
Subject: RE: [Esapi-dev] Code Scan
All these findings are related to ESAPI WAF (except for those on the
DefaultHTTPUtilities class). I will take them into consideration for the
next release.
Question, YanYan: is this related to Fortify scans on OWASP code? If not,
then I'd like to raise a request for that specifically; I am interested in
making sure the code is high quality.
Regards,
Juan C Calderon
________________________________
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Yan Yan Wang
Sent: Wednesday, June 15, 2011 10:52 AM
To: esapi-dev at lists.owasp.org
Subject: [Esapi-dev] Code Scan
Hi everyone,
We performed a code scan on ESAPI, and I am not sure if the following
findings might be concerns. Could someone advise, please?
Thanks.
YanYan
InterceptingServletOutputStream:
Line 59
SV.DOS.TMPFILEEXIT : File 'File.createTempFile(...)' is created as temporary file but not deleted on exit : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingServletOutputStream.java : 59 : Severe : Analyze : Existing
Line 45
RLK.FIELD : Possible leak of system resource 'java.io.RandomAccessFile' stored in field 'out'. Resource is not closed in any of the class methods. : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingServletOutputStream.java : 45 : Error : Defer : Existing
InterceptingHTTPServletRequest:
Line 101
SV.DOS.TMPFILEEXIT : File 'File.createTempFile(...)' is created as temporary file but not deleted on exit : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingHTTPServletRequest.java : 101 : Severe : Analyze : Existing
DefaultHTTPUtilities:
Line 576
SV.DOS.TMPFILEEXIT : File 'f' is created as temporary file but not deleted on exit : C:\ESAPI_GA\src\main\java\org\owasp\esapi\reference\DefaultHTTPUtilities.java : 576 : Severe : Analyze : Existing
Line 305
SV.DATA.BOUND : Unvalidated user input from 'value' stored at parameter 'stringObjectEntry.getValue()' of call to setAttribute(...). This is considered to be trusted storage and its users might not perform data validation extracting from it : C:\ESAPI_GA\src\main\java\org\owasp\esapi\reference\DefaultHTTPUtilities.java : 305 : Unexpected : Defer : Existing
BeanShellRule:
Line 104
RLK.IN : Input stream 'fr' is not closed on exit. : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\rules\BeanShellRule.java : 104 : Error : Analyze : Existing
ESAPIWebApplicationFirewallFilter:
Line 166
RLK.IN : Input stream 'new FileInputStream(...)' is not closed on exit. : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\ESAPIWebApplicationFirewallFilter.java : 166 : Error : Analyze : Existing
Line 90
RLK.IN : Input stream 'new FileInputStream(...)' is not closed on exit. : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\ESAPIWebApplicationFirewallFilter.java : 90 : Error : Analyze : Existing
InterceptingHTTPServletRequest:
Line 53
RLK.FIELD : Possible leak of system resource 'java.io.RandomAccessFile' stored in field 'requestBody'. Resource is not closed in any of the class methods. : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingHTTPServletRequest.java : 53 : Error : Defer : Existing
ConfigurationParser:
Line 141
JD.CATCH : Catching 'java.lang.NullPointerException' explicitly is usually a bad practice. Use preventive checks on data instead. : C:\ESAPI_GA\src\main\java\org\owasp\esapi\waf\configuration\ConfigurationParser.java : 141 : Investigate : Analyze : Existing
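The following is an added illustration of the defect classes the scan above reports (RLK.FIELD, RLK.IN, SV.DOS.TMPFILEEXIT and JD.CATCH) and their usual remedies in Java. It is not ESAPI or OWASP Java WAF code; the class name BufferedBodyStore, the "timeout" key and the fallback value 30 are assumptions made for the example. The "before" shapes are shown beside the fixed ones: a Closeable owner so the RandomAccessFile held in a field has a close path, try-with-resources for a transient FileInputStream, an explicit delete of the temp file in close() with deleteOnExit() as the fallback, and a null check in place of catching NullPointerException.

```java
import java.io.Closeable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Hypothetical example class; not taken from ESAPI or the OWASP Java WAF.
public final class BufferedBodyStore implements Closeable {

    // "Before" shape (RLK.FIELD + SV.DOS.TMPFILEEXIT): the temp file and the
    // RandomAccessFile live in fields, and no method of the class ever closes
    // the stream or deletes the file, so both leak for the life of the JVM.
    static final class LeakyBodyStore {
        final File tmp;
        final RandomAccessFile out;
        LeakyBodyStore() throws IOException {
            tmp = File.createTempFile("body", ".bin"); // never deleted
            out = new RandomAccessFile(tmp, "rw");     // never closed
        }
    }

    private final File tmp;
    private final RandomAccessFile out;
    private boolean closed;

    public BufferedBodyStore() throws IOException {
        tmp = File.createTempFile("body", ".bin");
        tmp.deleteOnExit();                     // fallback if close() is never reached
        out = new RandomAccessFile(tmp, "rw");  // owned by this object, released in close()
    }

    public void write(byte[] chunk) throws IOException {
        if (closed) throw new IOException("store is closed");
        out.write(chunk);
    }

    // RLK.IN shape fixed: a transient stream opened inside a method is closed on
    // every exit path, including exceptions, by try-with-resources.
    public byte[] readAll() throws IOException {
        try (InputStream in = new FileInputStream(tmp)) {
            return in.readAllBytes(); // Java 9+
        }
    }

    @Override
    public void close() throws IOException {
        if (closed) return;
        closed = true;
        try {
            out.close();
        } finally {
            // Explicit cleanup; deleteOnExit() registered in the constructor
            // remains as the fallback if this delete fails.
            tmp.delete();
        }
    }

    // JD.CATCH "before" shape: the catch hides which of cfg, the value, or
    // trim() was null and silently returns a default for all of them.
    static int timeoutBefore(Map<String, String> cfg) {
        try {
            return Integer.parseInt(cfg.get("timeout").trim());
        } catch (NullPointerException e) {
            return 30;
        }
    }

    // Remedy: preventive checks on the data, so only a missing or blank value
    // yields the default and a null map is reported as the caller's error.
    static int timeoutAfter(Map<String, String> cfg) {
        if (cfg == null) throw new IllegalArgumentException("cfg must not be null");
        String raw = cfg.get("timeout");
        if (raw == null || raw.trim().isEmpty()) return 30;
        return Integer.parseInt(raw.trim());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input for the demonstration.
        try (BufferedBodyStore store = new BufferedBodyStore()) {
            store.write("constructed request body".getBytes(StandardCharsets.UTF_8));
            System.out.println(new String(store.readAll(), StandardCharsets.UTF_8));
        }
        System.out.println(timeoutAfter(Map.of("timeout", " 45 ")));
        System.out.println(timeoutAfter(Map.of()));
    }
}
```

The key design point is ownership: whichever object opens a stream or creates a temp file in a field must be the one with a close() that releases it, and callers must use it in try-with-resources; deleteOnExit() alone is not a fix for long-running servlet containers, since the file stays on disk until the JVM exits.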