[Esapi-user] Fortify vs ESAPI 2.0

Chris Schmidt chrisisbeef at gmail.com
Wed Feb 2 22:46:58 EST 2011


:facepalm: I thought i squashed all those system outs... Grrrrr

Sent from my iPwn

On Feb 2, 2011, at 8:34 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I'm running the latest version of Fortify 360 against the trunk of ESAPI 2.0.
> 
> I squashed the test cases and other unnecessary code.
> 
> I staged up the results here (this is the raw Fortify results file).
> 
> http://manico.net/ESAPI20.fpr
> 
> There are several false positive findings (XSS in validation exceptions, we can't encode - we do not know the context of display yet).
> 
> There are also several potential real findings (path manipulation in our Base64 encoder)
> 
> public static boolean decodeFileToFile( String infile, String outfile )
>    {
>        boolean success = false;
>        java.io.InputStream in = null;
>        java.io.OutputStream out = null;
>        try{
>            in  = new Base64.InputStream(
>                      new java.io.BufferedInputStream(
>                      new java.io.FileInputStream( infile ) ),
>                      Base64.DECODE );
>            out = new java.io.BufferedOutputStream( new
> java.io.FileOutputStream( outfile ) );
> 
> (and privacy issues leaking password data)
> 
>    protected DefaultUser getUserFromRememberToken() {
>        try {
> .
> .
> .
>            String username = data[0];
>            String password = data[1];
>            System.out.println("DATA0: " + username);
>            System.out.println("DATA1:" + password);
> 
> If you are interested, please take a look at the raw Fortify file. We
> should triage this list and solve the most critical issues before we go
> to GA.
> 
> - Jim
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user


More information about the Esapi-user mailing list