[Esapi-user] Fortify vs ESAPI 2.0
Chris Schmidt
chrisisbeef at gmail.com
Wed Feb 2 22:46:58 EST 2011
:facepalm: I thought I squashed all those system outs... Grrrrr
Sent from my iPwn
On Feb 2, 2011, at 8:34 PM, Jim Manico <jim.manico at owasp.org> wrote:
> I'm running the latest version of Fortify 360 against the trunk of ESAPI 2.0.
>
> I squashed the test cases and other unnecessary code.
>
> I staged up the results here (this is the raw Fortify results file).
>
> http://manico.net/ESAPI20.fpr
>
> There are several false positive findings (XSS in validation exceptions, we can't encode - we do not know the context of display yet).
>
> There are also several potential real findings (path manipulation in our Base64 encoder)
>
> public static boolean decodeFileToFile( String infile, String outfile )
> {
>     boolean success = false;
>     java.io.InputStream in = null;
>     java.io.OutputStream out = null;
>     try{
>         in = new Base64.InputStream(
>                 new java.io.BufferedInputStream(
>                     new java.io.FileInputStream( infile ) ),
>                 Base64.DECODE );
>         out = new java.io.BufferedOutputStream( new
>                 java.io.FileOutputStream( outfile ) );
>
> (and privacy issues leaking password data)
>
> protected DefaultUser getUserFromRememberToken() {
>     try {
>         .
>         .
>         .
>         String username = data[0];
>         String password = data[1];
>         System.out.println("DATA0: " + username);
>         System.out.println("DATA1:" + password);
>
> If you are interested, please take a look at the raw Fortify file. We
> should triage this list and solve the most critical issues before we go
> to GA.
>
> - Jim
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
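A hardened counterpart to the decodeFileToFile fragment quoted above, added here as an illustration and not ESAPI's own code: it confines both caller-supplied names to a fixed base directory by canonicalising and prefix-checking them, and closes the streams on every path. It assumes a caller-chosen baseDir, Java 8 or later, and swaps ESAPI's Base64.InputStream for the JDK's java.util.Base64 decoder.

```java
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Base64;

/** Hypothetical hardened version of the decodeFileToFile fragment; not ESAPI code. */
public class ConfinedBase64Files {

    /** Canonicalise a caller-supplied name under baseDir and reject anything that escapes it. */
    static File resolveWithin(File baseDir, String untrustedName) throws IOException {
        File canonicalBase = baseDir.getCanonicalFile();
        // getCanonicalFile() collapses ".." segments and follows symlinks, so the
        // prefix check below covers traversal as well as links pointing outside baseDir.
        File candidate = new File(canonicalBase, untrustedName).getCanonicalFile();
        // Trailing separator so a base of "/data" does not accept "/data2/x".
        String prefix = canonicalBase.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            throw new IOException("refusing path outside " + canonicalBase + ": " + untrustedName);
        }
        return candidate;
    }

    /** Decode base64 from infile into outfile, both confined to baseDir. */
    public static boolean decodeFileToFile(File baseDir, String infile, String outfile) {
        try {
            File in = resolveWithin(baseDir, infile);
            File out = resolveWithin(baseDir, outfile);
            // MIME decoder tolerates line breaks; try-with-resources closes both streams.
            try (InputStream src = Base64.getMimeDecoder().wrap(
                         new BufferedInputStream(new FileInputStream(in)));
                 OutputStream dst = new BufferedOutputStream(new FileOutputStream(out))) {
                byte[] buf = new byte[4096];
                int n;
                while ((n = src.read(buf)) != -1) {
                    dst.write(buf, 0, n);
                }
            }
            return true;
        } catch (IOException e) {
            // Report the failure only; never echo file contents or credentials to stdout,
            // which is the same class of leak as the DATA1 println in the token code.
            System.err.println("decodeFileToFile failed: " + e.getMessage());
            return false;
        }
    }
}
```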