[Esapi-user] Fortify vs ESAPI 2.0

Jim Manico jim.manico at owasp.org
Wed Feb 2 22:34:22 EST 2011

I'm running the latest version of Fortify 360 against the trunk of ESAPI 2.0.

I squashed the test cases and other unnecessary code.

I staged up the results here (this is the raw Fortify results file).


There are several false positive findings (XSS in validation exceptions, we can't encode - we do not know the context of display yet).

There are also several potential real findings (path manipulation in our Base64 encoder)

public static boolean decodeFileToFile( String infile, String outfile )
        boolean success = false;
        java.io.InputStream in = null;
        java.io.OutputStream out = null;
            in  = new Base64.InputStream(
                      new java.io.BufferedInputStream(
                      new java.io.FileInputStream( infile ) ),
                      Base64.DECODE );
            out = new java.io.BufferedOutputStream( new
java.io.FileOutputStream( outfile ) );

(and privacy issues leaking password data)

    protected DefaultUser getUserFromRememberToken() {
        try {
            String username = data[0];
            String password = data[1];
            System.out.println("DATA0: " + username);
            System.out.println("DATA1:" + password);

If you are interested, please take a look at the raw Fortify file. We
should triage this list and solve the most critical issues before we go
to GA.

- Jim

More information about the Esapi-user mailing list