[Esapi-user] Fortify vs ESAPI 2.0

Jim Manico jim.manico at owasp.org
Wed Feb 2 22:49:54 EST 2011


Chris,

There is no shame here! Mistakes happen! We just need to do our due
diligence and fix this stuff before GA.

Static Analysis is your friend. It's a good piece of assurance evidence
in the hands of experts like us. ;)

Aloha,
Jim

> :facepalm: I thought I squashed all those system outs... Grrrrr
> 
> Sent from my iPwn
> 
> On Feb 2, 2011, at 8:34 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> I'm running the latest version of Fortify 360 against the trunk of ESAPI 2.0.
>>
>> I squashed the test cases and other unnecessary code.
>>
>> I staged up the results here (this is the raw Fortify results file).
>>
>> http://manico.net/ESAPI20.fpr
>>
>> There are several false positive findings (XSS in validation exceptions, we can't encode - we do not know the context of display yet).
>>
>> There are also several potential real findings (path manipulation in our Base64 encoder)
>>
>> public static boolean decodeFileToFile( String infile, String outfile )
>>    {
>>        boolean success = false;
>>        java.io.InputStream in = null;
>>        java.io.OutputStream out = null;
>>        try{
>>            in  = new Base64.InputStream(
>>                      new java.io.BufferedInputStream(
>>                      new java.io.FileInputStream( infile ) ),
>>                      Base64.DECODE );
>>            out = new java.io.BufferedOutputStream(
>>                      new java.io.FileOutputStream( outfile ) );
>>
>> (and privacy issues leaking password data)
>>
>>    protected DefaultUser getUserFromRememberToken() {
>>        try {
>> .
>> .
>> .
>>            String username = data[0];
>>            String password = data[1];
>>            System.out.println("DATA0: " + username);
>>            System.out.println("DATA1:" + password);
>>
>> If you are interested, please take a look at the raw Fortify file. We
>> should triage this list and solve the most critical issues before we go
>> to GA.
>>
>> - Jim
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
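For readers triaging the two findings quoted above (path manipulation in decodeFileToFile, password echoed to stdout in the remember-token code), here is an added illustration of what a hardened version looks like. It is not ESAPI code and not the fix the project adopted; the base directory, the "user|password" token layout and the helper names are assumptions made for the example.

```java
import java.io.*;
import java.nio.file.*;
import java.util.Base64;

// Added example, not part of ESAPI. Shows the two classes of finding from the
// Fortify scan discussed in the thread and one defensible way to close each.
public final class SafeBase64File {

    // Assumed base directory for this example; a real deployment would take it
    // from configuration, never from the caller.
    private static final Path BASE_DIR =
        Paths.get(System.getProperty("java.io.tmpdir"), "esapi-demo").toAbsolutePath().normalize();

    // Resolve a caller-supplied name inside BASE_DIR and reject anything that
    // normalizes to a location outside it (the path-manipulation finding).
    static Path confine(String name) throws IOException {
        Path p = BASE_DIR.resolve(name).toAbsolutePath().normalize();
        if (!p.startsWith(BASE_DIR)) {
            throw new IOException("path escapes base directory: " + name);
        }
        return p;
    }

    // Same contract as the quoted decodeFileToFile, but both paths are confined
    // before any file is opened, and streams are closed by try-with-resources.
    public static boolean decodeFileToFile(String infile, String outfile) {
        try (InputStream in = Base64.getMimeDecoder().wrap(
                 new BufferedInputStream(Files.newInputStream(confine(infile))));
             OutputStream out = new BufferedOutputStream(Files.newOutputStream(confine(outfile)))) {
            in.transferTo(out); // Java 9+
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    // Remember-token parsing that never writes the secret to stdout or a log
    // (the privacy finding). Assumed layout: "username|password".
    static String[] parseRememberToken(String decoded) {
        String[] data = decoded.split("\\|", 2);
        if (data.length != 2) {
            throw new IllegalArgumentException("malformed remember token");
        }
        return data; // caller uses data[0] and data[1]; neither is printed here
    }

    public static void main(String[] args) throws IOException {
        Files.createDirectories(BASE_DIR);
        Files.write(BASE_DIR.resolve("hello.b64"), "aGVsbG8gd29ybGQ=".getBytes()); // constructed input
        System.out.println("in-tree decode ok: " + decodeFileToFile("hello.b64", "hello.txt"));
        System.out.println("escape rejected:   " + !decodeFileToFile("../outside.b64", "out.txt"));
    }
}
```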