[Esapi-user] WAF problems

Jim Manico jim.manico at owasp.org
Thu Feb 3 13:36:12 EST 2011


I agree, this is just configuration file loading which happens infrequently
and is likely not attacker driven.

However, this is (very) bad practice for a web application in general. If
you depend on garbage collection to close streams, then you lose control of
when that happens. If for any reason file I/O in the WAF occurs on a more
frequent basis, it could (key word, could) be easy to DOS a high traffic
site since file pointers are not released until the stream is closed - and
garbage collection time cannot be deterministically triggered via code. We
ran into this at Sun quite a bit for high traffic sites.

So I would call this a "low" level finding, not a critical issue, to Jeff's
point. But we should "fix" this someday.

- Jim

On Thu, Feb 3, 2011 at 7:37 AM, Jeff Williams <
jeff.williams at aspectsecurity.com> wrote:

> The best practice is to close these in a finally block (not always as
> simple as it looks). But my understanding is that there are built-in
> finalizers that will close file handle streams when they're not used any
> more. Note that all three of these cases are very unlikely to be called
> frequently, and there is no way for an attacker to make it happen, so the idea
> that they represent a DOS vulnerability is remote to say the least.
>
> --Jeff
>
>
> -----Original Message-----
> From: esapi-user-bounces at lists.owasp.org
> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Wednesday, February 02, 2011 10:41 PM
> To: ESAPI-Developers; ESAPI Users List
> Subject: [Esapi-user] WAF problems
>
> If you are using the ESAPI 2.0 WAF, take note. I noticed that there are
> a few instances where streams are not being closed properly. (I think)
> this could lead to a DOS or resource problem. Could you please confirm?
>
>        private String getFileContents(File f) throws IOException {
>
>                FileReader fr = new FileReader(f);
>                StringBuffer sb = new StringBuffer();
>                String line;
>                BufferedReader br = new BufferedReader(fr); // <- never released
>
>                while( (line=br.readLine()) != null ) {
>                        sb.append(line + System.getProperty("line.separator"));
>                }
>
>                return sb.toString();
>        }
>
>
>
> and
>
>
>
>        public void setConfiguration( String policyFilePath, String webRootDir ) throws FileNotFoundException {
>                try {
>                        appGuardConfig = ConfigurationParser.readConfigurationFile(new FileInputStream(new File(policyFilePath)), webRootDir);
>                        lastConfigReadTime = System.currentTimeMillis();
>                        configurationFilename = policyFilePath;
>                } catch (ConfigurationException e ) {
>                        // TODO: It would be ideal if this method threw the ConfigurationException
>                        // rather than catching it and writing the error to the console.
>                        e.printStackTrace();
>                }
>        }
>
>
>
> and
>
>                /*
>                 * Open up configuration file and populate the AppGuardian configuration object.
>                 */
>
>                try {
>
>                        String webRootDir = fc.getServletContext().getRealPath("/");
>                        appGuardConfig = ConfigurationParser.readConfigurationFile(new FileInputStream(configurationFilename), webRootDir);
>
>                        DOMConfigurator.configure(realLogSettingsFilename);
>
>                        lastConfigReadTime = System.currentTimeMillis();
>
>                } catch (FileNotFoundException e) {
>                        throw new ServletException(e);
>                } catch (ConfigurationException e) {
>                        throw new ServletException(e);
>                }
>
>        }
>
>
> Thoughts?
>
> - Jim
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
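Jeff's finally-block fix applied to the two patterns quoted above, as an added example that is not ESAPI's own code: the reader in getFileContents and the FileInputStream handed to the configuration parser are each closed by the code that opened them, whether the read succeeds or throws. StreamCloseExample, loadConfig and parse are hypothetical names standing in for the WAF classes and for ConfigurationParser.readConfigurationFile.

```java
import java.io.*;

/** Hypothetical class, not part of ESAPI: the two leaky patterns from the thread with close() moved into finally. */
public class StreamCloseExample {

    /** Same logic as the WAF's getFileContents, but the reader is always released. */
    static String getFileContents(File f) throws IOException {
        BufferedReader br = new BufferedReader(new FileReader(f));
        try {
            StringBuilder sb = new StringBuilder();
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append(System.getProperty("line.separator"));
            }
            return sb.toString();
        } finally {
            // Runs on normal return and on any exception, so the file handle is
            // freed deterministically instead of whenever a GC finalizer runs.
            br.close();
        }
    }

    /** The setConfiguration pattern: whoever opens the stream closes it, not the parser. */
    static void loadConfig(String policyFilePath) throws IOException {
        InputStream in = new FileInputStream(new File(policyFilePath));
        try {
            parse(in); // stand-in for ConfigurationParser.readConfigurationFile (hypothetical)
        } finally {
            in.close();
        }
    }

    /** Hypothetical stand-in parser: just drains the stream. */
    static void parse(InputStream in) throws IOException {
        byte[] buf = new byte[4096];
        while (in.read(buf) != -1) { /* consume */ }
    }

    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("waf-policy", ".xml"); // constructed sample file
        tmp.deleteOnExit();
        FileWriter w = new FileWriter(tmp);
        try { w.write("<policy/>\n"); } finally { w.close(); }
        System.out.println(getFileContents(tmp).trim());
        loadConfig(tmp.getPath());
    }
}
```

On Java 7 and later the same guarantee is spelled more compactly with try-with-resources, which calls close() in the generated finally for you.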