[Esapi-user] Esapi-user Digest, Vol 20, Issue 7

ashish kumar gautam gautamashishkumar at gmail.com
Fri Jul 15 00:49:22 EDT 2011


On Thu, Jul 14, 2011 at 9:30 PM, <esapi-user-request at lists.owasp.org> wrote:

> Send Esapi-user mailing list submissions to
>        esapi-user at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.owasp.org/mailman/listinfo/esapi-user
> or, via email, send a message with subject or body 'help' to
>        esapi-user-request at lists.owasp.org
>
> You can reach the person managing the list at
>        esapi-user-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Esapi-user digest..."
>
>
> Today's Topics:
>
>   1. Re: [Esapi-dev] ESAPI Question (Chris Schmidt)
>   2. Upgrade Guide for ESAPI 1.4 users (Rob Spremulli)
>   3. Re: Upgrade Guide for ESAPI 1.4 users (Chris Schmidt)
>   4. how to validate binary data - example copy pdf or image file
>      (Hafiz, Abdul - Kansas City, MO)
>   5. Re: how to validate binary data - example copy pdf or image
>      file (Jim Manico)
>   6. Re: how to validate binary data - example copy pdf or image
>      file (Jeff Williams)
>   7. Re: Upgrade Guide for ESAPI 1.4 users (Kevin W. Wall)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 13 Jul 2011 11:55:49 -0600
> From: Chris Schmidt <chris.schmidt at owasp.org>
> Subject: Re: [Esapi-user] [Esapi-dev] ESAPI Question
> To: Yan Yan Wang <yan.y.wang.r7lv at statefarm.com>
> Cc: "esapi-dev at lists.owasp.org" <esapi-dev at lists.owasp.org>,
>        "Esapi-user at lists.owasp.org" <Esapi-user at lists.owasp.org>
> Message-ID: <4E1DDC25.1080503 at owasp.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Looks to me like ESAPI isn't able to find the esapi.properties file in
> your test classpath. Ensure that the properties file is accessible and
> is being found by ESAPI and you should be good to go. :)
>
> On 7/13/2011 11:51 AM, Yan Yan Wang wrote:
> > Thanks for everyone's response.
> >
> > Yes, we are testing our own code that uses ESAPI. We have tried to mock up
> requests and call setCurrent on HTTPUtilities, but it failed. Does someone have
> a JUnit test code snippet that I can take a look at? We use RSA on Windows.
> >
> > Here is the stack trace:
> >
> > java.lang.Exception: Unexpected exception,
> expected<sf.iasc.application.ssoeventhandler.exception.UnexpectedApplicationException>
>  but was<org.owasp.esapi.errors.ConfigurationException>
> >       at
> org.junit.internal.runners.MethodRoadie.runTestMethod(MethodRoadie.java:110)
> >       at
> org.junit.internal.runners.MethodRoadie$2.run(MethodRoadie.java:79)
> >       at
> org.junit.internal.runners.MethodRoadie.runBeforesThenTestThenAfters(MethodRoadie.java:87)
> >       at
> org.junit.internal.runners.MethodRoadie.runTest(MethodRoadie.java:77)
> >       at
> org.junit.internal.runners.MethodRoadie.run(MethodRoadie.java:42)
> >       at
> org.junit.internal.runners.JUnit4ClassRunner.invokeTestMethod(JUnit4ClassRunner.java:88)
> >       at
> org.junit.internal.runners.JUnit4ClassRunner.runMethods(JUnit4ClassRunner.java:51)
> >       at
> org.junit.internal.runners.JUnit4ClassRunner$1.run(JUnit4ClassRunner.java:44)
> >       at
> org.junit.internal.runners.ClassRoadie.runUnprotected(ClassRoadie.java:26)
> >       at
> org.junit.internal.runners.ClassRoadie.runProtected(ClassRoadie.java:36)
> >       at
> org.junit.internal.runners.JUnit4ClassRunner.run(JUnit4ClassRunner.java:42)
> >       at
> org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:38)
> >       at
> org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> >       at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
> >       at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
> >       at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
> >       at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
> > Caused by: org.owasp.esapi.errors.ConfigurationException:
> java.lang.reflect.InvocationTargetException SecurityConfiguration class
> (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw
> exception.
> >       at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
> >       at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:182)
> >       at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
> >       at
> sf.iasc.application.ssoeventhandler.event.RedirectingEvent.appendQueryStringToUrl(RedirectingEvent.java:114)
> >       at
> sf.iasc.application.ssoeventhandler.event.RedirectingEventTest.appendQueryStringThrowsUnexpectedApplicationExceptionWhenQueryStringParameterFailsValidation(RedirectingEventTest.java:348)
> >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >       at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
> >       at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >       at java.lang.reflect.Method.invoke(Method.java:618)
> >       at org.junit.internal.runners.TestMethod.invoke(TestMethod.java:59)
> >       at
> org.junit.internal.runners.MethodRoadie.runTestMethod(MethodRoadie.java:98)
> >       ... 16 more
> > Caused by: java.lang.reflect.InvocationTargetException
> >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >       at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
> >       at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >       at java.lang.reflect.Method.invoke(Method.java:618)
> >       at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
> >       ... 26 more
> > Caused by: java.lang.NullPointerException
> >       at
> org.owasp.esapi.reference.DefaultSecurityConfiguration.getESAPIProperty(DefaultSecurityConfiguration.java:1057)
> >       at
> org.owasp.esapi.reference.DefaultSecurityConfiguration.setCipherXProperties(DefaultSecurityConfiguration.java:245)
> >       at
> org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:220)
> >       at
> org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:75)
> >       ... 31 more
> >
> > -----Original Message-----
> > From: Chris Schmidt [mailto:chris.schmidt at owasp.org]
> > Sent: Tuesday, July 12, 2011 7:52 PM
> > To: Jim Manico
> > Cc: Yan Yan Wang; esapi-dev at lists.owasp.org; Esapi-user at lists.owasp.org
> > Subject: Re: [Esapi-user] [Esapi-dev] ESAPI Question
> >
> > It sounds more like you are trying to unit test your own code that is
> using ESAPI, is that correct? If so, you will need to mock up requests and
> call setCurrent on HTTPUtilities with your mock requests prior to each test
> running (setup) and clearCurrent after each (teardown).
> >
> > Sent from my iPwn
> >
> > On Jul 12, 2011, at 5:23 PM, Jim Manico<jim.manico at owasp.org>  wrote:
> >
> >> Can you send us your log file entries illustrating this problem in
> detail?
> >>
> >> - Jim
> >>
> >>
> >>> We encountered "org.owasp.esapi.errors.ConfigurationException" during
> >>> unit testing. The JUnit test isn't running in-container as ESAPI is. We
> >>> could implement a mock object, but the tests can't verify that ESAPI is
> >>> returning the correct value since it has to run in container. Does
> >>> anyone have good suggestions for the problem?
> >>>
> >>> Thanks.
> >>>
> >>> YanYan
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Esapi-dev mailing list
> >>> Esapi-dev at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/esapi-dev
> >> _______________________________________________
> >> Esapi-user mailing list
> >> Esapi-user at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 13 Jul 2011 16:45:14 -0400
> From: Rob Spremulli <rob.spremulli+esapi at gmail.com>
> Subject: [Esapi-user] Upgrade Guide for ESAPI 1.4 users
> To: esapi-user <esapi-user at lists.owasp.org>
> Message-ID: <CAMopZBeBth_HDx+Swtquc-+pMOMcAETrYddTRYeisBaxNMOGjg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Now that 2.0 is finally released, is there any documentation regarding
> an upgrade path from 1.4 to 2.0?  Things like the ESAPI class have
> been modified to remove set methods, and I know there were major
> overhauls to the validators and encoders, which were extended in 1.4.
>
> Short of doing a diff of the source code, is there any guide for
> remediation of changes between 1.4 and 2.0?
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 13 Jul 2011 15:00:31 -0600
> From: Chris Schmidt <chris.schmidt at owasp.org>
> Subject: Re: [Esapi-user] Upgrade Guide for ESAPI 1.4 users
> To: esapi-user at lists.owasp.org
> Message-ID: <4E1E076F.1050201 at owasp.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> There really isn't - part of the justification is that the 2.0 API has
> been largely untouched for a year or more, with a few small exceptions.
> As far as signature changes, there are a few (Encoder.canonicalize being
> the biggie) but aside from the changes to the ESAPI Locator class, they
> should be backwards compatible. I can assure you that if you were to
> undertake such a task as creating an upgrade document, it would be much
> appreciated by the community. :)
>
> Keep us posted on your progress regardless and feel free to hit us up
> with any questions you may have!
>
> On 7/13/2011 2:45 PM, Rob Spremulli wrote:
> > Now that 2.0 is finally released, is there any documentation regarding
> > an upgrade path from 1.4 to 2.0?  Things like the ESAPI class have
> > been modified to remove set methods, and I know there were major
> > overhauls to the validators and encoders, which were extended in 1.4.
> >
> > Short of doing a diff of the source code, is there any guide for
> > remediation of changes between 1.4 and 2.0?
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 13 Jul 2011 22:34:47 +0000
> From: "Hafiz, Abdul - Kansas City, MO" <abdul.hafiz at kcc.usda.gov>
> Subject: [Esapi-user] how to validate binary data - example copy pdf or image file
> To: "esapi-user at lists.owasp.org" <esapi-user at lists.owasp.org>
> Message-ID: <C635728406EACE4895D07FC0D4879800013B51 at 001FSN2MPN1-024.001f.mgd2.msft.net>
>
> Content-Type: text/plain; charset="us-ascii"
>
> In the example below, I am copying a PDF file. AppScan Source reports
> Vulnerability Validation.EncodingRequired. I cannot encode in this case
> because I want an exact copy of srcFile. The only option I may have is to validate
> before writing it to the outputStream. How do I perform validation on binary data
> using ESAPI?
>
>        InputStream oInStream = null;
>        OutputStream oOutStream = null;
>        try {
>            oInStream = new FileInputStream(srcFile);
>            oOutStream = new FileOutputStream(destFile);
>
>            // Transfer bytes from in to out
>            byte[] oBytes = new byte[1024];
>            int nLength;
>            BufferedInputStream oBuffInputStream = new BufferedInputStream(oInStream);
>            // read() returns -1 at end of stream (0 only for a zero-length buffer)
>            while ((nLength = oBuffInputStream.read(oBytes)) != -1)
>            {
>                oOutStream.write(oBytes, 0, nLength);
>            }
>        } catch (IOException e){
>            throw new CopyException("IOException copying file", e);
>        } finally {
>            // close both streams even if the copy failed part-way
>            try { if (oInStream != null) oInStream.close(); } catch (IOException ignored) {}
>            try { if (oOutStream != null) oOutStream.close(); } catch (IOException ignored) {}
>        }
>
> Thanks,
> Abdul
>
>
>
> -------------------------------------------------------------------------------------------
>


I think you have to use the Apache Tika library for this purpose.


> ------------------------------
>
> Message: 5
> Date: Wed, 13 Jul 2011 15:58:39 -0700
> From: Jim Manico <jim.manico at owasp.org>
> Subject: Re: [Esapi-user] how to validate binary data - example copy pdf or image file
> To: "Hafiz, Abdul - Kansas City, MO" <abdul.hafiz at kcc.usda.gov>
> Cc: "esapi-user at lists.owasp.org" <esapi-user at lists.owasp.org>
> Message-ID: <-8491627323890759316 at unknownmsgid>
> Content-Type: text/plain; charset="iso-8859-1"
>
> ESAPI does not do file upload binary analysis. This is a brutally complex
> topic that is file-contextual.
>
> For PDF validation, this is, by far, the best research to date.
>
>
> http://blog.modsecurity.org/2010/10/advanced-topic-of-the-week-preventing-malicious-pdf-file-uploads.html
>
> - Jim Manico
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 13 Jul 2011 19:17:59 -0400
> From: "Jeff Williams" <jeff.williams at aspectsecurity.com>
> Subject: Re: [Esapi-user] how to validate binary data - example copy pdf or image file
> To: "Jim Manico" <jim.manico at owasp.org>, "Hafiz, Abdul - Kansas City, MO" <abdul.hafiz at kcc.usda.gov>
> Cc: esapi-user at lists.owasp.org
> Message-ID: <B9A412898630124ABE8350F4EBD32E8401A5D1E4 at mymail.aspectsecurity.com>
> Content-Type: text/plain; charset="us-ascii"
>
> If untrusted data is used to specify srcFile or dstFile, then AppScan
> has correctly identified a potential problem. However, they
> miscategorized it, since this is not an interpreter problem that needs
> encoding.  Rather, they should be worried about disclosing the srcFile
> data or damaging the dstFile data.
>
>
>
> On the other hand, if both srcFile and dstFile are trusted, they may be
> assuming that the content of srcFile is dangerous and shouldn't be
> copied to dstFile.  If the content of srcFile comes from an untrusted
> source, then that's also a good finding even if they misclassified that
> one too.
>
>
>
> If the srcFile and dstFile are trusted, and the content of srcFile comes
> from the local disk and is being written back to the local disk, then I
> don't see the risk.  In this case, the finding is a false alarm.
>
>
>
> --Jeff
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 14 Jul 2011 00:36:18 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] Upgrade Guide for ESAPI 1.4 users
> To: rob.spremulli+esapi at gmail.com
> Cc: esapi-user <esapi-user at lists.owasp.org>
> Message-ID: <CAOPE6PgKBW6CvVsGk11WtFcueuRH5S+Uz+yxC-2Q6HtynsYCrA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Wed, Jul 13, 2011 at 4:45 PM, Rob Spremulli
> <rob.spremulli+esapi at gmail.com> wrote:
> > Now that 2.0 is finally released, is there any documentation regarding
> > an upgrade path from 1.4 to 2.0?  Things like the ESAPI class have
> > been modified to remove set methods, and I know there were major
> > overhauls to the validators and encoders, which were extended in 1.4.
>
> Rob,
> What sort of thing did you have in mind... something that provides a
> method-by-method difference (if so, see jdiff, below) or something higher
> level, such as something at the class or even package level?
>
> I can speak for the major part that I worked on, which was the symmetric
> encryption methods (encrypt / decrypt methods). If you were using the
> symmetric encryption from ESAPI 1.4, you need to burn that code to the
> ground and use the ESAPI 2.0 Encryptor interface. (I would not recommend
> using the deprecated APIs either.)
>
> Details of why the symmetric encryption was redone are described in this
> doc:
> <http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-readme-crypto-changes.html>
>
> > Short of doing a diff of the source code, is there any guide for
> > remediation of changes between 1.4 and 2.0?
>
> I'd try jdiff (http://javadiff.sourceforge.net/) before I'd resort to
> diffing the source files. Jdiff gives you an HTML report of the API
> diffs by looking at differences in the generated Javadoc.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents."    -- Nathaniel Borenstein
>
>
> ------------------------------
>
>
>
> End of Esapi-user Digest, Vol 20, Issue 7
> *****************************************
>



-- 
Best regards,
Ashish K. Gautam
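Chris Schmidt's advice in message 1 (make ESAPI.properties findable, set the current request through HTTPUtilities before each test and clear it after) written out as a JUnit 4 test; this is an added example, not code from the thread or from ESAPI itself. It assumes ESAPI 2.0, an ESAPI.properties under src/test/resources/esapi, servlet mocks with an addParameter method (such as the ones in ESAPI's own test sources) on the test classpath, and a hypothetical RedirectHelper standing in for the code under test.

```java
import static org.junit.Assert.assertEquals;
import javax.servlet.http.HttpServletRequest;
import org.junit.After;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.ValidationException;
// Assumption: servlet mocks with an addParameter(name, value) method, such as the
// ones in ESAPI's own test sources, are on the test classpath.
import org.owasp.esapi.http.MockHttpServletRequest;
import org.owasp.esapi.http.MockHttpServletResponse;

public class RedirectHelperTest {
    /** Hypothetical code under test: it reads the request that ESAPI holds as "current". */
    static class RedirectHelper {
        String appendQueryString(String baseUrl) throws ValidationException, EncodingException {
            HttpServletRequest req = ESAPI.httpUtilities().getCurrentRequest();
            // "SafeString" is a validation pattern shipped in the default ESAPI.properties
            String token = ESAPI.validator().getValidInput(
                    "redirect token", req.getParameter("token"), "SafeString", 64, false);
            return baseUrl + "?token=" + ESAPI.encoder().encodeForURL(token);
        }
    }

    private MockHttpServletRequest request;
    private MockHttpServletResponse response;

    @BeforeClass
    public static void locateEsapiProperties() {
        // The ConfigurationException in Yan's trace means ESAPI could not find ESAPI.properties:
        // put it on the test classpath, or point this system property at its directory (assumed path).
        System.setProperty("org.owasp.esapi.resources", "src/test/resources/esapi");
    }

    @Before
    public void setUp() {
        // give ESAPI a request/response pair before each test ...
        request = new MockHttpServletRequest();
        response = new MockHttpServletResponse();
        request.addParameter("token", "abc123");
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
    }

    @After
    public void tearDown() {
        // ... and clear it afterwards so state does not leak between tests
        ESAPI.httpUtilities().clearCurrent();
    }

    @Test
    public void appendsValidatedToken() throws Exception {
        assertEquals("https://example.test/done?token=abc123",
                new RedirectHelper().appendQueryString("https://example.test/done"));
    }

    @Test(expected = ValidationException.class)
    public void rejectsTokenThatFailsValidation() throws Exception {
        request = new MockHttpServletRequest();
        request.addParameter("token", "<script>");   // fails the SafeString pattern
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        new RedirectHelper().appendQueryString("https://example.test/done");
    }
}
```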
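Jeff Williams's point in message 6 is that the exposure in Abdul's copy routine is an untrusted srcFile or dstFile, not missing output encoding. The following is an added example, not code from the thread: it confines both names to a base directory before copying, refuses to overwrite, closes the streams in a finally block, and adds only the cheapest content sanity check (the %PDF- signature), which is not the kind of PDF validation Jim's linked article covers. The class name ConfinedCopy and the base directories are assumptions.

```java
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class ConfinedCopy {

    private ConfinedCopy() {}

    /** Resolve name under base; refuse anything that escapes it (e.g. "../../etc/passwd"). */
    static File confine(File base, String name) throws IOException {
        File baseDir = base.getCanonicalFile();
        File target = new File(baseDir, name).getCanonicalFile();
        // compare with a trailing separator so "/srv/docs2" is not accepted as inside "/srv/docs"
        if (!target.getPath().startsWith(baseDir.getPath() + File.separator)) {
            throw new IOException("path escapes " + baseDir + ": " + name);
        }
        return target;
    }

    /** Cheap sanity check only: every PDF starts with "%PDF-". This is not content validation. */
    static boolean hasPdfSignature(File f) throws IOException {
        InputStream in = new FileInputStream(f);
        try {
            byte[] head = new byte[5];
            return in.read(head) == 5 && "%PDF-".equals(new String(head, "US-ASCII"));
        } finally {
            in.close();
        }
    }

    /** Copy srcName (under srcBase) to dstName (under dstBase); both names may be untrusted. */
    static void copy(File srcBase, String srcName, File dstBase, String dstName) throws IOException {
        File src = confine(srcBase, srcName);   // Jeff's "disclosing the srcFile data"
        File dst = confine(dstBase, dstName);   // Jeff's "damaging the dstFile data"
        if (!src.isFile()) throw new IOException("not a regular file: " + src);
        if (dst.exists()) throw new IOException("refusing to overwrite: " + dst);
        if (!hasPdfSignature(src)) throw new IOException("does not look like a PDF: " + src);

        InputStream in = new BufferedInputStream(new FileInputStream(src));
        OutputStream out = null;
        try {
            out = new BufferedOutputStream(new FileOutputStream(dst));
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {   // -1 marks end of stream
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            // close in finally so a failure mid-copy does not leak file handles
            try { in.close(); } finally { if (out != null) out.close(); }
        }
    }
}
```

Between the checks and the open the file can still be swapped by anyone with write access to the base directory, so keep those directories writable only by the application.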

