[Esapi-user] parameter value as null

ricardo gualberto r_gualberto at hotmail.com
Tue May 24 10:51:38 EDT 2011


There are a good number of URL requests on our web application that have a parameter with a null value, like param2= in this sample URL: http://localhost:16311/ibm/console?param1=value1&param2= . These pages are broken, as expected, after adding the SecurityWrapper because null values are not allowed.
I extended the ESAPI classes SecurityWrapper and SecurityWrapperRequest. In my SecurityWrapperRequest class I have defined allowNull as true on all getParameter() methods. The getParameter methods with allowNull=true are being called for sure, but a NullPointerException is thrown in my class called SecurityFilter that extends SecurityWrapper. Do you have any ideas on how to allow null parameter values?




 javax.servlet.ServletException: java.lang.NullPointerException
[5/23/11 17:23:59:262 BST] 0000003d SystemErr     R     at org.apache.struts.action.RequestProcessor.processException(RequestProcessor.java:541)
[5/23/11 17:23:59:264 BST] 0000003d SystemErr     R     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:482)
[5/23/11 17:23:59:264 BST] 0000003d SystemErr     R     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
[5/23/11 17:23:59:265 BST] 0000003d SystemErr     R     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1420)
[5/23/11 17:23:59:265 BST] 0000003d SystemErr     R     at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:502)
[5/23/11 17:23:59:266 BST] 0000003d SystemErr     R     at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
[5/23/11 17:23:59:267 BST] 0000003d SystemErr     R     at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
[5/23/11 17:23:59:267 BST] 0000003d SystemErr     R     at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1655)
[5/23/11 17:23:59:267 BST] 0000003d SystemErr     R     at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1595)
[5/23/11 17:23:59:268 BST] 0000003d SystemErr     R     at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:131)
[5/23/11 17:23:59:268 BST] 0000003d SystemErr     R     at com.micromuse.precision.common.servlets.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:94)
[5/23/11 17:23:59:273 BST] 0000003d SystemErr     R     at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:184)
[5/23/11 17:23:59:273 BST] 0000003d SystemErr     R     at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
[5/23/11 17:23:59:274 BST] 0000003d SystemErr     R     at com.micromuse.precision.common.servlets.SessionFilter.doFilter(SessionFilter.java:73)
[5/23/11 17:23:59:274 BST] 0000003d SystemErr     R     at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:184)
[5/23/11 17:23:59:274 BST] 0000003d SystemErr     R     at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
[5/23/11 17:23:59:275 BST] 0000003d SystemErr     R     at com.micromuse.precision.common.servlets.SecurityFilter.doFilter(SecurityFilter.java:91)

This is the doFilter method of my class where the exception is thrown.




    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException
    {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        try {
            HttpServletRequest hrequest = (HttpServletRequest)request;
            HttpServletResponse hresponse = (HttpServletResponse)response;

            RequestWrapper secureRequest = new RequestWrapper(hrequest);
            ResponseWrapper secureResponse = new ResponseWrapper(hresponse);
            // Set the configuration on the wrapped request
            secureRequest.setAllowableContentRoot(allowableResourcesRoot);

            ESAPI.httpUtilities().setCurrentHTTP(secureRequest, secureResponse);

            chain.doFilter(ESAPI.currentRequest(), ESAPI.currentResponse());
        }
        catch (Exception e) {
            System.err.println( "Error in SecurityWrapper: " + e.getMessage());
            request.setAttribute("message", e.getMessage() );
        }
        finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

These are the getParameter methods of my extended class

    public java.lang.String getParameter(java.lang.String name) {
        return super.getParameter(name, true);
    }

    public java.lang.String getParameter(java.lang.String name,
                                         boolean allowNull) {
        return super.getParameter(name, true);
    }

    public java.lang.String getParameter(java.lang.String name,
                                         boolean allowNull,
                                         int maxLength) {
        return super.getParameter(name, true, maxLength);
    }

    public java.lang.String getParameter(java.lang.String name,
                                         boolean allowNull,
                                         int maxLength,
                                         java.lang.String regexName)
    {
        return super.getParameter(name, true, maxLength, regexName);
    }
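
Added example (not part of the original post and not ESAPI code): a dependency-free Java model of the request described above, showing that param2= arrives as an empty string rather than null, and how an allowNull-style check can return null for empty or absent values while still enforcing length and whitelist on everything else. NullableParamDemo, parseQuery, getValid and the whitelist pattern are hypothetical names and constructed values.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class NullableParamDemo {
    // "k=" parses to an empty string; a key that never appears yields null on lookup.
    // URL-decoding is omitted because the constructed sample needs none.
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null) return params;
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.putIfAbsent(key, value); // first occurrence wins
        }
        return params;
    }

    // Hypothetical check: empty/absent input returns null when allowNull is true and is
    // rejected otherwise; any non-empty value must still pass length and whitelist.
    static String getValid(String name, String value, boolean allowNull,
                           int maxLength, Pattern whitelist) {
        if (value == null || value.isEmpty()) {
            if (allowNull) return null;
            throw new IllegalArgumentException(name + ": input required");
        }
        if (value.length() > maxLength)
            throw new IllegalArgumentException(name + ": longer than " + maxLength);
        if (!whitelist.matcher(value).matches())
            throw new IllegalArgumentException(name + ": invalid characters");
        return value;
    }

    public static void main(String[] args) {
        Pattern safe = Pattern.compile("^[A-Za-z0-9._-]+$"); // constructed whitelist
        Map<String, String> p = parseQuery("param1=value1&param2="); // query from the post
        for (String name : new String[] {"param1", "param2", "param3"}) {
            String v = getValid(name, p.get(name), true, 64, safe);
            // Null-safe use: constant on the left, so a null result cannot throw.
            System.out.println(name + " -> " + v + ", equals value1: " + "value1".equals(v));
        }
        try {
            getValid("param2", p.get("param2"), false, 64, safe);
        } catch (IllegalArgumentException e) {
            System.out.println("allowNull=false rejects it: " + e.getMessage());
        }
    }
}
```

Any code that consumes such a result has to tolerate null, which is why the comparison in main() puts the constant on the left.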