[Esapi-user] parameter value as null

Chris Schmidt chrisisbeef at gmail.com
Tue May 24 16:00:31 EDT 2011


It's difficult to tell from this included code, however - my initial 
thought is that this isn't a problem with the wrapped request itself, 
but rather something in the filter itself is throwing a NPE. I would 
look closely at what is happening on line 91 of that class 
(SecurityFilter), and follow its command stack to locate where your NPE 
is actually occurring.

On 5/24/2011 8:51 AM, ricardo gualberto wrote:
> There are a good number of URL requests on our web application that 
> have a parameter with a null value like param2= of this sample URL 
> http://localhost:16311/ibm/console?param1=value1&param2= . These 
> pages are broken as expected after adding the SecurityWrapper because 
> null values are not allowed.
> I extended the ESAPI classes SecurityWrapper and 
> SecurityWrapperRequest. On my SecurityWrapperRequest class I have 
> defined the allowNull as true on all getParameter() methods. The 
> getParameter methods with allowNull=true are being called for sure but 
> a NullPointerException is thrown on my class called SecurityFilter 
> that extends SecurityWrapper. Do you have any ideas on how to allow 
> null parameter values?
> javax.servlet.ServletException: java.lang.NullPointerException
> [5/23/11 17:23:59:262 BST] 0000003d SystemErr R at org.apache.struts.action.RequestProcessor.processException(RequestProcessor.java:541)
> [5/23/11 17:23:59:264 BST] 0000003d SystemErr R at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:482)
> [5/23/11 17:23:59:264 BST] 0000003d SystemErr R at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
> [5/23/11 17:23:59:265 BST] 0000003d SystemErr R at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1420)
> [5/23/11 17:23:59:265 BST] 0000003d SystemErr R at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:502)
> [5/23/11 17:23:59:266 BST] 0000003d SystemErr R at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
> [5/23/11 17:23:59:267 BST] 0000003d SystemErr R at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
> [5/23/11 17:23:59:267 BST] 0000003d SystemErr R at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1655)
> [5/23/11 17:23:59:267 BST] 0000003d SystemErr R at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1595)
> [5/23/11 17:23:59:268 BST] 0000003d SystemErr R at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:131)
> [5/23/11 17:23:59:268 BST] 0000003d SystemErr R at com.micromuse.precision.common.servlets.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:94)
> [5/23/11 17:23:59:273 BST] 0000003d SystemErr R at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:184)
> [5/23/11 17:23:59:273 BST] 0000003d SystemErr R at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
> [5/23/11 17:23:59:274 BST] 0000003d SystemErr R at com.micromuse.precision.common.servlets.SessionFilter.doFilter(SessionFilter.java:73)
> [5/23/11 17:23:59:274 BST] 0000003d SystemErr R at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:184)
> [5/23/11 17:23:59:274 BST] 0000003d SystemErr R at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
> [5/23/11 17:23:59:275 BST] 0000003d SystemErr R at com.micromuse.precision.common.servlets.SecurityFilter.doFilter(SecurityFilter.java:91)
>
>
>
> This is the doFilter method of my class where the exception is thrown.
> public void doFilter(ServletRequest request, ServletResponse response,
>                      FilterChain chain) throws IOException, ServletException
> {
>     if (!(request instanceof HttpServletRequest)) {
>         chain.doFilter(request, response);
>         return;
>     }
>
>     try {
>         HttpServletRequest hrequest = (HttpServletRequest)request;
>         HttpServletResponse hresponse = (HttpServletResponse)response;
>
>         RequestWrapper secureRequest = new RequestWrapper(hrequest);
>         ResponseWrapper secureResponse = new ResponseWrapper(hresponse);
>         // Set the configuration on the wrapped request
>         secureRequest.setAllowableContentRoot(allowableResourcesRoot);
>
>         ESAPI.httpUtilities().setCurrentHTTP(secureRequest, secureResponse);
>         chain.doFilter(ESAPI.currentRequest(), ESAPI.currentResponse());
>     }
>     catch (Exception e) {
>         System.err.println( "Error in SecurityWrapper: " + e.getMessage());
>         request.setAttribute("message", e.getMessage() );
>     }
>     finally {
>         ESAPI.httpUtilities().clearCurrent();
>     }
> }
>
>
> These are the getParameter methods of my extended class
>
>     public java.lang.String getParameter(java.lang.String name) {
>         return super.getParameter(name, true);
>     }
>
>     public java.lang.String getParameter(java.lang.String name,
>                                          boolean allowNull) {
>         return super.getParameter(name, true);
>     }
>
>     public java.lang.String getParameter(java.lang.String name,
>                                          boolean allowNull,
>                                          int maxLength) {
>         return super.getParameter(name, true, maxLength);
>     }
>
>     public java.lang.String getParameter(java.lang.String name,
>                                          boolean allowNull,
>                                          int maxLength,
>                                          java.lang.String regexName) {
>         return super.getParameter(name, true, maxLength, regexName);
>     }
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
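
The advice in the reply above, to follow the stack down to the frame where the NPE is actually thrown, can be done in code by unwrapping the cause chain instead of logging only `e.getMessage()`. This is an added example, not code from the thread or from ESAPI; it uses plain `java.lang.Exception` as a stand-in for `ServletException`, and `action`, `chain` and the null `param2` are hypothetical, constructed to reproduce the shape of the trace.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

public class RootCauseDemo {

    // Follow getCause() links to the innermost exception; the identity set guards against cycles.
    static Throwable rootCause(Throwable t) {
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        Throwable cur = t;
        while (cur.getCause() != null && seen.add(cur)) {
            cur = cur.getCause();
        }
        return cur;
    }

    // Root-cause type plus its first stack frame, i.e. the line that actually threw.
    static String describe(Throwable t) {
        Throwable root = rootCause(t);
        StackTraceElement[] frames = root.getStackTrace();
        String where = frames.length > 0 ? frames[0].toString() : "<no stack frames>";
        return root.getClass().getName() + " thrown at " + where;
    }

    // Hypothetical handler: dereferences a parameter value that is null (constructed failure).
    static void action(String param2) {
        if (param2.equals("x")) {
            System.out.println("matched");
        }
    }

    // Stand-in for the filter chain: wraps the failure the way the trace shows
    // ServletException wrapping NullPointerException.
    static void chain(String param2) throws Exception {
        try {
            action(param2);
        } catch (RuntimeException e) {
            throw new Exception(e);
        }
    }

    public static void main(String[] args) {
        try {
            chain(null);
        } catch (Exception e) {
            System.err.println("getMessage() only: " + e.getMessage());
            System.err.println("root cause:        " + describe(e));
            e.printStackTrace(); // full trace, including the "Caused by:" section
        }
    }
}
```

The first line printed names only the wrapped exception type, while the second points at the frame inside `action`; in a real filter the same `describe(e)` call would go to the application's logger rather than `System.err`.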
