[Owasp-esapi] ESAPI Crunch Time!

Jeff Williams jeff.williams at owasp.org
Thu Oct 25 17:14:40 EDT 2007


Hi everyone,

There are less than 3 weeks to go before the OWASP Conference in San Jose.
So I'm putting in a final push to get all the known issues in ESAPI
resolved.  Thanks to all of you who have provided comments.  If you haven't
had a chance to dig in yet, please take this opportunity now!  I need your
expertise for this project to succeed.  You might start with the Javadoc -
the MOST important thing about this project is that the API "just works".
 

There are a number of enhancements in this release.  We're up to 85.1% test
coverage and that's pretty good.  I've also addressed all the meaningful PMD
and FindBugs issues.  I'm particularly pleased with the exception handling,
security logging, and intrusion detection.  Anyone who uses this library
will get all of that without any real extra effort on their part.  I also
modified EnterpriseSecurityException to have two messages, one for the
users, and one for the logs - that's the way I've been teaching it for
years, and doing it right in the exception is super clean.

 

This release includes two little sample applications.  One is a user
administration servlet that you can use to create and delete users.  You can
create a default user with Authenticator.main() or else you can stick with
the one that's in there - username "Alice", password "test".  There's also a
little test application that shows a few of the features of the ESAPI.

 

I could really use some help with the items listed below.  Many of them are
related to canonicalization, which is a difficult concept to capture in an
API like this.  I think I have a handle on it, but haven't started
implementing it yet. The old approach of having a single "canonicalize"
method is just too limiting.  Besides canonicalization, there are 35 or so
other thorny little issues that need resolving.

 

 


ISSUES

The following items are real issues that I have questions about resolving.
You can find them all in the code in Eclipse in the Tasks view.

Resource (location): description

AccessController.java (line 211): FIXME : AAA think about canonicalization
    here - use Java file canonicalizer
AccessController.java (line 288): FIXME : AAA need to canonicalize!
Authenticator.java (line 119): FIXME : AAA is this whole anonymous user
    concept right?
Authenticator.java (line 349): FIXME : AAA the login servlet path should
    also be a configuration - this
Authenticator.java (line 385): FIXME : AAA need a full scrub of persistence
    - otherwise logging reloads before the action completes!
Authenticator.java (line 446): FIXME : AAA - consider throwing an exception
    here as this is always insecure
Encoder.java (line 144): FIXME : AAA How to handle strings that contain HTML
    entity encoded information already. Don't double encode.
Encoder.java (line 147): FIXME : AAA shouldn't we use an HTML entity
    encoding canonicalizer here?
Encoder.java (line 218): FIXME : AAA add a check to all encoding methods to
    see if the data is already encoded.
Encoder.java (line 228): FIXME : AAA add a check to all encoding methods to
    see if the data is already encoded.
Encoder.java (line 263): FIXME : AAA add a check to all encoding methods to
    see if the data is already encoded.
Encoder.java (line 344): FIXME : AAA add a check to all encoding methods to
    see if the data is already encoded.
Encoder.java (line 396): FIXME : AAA need test code and cleanup on this...
Encoder.java (line 87): FIXME : AAA make all character sets configurable
Encoder.java (line 91): FIXME : AAA need a good pattern to identify HTML
    entity encoded elements within a string
Encoder.java (line 92): FIXME : AAA may need new methods to canonicalize for
    lots of different encodings
Encoder.java (line 93): FIXME : AAA see isHTMLEntityEncoded() below
EncryptedProperties.java (line 129): FIXME : AAA verify that this still works
Encryptor.java (line 107): FIXME : AAA don't we have to save these off
    somewhere?
Encryptor.java (line 63): FIXME : AAA need global scrub of what methods need
    to log
Encryptor.java (line 97): FIXME : AAA add encryption algorithm to
    configuration
ESAPIAdmin.java (line 63): FIXME - AAA need to add CSRF protection to all
    urls with HTTPUtilities.addCSRFToken()
HTTPUtilities.java (line 102): FIXME : AAA test if setting a separate
    set-cookie header for each cookie works!
HTTPUtilities.java (line 114): FIXME : AAA should this throw an
    IntrusionException?
HTTPUtilities.java (line 247): FIXME : AAA - investigate how this is
    implemented and take a substring of the protocol instead?
HTTPUtilities.java (line 82): FIXME : AAA getCurrentUser should never return
    null
IntrusionDetector.java (line 131): FIXME : AAA how to logout without
    request, response??  Threadlocals?
IntrusionException.java (line 39): FIXME : AAA this shouldn't be public
Logger.java (line 50): FIXME : AAA this causes some weird classloading
    problem, since SecurityConfiguration logs.
SecurityConfiguration.java (line 349): FIXME : AAA ensure defaults are set
    for ALL calls to getProperty in this class
SecurityConfiguration.java (line 383): FIXME : AAA integrate this
User.java (line 136): FIXME : AAA validate account name
User.java (line 145): FIXME : AAA don't save CSRF token
User.java (line 573): FIXME : AAA verify loggedIn is properly maintained
User.java (line 859): FIXME : AAA this is a strange place for the event
    class to live.  Move to somewhere more appropriate.
Validator.java (line 204): FIXME : AAA temporary - what makes file content
    valid? Maybe need a parameter here?
Validator.java (line 224): FIXME : AAA should this validation really throw
    an IntrusionException?
Validator.java (line 313): FIXME - This gets double-encoded characters! Need
    to catch exception or decide not to throw it
Validator.java (line 388): FIXME : AAA I think this is just wrong -
    canonicalization needs work
Validator.java (line 41): FIXME : AAA should all these methods be getValid??
    and return a canonicalized form? and throw an exception? Aargh you
Validator.java (line 419): FIXME : AAA ANY method that doesn't use
    isValidString MUST canonicalize for itself!!!
Validator.java (line 421): FIXME : AAA this is just a simple blacklist test
    - will use Anti-SAMY


ENHANCEMENTS

The following items are "ENHANCEMENTS" that are currently slated for future
releases. These are generally reserved for things that would be nice
additions or make ESAPI more configurable, but are not absolutely required
to be resolved for a 1.0 release.

Resource (location): description

Authenticator.java (line 514): FIXME : ENHANCE make the lengths configurable?
Encoder.java (line 126): FIXME : ENHANCE Performance enhancement here but
    character arrays must be sorted, which they're currently not.
Encoder.java (line 171): FIXME : ENHANCE - should this just strip out
    nonprintables? Why send  to the browser?
Encoder.java (line 230): FIXME : ENHANCE this is a negative list -- make
    positive?
Encryptor.java (line 148): FIXME : ENHANCE make iterations configurable
Executor.java (line 100): FIXME : ENHANCE need a timer
Executor.java (line 78): FIXME : ENHANCE make configurable regexes? Update
    comments!
HTTPUtilities.java (line 44): FIXME : ENHANCE Consider a tinyurl-like thing
    with mapped or encrypted data
ILogger.java (line 30): FIXME : ENHANCE Is this type approach right? Should
    it be configurable somehow?
IValidator.java (line 302): FIXME : ENHANCE timeout too!
Logger.java (line 28): FIXME : ENHANCE somehow make configurable so that
    successes and failures are logged according to a configuration.
SecurityConfiguration.java (line 319): FIXME : ENHANCE should read these
    quotas into a map and cache them
SecurityConfiguration.java (line 352): FIXME : ENHANCE: performance by
    caching these patterns
SecurityConfiguration.java (line 43): FIXME : ENHANCE make a
    getCharacterSet( name );
SecurityConfiguration.java (line 44): FIXME : ENHANCE make character sets
    configurable
User.java (line 104): FIXME : ENHANCE enable this required password change
    feature?
User.java (line 114): FIXME : ENHANCE consider adding these for access
    control support
User.java (line 139): FIXME : ENHANCE make regex for split ignore spaces -
    "r1, r2, r3" doesn't work but "r1,r2,r3" does
User.java (line 243): FIXME : ENHANCE - make admin only methods separate
    from public API
User.java (line 286): FIXME : ENHANCE what about disabling for a short time
    period - to address DOS attack?
User.java (line 473): FIXME : ENHANCE should expiration happen
    automatically?  Or based on lastPasswordChangeTime?
User.java (line 876): FIXME : ENHANCE move all this event stuff inside
    IntrusionDetector?
UserTest.java (line 433): FIXME : ENHANCE shouldn't this just be one timeout
    method that does both checks???
Validator.java (line 443): FIXME : ENHANCE what about isValidNamedPattern()
    that loads a set of regexes from the ESAPI.properties
Validator.java (line 84): FIXME : ENHANCE consider renaming to
    detectEncodingAttack - double-encoding and other encoding probs.
Validator.java (line 85): FIXME : ENHANCE consider moving canonicalize to
    Encoder
ValidatorTest.java (line 259): FIXME : ENHANCE doesn't accept filenames,
    just directories - should it?


 

Thanks for all the help on this,

 

--Jeff

 

Jeff Williams, Chair

The OWASP Foundation <http://www.owasp.org/> 

Work: 410-707-1487

Main: 301-604-4882

"Dedicated to finding and fighting the causes of insecure software"
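Editor's note: the items above keep returning to two points, that every
validation method must canonicalize before it checks anything (Validator
lines 313, 388, 419), and that an exception should carry a user-facing
message separate from the log message (EnterpriseSecurityException). The
block below is an added illustration of both, written for this page; it is
not ESAPI code and not part of Jeff's message or the attached zip. The class
name CanonicalizeThenValidate, the exception names AppSecurityException and
EncodingAttackException, the getValidAccountName method and the account-name
whitelist regex are all assumptions made for the example. The decoder runs
percent-decoding and numeric HTML entity decoding to a fixed point, counts
the passes, and in strict mode rejects input that needed more than one pass
(double encoding) or needed both decoders (mixed encoding); only the
canonical form is matched against the whitelist.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustration (not ESAPI code): canonicalize to a fixed point, flag double or
 *  mixed encoding, then whitelist. All names in this class are assumptions. */
public final class CanonicalizeThenValidate {

    /** Two-message exception: what the user sees vs. what the log records. */
    public static class AppSecurityException extends Exception {
        private final String logMessage;
        public AppSecurityException(String userMessage, String logMessage) {
            super(userMessage);
            this.logMessage = logMessage;
        }
        public String getLogMessage() { return logMessage; }
    }

    /** Raised in strict mode when decoding took more than one pass or mixed two encodings. */
    public static final class EncodingAttackException extends AppSecurityException {
        public EncodingAttackException(String logMessage) { super("Invalid input.", logMessage); }
    }

    // Hypothetical whitelist for an account name (a real deployment would configure this).
    private static final Pattern ACCOUNT_NAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");
    // Numeric HTML entities, decimal (&#65;) or hex (&#x41;); the trailing ';' is optional.
    private static final Pattern NUMERIC_ENTITY =
            Pattern.compile("&#(?:[xX]([0-9A-Fa-f]{1,6})|([0-9]{1,7}));?");
    private static final int MAX_PASSES = 8;   // hard stop against pathological nesting

    private static int hexVal(byte b) {        // ASCII hex digit value, or -1
        if (b >= '0' && b <= '9') return b - '0';
        if (b >= 'a' && b <= 'f') return b - 'a' + 10;
        if (b >= 'A' && b <= 'F') return b - 'A' + 10;
        return -1;
    }

    /** One pass of %XX decoding over the UTF-8 bytes; returns the input unchanged if nothing matched. */
    static String percentDecodeOnce(String s) {
        byte[] in = s.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            if (in[i] == '%' && i + 2 < in.length) {
                int hi = hexVal(in[i + 1]), lo = hexVal(in[i + 2]);
                if (hi >= 0 && lo >= 0) { out.write(hi * 16 + lo); i += 2; continue; }
            }
            out.write(in[i]);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /** One pass of numeric entity decoding; returns the input unchanged if nothing matched. */
    static String entityDecodeOnce(String s) {
        Matcher m = NUMERIC_ENTITY.matcher(s);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            int cp = m.group(1) != null ? Integer.parseInt(m.group(1), 16) : Integer.parseInt(m.group(2));
            boolean ok = Character.isValidCodePoint(cp) && (cp < 0xD800 || cp > 0xDFFF);
            m.appendReplacement(sb, Matcher.quoteReplacement(ok ? new String(Character.toChars(cp)) : m.group()));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Decode until nothing changes. In strict mode, >1 pass (double encoding) or use of
     *  both decoders (mixed encoding) is reported as an attack rather than silently accepted. */
    public static String canonicalize(String input, boolean strict) throws EncodingAttackException {
        String current = input;
        int passes = 0;
        boolean usedPercent = false, usedEntity = false;
        while (true) {
            String afterPercent = percentDecodeOnce(current);
            String afterEntity = entityDecodeOnce(afterPercent);
            if (afterEntity.equals(current)) break;            // fixed point reached
            usedPercent |= !afterPercent.equals(current);
            usedEntity |= !afterEntity.equals(afterPercent);
            current = afterEntity;
            if (++passes > MAX_PASSES)
                throw new EncodingAttackException("decoding did not converge after " + MAX_PASSES + " passes");
        }
        if (strict && passes > 1)
            throw new EncodingAttackException("double encoding (" + passes + " passes) in: " + input);
        if (strict && usedPercent && usedEntity)
            throw new EncodingAttackException("mixed percent/entity encoding in: " + input);
        return current;
    }

    /** The getValid* shape discussed on the list: canonicalize, whitelist, return the canonical form. */
    public static String getValidAccountName(String raw) throws AppSecurityException {
        String canonical = canonicalize(raw, true);
        if (!ACCOUNT_NAME.matcher(canonical).matches())
            throw new AppSecurityException("Account name is invalid.",
                    "account name failed whitelist " + ACCOUNT_NAME.pattern() + ": " + canonical);
        return canonical;
    }

    public static void main(String[] args) {
        // Constructed samples: clean, singly encoded (two ways), double encoded, mixed, whitelist miss.
        String[] samples = { "alice_01", "%61lice", "&#x61;lice", "%2561lice", "%26%23x61%3Blice", "<script>" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted as " + getValidAccountName(s));
            } catch (AppSecurityException e) {
                System.out.println(s + " -> user: \"" + e.getMessage() + "\"  log: " + e.getLogMessage());
            }
        }
    }
}
```

Running main prints that "alice_01", "%61lice" and "&#x61;lice" are all accepted as "alice", while "%2561lice" is rejected for double encoding, "%26%23x61%3Blice" for mixed encoding, and "<script>" for failing the whitelist; in each rejection the user sees only the short message and the detail goes to the log. The strict check has a known cost: a user who literally types "a%41" and is URL-encoded once by the browser also trips the double-encoding rule, which is why the strict flag is a parameter and why the decision to throw rather than accept (Validator line 313) is worth the discussion the list is having.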
