From 838c4736d969942c3811cc21433087316971a7fc Mon Sep 17 00:00:00 2001
From: kwwall
Date: Wed, 29 May 2024 23:14:07 -0400
Subject: [PATCH 01/20] Modifying pom.xml for next planned release.
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 49131449d..37187903d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
4.0.0org.owasp.esapiesapi
- 2.5.4.0
+ 2.5.5.0-SNAPSHOTjar
From d06d95755df254bfc86e67392ac5fbfe07931554 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Thu, 30 May 2024 18:46:19 -0400
Subject: [PATCH 02/20] Rewrote 1st paragraph to note ESAPI DOES support
Jakarta EE.
---
README.md | 43 +++++++++++++++++++++++++++++++------------
1 file changed, 31 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 71a0f1f98..4c4468441 100644
--- a/README.md
+++ b/README.md
@@ -14,18 +14,37 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
-# Special note regarding Spring Boot 3, Spring 6, Tomcat 10 and other applications / libraries requiring Jakarta EE
-
-
-
-IMPORTANT: We are aware that all versions of ESAPI (unless you are using very select parts) do not work with Jakarta EE. Jakarta EE relies on jakarta.servlet-api. ESAPI is built to use javax.servlet-api. This causes things like Spring Boot 3, Spring 6, Tomcat 10, the latest version of Jetty, etc. to fail to load certain (well, many) ESAPI classes. The reason for this is that the package names between these 2 libraryes are different! The dependency javax.servlet-api has a package namespace of javax.servlet. The jakarta.servlet-api library is using the package namespace of jakarta.servlet. So references to things like ServletRequest, ServletResponse, etc. in ESAPI are using javax.servlet.ServletRequest and javax.servlet.ServletResponse respectively. We cannot make it work for both at once and we will not stop supporting javax.servlet-api, which is what most of our existing ESAPI clients are using.
-
-Therefore PLEASE STOP sending us emails and/or creating GitHub issues regarding this! Instead, please
-read ongoing the GitHub discussion https://github.com/ESAPI/esapi-java-legacy/discussions/768 for further details.
-
-
-
-
+# Jakarta EE Support
+**IMPORTANT:**
+ESAPI has supported the Jakarta Servlet API (i.e., **jakarta.servlet.api**) since release
+2.5.3.0. (Unfortunately, we were just forgot to note that in this **README** file. Duh!)
+
+Therefore, for release 2.5.3.0 and later versions of ESAPI, ESAPI ought to be able to support Spring Boot 3, Spring 6, Tomcat 10,
+and other applications or libraries requiring Jarkata EE. (If you find a case where it does
+not, please file a GitHub issue for it.)
+
+The ESAPI jar file supporting Jakarta will be named esapi-_version_-jakarta.jar. To use that
+specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI dependency in your
+**pom.xml** as:
+```xml
+
+ org.owasp.esapi
+ esapi
+ 2.5.3.0-SNAPSHOT
+ jakarta
+
+```
+(or any other version later than 2.5.3.0). Thanks to Jonathon Putney for creating a PR to
+fix this. There is a long discussion in GitHub Discussion [#768](https://github.com/ESAPI/esapi-java-legacy/discussions/768)
+where this was first announced, for those of you have insomnia or really long attention
+spans and are interested in the approaches that were tried.
+
+Of course, ESAPI also still continues to support the older Java EE Servlet API (i.e., **javax.servlet** namespace) as well. In
+fact, without the
+```xml
+jakarta
+```
+that's the version that will be used by default.
# A word about ESAPI vulnerabilities
A summary of all the vulnerabilities that we have written about in either the
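Review bot: the Maven snippet in this hunk tells readers to depend on `2.5.3.0-SNAPSHOT` with the `jakarta` classifier; SNAPSHOT builds are not what Maven Central serves, so this will not resolve for most users. Use release coordinates (2.5.3.0, or better the 2.5.4.0 that the README elsewhere calls the latest) and keep the "or any other version later than 2.5.3.0" remark. Smaller points in the same hunk: the artifact is `jakarta.servlet-api`, not **jakarta.servlet.api**; "Jarkata EE", "we were just forgot to note" and "those of you have insomnia" need a proofreading pass; and the second ```xml fence shows only the bare word `jakarta`, so if the intent is to show the `<classifier>` element, spell it out in full so the default-versus-jakarta distinction is unambiguous.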
From f05876c0be84c6d4c358f36fa7874b4dc7e37957 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Thu, 30 May 2024 19:03:07 -0400
Subject: [PATCH 03/20] Add bullet about deleting JUL config file if using JUL
for logging. Change latest release to 2.5.4.0.
---
README.md | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4c4468441..ac6dda95e 100644
--- a/README.md
+++ b/README.md
@@ -96,9 +96,15 @@ link to the specific release notes.
(at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!
* ESAPI 2.3.0.0 is the last release to support Java 7 as the minimal JDK.
Starting with release 2.4.0.0, Java 8 or later is required.
+* Starting with ESAPI 2.5.4.0, if you were using ESAPI's default logger, JUL
+ (i.e., you had the property **ESAPI.Logger** set to "org.owasp.esapi.logging.java.JavaLogFactory"),
+ then you must remove (or rename) the old ESAPI configuration file **esapi-java-logger.properties**.
+ Failure to do so will cause ESAPI to throw a `ConfigurationException`, thereby
+ preventing your application from starting. For important additional details, please see
+ the ESAPI GitHub Discussion https://github.com/ESAPI/esapi-java-legacy/discussions/841.
# Locating ESAPI Jar files
-The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.3.1.
+The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.4.0.
All the *regular* ESAPI jars, with the exception of the ESAPI configuration
jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached
GPG signature, are available from Maven Central. The ESAPI configuration
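Review bot: the new bullet describes a hard failure (a `ConfigurationException` at startup) but says only that the old **esapi-java-logger.properties** must be removed or renamed; say in one sentence what replaces it (or that removal alone is sufficient and JUL then uses its own configuration), so readers are not forced to the discussion thread just to finish an upgrade. Also write the discussion reference as a Markdown link, `[#841](https://github.com/ESAPI/esapi-java-legacy/discussions/841)`, to match the `[#768](...)` style already used earlier in this README.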
From 036b83a6b336899a66bfa524f6db712d820aab29 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Thu, 30 May 2024 19:18:40 -0400
Subject: [PATCH 04/20] Added lead-in paragraph and updated 'Supported
Versions' table.
---
SECURITY.md | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 455c21fc6..df4e09bfa 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,11 +1,19 @@
# Security Policy
+In general, because the ESAPI core development is so small (3 people, all
+working full time jobs), we can only support the latest version of ESAPI.
+If you are locked in to some previous version and are unable to upgrade
+to the latest version, perhaps one or more of us might consider back-porting
+a patch (especially if it is the only way to address an ESAPI vulnerability),
+but if it is anything but trivial, we would charge a TBD consulting fee.
+
## Supported Versions
+
| Version | Supported |
| ------- | ------------------ |
-| 2.5.1.0 (latest) | :white_check_mark: |
-| 2.1.0.1-2.5.0.0 | :x:, upgrade to latest release |
+| 2.5.4.0 (latest) | :white_check_mark: |
+| 2.1.0.1-2.5.3.1 | :x:, upgrade to latest release |
| <= 1.4.x | :x:, no longer supported AT ALL |
## Reporting a Vulnerability
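Review bot: the "(latest)" row in the Supported Versions table is hard-coded to 2.5.4.0 while patch 01 of this series already moves the pom to 2.5.5.0-SNAPSHOT, so the table goes stale at the next release unless updating it is on the release checklist. Since the new lead-in already states that only the latest release is supported, a single row such as "latest release (see the [releases page](https://github.com/ESAPI/esapi-java-legacy/releases/latest))" plus "anything earlier: upgrade" would not need maintenance. Two wording points: "locked in to" should be "locked into", and "a TBD consulting fee" is a placeholder in a published policy; either state the arrangement or remove "TBD".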
From cb3839f24c8117ae5d6b63a40a68a3b88606f89a Mon Sep 17 00:00:00 2001
From: kwwall
Date: Thu, 30 May 2024 20:07:06 -0400
Subject: [PATCH 05/20] Suppress 2 CVEs that appear to be false positives:
CVE-2024-29131 & CVE-2024-29133
---
suppressions.xml | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/suppressions.xml b/suppressions.xml
index 876c4fa6e..3c09dc8ff 100644
--- a/suppressions.xml
+++ b/suppressions.xml
@@ -45,5 +45,20 @@
]]>
CVE-2017-10355
-
+
+
+ 2b36e4adfb66d966c5aef2d73deb6be716389dc9
+ CVE-2024-29131
+
+
+
+ 2b36e4adfb66d966c5aef2d73deb6be716389dc9
+ CVE-2024-29133
+
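Review bot: the two new `<suppress>` entries carry only a sha1 and a CVE id, with no `<notes>` explaining why CVE-2024-29131 and CVE-2024-29133 are believed not to apply to ESAPI (the commit message itself says they "appear to be" false positives). Record which dependency sha1 2b36e4adfb66d966c5aef2d73deb6be716389dc9 identifies and why the flagged code path is not reachable from ESAPI, as the preceding CVE-2017-10355 entry does in its CDATA notes, and add an `until="..."` date on each `<suppress>` so the suppression is revisited rather than becoming permanent. Note also that pinning by sha1 means the suppression silently stops matching on the next bump of that dependency, at which point both CVEs resurface with no recorded reasoning.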
From b610633ec17b0e70520d0a3d8b5462a1bee8f01e Mon Sep 17 00:00:00 2001
From: "Kevin W. Wall"
Date: Sun, 14 Jul 2024 16:36:45 -0400
Subject: [PATCH 06/20] Pom updates to address issue #847 (#848)
* Close GitHub issue #847.
1. Update pom to latest version of compatible dependencies and plugins.
2. Remove commons-io:commons-io:2.15.1 previously needed for convergence as Commons FileUpload no longer requires it and AntiSamy 1.7.5 now uses 2.15.1. So we no longer need to explicitly load it for convergence to succeed.
* Minor documentation tweaks to esapi.tld.
---
pom.xml | 55 ++++++++++-----------------
src/main/resources/META-INF/esapi.tld | 6 ++-
2 files changed, 24 insertions(+), 37 deletions(-)
diff --git a/pom.xml b/pom.xml
index 37187903d..661519330 100644
--- a/pom.xml
+++ b/pom.xml
@@ -134,9 +134,9 @@
2.0.0-M32.0.0-M92.0.9
- 4.8.5
- 4.8.5.0
- 3.2.5
+ 4.8.6
+ 4.8.6.2
+ 3.3.01.8
@@ -233,7 +233,7 @@
org.apache.commonscommons-collections4
- 4.5.0-M1
+ 4.5.0-M2org.apache-extras.beanshell
@@ -243,7 +243,7 @@
org.owasp.antisamyantisamy
- 1.7.5
+ 1.7.6
@@ -274,21 +274,6 @@
1.4.01
-
-
-
- commons-io
- commons-io
- 2.15.1
-
-
com.github.spotbugs
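Review bot: the justification for dropping the explicit commons-io pin ("AntiSamy 1.7.5 now uses 2.15.1" in the commit message) refers to a version this same patch replaces, since the hunk a few lines above moves antisamy from 1.7.5 to 1.7.6. Restate the reasoning against 1.7.6, and run the maven-enforcer-plugin convergence rule (`mvn enforcer:enforce`, or the build phase it is bound to in this pom) to confirm commons-io still converges without the pin; otherwise the next contributor who sees a convergence failure will not know whether the pin can safely return.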
@@ -423,17 +408,17 @@
org.apache.maven.pluginsmaven-dependency-plugin
- 3.6.1
+ 3.7.1org.apache.maven.pluginsmaven-release-plugin
- 3.0.1
+ 3.1.0org.codehaus.mojoversions-maven-plugin
- 2.16.2
+ 2.17.0file:${project.basedir}/versionRuleset.xml
@@ -488,7 +473,7 @@
org.apache.maven.pluginsmaven-clean-plugin
- 3.3.2
+ 3.4.0
@@ -543,7 +528,7 @@
org.apache.maven.pluginsmaven-enforcer-plugin
- 3.4.1
+ 3.5.0org.codehaus.mojo
@@ -553,7 +538,7 @@
org.codehaus.mojoanimal-sniffer-enforcer-rule
- 1.23
+ 1.24
@@ -636,7 +621,7 @@
org.apache.maven.pluginsmaven-jar-plugin
- 3.4.1
+ 3.4.2
@@ -648,9 +633,9 @@
- org.apache.maven.plugins
- maven-javadoc-plugin
- 3.6.3
+ org.apache.maven.plugins
+ maven-javadoc-plugin
+ 3.7.08none
@@ -668,19 +653,19 @@
org.apache.maven.pluginsmaven-jxr-plugin
- 3.3.2
+ 3.4.0org.apache.maven.pluginsmaven-pmd-plugin
- 3.22.0
+ 3.23.0org.apache.maven.pluginsmaven-project-info-reports-plugin
- 3.5.0
+ 3.6.1
@@ -694,7 +679,7 @@
The skin is referenced in src/site/site.xml. -->
org.apache.maven.pluginsmaven-site-plugin
- 4.0.0-M14
+ 4.0.0-M15org.apache.maven.skins
@@ -755,7 +740,7 @@
org.owaspdependency-check-maven
- 9.2.0
+ 10.0.2${env.NVD_API_KEY}1.0
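Review bot: dependency-check-maven 9.2.0 to 10.0.2 is a major-version jump. Since patch 05 of this series relies on sha1-based entries in suppressions.xml, run the check once against the current dependency set with the `${env.NVD_API_KEY}` wiring shown here and confirm both that the suppression file is still honoured by 10.x and that the two newly suppressed CVEs stay suppressed; a major upgrade of this plugin also normally triggers a full NVD data refresh, which is worth mentioning in the PR for contributors with slow first builds.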
diff --git a/src/main/resources/META-INF/esapi.tld b/src/main/resources/META-INF/esapi.tld
index 596acb9c8..1a730f420 100644
--- a/src/main/resources/META-INF/esapi.tld
+++ b/src/main/resources/META-INF/esapi.tld
@@ -7,7 +7,7 @@
~ Enterprise Security API (ESAPI) project. For details, please see
~ http://www.owasp.org/index.php/ESAPI.
~
- ~ Copyright (c) 2007 - The OWASP Foundation
+ ~ Copyright (c) 2007-2024 - The OWASP Foundation
~
~ The ESAPI is published by OWASP under the BSD license. You should read and accept the
~ LICENSE before you use, modify, and/or redistribute this software.
@@ -22,7 +22,7 @@
xsi:schemaLocation="
http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
- version="2.0">
+ version="2.x">
OWASP Enterprise Security API (ESAPI) provides
a JSP Tag Library that supplies easy access to
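Review bot: the `version` attribute on the `<taglib>` root is the JSP specification version the descriptor conforms to, not the ESAPI version; the schema named in `xsi:schemaLocation` (web-jsptaglibrary_2_0.xsd) declares it as a dotted numeric `dewey-versionType` fixed to `2.0`, so `version="2.x"` is likely to fail validation in containers that validate TLDs against the schema. Keep `version="2.0"` and make the "applies to all ESAPI 2.x versions" statement in the description (as the next hunk already does), with `<tlib-version>` carrying the library version.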
@@ -30,6 +30,8 @@
functions. These can be used to properly escape user
supplied data at display time so that it cannot be used
in injection attacks like Cross Site Scripting (XSS).
+ This tag library applies to all of ESAPI 2.x versions. Its
+ interface hasn't changed since 2.0.
OWASP ESAPI2.0
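Review bot: "applies to all of ESAPI 2.x versions" reads better as "applies to all ESAPI 2.x versions". The second sentence, "Its interface hasn't changed since 2.0", is a compatibility claim that should be kept in step with the `<tlib-version>` shown on the following line, so note in the file comment that the two must be updated together if a tag is ever added or changed.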
From 3a78d6d110c67eb06b85bc47e5ef77fc79775161 Mon Sep 17 00:00:00 2001
From: mickeyz07 <32490762+mickeyz07@users.noreply.github.com>
Date: Fri, 6 Sep 2024 00:13:58 +0100
Subject: [PATCH 07/20] Update the logging properties to opt-out of the prefix
events #844 (#845)
* Update the logging properties to opt-out of the prefix events #844
* Update the logging properties to opt-out of the prefix events, second iteration for #844
* Update the logging properties to opt-out of the prefix events, third iteration
* Update the logging properties to opt-out of the prefix events #844 fourth iteration
* Update the logging properties to opt-out of the prefix events #844 fifth iteration
* Update the logging properties to opt-out of the prefix events #844 sixth iteration
* Update the logging properties to opt-out of the prefix events #844 seventh iteration
* Update the logging properties to opt-out of the prefix events ESAPI#844 eighth iteration
* Update the logging properties to opt-out of the prefix events ESAPI#844 ninth iteration
---
configuration/esapi/ESAPI.properties | 4 +
src/main/java/org/owasp/esapi/PropNames.java | 1 +
.../appender/EventTypeLogSupplier.java | 14 ++-
.../logging/appender/LogPrefixAppender.java | 38 ++++--
.../logging/appender/ServerInfoSupplier.java | 22 +++-
.../esapi/logging/java/JavaLogFactory.java | 27 +++-
.../esapi/logging/slf4j/Slf4JLogFactory.java | 27 +++-
.../DefaultSecurityConfiguration.java | 6 +-
...entTypeLogSupplierIgnoreEventTypeTest.java | 45 +++++++
.../appender/LogPrefixAppenderTest.java | 54 +++++++-
.../ServerInfoSupplierIgnoreLogNameTest.java | 116 ++++++++++++++++++
src/test/resources/esapi/ESAPI.properties | 4 +
12 files changed, 337 insertions(+), 21 deletions(-)
create mode 100644 src/test/java/org/owasp/esapi/logging/appender/EventTypeLogSupplierIgnoreEventTypeTest.java
create mode 100644 src/test/java/org/owasp/esapi/logging/appender/ServerInfoSupplierIgnoreLogNameTest.java
diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties
index d489cdce8..b5b6aacc6 100644
--- a/configuration/esapi/ESAPI.properties
+++ b/configuration/esapi/ESAPI.properties
@@ -407,6 +407,10 @@ Logger.UserInfo=true
# Determines whether ESAPI should log the session id and client IP.
Logger.ClientInfo=true
+# Determines whether ESAPI should log the prefix of [EVENT_TYPE - APPLICATION NAME].
+# If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used
+Logger.LogPrefix=true
+
#===========================================================================
# ESAPI Intrusion Detection
#
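Review bot: the comment should state the default applied when `Logger.LogPrefix` is absent, because existing deployments carrying an older ESAPI.properties will not have this key and `getBooleanProp` throws for missing keys; the factories in this patch fall back to `true`, so say so here. The second comment line is a run-on and overstates the effect: "If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used" would be clearer as "With this and all of the Logger.* switches above set to false, the message is logged with no ESAPI prefix at all".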
diff --git a/src/main/java/org/owasp/esapi/PropNames.java b/src/main/java/org/owasp/esapi/PropNames.java
index 2f3f8ee49..ab30e47fa 100644
--- a/src/main/java/org/owasp/esapi/PropNames.java
+++ b/src/main/java/org/owasp/esapi/PropNames.java
@@ -111,6 +111,7 @@ public final class PropNames {
public static final String LOG_ENCODING_REQUIRED = "Logger.LogEncodingRequired";
public static final String LOG_APPLICATION_NAME = "Logger.LogApplicationName";
public static final String LOG_SERVER_IP = "Logger.LogServerIP";
+ public static final String LOG_PREFIX = "Logger.LogPrefix";
public static final String VALIDATION_PROPERTIES = "Validator.ConfigurationFile";
public static final String VALIDATION_PROPERTIES_MULTIVALUED = "Validator.ConfigurationFile.MultiValued";
diff --git a/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java b/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java
index 681839af5..93d3bd416 100644
--- a/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java
+++ b/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java
@@ -30,18 +30,24 @@ public class EventTypeLogSupplier // implements Supplier
{
/** EventType reference to supply log representation of. */
private final EventType eventType;
+ /** Whether to log or not the event type */
+ private boolean logEventType = true;
/**
* Ctr
*
- * @param evtyp EventType reference to supply log representation for
+ * @param eventType EventType reference to supply log representation for
*/
- public EventTypeLogSupplier(EventType evtyp) {
- this.eventType = evtyp == null ? Logger.EVENT_UNSPECIFIED : evtyp;
+ public EventTypeLogSupplier(EventType eventType) {
+ this.eventType = eventType == null ? Logger.EVENT_UNSPECIFIED : eventType;
}
// @Override -- Uncomment when we switch to Java 8 as minimal baseline.
public String get() {
- return eventType.toString();
+ return logEventType ? eventType.toString() : "";
+ }
+
+ public void setLogEventType(boolean logEventType) {
+ this.logEventType = logEventType;
}
}
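Review bot: `setLogEventType` has no Javadoc, unlike the rest of this class, and the field comment "Whether to log or not the event type" should read "Whether or not to log the event type". Functionally, `get()` returning `""` when disabled is fine, but `LogPrefixAppender` in this same patch additionally guards the append with `if (this.logPrefix)`, so one of the two checks is redundant; keep the check in the supplier alone (mirroring `UserInfoSupplier.setLogUserInfo`) so the two cannot drift apart.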
diff --git a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
index 20f692ebf..57cddfa26 100644
--- a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
+++ b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
@@ -35,27 +35,47 @@ public class LogPrefixAppender implements LogAppender {
private final boolean logApplicationName;
/** Application Name to record. */
private final String appName;
+ /** Whether or not to print the prefix. */
+ private final boolean logPrefix;
/**
- * Ctr.
+ * Constructor
*
* @param logUserInfo Whether or not to record user information
* @param logClientInfo Whether or not to record client information
* @param logServerIp Whether or not to record server ip information
* @param logApplicationName Whether or not to record application name
* @param appName Application Name to record.
+ * @param logPrefix is set by default to true
*/
+ @SuppressWarnings("JavadocReference")
public LogPrefixAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) {
+ this(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, true);
+ }
+
+ /**
+ * Constructor
+ *
+ * @param logUserInfo Whether or not to record user information
+ * @param logClientInfo Whether or not to record client information
+ * @param logServerIp Whether or not to record server ip information
+ * @param logApplicationName Whether or not to record application name
+ * @param appName Application Name to record.
+ * @param logPrefix Whether or not to print the prefix
+ */
+ public LogPrefixAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName, boolean logPrefix) {
this.logUserInfo = logUserInfo;
this.logClientInfo = logClientInfo;
this.logServerIp = logServerIp;
this.logApplicationName = logApplicationName;
this.appName = appName;
+ this.logPrefix = logPrefix;
}
@Override
public String appendTo(String logName, EventType eventType, String message) {
EventTypeLogSupplier eventTypeSupplier = new EventTypeLogSupplier(eventType);
+ eventTypeSupplier.setLogEventType(this.logPrefix);
UserInfoSupplier userInfoSupplier = new UserInfoSupplier();
userInfoSupplier.setLogUserInfo(logUserInfo);
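Review bot: the 5-argument constructor's Javadoc gains `@param logPrefix is set by default to true` for a parameter that constructor does not have, and `@SuppressWarnings("JavadocReference")` is added to hide the resulting warning; javac does not recognise that token (it is an IDE inspection name), so it is noise in the source. Drop both and say in the constructor description that it delegates with `logPrefix = true`. The 6-argument constructor's Javadoc is correct as written.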
@@ -66,6 +86,7 @@ public String appendTo(String logName, EventType eventType, String message) {
ServerInfoSupplier serverInfoSupplier = new ServerInfoSupplier(logName);
serverInfoSupplier.setLogServerIp(logServerIp);
serverInfoSupplier.setLogApplicationName(logApplicationName, appName);
+ serverInfoSupplier.setLogLogName(logPrefix);
String eventTypeMsg = eventTypeSupplier.get().trim();
String userInfoMsg = userInfoSupplier.get().trim();
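Review bot: `serverInfoSupplier.setLogLogName(logPrefix)` couples the module/log name to the same switch as the event type, so `Logger.LogPrefix=false` also drops the logger name from every line, which is more than the `[EVENT_TYPE - APPLICATION NAME]` wording in the ESAPI.properties comment advertises. If that is the intent, say so in the property comment and in the 6-argument constructor's `@param logPrefix`; if not, give the log name its own property (a `Logger.LogName` key, suggested name only) so the two can be toggled independently.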
@@ -80,17 +101,20 @@ public String appendTo(String logName, EventType eventType, String message) {
String[] optionalPrefixContent = new String[] {userInfoMsg + clientInfoMsg, serverInfoMsg};
- StringBuilder logPrefix = new StringBuilder();
- //EventType is always appended
- logPrefix.append(eventTypeMsg);
+ StringBuilder logPrefixBuilder = new StringBuilder();
+ //EventType is always appended (unless we specifically asked not to Log Prefix)
+ if (this.logPrefix) {
+ logPrefixBuilder.append(eventTypeMsg);
+ }
for (String element : optionalPrefixContent) {
if (!element.isEmpty()) {
- logPrefix.append(" ");
- logPrefix.append(element);
+ logPrefixBuilder.append(" ");
+ logPrefixBuilder.append(element);
}
}
- return String.format(RESULT_FORMAT, logPrefix.toString(), message);
+ String logPrefixContent = logPrefixBuilder.toString();
+ return logPrefixContent.trim().isEmpty() ? message : String.format(RESULT_FORMAT, logPrefixContent, message);
}
}
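Review bot: with `logPrefix == false` and any optional content present, `logPrefixBuilder` begins with the `" "` that the loop appends before each element, and the untrimmed `logPrefixContent` is what is passed to `String.format(RESULT_FORMAT, ...)`; `trim()` is used only for the emptiness test. Assign `logPrefixBuilder.toString().trim()` to `logPrefixContent` so the leading space never reaches the output. The `if (this.logPrefix)` guard also duplicates the `eventTypeSupplier.setLogEventType(this.logPrefix)` call made earlier in this method, which already yields an empty `eventTypeMsg`; keep one of the two.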
diff --git a/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java b/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java
index 45fb4da55..8d62a58f0 100644
--- a/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java
+++ b/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java
@@ -34,7 +34,8 @@ public class ServerInfoSupplier // implements Supplier
private boolean logAppName = true;
/** The application name to log. */
private String applicationName = "";
-
+ /** Whether to log the Name */
+ private boolean logLogName = true;
/** Reference to the associated logname/module name. */
private final String logName;
@@ -57,10 +58,14 @@ public String get() {
appInfo.append(request.getLocalAddr()).append(":").append(request.getLocalPort());
}
}
- if (logAppName) {
- appInfo.append("/").append(applicationName);
+
+ if (this.logAppName) {
+ appInfo.append("/").append(this.applicationName);
+ }
+
+ if (this.logLogName) {
+ appInfo.append("/").append(logName);
}
- appInfo.append("/").append(logName);
return appInfo.toString();
}
@@ -74,6 +79,15 @@ public void setLogServerIp(boolean log) {
this.logServerIP = log;
}
+ /**
+ * Specify whether the instance should record the prefix.
+ *
+ * @param logLogName {@code true} to record
+ */
+ public void setLogLogName(boolean logLogName) {
+ this.logLogName = logLogName;
+ }
+
/**
* Specify whether the instance should record the application name
*
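Review bot: the Javadoc for `setLogLogName` says "Specify whether the instance should record the prefix", but what the flag controls (per the `get()` hunk above) is whether `logName` is appended; describe that instead. The field name `logLogName` and its comment "Whether to log the Name" are equally ambiguous; a name such as `logModuleName` (suggested name only) with a comment "Whether to append the logger/module name" would match the existing "Reference to the associated logname/module name" wording.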
diff --git a/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java b/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
index 9ebd52d92..8cca8fb25 100644
--- a/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
@@ -20,6 +20,7 @@
import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_PREFIX;
import java.io.IOException;
import java.io.InputStream;
@@ -79,7 +80,17 @@ public class JavaLogFactory implements LogFactory {
boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
- JAVA_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
+
+ boolean logPrefix = true;
+ try {
+ logPrefix = ESAPI.securityConfiguration().getBooleanProp(LOG_PREFIX);
+ } catch (ConfigurationException ex) {
+ System.out.println("ESAPI: Failed to read Log Prefix configuration " + LOG_PREFIX + ". Defaulting to enabled" +
+ ". Caught " + ex.getClass().getName() +
+ "; exception message was: " + ex);
+ }
+
+ JAVA_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
Map levelLookup = new HashMap<>();
levelLookup.put(Logger.ALL, JavaLogLevelHandlers.ALWAYS);
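Review bot: this hunk catches `ConfigurationException` but the patch adds no import for it in this file, whereas the Slf4JLogFactory hunk in the same patch adds `import org.owasp.esapi.errors.ConfigurationException;`; confirm JavaLogFactory already imports it, or the file will not compile. The try/catch itself is justified, since `DefaultSecurityConfiguration.getBooleanProp` throws when the key is absent and older ESAPI.properties files will lack `Logger.LogPrefix`, but reporting through `System.out.println` inside a log factory is awkward, and the identical block appears in both factories; a small shared package-private helper (a `readLogPrefixProperty()` in a common logging package, suggested name only) that applies the `true` default and reports once would remove the duplication.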
@@ -144,6 +155,20 @@ public class JavaLogFactory implements LogFactory {
return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
}
+ /**
+ * Populates the default log appender for use in factory-created loggers.
+ * @param appName
+ * @param logApplicationName
+ * @param logServerIp
+ * @param logClientInfo
+ * @param logPrefix
+ *
+ * @return LogAppender instance.
+ */
+ /*package*/ static LogAppender createLogAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName, boolean logPrefix) {
+ return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
+ }
+
@Override
public Logger getLogger(String moduleName) {
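Review bot: the new `createLogAppender` overload's Javadoc lists `@param` tags with no descriptions, in an order that does not match the signature, and omits `logUserInfo`; either describe each parameter or refer the reader to the 5-argument overload. Also have the retained 5-argument overload delegate to this one with `true` rather than constructing `LogPrefixAppender` on its own, exactly as the appender's own 5-argument constructor now does in this patch, so the default lives in one place.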
diff --git a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
index af113b80c..5e1810a93 100644
--- a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
@@ -23,6 +23,7 @@
import org.owasp.esapi.LogFactory;
import org.owasp.esapi.Logger;
import org.owasp.esapi.codecs.HTMLEntityCodec;
+import org.owasp.esapi.errors.ConfigurationException;
import org.owasp.esapi.logging.appender.LogAppender;
import org.owasp.esapi.logging.appender.LogPrefixAppender;
import org.owasp.esapi.logging.cleaning.CodecLogScrubber;
@@ -36,6 +37,7 @@
import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
import static org.owasp.esapi.PropNames.APPLICATION_NAME;
import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
+import static org.owasp.esapi.PropNames.LOG_PREFIX;
import org.slf4j.LoggerFactory;
/**
* LogFactory implementation which creates SLF4J supporting Loggers.
@@ -69,7 +71,17 @@ public class Slf4JLogFactory implements LogFactory {
boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
- SLF4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
+
+ boolean logPrefix = true;
+ try {
+ logPrefix = ESAPI.securityConfiguration().getBooleanProp(LOG_PREFIX);
+ } catch (ConfigurationException ex) {
+ System.out.println("ESAPI: Failed to read Log Prefix configuration " + LOG_PREFIX + ". Defaulting to enabled" +
+ ". Caught " + ex.getClass().getName() +
+ "; exception message was: " + ex);
+ }
+
+ SLF4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
Map levelLookup = new HashMap<>();
levelLookup.put(Logger.ALL, Slf4JLogLevelHandlers.TRACE);
@@ -114,6 +126,19 @@ public class Slf4JLogFactory implements LogFactory {
return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
}
+ /**
+ * Populates the default log appender for use in factory-created loggers.
+ * @param appName
+ * @param logApplicationName
+ * @param logServerIp
+ * @param logClientInfo
+ * @param logPrefix
+ *
+ * @return LogAppender instance.
+ */
+ /*package*/ static LogAppender createLogAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName, boolean logPrefix) {
+ return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
+ }
@Override
public Logger getLogger(String moduleName) {
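Review bot: this overload and its Javadoc are a verbatim copy of the JavaLogFactory change in the same patch (undocumented, mis-ordered `@param` tags, `logUserInfo` omitted), and the property-reading try/catch above it is copied as well. Fix the Javadoc here the same way, and consider lifting both the property read with its `true` default and the appender construction into a shared package-private helper so the two factories cannot diverge the next time a logging switch is added.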
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
index 8cba81982..eb561349b 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -1441,14 +1441,14 @@ public Boolean getBooleanProp(String propertyName) throws ConfigurationException
try {
return esapiPropertyManager.getBooleanProp(propertyName);
} catch (ConfigurationException ex) {
- String property = properties.getProperty( propertyName );
+ String property = properties.getProperty(propertyName);
if ( property == null ) {
throw new ConfigurationException( "SecurityConfiguration for " + propertyName + " not found in ESAPI.properties");
}
- if ( property.equalsIgnoreCase("true") || property.equalsIgnoreCase("yes" ) ) {
+ if ( property.equalsIgnoreCase("true") || property.equalsIgnoreCase("yes") ) {
return true;
}
- if ( property.equalsIgnoreCase("false") || property.equalsIgnoreCase( "no" ) ) {
+ if ( property.equalsIgnoreCase("false") || property.equalsIgnoreCase("no") ) {
return false;
}
throw new ConfigurationException( "SecurityConfiguration for " + propertyName + " has incorrect " +
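Review bot: the three changed lines in `getBooleanProp` are whitespace-only and unrelated to the log-prefix feature; they inflate the diff of a functional change and make `git blame` on the fallback logic point at this PR. Either drop them or move them to a separate formatting commit. As it stands the result is also inconsistent within the method, since the neighbouring `if ( property == null )` and the `throw new ConfigurationException( "..."` lines keep the old spacing style.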
diff --git a/src/test/java/org/owasp/esapi/logging/appender/EventTypeLogSupplierIgnoreEventTypeTest.java b/src/test/java/org/owasp/esapi/logging/appender/EventTypeLogSupplierIgnoreEventTypeTest.java
new file mode 100644
index 000000000..3f8858bfa
--- /dev/null
+++ b/src/test/java/org/owasp/esapi/logging/appender/EventTypeLogSupplierIgnoreEventTypeTest.java
@@ -0,0 +1,45 @@
+package org.owasp.esapi.logging.appender;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.owasp.esapi.Logger;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+@RunWith(Parameterized.class)
+public class EventTypeLogSupplierIgnoreEventTypeTest {
+
+ @Parameterized.Parameters (name="{0} -> {1}")
+ public static Collection
* Customization: It is expected that most organizations may wish to implement their own custom {@code Logger} class in
- * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations
+ * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI reference implementations
* can serve as a useful starting point to intended to provide a simple functional example of an implementation, but
- * they are also largely usuable out-of-the-box with some additional minimal log configuration.
+ * they are also largely usable out-of-the-box with some additional minimal log configuration.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
index 564206de0..e0b529b49 100644
--- a/src/main/java/org/owasp/esapi/SecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
@@ -179,7 +179,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* considered the default key size that ESAPI will use for symmetric
* ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength,
* which is the minimum key size (in bits) that ESAPI will support
- * for encryption. (There is no miminimum for decryption.)
+ * for encryption. (There is no minimum for decryption.)
*
* @return the key length (in bits)
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java
index 55f8c55a3..ef95a91ce 100644
--- a/src/main/java/org/owasp/esapi/StringUtilities.java
+++ b/src/main/java/org/owasp/esapi/StringUtilities.java
@@ -90,7 +90,7 @@ public static boolean contains(StringBuilder input, char c) {
}
/**
- * Returns the replace value if the value of test is null, "null", or ""
+ * Returns {@code replace} if {@code test} is null, "null" (case-insensitive), or blank, otherwise {@code test}
*
* @param test The value to test
* @param replace The replacement value
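Review bot: the rewritten Javadoc now promises two things the old text did not, a case-insensitive comparison with "null" and treatment of blank (whitespace-only) input as empty; the implementation is not in this hunk, so confirm it actually uses `equalsIgnoreCase` and trims before the emptiness check. If it does not, the documentation change widens the contract beyond the code, and callers relying on it to strip whitespace-only values would be misled.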
diff --git a/src/main/java/org/owasp/esapi/User.java b/src/main/java/org/owasp/esapi/User.java
index 6c29b4f59..fc5ca980c 100644
--- a/src/main/java/org/owasp/esapi/User.java
+++ b/src/main/java/org/owasp/esapi/User.java
@@ -380,7 +380,7 @@ public interface User extends Principal, Serializable {
/**
* Set the time of the last failed login for this user.
*
- * @param lastFailedLoginTime the date and time when the user just failed to login correctly.
+ * @param lastFailedLoginTime the date and time when the user just failed to authenticate correctly.
*/
void setLastFailedLoginTime(Date lastFailedLoginTime);
diff --git a/src/main/java/org/owasp/esapi/Validator.java b/src/main/java/org/owasp/esapi/Validator.java
index c662daaa1..be16fbf50 100644
--- a/src/main/java/org/owasp/esapi/Validator.java
+++ b/src/main/java/org/owasp/esapi/Validator.java
@@ -384,10 +384,10 @@ public interface Validator {
boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException;
/**
- * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+ * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
* it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
* returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
- * that gets HTML encoded (e.g., a single quote (') might get chaged to """).
+ * that gets HTML encoded (e.g., a single quote (') might get changed to """).
*
* The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
* (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your
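Review bot: the example in the corrected sentence ends with three double-quote characters (`changed to """`), which cannot be the intended HTML-encoded form of a single quote; the entity or escape sequence in the source appears to have been lost, so check how this renders in the generated Javadoc and write the encoded value out explicitly. The same sentence is repeated verbatim in the next overload's Javadoc below, so whatever the fix is applies to both places.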
@@ -414,10 +414,10 @@ public interface Validator {
String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException;
/**
- * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+ * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
* it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
* returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
- * that gets HTML encoded (e.g., a single quote (') might get chaged to """).
+ * that gets HTML encoded (e.g., a single quote (') might get changed to """).
*
* The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
* (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your
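Review bot: this hunk is a word-for-word copy of the Javadoc fixed in the previous hunk for the other `getValidSafeHTML` overload, so the same `"""` example issue applies here, and the two blocks should be kept in sync (or one should carry the full description and the other point to it with `@see`) so future fixes do not land in only one of them.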
diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java
index 77c153fcd..5149b5d0a 100644
--- a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java
+++ b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java
@@ -25,7 +25,7 @@
*
* Be sure to see the several WARNINGs associated with the detailed
* method descriptions. You will not find that in the "Method Summary" section
- * of the javadoc because that only shows the intial sentence.
+ * of the javadoc because that only shows the initial sentence.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
@@ -96,7 +96,7 @@ public String encodeCharacter( char[] immune, Character c ) {
/**
- * To prevent accidental footgun usage and calling
+ * To prevent accidental usage and calling
* {@link #encodeCharacter( char[], int)} when called with {@code char} and
* {@code char} is first silently converted to {@code int} and then the
* unexpected method is called.
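Review bot: dropping "footgun" leaves the sentence without a main clause ("To prevent accidental usage and calling ... when called with {@code char} and {@code char} is first silently converted ..."); reword it along the lines of "Overload that prevents {@link #encodeCharacter( char[], int)} from being called accidentally with a {@code char}, which would otherwise be silently widened to {@code int} and dispatched to the wrong method."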
diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java
index f90e07dbb..31b338d90 100644
--- a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java
+++ b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java
@@ -19,7 +19,7 @@
/**
* This Abstract class provides the generic logic for using a {@link PushbackSequence}
- * in regards to iterating strings. The final Impl is intended for the user to supply
+ * in regard to iterating strings. The final Impl is intended for the user to supply
* a type T such that the pushback interface can be utilized for sequences
* of type T. Presently this generic class is limited by the fact that
* input is a String.
diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java
index 1af941510..0d7097afd 100644
--- a/src/main/java/org/owasp/esapi/codecs/Base64.java
+++ b/src/main/java/org/owasp/esapi/codecs/Base64.java
@@ -72,7 +72,7 @@
* Added the ability to "suspend" encoding in the Output Stream so
* you can turn on and off the encoding if you need to embed base64
* data in an otherwise "normal" stream (like an XML file).
- *
v1.5 - Output stream pases on flush() command but doesn't do anything itself.
+ *
v1.5 - Output stream passes on flush() command but doesn't do anything itself.
* This helps when using GZIP streams.
* Added the ability to GZip-compress objects before encoding them.
*
v1.4 - Added helper methods to read/write files.
diff --git a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java
index 84ccb2ca5..d71b6e536 100644
--- a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java
+++ b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java
@@ -119,7 +119,7 @@ public String encodeCharacter( char[] immune, int codePoint ) {
* Returns the decoded version of the character starting at index, or
* null if no decoding is possible.
*
- * Formats all are legal both with and without semi-colon, upper/lower case:
+ * Formats all are legal both with and without semicolon, upper/lower case:
* dddd;
* hhhh;
* &name;
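Review bot: "Formats all are legal both with and without semicolon, upper/lower case:" is still awkward and the format list that follows shows only `dddd;`, `hhhh;` and `&name;`; if the `&#` and `&#x` prefixes are really absent from the Javadoc source, restore them, and consider "All of the following formats are accepted, with or without a trailing semicolon and in either case:" since accepting unterminated entities is the behaviour a caller most needs to know about.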
@@ -198,7 +198,7 @@ private Integer parseNumber( PushbackSequence input ) {
sb.appendCodePoint( c );
input.next();
- // if character is a semi-colon, eat it and quit
+ // if character is a semicolon, eat it and quit
} else if (c == ';' ) {
input.next();
break;
@@ -239,7 +239,7 @@ private Integer parseHex( PushbackSequence input ) {
sb.appendCodePoint( c );
input.next();
- // if character is a semi-colon, eat it and quit
+ // if character is a semicolon, eat it and quit
} else if (c == ';' ) {
input.next();
break;
@@ -312,7 +312,7 @@ private Integer getNamedEntity( PushbackSequence input ) {
for(int i=0;i getLongestMatch(CharSequence key)
}
/**
- * Get the key value entry who's key is the longest prefix match.
+ * Get the key value entry whose key is the longest prefix match.
* @param keyIn Pushback reader to read the key from. This should
* have a buffer at least as large as {@link #getMaxKeyLength()}
* or an IOException may be thrown backing up.
@@ -549,7 +549,7 @@ public T get(Object key)
/**
* Get the number of entries.
- * @return the number or entries.
+ * @return the number of entries.
*/
public int size()
{
diff --git a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java
index 193dfa208..c507b0362 100644
--- a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java
+++ b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java
@@ -63,7 +63,7 @@ public class MySQLCodec extends AbstractCharacterCodec {
* please see the Manual at
* @link http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html#sqlmode_ansi
*
- * Currently the only supported modes are:
+ * Currently, the only supported modes are:
* ANSI
* STANDARD
*/
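Review bot: `@link http://dev.mysql.com/...` on the context line above is not valid Javadoc, because `{@link}` takes a program element, not a URL; use `@see <a href="...">...</a>` or an inline `<a>` so the reference renders, and the 5.0 manual is very old, so point at a current page for `sql_mode`.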
@@ -195,7 +195,7 @@ private String encodeCharacterMySQL( Character c ) {
* Returns the decoded version of the character starting at index, or
* null if no decoding is possible.
*
- * Formats all are legal (case sensitive)
+ * Formats all are legal (case-sensitive)
* In ANSI_MODE '' decodes to '
* In MYSQL_MODE \x decodes to x (or a small list of specials)
*/
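Review bot: the modes named here (`ANSI_MODE`, `MYSQL_MODE`) do not match the names listed in the class Javadoc of the previous hunk ("ANSI", "STANDARD"); use the same identifiers in both places, ideally the actual mode constants, so readers can tell which setting produces the `''` versus `\x` decoding.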
diff --git a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java
index 9f0c5223c..4f0847f1e 100644
--- a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java
+++ b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java
@@ -60,9 +60,9 @@ public Integer nextOctal() {
}
/**
- * Returns true if the parameter character is a hexidecimal digit 0 through 9, a through f, or A through F.
+ * Returns true if the parameter character is a hexadecimal digit 0 through 9, a through f, or A through F.
* @param c
- * @return true if it is a hexidecimal digit, false otherwise.
+ * @return true if it is a hexadecimal digit, false otherwise.
*/
public static boolean isHexDigit( Integer c ) {
if ( c == null ) return false;
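Review bot: `@param c` on the context line is still empty after this fix; give it a description (the code point to test, with null returning false as the body shows), and the same empty `@param c` appears in the `PushbackString.isHexDigit(Character)` Javadoc in the next hunk.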
diff --git a/src/main/java/org/owasp/esapi/codecs/PushbackString.java b/src/main/java/org/owasp/esapi/codecs/PushbackString.java
index b25cc1f20..377ed829e 100644
--- a/src/main/java/org/owasp/esapi/codecs/PushbackString.java
+++ b/src/main/java/org/owasp/esapi/codecs/PushbackString.java
@@ -124,11 +124,11 @@ public Character nextOctal() {
}
/**
- * Returns true if the parameter character is a hexidecimal digit 0 through
+ * Returns true if the parameter character is a hexadecimal digit 0 through
* 9, a through f, or A through F.
*
* @param c
- * @return true if it is a hexidecimal digit, false otherwise.
+ * @return true if it is a hexadecimal digit, false otherwise.
*/
public static boolean isHexDigit(Character c) {
if (c == null){
diff --git a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java
index 309485428..9ca5c51a8 100644
--- a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java
+++ b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java
@@ -89,7 +89,7 @@ public String restoreOriginalContent(String input) {
/**
* Allows the marker used as a replacement to be altered.
*
- * @param marker String replacment to use for regex matches.
+ * @param marker String replacement to use for regex matches.
*/
public void setReplacementMarker(String marker) {
if (!replacedContentList.isEmpty()) {
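Review bot: the Javadoc for `setReplacementMarker` says only that the marker can be altered, but the guard `if (!replacedContentList.isEmpty())` on the context line shows it is conditional on no replacements being pending; document that precondition (and whatever happens when it is violated) with an `@throws` tag while this comment is being touched.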
diff --git a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java
index 8869694ce..2ca897707 100644
--- a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java
+++ b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java
@@ -7,7 +7,7 @@
import java.util.Properties;
/**
- * Abstrace class that supports two "levels" of priorities for ESAPI properties.
+ * Abstract class that supports two "levels" of priorities for ESAPI properties.
* The higher level is the property file supported by an "operations" team and
* the lower level is the property file intended to be supported by the
* "development" team. ESAPI properties defined in the lower level properties
@@ -42,7 +42,7 @@ public AbstractPrioritizedPropertyLoader(String filename, int priority) throws I
/**
* Get priority of this property loader. If two and more loaders can return value for the same property key,
- * the one with highest priority will be chosen.
+ * the one with the highest priority will be chosen.
* @return priority of this property loader
*/
public int priority() {
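Review bot: the sentence still reads "If two and more loaders can return value for the same property key" on the context line; since the hunk is already editing this comment, make it "If two or more loaders can return a value for the same property key".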
diff --git a/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java b/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java
index e5e330569..43df2fa1c 100644
--- a/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java
+++ b/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java
@@ -16,7 +16,7 @@ public enum EsapiConfiguration {
String configName;
/**
- * Priority of configuration (higher numer - higher priority).
+ * Priority of configuration (higher number - higher priority).
*/
int priority;
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherText.java b/src/main/java/org/owasp/esapi/crypto/CipherText.java
index e0b549da3..185ac5e14 100644
--- a/src/main/java/org/owasp/esapi/crypto/CipherText.java
+++ b/src/main/java/org/owasp/esapi/crypto/CipherText.java
@@ -494,7 +494,7 @@ public boolean validateMAC(SecretKey authKey) {
/**
* Return this {@code CipherText} object as a portable (i.e., network byte
* ordered) serialized byte array. Note this is not the same as
- * returning a serialized object using Java serialization. Instead this
+ * returning a serialized object using Java serialization. Instead, this
* is a representation that all ESAPI implementations will use to pass
* ciphertext between different programming language implementations.
*
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java
index c5daa7d85..3e155f440 100644
--- a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java
+++ b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java
@@ -26,7 +26,7 @@
* and do not have extensive support for the various implementation languages which ESAPI
* supports. (Perhaps wishful thinking that other ESAPI implementations such as
* ESAPI for .NET, ESAPI for C, ESAPI for C++, etc. will all support a single, common
- * serialization technique so they could exchange encrypted data.)
+ * serialization technique, so they could exchange encrypted data.)
*
* @author kevin.w.wall@gmail.com
* @since 2.0
@@ -207,7 +207,7 @@ private byte[] computeSerialization(int kdfInfo, long timestamp,
// All strings are written as UTF-8 encoded byte streams with the
// length prepended before it as a short. The prepended length is
- // more for the benefit of languages like C so they can pre-allocate
+ // more for the benefit of languages like C, so they can pre-allocate
// char arrays without worrying about buffer overflows.
private void writeString(ByteArrayOutputStream baos, String str) {
byte[] bytes;
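Review bot: the comment promises that the prepended `short` length lets C readers pre-allocate "without worrying about buffer overflows", which only holds if `writeString` refuses strings whose UTF-8 length does not fit in a short and readers validate the length before allocating; state the bound in the comment so the serialization contract is explicit.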
@@ -405,7 +405,7 @@ private CipherText convertToCipherText(byte[] cipherTextSerializedBytes)
// Fixed in ESAPI crypto version 20130839. Previously is didn't really matter
// because there was only one version (20110203) and it defaulted to that
// version, which was the current version. But we don't want that as now there
- // are two versions and we could be decrypting data encrypted using the previous
+ // are two versions, and we could be decrypting data encrypted using the previous
// version.
ct.setKDF_PRF(kdfPrf);
ct.setKDFVersion(kdfVers);
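Review bot: the context line "Previously is didn't really matter" should be "Previously it didn't really matter", and "20130839" on the same line does not look like a YYYYMMDD value (there is no day 39), so check it against the actual KDF version constant while this comment is being edited.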
diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
index 922fbf33d..2254837ce 100644
--- a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
+++ b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
@@ -50,7 +50,7 @@ public class CryptoHelper {
* @param keySize The key size, in bits.
* @return A random {@code SecretKey} is returned.
* @throws EncryptionException Thrown if cannot create secret key conforming to
- * requested algorithm with requested size. Typically this is caused by
+ * requested algorithm with requested size. Typically, this is caused by
* specifying an unavailable algorithm or invalid key size.
*/
public static SecretKey generateSecretKey(String alg, int keySize)
@@ -128,7 +128,7 @@ public static SecretKey generateSecretKey(String alg, int keySize)
* be a common encoding supported by all Java implementations. Support
* for it is usually in rt.jar.) This exception is also thrown if the
* requested {@code keySize} parameter exceeds the length of the number of
- * bytes provded in the {@code keyDerivationKey} parameter.
+ * bytes provided in the {@code keyDerivationKey} parameter.
* @throws InvalidKeyException Likely indicates a coding error. Should not happen.
* @throws EncryptionException Throw for some precondition violations.
* @deprecated Use same method in {@code KeyDerivationFunction} instead. This method will be removed as of
@@ -254,7 +254,7 @@ public static boolean isMACRequired(CipherText ct) {
* should be embedded within the {@code CipherText} object by using a
* derived key based on the specified {@code SecretKey}.
*
- * @param sk The {@code SecretKey} used to derived a key to check
+ * @param sk The {@code SecretKey} used to derive a key to check
* the authenticity via the MAC.
* @param ct The {@code CipherText} that we are checking for a
* valid MAC.
diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java
index c12ee10dc..c6171b75a 100644
--- a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java
+++ b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java
@@ -68,10 +68,10 @@
*
* The attribute value may contain any value. However, values containing
* either '=' or ';' will be quoted using '\'. Likewise, values containing '\'
- * will also be quoted using '\'. Hence if original name/value pair were
+ * will also be quoted using '\'. Hence, if original name/value pair were
* name=ab=xy\; * this would be represented as name=ab\=xy\\\;.
* To ensure things are "safe" (from a security perspective), attribute
- * names must conform the the Java regular expression
+ * names must conform to the Java regular expression
*
* [A-Za-z0-9_\.-]+
*
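Review bot: the fixed line still lacks an article, "Hence, if original name/value pair were"; make it "Hence, if the original name/value pair were", and the "name=ab=xy\; * this would be represented as" line appears to have a stray ` * ` from a joined Javadoc line that should be split back.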
diff --git a/src/main/java/org/owasp/esapi/crypto/PlainText.java b/src/main/java/org/owasp/esapi/crypto/PlainText.java
index 60fda894c..4866b8048 100644
--- a/src/main/java/org/owasp/esapi/crypto/PlainText.java
+++ b/src/main/java/org/owasp/esapi/crypto/PlainText.java
@@ -16,7 +16,7 @@
* an {@code UnsupportedEncodingException}. However, UTF-8 encoding
* should be a standard encoding for all Java installations, so an
* {@code UnsupportedEncodingException} never actually be thrown. Therefore,
- * in order to to keep client code uncluttered, any possible
+ * in order to keep client code uncluttered, any possible
* {@code UnsupportedEncodingException}s will be first logged, and then
* re-thrown as a {@code RuntimeException} with the original
* {@code UnsupportedEncodingException} as the cause.
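Review bot: the context line "{@code UnsupportedEncodingException} never actually be thrown" is missing its verb; it should read "should never actually be thrown".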
diff --git a/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java b/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
index ed263e55e..47774b895 100644
--- a/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
+++ b/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
@@ -62,7 +62,7 @@ public void init(FilterConfig filterConfig)
* Checks to see if the current session has exceeded the allowed number
* of requests in the specified time period. If the threshold has been
* exceeded, then a short error message is written to the output stream and
- * no further processing is done on the request. Otherwise the request is
+ * no further processing is done on the request. Otherwise, the request is
* processed as normal.
* @param request
* @param response
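Review bot: `@param request` and `@param response` on the context lines are empty; describe them, and while here note what "a short error message is written to the output stream" means for the response status, since callers of a throttling filter will want to know whether a 429 or similar is set.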
diff --git a/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java b/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
index 26fa7a7a3..71c74c652 100644
--- a/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
+++ b/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
@@ -628,7 +628,7 @@ public String getRequestURI() {
/**
* Returns the URL from the HttpServletRequest after canonicalizing and
* filtering out any dangerous characters.
- * @return The currect request URL
+ * @return The current request URL
*/
public StringBuffer getRequestURL() {
String url = getHttpServletRequest().getRequestURL().toString();
diff --git a/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java b/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java
index 1638ca51f..72da7f2ba 100644
--- a/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java
+++ b/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java
@@ -21,7 +21,7 @@
* LogScrubber implementation which performs iterative delegate to an ordered
* List of LogScrubbers.
* The results of the delegate list of LogScrubbers is additive, meaning that
- * the the original message is passed to the first delegate and its return value
+ * the original message is passed to the first delegate and its return value
* is passed to the second (etc).
*
*/
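Review bot: the surrounding text still has "performs iterative delegate to an ordered List" and "The results of the delegate list of LogScrubbers is additive" on the context lines; suggest "delegates in order to a List of LogScrubbers" and "are additive" so the whole paragraph is fixed in one pass.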
diff --git a/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java b/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java
index 078afdf9b..2d1243c05 100644
--- a/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java
+++ b/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java
@@ -19,7 +19,7 @@
import org.owasp.esapi.Logger.EventType;
/**
- * Contract for translating an ESAPI log event into an Java log event.
+ * Contract for translating an ESAPI log event into a Java log event.
*
*/
public interface JavaLogBridge {
diff --git a/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java b/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java
index 242ff3e47..c17109913 100644
--- a/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java
+++ b/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java
@@ -90,9 +90,9 @@ public AbstractAccessReferenceMap( int initialSize ) {
* the direct references
* @deprecated This constructor internally calls the abstract method
* {@link #getUniqueReference()}. Since this is a constructor, any
- * subclass that implements getUniqueReference() has not had it's
+ * subclass that implements getUniqueReference() has not had its
* own constructor run. This leads to strange bugs because subclass
- * internal state is initializaed after calls to getUniqueReference()
+ * internal state is initialized after calls to getUniqueReference()
* have already happened. If this constructor is desired in a
* subclass, consider running {@link #update(Set)} in the subclass
* constructor instead.
@@ -108,7 +108,7 @@ public AbstractAccessReferenceMap( Set directReferences ) {
* Instantiates a new access reference map with the specified size allotment
* and initializes the map with the passed in references. Note that if you pass
* in an initialSize that is less than the size of the passed in set, the map will
- * need to be resized while it is being loaded with the references so it is
+ * need to be resized while it is being loaded with the references, so it is
* best practice to verify that the size being passed in is always larger than
* the size of the set that is being passed in.
*
@@ -119,9 +119,9 @@ public AbstractAccessReferenceMap( Set directReferences ) {
*
* @deprecated This constructor internally calls the abstract method
* {@link #getUniqueReference()}. Since this is a constructor, any
- * subclass that implements getUniqueReference() has not had it's
+ * subclass that implements getUniqueReference() has not had its
* own constructor run. This leads to strange bugs because subclass
- * internal state is initializaed after calls to getUniqueReference()
+ * internal state is initialized after calls to getUniqueReference()
* have already happened. If this constructor is desired in a
* subclass, consider running {@link #update(Set)} in the subclass
* constructor instead.
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java b/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java
index 5551f2251..a9300ffa4 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java
@@ -7,7 +7,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body using Base64.
+ * JSP tag that encodes its body using Base64.
*/
public class EncodeForBase64Tag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java
index 1def5ee07..b2e6452cb 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java
@@ -3,7 +3,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in CSS.
+ * JSP tag that encodes its body for use in CSS.
*/
public class EncodeForCSSTag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java
index 5e07d8c7f..969bb0015 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java
@@ -19,7 +19,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in a HTML attribute.
+ * JSP tag that encodes its body for use in a HTML attribute.
*/
public class EncodeForHTMLAttributeTag extends BaseEncodeTag
{
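Review bot: the new line reads "for use in a HTML attribute"; it should be "an HTML attribute".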
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java
index 3cd317557..d9584dffa 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java
@@ -19,7 +19,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in HTML.
+ * JSP tag that encodes its body for use in HTML.
*/
public class EncodeForHTMLTag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java
index fe4d68eb9..b8d3c5483 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java
@@ -3,7 +3,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in JavaScript.
+ * JSP tag that encodes its body for use in JavaScript.
*/
public class EncodeForJavaScriptTag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java
index 28b03af7e..ab9a6734c 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java
@@ -6,7 +6,7 @@
import org.owasp.esapi.errors.EncodingException;
/**
- * JSP tag that encode's it's body for use in a URL.
+ * JSP tag that encodes its body for use in a URL.
*/
public class EncodeForURLTag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java
index 43ddee272..033ef06f9 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java
@@ -19,7 +19,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in VBScript.
+ * JSP tag that encodes its body for use in VBScript.
*/
public class EncodeForVBScriptTag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java
index 4ad11e87a..7b2a1264c 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java
@@ -3,7 +3,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in a XML attribute.
+ * JSP tag that encodes its body for use in a XML attribute.
*/
public class EncodeForXMLAttributeTag extends BaseEncodeTag
{
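Review bot: the new line reads "for use in a XML attribute"; it should be "an XML attribute".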
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java
index 320b0484a..f06ad3710 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java
@@ -3,7 +3,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in XML.
+ * JSP tag that encodes its body for use in XML.
*/
public class EncodeForXMLTag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java
index 1ff953880..0a36c32c0 100644
--- a/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java
+++ b/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java
@@ -3,7 +3,7 @@
import org.owasp.esapi.Encoder;
/**
- * JSP tag that encode's it's body for use in XPath.
+ * JSP tag that encodes its body for use in XPath.
*/
public class EncodeForXPathTag extends BaseEncodeTag
{
diff --git a/src/main/java/org/owasp/esapi/util/CollectionsUtil.java b/src/main/java/org/owasp/esapi/util/CollectionsUtil.java
index 2607f6255..a4284030e 100644
--- a/src/main/java/org/owasp/esapi/util/CollectionsUtil.java
+++ b/src/main/java/org/owasp/esapi/util/CollectionsUtil.java
@@ -40,9 +40,9 @@ public static Set arrayToSet(char...array)
}
/**
- * Convert a char array to a unmodifiable Set.
+ * Convert a char array to an unmodifiable Set.
* @param array the contents of the new Set
- * @return a unmodifiable Set containing the elements in the
+ * @return an unmodifiable Set containing the elements in the
* array.
*/
public static Set arrayToUnmodifiableSet(char...array)
@@ -76,7 +76,7 @@ public static char[] strToChars(String str)
/**
* Convert a String to a set of characters.
* @param str The string to convert
- * @return A set containing the characters in str. A empty set
+ * @return A set containing the characters in str. An empty set
* is returned if str is null.
*/
public static Set strToSet(String str)
@@ -92,9 +92,9 @@ public static Set strToSet(String str)
}
/**
- * Convert a String to a unmodifiable set of characters.
+ * Convert a String to an unmodifiable set of characters.
* @param str The string to convert
- * @return A set containing the characters in str. A empty set
+ * @return A set containing the characters in str. An empty set
* is returned if str is null.
*/
public static Set strToUnmodifiableSet(String str)
diff --git a/src/main/java/org/owasp/esapi/util/ObjFactory.java b/src/main/java/org/owasp/esapi/util/ObjFactory.java
index 0e3340894..3faa6a847 100644
--- a/src/main/java/org/owasp/esapi/util/ObjFactory.java
+++ b/src/main/java/org/owasp/esapi/util/ObjFactory.java
@@ -17,7 +17,7 @@
/**
* A generic object factory to create an object of class T. T must be a concrete
- * class that has a no-argument public constructor or a implementor of the Singleton pattern
+ * class that has a no-argument public constructor or an implementor of the Singleton pattern
* that has a no-arg static getInstance method. If the class being created has a getInstance
* method, it will be used as a singleton and newInstance() will never be called on the
* class no matter how many times it comes through this factory.
From 57c12af7873709e9a660042450cf2bc9d64d02ac Mon Sep 17 00:00:00 2001
From: Debajit Kumar Phukan
<71944582+DebajitKumarPhukan@users.noreply.github.com>
Date: Sat, 14 Sep 2024 22:45:19 +0530
Subject: [PATCH 09/20] Improved documentation (#853)
* Updated README.md
---
README.md | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2956cc916..613a441f4 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI depend
org.owasp.esapiesapi
- 2.5.3.0-SNAPSHOT
+ 2.5.4.0jakarta
```
@@ -46,6 +46,41 @@ fact, without the
```
that's the version that will be used by default.
+# Quickstart - Maven Example
+### Step 1: Add the required maven dependencies.
+```xml
+
+ org.owasp.esapi
+ esapi
+ 2.5.3.0 [or later]
+ jakarta
+
+
+
+ jakarta.servlet
+ jakarta.servlet-api
+ 6.1.0
+ provided
+
+```
+### Step 2: Create 2 properties file namely: ESAPI.properties and validation.properties and add them to your classpath. You can refer to below for boilerplate configurations.
+[ESAPI.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/ESAPI.properties)
+[validation.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/validation.properties)
+
+### Step 3: Let's say, you want to remediate log injection vulnerabilities. Below is an example to achieve it.
+```code
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.Logger;
+
+public class Example {
+ private static Logger LOGGER = ESAPI.getLogger(Example.class);
+ public void printLog(){
+ LOGGER.info(Logger.EVENT_SUCCESS, "Log injection remediated !");
+ }
+}
+```
+For more examples, please visit [https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/).
+
# A word about ESAPI vulnerabilities
A summary of all the vulnerabilities that we have written about in either the
ESAPI Security Bulletins or in the GitHub Security Advisories may be found
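Review bot: the Step 3 example does not demonstrate what its heading claims, because `LOGGER.info(Logger.EVENT_SUCCESS, "Log injection remediated !")` logs a constant string, so nothing untrusted (the CR/LF or control characters ESAPI's logger would scrub) is ever exercised; log a value taken from request input to show the remediation. Also, the fence is tagged ```code rather than ```java, "2.5.3.0 [or later]" inside the version element is not a valid Maven version and will break a copied pom, and "Create 2 properties file namely:" should read "Create two properties files, ESAPI.properties and validation.properties, and add them to your classpath".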
From 84aed566fc7258513ac26e2db6c6bd17e3067efb Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 30 Sep 2024 00:39:48 -0400
Subject: [PATCH 10/20] Modest changes to README.md after PR 853.
---
README.md | 75 +++++++++++++++++++------------------------------------
1 file changed, 26 insertions(+), 49 deletions(-)
diff --git a/README.md b/README.md
index 613a441f4..c793d99c2 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI depend
org.owasp.esapiesapi
- 2.5.4.0
+ 2.5.5.0jakarta
```
@@ -46,40 +46,6 @@ fact, without the
```
that's the version that will be used by default.
-# Quickstart - Maven Example
-### Step 1: Add the required maven dependencies.
-```xml
-
- org.owasp.esapi
- esapi
- 2.5.3.0 [or later]
- jakarta
-
-
-
- jakarta.servlet
- jakarta.servlet-api
- 6.1.0
- provided
-
-```
-### Step 2: Create 2 properties file namely: ESAPI.properties and validation.properties and add them to your classpath. You can refer to below for boilerplate configurations.
-[ESAPI.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/ESAPI.properties)
-[validation.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/validation.properties)
-
-### Step 3: Let's say, you want to remediate log injection vulnerabilities. Below is an example to achieve it.
-```code
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.Logger;
-
-public class Example {
- private static Logger LOGGER = ESAPI.getLogger(Example.class);
- public void printLog(){
- LOGGER.info(Logger.EVENT_SUCCESS, "Log injection remediated !");
- }
-}
-```
-For more examples, please visit [https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/).
# A word about ESAPI vulnerabilities
A summary of all the vulnerabilities that we have written about in either the
@@ -118,7 +84,7 @@ The ESAPI release notes may be found in ESAPI's "documentation" directory. They
See the GitHub [Releases](https://github.com/ESAPI/esapi-java-legacy/releases) information for a list of releases which generally
link to the specific release notes.
-### Really IMPORTANT information in release notes
+### Really IMPORTANT information in release notes - Ignore at your peril
* Starting with ESAPI 2.2.1.0, important details changed reading the ESAPI
Logger. If you have are getting things like ClassNotFoundException, you
probably have not read it. Please be sure to read this specific section
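Review bot: While retitling this section 'Ignore at your peril', the unchanged lines directly under it still carry two typos a reader will trip over: 'important details changed reading the ESAPI Logger' should be 'regarding', and 'If you have are getting' should be 'If you are getting'.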
@@ -176,6 +142,30 @@ references in documentation). If you must, you still should be able to
use Log4J 1.x logging via ESAPI SLF4J support. See the ESAPI 2.5.0.0 release
notes for further details.
+# Quickstart - Maven Example
+### Step 1: Add the required dependencies.
+See https://mvnrepository.com/artifact/org.owasp.esapi/esapi/latest, the tab for
+whatever build tool you are using. If you need the Jakarta version, make sure to
+add
+```xml
+ jakarta
+```
+and include whatever jakara.servlet:jakarta.servlet-api version you are using with
+```xml
+ provided
+```
+### Step 2: Obtain the 2 properties files ESAPI.properties and validation.properties
+1. Download these 2 files from the ESAPI release that you are using from https://github.com/ESAPI/esapi-java-legacy/releases
+ and download the esapi--configuration.jar file (and the .asc file if you wish to confirm the GPG signature).
+2. Unjar that configuration file that you just downloaded and find the 2
+ properties files under the "configuration/esapi" subdirectory where you
+ unjarred the config jar.
+3. Read through Javadoc for [DefaultSecurityConfiguration](https://javadoc.io/static/org.owasp.esapi/esapi/2.5.4.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html)
+ to understand the ways that ESAPI locates these files and then use the mechanism that works best for you. Copy the 2 properties
+ files from the 'configuration/esapi' directory to the directory where you
+ choose to have them reside. Note that you may also edit them to customize
+ them according to your needs.
+
# Contributing to ESAPI legacy
### How can I contribute or help with fix bugs?
Fork and submit a pull request! Easy as pi! (How's that for an irrational
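Review bot: In Step 2, item 1 the file name reads 'esapi--configuration.jar', which looks like a version placeholder such as '<version>' was swallowed because Markdown rendered it as a tag; write the placeholder in backticks so it survives. Item 1 also treats the .asc file as optional ('if you wish'); since these two properties files drive ESAPI's security configuration, suggest recommending GPG verification of the configuration jar rather than leaving it to taste. The Javadoc link in item 3 is pinned to 2.5.4.0 and goes stale with this very release; javadoc.io also serves a 'latest' path. Nits: 'jakara.servlet' should be 'jakarta.servlet', and 'Download these 2 files ... and download the ... jar' says download twice.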
@@ -250,19 +240,6 @@ discussion or even show us how it works with a PR. (Note that we vet all pull
requests, including coding style of any contributions, so please use the same
coding style found in the files you are already editing.)
-# Ancient History
-### What happened to Google code?
-In mid-2014 ESAPI migrated all code and issues from Google Code to GitHub. This migration was completed in November 2014.
-
-### What about the issues still located on Google Code?
-All issues from Google Code have been migrated to GitHub issues. We now
-use GitHut Issues for reporting everything *except* security vulnerabilities.
-Other bug tracking sites are undoubtedly more advanced, but as developers,
-we do not want to spent time having to close issues from multiple bug-tracking
-systems. Therefore, until the synchronization happens with the Atlassian Jira
-instance that we have (but are not using; see GitHub issue #371), please
-ONLY use GitHub Issues for reporting bugs.
-
# References: Where to Find More Information on ESAPI
**OWASP Wiki:** https://owasp.org/www-project-enterprise-security-api/
From 807820e856a0962216375a9e3760b7b2adbbd7eb Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 30 Sep 2024 00:41:23 -0400
Subject: [PATCH 11/20] Update to latest version of bcprov-jdk18on so
Dependabot will stop complaining. Note that this is only used in a 'test'
scope anyway and to the best of my knowledge, none of the tests use any of
the vulnerable Bouncy Castle methods.
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 661519330..6310cb4db 100644
--- a/pom.xml
+++ b/pom.xml
@@ -303,8 +303,8 @@
org.bouncycastle
- bcprov-jdk15on
- 1.70
+ bcprov-jdk18on
+ 1.78.1test
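Review bot: The commit message's analysis that none of the tests exercise the vulnerable Bouncy Castle methods belongs in the repository's Vulnerability-Summary.md (or in a dependency-check suppression with the reason stated), so the next Dependabot alert on bcprov can be answered by reference instead of repeating the analysis; the bump itself is test-scoped and fine.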
From 08f52e7169ee55541eac5afda59761bc94c9b63e Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 30 Sep 2024 00:52:19 -0400
Subject: [PATCH 12/20] Initial commit for Markdown version of
'CONTRIBUTING-TO-ESAPI.txt'.
---
CONTRIBUTING.md | 118 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 118 insertions(+)
create mode 100644 CONTRIBUTING.md
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 000000000..4c095cb35
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,118 @@
+# Contributing to ESAPI -- Details
+
+## Getting Started
+If you have not already done so, go back and read the section
+"[Contributing to ESAPI legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)" in ESAPI's README.md file. It
+may contain updates and advice not contained herein.
+
+### A Special Note on GitHub Authentication
+GitHub has announced that they are deprecating password based authentication
+using username / password and beginning 2021-08-13, you will no longer be
+able to your password to authenticate to 'git' operations on GitHub.com.
+Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
+for details and plan accordingly.
+
+### A Special Note Regarding Making Commits for PRs
+Shortly after the 2.5.1.0 ESAPI release in late November 2022, the ESAPI
+team decided to lock down the 'develop' amd 'main' branches. Merges from
+PRs are done to the 'develop' branch. That means that if you intend to
+contribute to ESAPI, you must be signing your commits. Please see the
+GitHub instructions at
+ https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
+for details.
+
+### Git Branching Model
+We are following the branching model described in
+ https://nvie.com/posts/a-successful-git-branching-model
+If you are unfamiliar with it, you would be advised to give it a quick
+perusal. The major point is that the 'main' (formerly 'master') branch is
+reserved for official releases (which will be tagged), the 'develop' branch
+is used for ongoing development work and is the default branch, and we
+generally work off 'issue' branches named 'issue-#' where # is the GitHub
+issue number. (The last is not an absolute requirement, but rather a
+suggested approach.)
+
+Finally, we recommend setting the git property 'core.autocrlf' to 'input'
+in your $HOME/.gitconfig file; e.g., that file should contain something
+like this:
+
+ [core]
+ autocrlf = input
+
+
+### Required Software
+We use Maven for building. Maven 3.6.3 or later is required. You also need
+JDK 8 or later. [Note: If you use JDK 9 or later, there will be multiple
+failures when you try to run 'mvn test' as well as some general warnings.
+See [ESAPI GitHub issue #496](https://github.com/ESAPI/esapi-java-legacy/issues/496) for details. We welcome volunteers to address
+this.]
+## Finding Something Interesting to Work on
+
+See the section [Contributing to ESAPI Legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)
+in the ESAPI README for suggestions. While you don't *have* to work on something labeled "good first issue"
+or "help wanted", those are good places to start for someone not yet familiar with the ESAPI code base.
+
+You will need a account on GitHub though. Once you create one, let us know
+what it is. Then if you want to work on a particular issue, we can assign
+it to you so someone else won't take it.
+
+If you have questions, email Kevin Wall (Kevin.W.Wall@gmail.com) or Matt
+Seil (xeno6696@gmail.com).
+
+
+## Building ESAPI
+See our local GitHub wiki page, [Building ESAPI](https://github.com/ESAPI/esapi-java-legacy/wiki/Building-ESAPI),
+which briefly discusses how to build ESAPI via Maven.
+
+You can also refer to [Using ESAPI for Java with Eclipse](https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-for-Java-with-Eclipse)
+if you prefer working from IDEs. There is also a much older ESAPI wiki page,
+[Building with Eclipse](https://www.owasp.org/index.php/ESAPI-BuildingWithEclipse)
+that might be useful.
+
+As always, any contributions to ESAPI's admittedly skimpy documentation in this area is welcome.
+In particular, contributing some hints about debugging applications using ESAPI
+would be very useful to our ESAPI clients.
+
+## Steps to work with ESAPI
+I usually do everything from the bash command prompt in Linux Mint,
+but other people use Windows. If you prefer an IDE, I can't help you
+much, but I can help with at least modest problems. If you have more
+difficult problems, I will probably refer you to my project co-leader,
+Matt who groks git a lot better than I.
+
+But the basic high level steps are:
+
+1. Fork https://github.com/ESAPI/esapi-java-legacy to your own GitHub repository using the GitHub web site.
+2. On your local laptop, clone your own GitHub ESAPI repo (i.e, the forked repo created in previous step)
+3. Create a new branch to work on an issue. I usually name the branch 'issue-#' where '#' is the GitHub issue # is will be working on, but you can call it whatever. E.g.,
+ ```bash
+ $ git checkout -b issue-#
+ ```
+4. Work on the GitHub issue on this newly created issue-# branch. Be sure that you also create new JUnit tests as required that confirm that the issue is corrected, or if you are introducing new functionality, ensure
+ that functionality is sufficiently covered.
+5. Make sure everything builds correctly and all the JUnit tests pass ('mvn test'). [Note: There are some known issues with test failures if your are running under Windows and your local ESAPI Git repo located anywhere other than the C: drive, where the test `ValidatorTest.testIsValidDirectoryPath()` fails.
+6. If you have added any dependencies, please also run OWASP Dependency-Check and look at the generated report left in 'target/dependency-check-report.html' to make sure there were not any CVEs introduced. (Alternately you can run 'mvn verify' which will first run the tests and then run Dependency-Check.) Note if this is the first time you have run Dependency-Check for ESAPI, expect it to take a while (often 30 minutes or so!). To execute Dependency Check from Maven, run:
+ ```bash
+ $ mvn org.owasp:dependency-check-maven:check
+ ```
+7. Commit your changes locally.
+8. Push your 'issue-#' branch to your personal, forked ESAPI GitHub repo. E.g.,
+ ```bash
+ $ git checkout issue-444
+ $ git remote -v | grep origin # Confirm 'origin' refers to YOUR PERSONAL GitHub repo
+ $ git push origin issue-444 # Push the committed changes on the 'issue-444' branch
+ ```
+9. Go to your personal, forked ESAPI GitHub repo (web interface) and create a 'Pull Request' (PR) from your 'issue-#' branch.
+10. Back on your local personal laptop / desktop, merge your issue branch with your local 'develop' branch. I.e.,
+ $ git checkout develop
+ $ git merge issue-444
+11. Do not remove your branch on your forked repository until your PR from your branch has been merged into the ESAPI/esapi-java/legacy 'develop' branch.
+ Note at least one the 3 main contributors on will review your commits before
+ merging them and they may do a formal code review and request further changes.
+ Once they are satisfied, they will merge your PR.
+
+In theory, you can do all this 'git' magic from Eclipse and presumably other
+IDEs like Oracle NetBeans or JetBrains IntelliJ IDEA. From Eclipse, it is right-click
+on the project and then select 'Team' to do the commits, etc. If you choose that
+route, you're pretty much on your own because none of us use that for Git
+interactions.
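Review bot: Step 10 merges the issue branch into the local 'develop' before the PR has been reviewed, which leaves a local 'develop' that diverges from upstream if reviewers request changes or merge a squashed version; suggest instead fetching and fast-forwarding 'develop' from ESAPI/esapi-java-legacy once the PR is merged, then deleting the issue branch (step 11 already says not to delete it before then). Smaller points in the same hunk: step 10's two git commands lack the ```bash fence that steps 3, 6 and 8 use; step 11's 'ESAPI/esapi-java/legacy' should be 'ESAPI/esapi-java-legacy'; the note in step 5 opens a '[' that is never closed; 'you will no longer be able to your password' is missing 'use'; ''develop' amd 'main'' should be 'and'; and 'the GitHub issue # is will be working on' should read 'you will be working on'. The GitHub authentication note refers to a 2021-08-13 cutoff that has long passed, so it could simply state that token or SSH authentication is required.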
From 865441e51b974b6791dc0f711c95971f831d22fd Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 30 Sep 2024 19:30:53 -0400
Subject: [PATCH 13/20] Update Maven plugins.
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 6310cb4db..31a4e7379 100644
--- a/pom.xml
+++ b/pom.xml
@@ -132,11 +132,11 @@
UTF-81.372.0.0-M3
- 2.0.0-M9
+ 2.0.0-M102.0.94.8.6
- 4.8.6.2
- 3.3.0
+ 4.8.6.4
+ 3.5.01.8
@@ -533,7 +533,7 @@
org.codehaus.mojoextra-enforcer-rules
- 1.8.0
+ 1.9.0org.codehaus.mojo
From 4ed69f3bc997fce6fb96b4dcb9d1c6b463e656d0 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 30 Sep 2024 19:40:14 -0400
Subject: [PATCH 14/20] Set previous release date to 2024-05-30.
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 31a4e7379..1da06d99f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -141,7 +141,7 @@
- 2023-12-01 00:00:00
+ 2024-05-30 00:00:00
From 53ecd8690525a6381691fa3e239ffa68c84395ec Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 30 Sep 2024 19:51:24 -0400
Subject: [PATCH 15/20] Fix Javadoc warning.
---
.../java/org/owasp/esapi/logging/appender/LogPrefixAppender.java | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
index 57cddfa26..237d43ac6 100644
--- a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
+++ b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
@@ -46,7 +46,6 @@ public class LogPrefixAppender implements LogAppender {
* @param logServerIp Whether or not to record server ip information
* @param logApplicationName Whether or not to record application name
* @param appName Application Name to record.
- * @param logPrefix is set by default to true
*/
@SuppressWarnings("JavadocReference")
public LogPrefixAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) {
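Review bot: With the stale '@param logPrefix' removed, the '@SuppressWarnings("JavadocReference")' on the constructor directly below may have nothing left to suppress; if it was added for exactly this warning, drop it too, so that future Javadoc reference problems in this constructor are not silently hidden.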
From e74b77d43d26642744a0e05fa24b7ea8b7a4850c Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sat, 5 Oct 2024 10:20:26 -0400
Subject: [PATCH 16/20] Add helpful comments in ESAPI release preparation.
---
scripts/README.txt | 3 +++
scripts/esapi4java-core-TEMPLATE-release-notes.txt | 2 ++
2 files changed, 5 insertions(+)
diff --git a/scripts/README.txt b/scripts/README.txt
index 75735efd3..0e28bb29c 100644
--- a/scripts/README.txt
+++ b/scripts/README.txt
@@ -1,5 +1,8 @@
This directory is for utilities used for building / packaging / releasing ESAPI.
+The scripts and configuration files in this directory are mostly used to create ESAPI release notes.
+(The 2 'mvnQuietTest' scripts are the major exceptions to that.)
+
========================
README.txt -- This readme file.
diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
index 280b85483..3aabe5d38 100644
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt
+++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
@@ -48,6 +48,8 @@ ESAPI ${PREV_VERSION} release:
ESAPI ${VERSION} release:
@@@@ Count them and run 'mvn test' to get the # of tests.
+@@@@ Count Java source files by executing:
+@@@@ find src/main -type f -name '*.java' | wc -l
#### Java source files
#### JUnit tests in #### Java source files
From e2053d2d27788005423e082729e1d7c1fbad89e9 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sat, 5 Oct 2024 11:54:23 -0400
Subject: [PATCH 17/20] New release notes
---
.../esapi4java-core-2.5.5.0-release-notes.txt | 199 ++++++++++++++++++
scripts/vars.2.5.5.0 | 14 ++
2 files changed, 213 insertions(+)
create mode 100644 documentation/esapi4java-core-2.5.5.0-release-notes.txt
create mode 100644 scripts/vars.2.5.5.0
diff --git a/documentation/esapi4java-core-2.5.5.0-release-notes.txt b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
new file mode 100644
index 000000000..c03b522ce
--- /dev/null
+++ b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
@@ -0,0 +1,199 @@
+Release notes for ESAPI 2.5.5.0
+ Release date: 2024-10-06
+ Project leaders:
+ -Kevin W. Wall
+ -Matt Seil
+
+Previous release: ESAPI 2.5.4.0, 2024-05-30
+
+
+Executive Summary: Important Things to Note for this Release
+------------------------------------------------------------
+This is a minor release. All changes should be backward compatible with the previous ESAPI version.
+The updates cover the following areas:
+* Updates to dependencies and Maven plugins.
+* New logging feature added which should be useful in cloud environments where you are paying for log storage.
+ See GitHub issue https://github.com/ESAPI/esapi-java-legacy/issues/844 for details.
+* Documentation clean-up.
+
+Notes if you are not updating from the immediate previous release. release 2.5.4.0:
+ * You need to read through the series of release notes FIRST, going in order.
+ * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read:
+
+ esapi4java-core-2.4.0.0-release-notes.txt
+ esapi4java-core-2.5.0.0-release-notes.txt
+ esapi4java-core-2.5.1.0-release-notes.txt
+ esapi4java-core-2.5.2.0-release-notes.txt
+ ...etc., up through the current set of release notes...
+ esapi4java-core-2.x.y.z-release-notes.txt
+
+in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.)
+
+If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI.
+
+You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions.
+
+
+=================================================================================================================
+
+Basic ESAPI facts
+-----------------
+
+ESAPI 2.5.4.0 release:
+ 207 Java source files
+ 4297 JUnit tests in 131 Java source files (0 failures, 0 errors, 0 tests skipped)
+
+ESAPI 2.5.5.0 release:
+ 207 Java source files
+ 4315 JUnit tests in 133 Java source files (0 failures, 0 errors, 0 tests skipped)
+
+8 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive')
+(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2024-05-30)
+
+Issue # GitHub Issue Title
+----------------------------------------------------------------------------------------------
+844 Update the logging properties to opt-out of the prefix events Component-Logger enhancement
+846 ESAPI.encoder().canonicalize() converts "&or" or similar strings without having trailing semicolon as logical operator
+847 Update ESAPI pom to use latest version of AntiSamy (1.7.6)
+851 Fix typos
+
+
+-----------------------------------------------------------------------------
+
+ Changes Requiring Special Attention
+
+-----------------------------------------------------------------------------
+
+Important JDK Support Announcement
+* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason.
+ - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier.
+
+Important ESAPI Logging Changes
+
+* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are
+ - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0.
+ * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file.
+ - SLF4J (which your choice of supported SLF4J logging implemmentation)
+ * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file.
+* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at:
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78
+
+If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here:
+ https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x
+
+-----------------------------------------------------------------------------
+
+ Remaining Known Issues / Problems
+
+-----------------------------------------------------------------------------
+None known, other than the remaining open issues on GitHub.
+
+-----------------------------------------------------------------------------
+
+ Other changes in this release, some of which not tracked via GitHub issues
+
+-----------------------------------------------------------------------------
+
+* Minor updates to README.md file with respect to version information.
+
+-----------------------------------------------------------------------------
+
+Developer Activity Report (Changes between release 2.5.4.0 and 2.5.5.0, i.e., between 2024-05-30 and 2024-10-06)
+Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
+Note: This only lists merged PRs, not those that were closed as rejected.
+
+Developer Total Total Number # Merged
+(GitHub ID) commits of Files Changed PRs
+============================================================
+DebajitKumarPhukan 7 1 1
+DarioViva42 57 44 1
+mickeyz07 10 12 1
+kwwall 2 2 1
+============================================================
+ Total PRs: 4
+
+-----------------------------------------------------------------------------
+
+CHANGELOG: Create your own. May I suggest:
+
+ git log --stat --since=2024-05-30 --reverse --pretty=medium
+
+ which will show all the commits since just after the previous (2.5.4.0) release.
+
+ Alternately, you can download the most recent ESAPI source and run
+
+ mvn site
+
+ which will create a CHANGELOG file named 'target/site/changelog.html'
+
+
+-----------------------------------------------------------------------------
+
+Direct and Transitive Runtime and Test Dependencies:
+
+ $ mvn -B dependency:tree
+ [INFO] -----------------------< org.owasp.esapi:esapi >------------------------
+ [INFO] Building ESAPI 2.5.5.0-SNAPSHOT
+ [INFO] --------------------------------[ jar ]---------------------------------
+ [INFO]
+ [INFO] --- maven-dependency-plugin:3.7.1:tree (default-cli) @ esapi ---
+ [INFO] org.owasp.esapi:esapi:jar:2.5.5.0-SNAPSHOT
+ [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
+ [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
+ [INFO] +- xom:xom:jar:1.3.9:compile
+ [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
+ [INFO] | +- commons-logging:commons-logging:jar:1.2:compile
+ [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
+ [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile
+ [INFO] +- commons-lang:commons-lang:jar:2.6:compile
+ [INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile
+ [INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M2:compile
+ [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
+ [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.6:compile
+ [INFO] | +- commons-io:commons-io:jar:2.16.1:compile
+ [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.3.1:compile
+ [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2.4:compile
+ [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.2.5:compile
+ [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.17:compile
+ [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.17:compile
+ [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.17:compile
+ [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.17:compile
+ [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.17:compile
+ [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.9:compile
+ [INFO] | +- org.htmlunit:neko-htmlunit:jar:4.3.0:compile
+ [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile
+ [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
+ [INFO] +- org.slf4j:slf4j-api:jar:2.0.13:compile
+ [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.8.6:compile (optional)
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
+ [INFO] +- commons-codec:commons-codec:jar:1.17.0:test
+ [INFO] +- junit:junit:jar:4.13.2:test
+ [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:test
+ [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test
+ [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test
+ [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test
+ [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test
+ [INFO] +- org.mockito:mockito-core:jar:3.12.4:test
+ [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test
+ [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
+ [INFO] | \- org.objenesis:objenesis:jar:3.2:test
+ [INFO] +- org.powermock:powermock-core:jar:2.0.9:test
+ [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test
+ [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test
+ [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test
+ [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test
+ [INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test
+ [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test
+ [INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test
+ [INFO] ------------------------------------------------------------------------
+
+-----------------------------------------------------------------------------
+
+Acknowledgments:
+ A special shout-out to our new ESAPI contributors, mickeyz07, DarioViva42, and DebajitKumarPhukan.
+ Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you.
+
+A special thanks to the ESAPI community from the ESAPI project co-leaders:
+ Kevin W. Wall (kwwall) <== The irresponsible party for these release notes!
+ Matt Seil (xeno6696)
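Review bot: Two figures in the new notes disagree with each other: 'Basic ESAPI facts' says '8 GitHub Issues closed in this release' but the table under it lists only four (844, 846, 847, 851), and the Acknowledgments thank the AntiSamy crew for 'AntiSamy 1.7.0' while issue 847 and the dependency tree both say 1.7.6. The 'mvn -B dependency:tree' listing was captured while the pom still read 2.5.5.0-SNAPSHOT, so it should be regenerated from the tagged release build. The paragraph 'You are encouraged to review the vulnerability analysis ...' repeats the one directly above it and can be dropped. Typos worth fixing before release: 'release. release 2.5.4.0', 'ESAPI 2.4.0 requires' (2.4.0.0), 'haveing', 'you only choice', 'which as been', 'which your choice', 'implemmentation', 'an ClassNotFoundException', and 'has not be tested'.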
diff --git a/scripts/vars.2.5.5.0 b/scripts/vars.2.5.5.0
new file mode 100644
index 000000000..f64e62384
--- /dev/null
+++ b/scripts/vars.2.5.5.0
@@ -0,0 +1,14 @@
+# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script,
+# which should be run prior to the newReleaseNotes.sh script.
+
+# ESAPI (new / current) version
+VERSION=2.5.5.0
+
+# Previous ESAPI version
+PREV_VERSION=2.5.4.0
+
+# Release date of current version in yyyy-mm-dd format
+YYYY_MM_DD_RELEASE_DATE=2024-10-06
+
+# Previous ESAPI release date in same format
+PREV_RELEASE_DATE=2024-05-30
From 07775d7e7344846e334a190730a7d17056e5b516 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 6 Oct 2024 18:57:00 -0400
Subject: [PATCH 18/20] Few more dependency and plugin updates; remove
'-SNAPSHOT' suffix from release version.
---
pom.xml | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/pom.xml b/pom.xml
index 1da06d99f..d8b63a31e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
4.0.0org.owasp.esapiesapi
- 2.5.5.0-SNAPSHOT
+ 2.5.5.0jar
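Review bot: Dropping '-SNAPSHOT' here means the dependency:tree output embedded in documentation/esapi4java-core-2.5.5.0-release-notes.txt, which still shows 'Building ESAPI 2.5.5.0-SNAPSHOT', should be regenerated from this commit; the slf4j-api and commons-codec bumps in the following hunks change that tree as well.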
@@ -132,11 +132,11 @@
UTF-81.372.0.0-M3
- 2.0.0-M10
+ 2.0.0-M112.0.94.8.64.8.6.4
- 3.5.0
+ 3.5.11.8
@@ -260,7 +260,7 @@
org.slf4jslf4j-api
- 2.0.13
+ 2.0.16xml-apis
@@ -286,7 +286,7 @@
commons-codeccommons-codec
- 1.17.0
+ 1.17.1test
@@ -408,17 +408,17 @@
org.apache.maven.pluginsmaven-dependency-plugin
- 3.7.1
+ 3.8.0org.apache.maven.pluginsmaven-release-plugin
- 3.1.0
+ 3.1.1org.codehaus.mojoversions-maven-plugin
- 2.17.0
+ 2.17.1file:${project.basedir}/versionRuleset.xml
@@ -431,7 +431,7 @@
org.cyclonedxcyclonedx-maven-plugin
- 2.8.0
+ 2.8.2package
@@ -513,7 +513,7 @@
org.apache.maven.pluginsmaven-deploy-plugin
- 3.1.2
+ 3.1.3
@@ -602,7 +602,7 @@
org.apache.maven.pluginsmaven-gpg-plugin
- 3.2.4
+ 3.2.7sign-artifacts
@@ -615,7 +615,7 @@
org.apache.maven.pluginsmaven-install-plugin
- 3.1.2
+ 3.1.3
@@ -635,7 +635,7 @@
org.apache.maven.pluginsmaven-javadoc-plugin
- 3.7.0
+ 3.10.18none
@@ -653,19 +653,19 @@
org.apache.maven.pluginsmaven-jxr-plugin
- 3.4.0
+ 3.5.0org.apache.maven.pluginsmaven-pmd-plugin
- 3.23.0
+ 3.25.0org.apache.maven.pluginsmaven-project-info-reports-plugin
- 3.6.1
+ 3.7.0
@@ -679,7 +679,7 @@
The skin is referenced in src/site/site.xml. -->
org.apache.maven.pluginsmaven-site-plugin
- 4.0.0-M15
+ 4.0.0-M16org.apache.maven.skins
@@ -740,7 +740,7 @@
org.owaspdependency-check-maven
- 10.0.2
+ 10.0.4${env.NVD_API_KEY}1.0
From a160de070ad02b5308ae27d2f3d638d92fd4c2d3 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Sun, 6 Oct 2024 19:05:30 -0400
Subject: [PATCH 19/20] Update section on commit / PR history.
---
documentation/esapi4java-core-2.5.5.0-release-notes.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/documentation/esapi4java-core-2.5.5.0-release-notes.txt b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
index c03b522ce..0be387f6b 100644
--- a/documentation/esapi4java-core-2.5.5.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
@@ -108,9 +108,9 @@ Developer Total Total Number # Merged
DebajitKumarPhukan 7 1 1
DarioViva42 57 44 1
mickeyz07 10 12 1
-kwwall 2 2 1
+kwwall 11 8 2
============================================================
- Total PRs: 4
+ Total PRs: 5
-----------------------------------------------------------------------------
From 3f2ff053269572dceef78bdefe3b8c3ecfd83076 Mon Sep 17 00:00:00 2001
From: kwwall
Date: Mon, 7 Oct 2024 21:22:33 -0400
Subject: [PATCH 20/20] Fix release date.
---
documentation/esapi4java-core-2.5.5.0-release-notes.txt | 4 ++--
scripts/vars.2.5.5.0 | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/documentation/esapi4java-core-2.5.5.0-release-notes.txt b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
index 0be387f6b..69a4e6e77 100644
--- a/documentation/esapi4java-core-2.5.5.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
@@ -1,5 +1,5 @@
Release notes for ESAPI 2.5.5.0
- Release date: 2024-10-06
+ Release date: 2024-10-07
Project leaders:
-Kevin W. Wall
-Matt Seil
@@ -98,7 +98,7 @@ None known, other than the remaining open issues on GitHub.
-----------------------------------------------------------------------------
-Developer Activity Report (Changes between release 2.5.4.0 and 2.5.5.0, i.e., between 2024-05-30 and 2024-10-06)
+Developer Activity Report (Changes between release 2.5.4.0 and 2.5.5.0, i.e., between 2024-05-30 and 2024-10-07)
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
Note: This only lists merged PRs, not those that were closed as rejected.
diff --git a/scripts/vars.2.5.5.0 b/scripts/vars.2.5.5.0
index f64e62384..1c0478de7 100644
--- a/scripts/vars.2.5.5.0
+++ b/scripts/vars.2.5.5.0
@@ -8,7 +8,7 @@ VERSION=2.5.5.0
PREV_VERSION=2.5.4.0
# Release date of current version in yyyy-mm-dd format
-YYYY_MM_DD_RELEASE_DATE=2024-10-06
+YYYY_MM_DD_RELEASE_DATE=2024-10-07
# Previous ESAPI release date in same format
PREV_RELEASE_DATE=2024-05-30