ESAPI throwing org.owasp.esapi.errors.ConfigurationException when trying to log a warning

java spring esapi
mongiesama picture mongiesama · Apr 15, 2016 · Viewed 8.6k times · Source

We've added a filter to our spring webapp that checks all incoming requests for anything that could cause an XSS vulnerability. However, when it tries to write to the log, we get the following stack trace:

com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
    at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
    at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
    at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
    at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
    at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
    at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
    at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)

I have ESAPI.properties on the classpath, that seems to be otherwise working, that does have the "missing" class configured:

ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities

And DefaultHTTPUtilities is on the classpath as well.

Answer

mongiesama picture mongiesama · Apr 19, 2016

It turns out I was also importing a library called opensaml (as a dependency of some other dependency). This library has its own implementation of SecurityConfiguration, which is the interface ESAPI uses to load configuration. For some reason the opensaml implements nearly all the methods to just return null or 0:

package org.opensaml;
/**
 * Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
 */
public class ESAPISecurityConfig implements SecurityConfiguration {
    /** Constructor. */
    public ESAPISecurityConfig() {
    }
    // snip...
    /** {@inheritDoc} */
    public String getHTTPUtilitiesImplementation() {
        return null;
    }
    // snip....
}

In a class called DefaultBootstrap, this was getting executed somewhere during the startup of my application, which overrides ESAPI's default implementation:

protected static void initializeESAPI() {
    ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}

I couldn't get rid of the opensaml library, so I had to change my code so that before I invoke ESAPI, I override it back to the default implementation:

        ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
        value = ESAPI.encoder().canonicalize(value);

Related questions

How to fix Veracode CWE 117 (Improper Output Neutralization for Logs)

There is an Spring global @ExceptionHandler(Exception.class) method which logs exception like that: @ExceptionHandler(Exception.class) void handleException(Exception ex) { logger.error("Simple error message", ex); ... Veracode scan says that this logging has Improper Output Neutralization for Logs and …

Read More
What's the difference between @Component, @Repository & @Service annotations in Spring?

Can @Component, @Repository and @Service annotations be used interchangeably in Spring or do they provide any particular functionality besides acting as a notation device? In other words, if I have a Service class and I change the annotation from @Service …

Read More
How to configure port for a Spring Boot application

How do I configure the TCP/IP port listened on by a Spring Boot application, so it does not use the default port of 8080.

Read More