diff --git a/README.md b/README.md index 43bb29711..8e4933f1e 100644 --- a/README.md +++ b/README.md @@ -32,8 +32,11 @@ Development for the "next generation" of ESAPI (starting with ESAPI 3.0), will b GitHub repository at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java). **IMPORTANT NOTES:** -* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.4.0.0 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make. +* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.5.0.0 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make. * Also, the *minimal* baseline Java version to use ESAPI is now Java 8. (This was changed from Java 7 during the 2.4.0.0 release.) +* Support was dropped for Log4J 1 during ESAPI 2.5.0.0 release. If you need it, configure it via SLF4J. See the + [2.5.0.0 release notes](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt) +for details. # Where can I find ESAPI 3.x? As mentioned above, you can find it at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java). 
@@ -63,7 +66,7 @@ link to the specific release notes. Starting with release 2.4.0.0, Java 8 or later is required. # Locating ESAPI Jar files -The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.4.0.0. +The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.0.0. All the *regular* ESAPI jars, with the exception of the ESAPI configuration jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached GPG signature, are available from Maven Central. The ESAPI configuration @@ -85,11 +88,11 @@ to be using such classes directly in your code. At the ESAPI team's discretion, it will also not apply for any known exploitable vulnerabilities for which no available workaround exists. -**IMPORTANT NOTES:** The next planned removal of deprecated code is for us to -remove all the Log4J 1.x related ESAPI Logger code. The Log4J 1 ESAPI Logger -was first marked deprecated in ESAPI 2.2.1.0, which was released July 13, 2022. -This means that on or shortly after, you can expect a new ESAPI release that -will no longer have a dependency on Log4J 1. **YOU HAVE BEEN WARNED!!!** +**IMPORTANT NOTES:** As of ESAPI 2.5.0.0, all the Log4J 1.x related code +has been removed from the ESAPI code base (with the exception of some +references in documentation). If you must, you still should be able to +use Log4J 1.x logging via ESAPI SLF4J support. See the ESAPI 2.5.0.0 release +notes for further details. # Contributing to ESAPI legacy ### How can I contribute or help with fix bugs? diff --git a/documentation/esapi4java-core-2.5.0.0-release-notes.txt b/documentation/esapi4java-core-2.5.0.0-release-notes.txt new file mode 100644 index 000000000..67186f17f --- /dev/null +++ b/documentation/esapi4java-core-2.5.0.0-release-notes.txt 
@@ -0,0 +1,243 @@ +Release notes for ESAPI 2.5.0.0 + Release date: 2022-07-17 + Project leaders: + -Kevin W. Wall + -Matt Seil + +Previous release: ESAPI 2.4.0.0, 2022-04-24 + + +Executive Summary: Important Things to Note for this Release +------------------------------------------------------------ + +In addition to this summary, please also be sure to thoroughly read the section "Changes Requiring Special Attention", below. + +Major changes: + Logging: + The major change in ESAPI 2.5.0.0 is the removal of the Log4J 1 dependency (specifically, log4j-1.2.17). It has been removed because in accordance with the ESAPI deprecation policy (see the README.md file), the Log4J supported logger has been deprecated for 2 years. + + For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you will notice that the 4 Log4J 1.x related CVEs are no longer flagged. This is because of removal of the Log4J 1.2.17 dependency. + + Any remaining flagged vulnerabilities (e.g., CVE-2020-7791 for transitive dependency batik-i18n-1.14) are believed to be false positives. + + You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. + + AntiSamy 1.7.0 and potentially breaking changes + We have updated to AntiSamy 1.7.0. If you have a custom version of antisamy-esapi.xml,then be sure to read the section "Changes Requiring Special Attention", below. + +Minor changes: + Miscellaneous bug fixes, Javadoc enhancements, and minor dependency updates. 
+ +================================================================================================================= + +Basic ESAPI facts +----------------- + +ESAPI 2.4.0.0 release: + 212 Java source files + 4325 JUnit tests in 136 Java source files (1 test skipped) + +ESAPI 2.5.0.0 release: + 206 Java source files + 4274 JUnit tests in 131 Java source files (0 tests skipped) + +18 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). +(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2022-04-24) + +Issue # GitHub Issue Title +---------------------------------------------------------------------------------------------- +717 Update to AntiSamy 1.7.0 once it is officially released +715 ESAPI - Not working with Eclipse bug +713 Should '/' be encoded for LDAP searches? bug +705 Add more details to DefaultValidator class-level javadoc on ESAPI canonicalization properties Component-Docs Component-Validator javadoc +702 ValidatorTest#testIsValidDirectoryPathGHSL_POC fails on Mac +695 Esapi 2.3.0.0 does not supported in opensaml 2.6.6 bug +692 Multiple (2x) encoding detected in from PercentCodec question +690 Plugin/Dependency Version Updates +689 Clean-up ESAPI Javadoc Component-Docs javadoc +686 ESAPI canonicalization in DefaultEncoder ignoring Encoder.DefaultCodecList property bug Component-Encoder +684 Hello world +682 Update baseline to java 1.8 +674 Add the missing Javadoc for the Validator interface Component-Docs Component-Validator good first issue +656 DefaultHTTPUtility uses hard coded Header name/value lengths (Note: Actually fixed in ESAPI 2.3.0.0, but just closed this release. 
- kww) +644 Do not include a logging implementation as a dependency slf4j-simple +620 Move the default property names and values out of a reference implementation class Component-SecurityConfiguration +587 Drop Xerces dependency from pom.xml Build-Maven Vulnerable Dependencies +534 Delete Deprecated Log4J implementation and Dependencies wait4future + +----------------------------------------------------------------------------- + + Changes Requiring Special Attention + +----------------------------------------------------------------------------- + +Important ESAPI Logging Changes + +* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it having first been deprecated.) Thus, your only choice for ESAPI logging are: + - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. + * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. + - SLF4J (which your choice of supported SLF4J logging implementation) + * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. + * Create your own custom logger. +* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 + +If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. 
The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: + https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x + +Potentially Breaking Changes in AntiSamy 1.7.0 + +* This version of ESAPI has upgraded to the latest version of AntiSamy (1.7.0 at the time of our release). AntiSamy 1.7.0 has some breaking changes to its SDK and the way that it processes AntiSamy policy files, of which the antisamy-esapi.xml file, included in our esapi-2.5.0.0-configuration.jar found at https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.5.0.0/esapi-2.4.0.0-configuration.jar, is the one we include. + +* None of the AntiSamy SDK changes affected how ESAPI, in its default configuration, uses it, but you may be affected if you have customized your AntiSamy policy file. If your regression tests fail when you upgrade to ESAPI 2.5.0.0 sand they seem to be related to AntiSamy, then please review https://github.com/nahsra/antisamy/blob/main/README.md#important---api-breaking-changes-in-170. Also, as a temporary workaround, you could do something like this (in Maven, but similar exclusion can be done with Gradle) to allow you time to correct your customized AntiSamy policy file: + + + org.owasp.esapi + esapi + 2.5.0.0 + + + + org.owasp.antisamy + antisamy + + + + + org.owasp.antisamy + antisamy + 1.6.8 + + +Indeed the only change that we had to make is to alter a JUnit test that was intended to ensure that invalid AntiSamy policy files could be disabled by setting + Policy.setSchemaValidation(false); +before processing any AntiSamy policy file not conforming to its schema. This specific (previously deprecated) method was removed in AntiSamy 1.7.0 so the schema validation checks can no longer be ignored. (And hence the reason for the workaround noted above.) 
+ +Instead, we simply changed the JUnit test to check that the expected AntiSamy org.owasp.validator.html.PolicyException class is thrown when the invalid policy file is loaded. + +----------------------------------------------------------------------------- + + Remaining Known Issues / Problems + +----------------------------------------------------------------------------- +'mvn site' fails to build these two reports: + "Tag reference" report --- maven-taglib-plugin:2.4:tagreference + "Taglibdoc documentation" report --- maven-taglib-plugin:2.4:taglibdoc + +Thus no tag library documentation will be generated. :-( + +We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.) + +No others problems are known, other than the remaining open issues on GitHub. + +----------------------------------------------------------------------------- + + Other changes in this release, some of which not tracked via GitHub issues + +----------------------------------------------------------------------------- + +* Minor updates to README.md file with respect to version information. + +----------------------------------------------------------------------------- + +Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-17) +Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. 
+ +# +# 34 PRs merged since ESAPI 2.4.0.0 release +# +Developer Total Total Number # Merged +(GitHub ID) commits of Files Changed PRs +======================================================== +jeremiahjstacey 265 180 24 +kwwall 35 64 5 +xeno6696 1 267 1 +noloader 5 2 1 +stevebosman-oc 4 3 2 +VinodAnandan 1 1 1 +======================================================== + Total PRs: 34 + +----------------------------------------------------------------------------- + +CHANGELOG: Create your own. May I suggest: + + git log --stat --since=2022-04-24 --reverse --pretty=medium + + which will show all the commits since just after the previous (2.4.0.0) release. + + Alternately, you can download the most recent ESAPI source and run + + mvn site + + which will create a CHANGELOG file named 'target/site/changelog.html' + + +----------------------------------------------------------------------------- + +Direct and Transitive Runtime and Test Dependencies: + + $ mvn -B dependency:tree + ... + [INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ esapi --- + [INFO] org.owasp.esapi:esapi:jar:2.5.0.0 + [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided + [INFO] +- xom:xom:jar:1.3.7:compile + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile + [INFO] +- commons-lang:commons-lang:jar:2.6:compile + [INFO] +- commons-fileupload:commons-fileupload:jar:1.4:compile + [INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile + [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.0:compile + [INFO] | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.63.0:compile + [INFO] | +- 
org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile + [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile + [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.4:compile + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile + [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile + [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile + [INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile + [INFO] +- commons-io:commons-io:jar:2.11.0:compile + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.7.1:compile + [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile + [INFO] +- commons-codec:commons-codec:jar:1.15:test + [INFO] +- junit:junit:jar:4.13.2:test + [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:test + [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test + [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test + [INFO] +- org.mockito:mockito-core:jar:3.12.4:test + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test + [INFO] | \- org.objenesis:objenesis:jar:3.2:test + [INFO] +- org.powermock:powermock-core:jar:2.0.9:test + [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test + [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test + [INFO] \- 
org.openjdk.jmh:jmh-core:jar:1.35:test + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test + [INFO] \- org.apache.commons:commons-math3:jar:3.2:test + ... + + +----------------------------------------------------------------------------- + +Acknowledgments: + A special shout-out our new contributors noloader, stevebosman-oc, and VinodAnandan. + Another hat tip to Dave Wichers, Sebastián Passaro, and the rest of the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. + +A special thanks to the ESAPI community from the ESAPI project co-leaders: + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! + Matt Seil (xeno6696) diff --git a/pom.xml b/pom.xml index e8743c1a1..05bb55181 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.owasp.esapi esapi - 2.4.1.0-SNAPSHOT + 2.5.0.0 jar @@ -149,6 +149,17 @@ 2021-05-07 00:00:00 + + + + + org.apache.httpcomponents.core5 + httpcore5 + 5.1.4 + + + + javax.servlet @@ -248,7 +259,7 @@ org.owasp.antisamy antisamy - 1.6.8 + 1.7.0 org.slf4j diff --git a/scripts/README.txt b/scripts/README.txt index 61df78f20..b61b287da 100644 --- a/scripts/README.txt +++ b/scripts/README.txt @@ -12,4 +12,5 @@ newReleaseNotes.sh -- Bash script to create the release notes boillerplate from vars.2.2.3.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh vars.2.2.3.1 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh vars.2.3.0.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh +vars.2.4.0.0 -- File that is 'sourced' (as in "source ./filename") and used with newReleaseNotes.sh vars.template -- Template to construct the release specific vars files diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt index b4a953bf9..1d7c8c460 100644 
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt +++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt @@ -1,6 +1,7 @@ @@@@ IMPORTANT: Be sure to 1) save in DOS text format, and 2) Delete this line and others starting with @@@@ @@@@ Edit this file in vim with :set tw=0 @@@@ Meant to be used with scripts/newReleaseNotes.sh and the 'vars.*' scripts there. +@@@@ There are specific references to ESAPI 2.5.0.0 and other old releases in this file. Do NOT change the version #s. They are there for a reason. Release notes for ESAPI ${VERSION} Release date: ${YYYY_MM_DD_RELEASE_DATE} Project leaders: 
@@ -13,11 +14,14 @@ Previous release: ESAPI ${PREV_VERSION}, ${PREV_RELEASE_DATE} Executive Summary: Important Things to Note for this Release ------------------------------------------------------------ @@@@ View previous release notes to see examples of what to put here. This is typical. YMMV. +@@@@ Obviously, you should summarize any major changes / new features here. This is a patch release with the primary intent of updating some dependencies, some with known vulnerabilities. Details follow. -For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you might notice that there is vulnerability in xerces:xercesImpl:2.12.0 that ESAPI uses (also a transitive dependency) that is similar to CVE-2020-14621. Unfortunately there is no official patch for this in the regular Maven Central repository. Further details are described in Security Bulletin #3, which is viewable here - https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf -and associated with this release on GitHub. Manual workarounds possible. See the security bulletin for further details. +For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you will notice that the 4 Log4J 1.x related CVEs are no longer flagged. This is because we have finally removed the Log4J 1.2.17 dependency in ESAPI 2.5.0.0. + +Any remaining flagged vulnerabilities (e.g., CVE-2020-7791 for transitive dependency batik-i18n-1.14) are believed to be false postives. + +You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. ================================================================================================================= 
@@ -49,78 +53,30 @@ Issue # GitHub Issue Title ----------------------------------------------------------------------------- @@@@ NOTE any special notes here. Probably leave this one, but I would suggest noting additions BEFORE this. -[If you have already successfully been using ESAPI 2.2.1.0 or later, you probably can skip this section.] - -Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we had deprecated the use of Log4J 1.x because was way past its end-of-life. (Note: As of ESAPI 2.5.0.0, we have officially removed all Log4J 1 dependencies, after it had been deprecated for 2 years as per our deprecation policy.) We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be. - -However, if you try to juse the new ESAPI 2.2.1.0 or later logging you will notice that you need to change ESAPI.Logger and also possibly provide some other properties as well to get the logging behavior that you desire. - -To use ESAPI logging in ESAPI 2.2.1.0 (and later), you will need to set the ESAPI.Logger property to - org.owasp.esapi.logging.java.JavaLogFactory - To use the new default, java.util.logging (JUL) - org.owasp.esapi.logging.slf4j.Slf4JLogFactory - To use the new (to release 2.2.0.0) SLF4J logger +Important JDK Support Announcement +* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. 
See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason. + - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier. -In addition, if you wish to use JUL for logging, you *MUST* supply an "esapi-java-logging.properties" file in your classpath. This file is included in the 'esapi-2.2.2.0-configuration.jar' file provided under the 'Assets' section of the GitHub Release at - https://github.com/ESAPI/esapi-java-legacy/releases/esapi-2.2.2.0 +Important ESAPI Logging Changes -Unfortunately, there was a logic error in the static initializer of JavaLogFactory (now fixed in this release) that caused a NullPointerException to be thrown so that the message about the missing "esapi-java-logging.properties" file was never seen. +* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are + - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. + * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. + - SLF4J (which your choice of supported SLF4J logging implemmentation) + * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. 
+* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 -If you are using JavaLogFactory, you will also want to ensure that you have the following ESAPI logging properties set: - # Set the application name if these logs are combined with other applications - Logger.ApplicationName=ExampleApplication - # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true - Logger.LogEncodingRequired=false - # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. - Logger.LogApplicationName=true - # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. - Logger.LogServerIP=true - # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you - # want to place it in a specific directory. - Logger.LogFileName=ESAPI_logging_file - # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) - Logger.MaxLogFileSize=10000000 - # Determines whether ESAPI should log the user info. - Logger.UserInfo=true - # Determines whether ESAPI should log the session id and client IP. - Logger.ClientInfo=true - -See GitHub issue #560 for additional details. - - -Finally, while ESAPI still supports JDK 7 (even though that too is way past end-of-life), the next ESAPI release will move to JDK 8 as the minimal baseline. (We already use Java 8 for development but still to Java 7 source and runtime compatibility.) 
We need to do this out of necessity because some of our dependencies are no longer doing updates that support Java 7. +If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: + https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x ----------------------------------------------------------------------------- Remaining Known Issues / Problems ----------------------------------------------------------------------------- -If you use Java 7 (the minimal Java baseline supported by ESAPI) and try to run 'mvn test' there is one test that fails. This test passes with Java 8. The failing test is: - - [ERROR] Tests run: 5, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.203 s - <<< FAILURE! - in org.owasp.esapi.crypto.SecurityProviderLoaderTest - [ERROR] org.owasp.esapi.crypto.SecurityProviderLoaderTest.testWithBouncyCastle - Time elapsed: 0.116 s <<< FAILURE! - java.lang.AssertionError: Encryption w/ Bouncy Castle failed with - EncryptionException for preferred cipher transformation; exception was: - org.owasp.esapi.errors.EncryptionException: Encryption failure (unavailable - cipher requested) - at - org.owasp.esapi.crypto.SecurityProviderLoaderTest.testWithBouncyCastle(Security - ProviderLoaderTest.java:133) - -I will spare you all the details and tell you that this has to do with Java 7 not being able to correctly parse the signed Bouncy Castle JCE provider jar. 
More details are available at: - https://www.bouncycastle.org/latest_releases.html -and - https://github.com/bcgit/bc-java/issues/477 -I am sure that there are ways of making Bouncy Castle work with Java 7, but since ESAPI does not rely on Bouncy Castle (it can use any compliant JCE provider), this should not be a problem. (It works fine with the default SunJCE provider.) If it is important to get the BC provider working with the ESAPI Encryptor and Java 7, then open a GitHub issue and we will take a deeper look at it and see if we can suggest something. - - - -Another problem is if you run 'mvn test' from the 'cmd' prompt (and possibly PowerShell as well), you will get intermittent failures (generally between 10-25% of the time) at arbitrary spots. If you run it again without any changes it will work fine without any failures. We have discovered that it doesn't seem to fail if you run the tests from an IDE like Eclipse or if you redirect both stdout and stderr to a file; e.g., - - C:\code\esapi-java-legacy> mvn test >testoutput.txt 2>&1 - -We believe these failures is because the maven-surefire-plugin is by default not forking a new JVM process for each test class. We are looking into this. For now, we have only have observed this behavior on Windows 10. If you see this error, please do NOT report it as a GitHub issue unless you know a fix for it. (And yes, we are aware of 'false' in the pom for the maven-surefire-plugin, but that causes other tests to fail that we haven't had time to fix.) +None known, other than the remaining open issues on GitHub. ----------------------------------------------------------------------------- 
@@ -128,13 +84,16 @@ We believe these failures is because the maven-surefire-plugin is by default not ----------------------------------------------------------------------------- -* Minor updates to README.md file +* Minor updates to README.md file with respect to version information. ----------------------------------------------------------------------------- Developer Activity Report (Changes between release ${PREV_VERSION} and ${VERSION}, i.e., between ${PREV_RELEASE_DATE} and ${YYYY_MM_DD_RELEASE_DATE}) Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. +@@@@ +@@@@ This section needs to be manually updated. +@@@@ Developer Total Total Number # Merged (GitHub ID) commits of Files Changed PRs ======================================================== @@ -144,8 +103,6 @@ kwwall 7 8 0 ======================================================== Total PRs: 2 -There were also several snyk-bot PRs that were rejected for various reasons, mostly because 1) I was already making the proposed changes and preferred to do them in single commit or 2) there were other reasons for rejecting them (such as the dependency requiring Java 8). The proposed changes that were not outright rejected were included as part of commit a8a79bc5196653500ce664b7b063284e60bddaa0. - ----------------------------------------------------------------------------- CHANGELOG: Create your own. May I suggest: @@ -154,6 +111,13 @@ CHANGELOG: Create your own. May I suggest: which will show all the commits since just after the previous (${PREV_VERSION}) release. + Alternately, you can download the most recent ESAPI source and run + + mvn site + + which will create a CHANGELOG file named 'target/site/changelog.html' + + ----------------------------------------------------------------------------- Direct and Transitive Runtime and Test Dependencies: 
@@ -163,8 +127,9 @@ Direct and Transitive Runtime and Test Dependencies: ----------------------------------------------------------------------------- +@@@@ Review these notes, especially the reference to the AntiSamy version information. Acknowledgments: - Another hat tip to Dave Wichers for promptly releasing AntiSamy 1.6.1. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. + Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. A special thanks to the ESAPI community from the ESAPI project co-leaders: Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! diff --git a/scripts/vars.2.4.0.0 b/scripts/vars.2.4.0.0 new file mode 100644 index 000000000..9e2f84ded --- /dev/null +++ b/scripts/vars.2.4.0.0 @@ -0,0 +1,14 @@ +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. + +# ESAPI (new / current) version +VERSION=2.4.0.0 + +# Previous ESAPI version +PREV_VERSION=2.3.0.0 + +# Release date of current version in yyyy-mm-dd format +YYYY_MM_DD_RELEASE_DATE=2022-04-24 + +# Previous ESAPI release date in same format +PREV_RELEASE_DATE=2022-04-16 diff --git a/scripts/vars.2.5.0.0 b/scripts/vars.2.5.0.0 new file mode 100644 index 000000000..e01d7dd54 --- /dev/null +++ b/scripts/vars.2.5.0.0 @@ -0,0 +1,14 @@ +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. + +# ESAPI (new / current) version +VERSION=2.5.0.0 + +# Previous ESAPI version +PREV_VERSION=2.4.0.0 + +# Release date of current version in yyyy-mm-dd format +YYYY_MM_DD_RELEASE_DATE=2022-07-17 + +# Previous ESAPI release date in same format +PREV_RELEASE_DATE=2022-04-24 
diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java index ccd2e1d6d..082bd626c 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleAntisamyPropertyTest.java @@ -15,12 +15,8 @@ */ package org.owasp.esapi.reference.validation; -import org.junit.After; -import org.junit.AfterClass; -import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; -import org.owasp.validator.html.Policy; +import org.owasp.validator.html.PolicyException; /** * Isolate scope test to assert the behavior of the HTMLValidationRule @@ -32,21 +28,9 @@ public class HTMLValidationRuleAntisamyPropertyTest { */ private static final String INVALID_ANTISAMY_POLICY_FILE = "antisamy-InvalidPolicy.xml"; - @AfterClass - public static void enableAntisamySchemaValidation() { - Policy.setSchemaValidation(true); - } - - @BeforeClass - public static void disableAntisamySchemaValidation() { - Policy.setSchemaValidation(false); - //System property is read once, so we're preferring the static method for testing. - //System.setProperty( "owasp.validator.validateschema", "false" ); - } - - @Test + @Test( expected = PolicyException.class ) public void checkAntisamySystemPropertyWorksAsAdvertised() throws Exception { HTMLValidationRule.loadAntisamyPolicy(INVALID_ANTISAMY_POLICY_FILE); } - + }
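Review bot: In the README.md hunk at @@ -32,8 +32,11 @@, the two continuation lines of the new Log4J bullet are indented differently ("+ [2.5.0.0 release notes](...)" is indented, "+for details." is flush left), so Markdown will break the list item there; indent both continuation lines under the bullet, or keep the whole sentence on one line like the neighbouring bullets. While touching it, "during ESAPI 2.5.0.0 release" reads better as "during the ESAPI 2.5.0.0 release".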
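Review bot: In the new documentation/esapi4java-core-2.5.0.0-release-notes.txt, the AntiSamy paragraph names esapi-2.5.0.0-configuration.jar but links to .../releases/download/esapi-2.5.0.0/esapi-2.4.0.0-configuration.jar; the filename in the URL should match the jar the text names, since a reader following the link will otherwise pick up the previous release's antisamy-esapi.xml. Smaller fixes in the same file: "Software Configuration Analysis (SCA)" should be "Software Composition Analysis", and the typos "sand they seem", "which as been the default", "your only choice for ESAPI logging are", "has not be tested", "No others problems are known" and "A special shout-out our new contributors" (missing "to") should be corrected before this ships as the canonical release document.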
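Review bot: In the pom.xml hunk at @@ -149,6 +149,17 @@, the new managed version for org.apache.httpcomponents.core5:httpcore5 (5.1.4) carries no comment explaining why it overrides the version that antisamy's httpclient5 5.1.3 brings in, and the dependency tree pasted into the release notes in this same patch shows the result: httpcore5:5.1.4 next to httpcore5-h2:5.1.3, so the two core5 artifacts are now at different versions. Add an XML comment stating the reason for the pin (and the issue or advisory it addresses), and consider managing httpcore5-h2 to the same version so the pair stays consistent.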
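Review bot: In the scripts/README.txt hunk, the listing gains an entry for vars.2.4.0.0 only, yet this same patch also adds scripts/vars.2.5.0.0; add a matching "vars.2.5.0.0 -- File that is 'sourced' ..." line so the README does not lag one release behind the files actually in the directory.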
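Review bot: In the scripts/esapi4java-core-TEMPLATE-release-notes.txt hunk at @@ -13,11 +14,14 @@, the added line has the typo "false postives", and "Software Configuration Analysis (SCA)" should be "Software Composition Analysis"; since the same sentences appear in the real 2.5.0.0 release notes, fix both copies so they do not drift apart.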
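Review bot: In the scripts/esapi4java-core-TEMPLATE-release-notes.txt hunk at @@ -49,78 +53,30 @@, the added logging section has already diverged from the copy in the 2.5.0.0 release notes: it still contains "haveing first been deprecated", "you only choice of ESAPI logging are", "implemmentation", "which as been the default" and "has not be tested", it omits the "Create your own custom logger" option that the release notes list, and "ESAPI 2.4.0 requires using Java 8" should use the full "2.4.0.0" form used everywhere else ("the last Java release to support Java 7" also reads as "the last ESAPI release"). Since this file is the template future notes are generated from, it is the copy worth getting right.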
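Review bot: In the HTMLValidationRuleAntisamyPropertyTest.java hunk at @@ -32,21 +28,9 @@, the test method is still named checkAntisamySystemPropertyWorksAsAdvertised, but after this change no system property or Policy.setSchemaValidation call is involved; it now asserts that loading antisamy-InvalidPolicy.xml throws PolicyException, so rename it accordingly (for example, loadingInvalidPolicyThrowsPolicyException) and check that the class Javadoc visible in the context ("Isolate scope test to assert the behavior of the HTMLValidationRule ...") no longer describes the old property-driven behaviour. The trailing "- " / "+ " pair at the end of the hunk is a whitespace-only change that could be dropped from the diff.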