Fixes #894. Remove outdated commons-lang and commons-configuration dependencies with problematic CVEs.

pom.xml

@@ -194,15 +194,19 @@
                  -->
         </dependency>
         <dependency>
-            <groupId>commons-configuration</groupId>
-            <artifactId>commons-configuration</artifactId>
-            <version>1.10</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
+            <version>2.12.0</version>
             <exclusions>
-                <!-- excluded because multiple dependencies import newer version. -->
+                <!-- excluded because dependencies import newer versions. -->
                 <exclusion>
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-lang3</artifactId>
+                </exclusion>
                 <!-- Note: Because the following dependency is marked as provided to commons-configuration,
                      this exclusion doesn't actually do anything. But we include it so the convergence report
                      will report 100% convergence. Deleting this does not cause the convergence check to fail.
@@ -214,9 +218,23 @@
             </exclusions>
         </dependency>
         <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>2.6</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.18.0</version>
+            <scope>runtime</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.13.1</version>
+            <exclusions>
+                <!-- excluded because it has a CVE, and we've imported the newer version for runtime above. -->
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-lang3</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>commons-fileupload</groupId>

src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

@@ -33,9 +33,8 @@
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
 
-import org.apache.commons.lang.text.StrTokenizer;
+import org.apache.commons.text.StringTokenizer;
 import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.Logger;
 import org.owasp.esapi.PropNames;   // <== Actual property names moved to here. Eventually we'll do static import.
 import org.owasp.esapi.PropNames.DefaultSearchPath;
 import org.owasp.esapi.SecurityConfiguration;
@@ -651,7 +650,7 @@ protected void loadConfiguration() throws IOException {
 
             if(multivalued){
                 // the following cast warning goes away if the apache commons lib is updated to current version
-                validationPropFileNames = StrTokenizer.getCSVInstance(validationPropValue);
+                validationPropFileNames = StringTokenizer.getCSVInstance(validationPropValue);
             } else {
                 validationPropFileNames = Collections.singletonList(validationPropValue).iterator();
             }

src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoader.java

@@ -1,6 +1,6 @@
 package org.owasp.esapi.reference.accesscontrol.policyloader;
 
-import org.apache.commons.configuration.XMLConfiguration;
+import org.apache.commons.configuration2.XMLConfiguration;
 
 
 public interface ACRParameterLoader <T> {

src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoaderHelper.java

@@ -1,6 +1,6 @@
 package org.owasp.esapi.reference.accesscontrol.policyloader;
 
-import org.apache.commons.configuration.XMLConfiguration;
+import org.apache.commons.configuration2.XMLConfiguration;
 
 final public class ACRParameterLoaderHelper {
 

src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRPolicyFileLoader.java

@@ -3,8 +3,12 @@
 import java.io.File;
 import java.util.Collection;
 
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.commons.configuration.XMLConfiguration;
+import org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder;
+import org.apache.commons.configuration2.builder.fluent.Parameters;
+import org.apache.commons.configuration2.convert.DefaultConversionHandler;
+import org.apache.commons.configuration2.convert.LegacyListDelimiterHandler;
+import org.apache.commons.configuration2.ex.ConfigurationException;
+import org.apache.commons.configuration2.XMLConfiguration;
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.Logger;
 import org.owasp.esapi.errors.AccessControlException;
@@ -15,15 +19,22 @@ final public class ACRPolicyFileLoader {
     public PolicyDTO load() throws AccessControlException {
         PolicyDTO policyDTO = new PolicyDTO();
         XMLConfiguration config;
-        File file = ESAPI.securityConfiguration().getResourceFile("ESAPI-AccessControlPolicy.xml");
+        final String configFileName = "ESAPI-AccessControlPolicy.xml";
+        File file = ESAPI.securityConfiguration().getResourceFile(configFileName);
         try
         {
-            config = new XMLConfiguration(file);
+            final DefaultConversionHandler conversionHandler = new DefaultConversionHandler();
+            conversionHandler.setListDelimiterHandler(new LegacyListDelimiterHandler(','));
+            config = new FileBasedConfigurationBuilder<>(XMLConfiguration.class)
+                    .configure(new Parameters().xml()
+                            .setConversionHandler(conversionHandler)
+                            .setFile(file)
+                            .setFileName(configFileName)).getConfiguration();
         }
         catch(ConfigurationException cex)
         {
             if(file == null) {
-                throw new AccessControlException("Unable to load configuration file for the following: " + "ESAPI-AccessControlPolicy.xml", "", cex);
+                throw new AccessControlException("Unable to load configuration file for the following: " + configFileName, "", cex);
             }
             throw new AccessControlException("Unable to load configuration file from the following location: " + file.getAbsolutePath(), "", cex);
         }

src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/DynaBeanACRParameterLoader.java

@@ -1,6 +1,6 @@
 package org.owasp.esapi.reference.accesscontrol.policyloader;
 
-import org.apache.commons.configuration.XMLConfiguration;
+import org.apache.commons.configuration2.XMLConfiguration;
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.Logger;
 import org.owasp.esapi.reference.accesscontrol.DynaBeanACRParameter;