无需访问部署环境即可确定ESAPI配置属性?

时间:2017-06-02 23:54:50

标签: java spring maven configuration esapi

我们最近首次在Java Spring应用程序上运行了Veracode扫描并发现了许多安全漏洞,我们可以确定的最佳解决方案是通过ESAPI对用户输入进行编码。

在这种情况下,因为有人问过,“用户输入”意味着,例如,来自cookie的GUID,但Veracode认识到cookie可能被伪造,因此需要对cookie内容进行消毒...即,使用ESAPI编码功能如下:

logger.debug("Attempting to broadcast message to all connections with GUID " + ESAPI.encoder().encodeForHTML(guid));

我们正在使用Maven,所以为了在我们的项目中包含ESAPI,我们所做的只是在我们的POM文件中:

<dependency>
  <groupId>org.owasp.esapi</groupId>
  <artifactId>esapi</artifactId>
  <version>2.0.1</version>
</dependency>

它“只是奏效了”。除了开始使用import org.owasp.esapi.ESAPI;之外,我们确实没有做任何其他事情,我们去了城镇,在本地测试中表现非常好。

但是,一旦我们进行部署,它就失败了:

org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129) ~[esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:184) ~[esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99) ~[esapi-2.0.1.jar:2.0.1]

我们无权访问部署环境,因为第三方管理它。报告类似问题的其他StackOverflow问题报告说,他们的问题的答案涉及丢失ESAPI.properties文件。在我们的本地开发和测试中,我们不需要担心任何类似的事情,但我担心其他人报告需要设置一个/设置一个路径。

有没有办法在我们的代码中(这是我们真正给予部署团队的所有代码)确保ESAPI将在部署环境中运行?

1 个答案:

答案 0 :(得分:0)

实际上,SO的大多数其他问题都会给你答案。以下是代码中的评论:

/**
 * The reference {@code SecurityConfiguration} manages all the settings used by the ESAPI in a single place. In this reference
 * implementation, resources can be put in several locations, which are searched in the following order:
 * <p>
 * 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
 * <p>
 * 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
 * You can set this on the java command line as follows (for example):
 * <pre>
 *      java -Dorg.owasp.esapi.resources="C:\temp\resources"
 * </pre>
 * You may have to add this to the start-up script that starts your web server. For example, for Tomcat,
 * in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the {@code -D} string above.
 * <p>
 * 3) Inside the {@code System.getProperty( "user.home" ) + "/.esapi"} directory (supported for backward compatibility) or
 * inside the {@code System.getProperty( "user.home" ) + "/esapi"} directory.
 * <p>
 * 4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
 * <p>
 * Once the Configuration is initialized with a resource directory, you can edit it to set things like master
 * keys and passwords, logging locations, error thresholds, and allowed file extensions.
 * <p>
 * WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
 *
 * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
 * @author Jim Manico (jim .at. manico.net) <a href="http://www.manico.net">Manico.net</a>
 * @author Kevin Wall (kevin.w.wall .at. gmail.com)
 */

在您的情况下,对于将运行您的Web应用程序的部署命令,请根据此处第2部分中列出的java Runtime属性为部署团队提供一个目录。他们需要将其添加到触发的任何脚本/命令中,以旋转您的Web容器。

相关问题
最新问题