org.owasp.esapi.ESAPI Java Examples
The following examples show how to use
org.owasp.esapi.ESAPI.
Example #1
Source File: DatabaseHelper.java From Benchmark with GNU General Public License v2.0 | 6 votes |
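/**
 * Writes a minimal HTML page describing the outcome of a batch update for {@code query}.
 *
 * <p>The query text is HTML-encoded through ESAPI before being echoed, so request-derived
 * SQL text does not turn this page into an XSS sink. Only {@code counts[0]} is reported;
 * further batch entries are ignored, as before.
 *
 * @param query    the SQL text that was executed (echoed back, HTML-encoded)
 * @param counts   per-statement update counts as returned by {@code Statement.executeBatch()};
 *                 {@code null} or empty produces a page without a count line
 * @param response the servlet response whose writer receives the page
 * @throws IOException if the response writer cannot be obtained
 */
public static void printResults(String query, int[] counts, HttpServletResponse response) throws IOException {
    PrintWriter out = response.getWriter();
    out.write("<!DOCTYPE html>\n<html>\n<body>\n<p>");
    out.write("For query: " + ESAPI.encoder().encodeForHTML(query) + "<br>");
    try {
        // A null array used to throw NullPointerException from counts.length; treat it as empty.
        if (counts != null && counts.length > 0) {
            String message;
            if (counts[0] == Statement.SUCCESS_NO_INFO) {
                message = "The SQL query was processed successfully but the number of rows affected is unknown.";
            } else if (counts[0] == Statement.EXECUTE_FAILED) {
                message = "The SQL query failed to execute successfully and occurs only if a driver continues to process commands after a command fails";
            } else {
                message = "The number of affected rows are: " + counts[0];
            }
            // Mirrored to stdout as well as the page, as the original harness did.
            out.write(message);
            System.out.println(message);
        }
    } finally {
        // Close the document even if the block above throws, so the response stays well-formed.
        out.write("</p>\n</body>\n</html>");
    }
}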
Example #2
Source File: StringHelper.java From olat with Apache License 2.0 | 6 votes |
/**
 * Encodes {@code str} for placement inside a quoted HTML attribute value.
 *
 * <p>Delegates entirely to the ESAPI reference encoder. This is the attribute-context
 * counterpart of body encoding; it is not a substitute for URL or JavaScript encoding when
 * the value lands in one of those contexts.
 *
 * @param str the raw attribute value
 * @return the value as returned by {@code Encoder.encodeForHTMLAttribute}
 */
public static final String escapeHtmlAttribute(String str) {
    final String encoded = ESAPI.encoder().encodeForHTMLAttribute(str);
    return encoded;
}
Example #3
Source File: DefaultBootstrap.java From lams with GNU General Public License v2.0 | 6 votes |
/**
 * Points ESAPI at OpenSAML's own {@code SecurityConfiguration} implementation unless a
 * deployer has already selected one through the
 * {@code org.owasp.esapi.SecurityConfiguration} system property.
 *
 * <p>An existing non-empty property value always wins, so an application shipping its own
 * ESAPI configuration is left untouched.
 */
protected static void initializeESAPI() {
    Logger log = getLogger();
    String propertyName = "org.owasp.esapi.SecurityConfiguration";
    String openSamlImpl = ESAPISecurityConfig.class.getName();
    String existing = System.getProperty(propertyName);

    if (existing != null && !existing.isEmpty()) {
        log.debug("ESAPI SecurityConfiguration impl was already set non-null and non-empty via system property, leaving existing value in place: {}", existing);
        return;
    }

    log.debug("Setting ESAPI SecurityConfiguration impl to OpenSAML internal class: {}", openSamlImpl);
    // The property is set so other components can see which implementation was chosen ...
    System.setProperty(propertyName, openSamlImpl);
    // ... but ESAPI reads it only once, in a static initializer, so the explicit initialize()
    // call is what actually installs the implementation (it overrides the captured value).
    ESAPI.initialize(openSamlImpl);
}
Example #4
Source File: HTTPArtifactEncoder.java From lams with GNU General Public License v2.0 | 6 votes |
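/**
 * Performs HTTP POST based encoding of the SAML artifact.
 *
 * <p>The form action and RelayState are rendered inside HTML attributes, so both pass
 * through ESAPI attribute encoding before being placed in the Velocity context. The artifact
 * itself is Base64 and is placed as-is.
 *
 * @param artifactContext current request context
 * @param outTransport outbound HTTP transport
 *
 * @throws MessageEncodingException thrown if there is a problem POST encoding the artifact
 */
protected void postEncode(SAMLMessageContext artifactContext, HTTPOutTransport outTransport) throws MessageEncodingException {
    log.debug("Performing HTTP POST SAML 2 artifact encoding");

    log.debug("Creating velocity context");
    VelocityContext context = new VelocityContext();
    Encoder esapiEncoder = ESAPI.encoder();

    String endpointURL = getEndpointURL(artifactContext).toString();
    String encodedEndpointURL = esapiEncoder.encodeForHTMLAttribute(endpointURL);
    log.debug("Setting action parameter to: '{}', encoded as '{}'", endpointURL, encodedEndpointURL);
    context.put("action", encodedEndpointURL);
    context.put("SAMLArt", buildArtifact(artifactContext).base64Encode());
    context.put("binding", getBindingURI());

    if (checkRelayState(artifactContext.getRelayState())) {
        String encodedRelayState = esapiEncoder.encodeForHTMLAttribute(artifactContext.getRelayState());
        log.debug("Setting RelayState parameter to: '{}', encoded as '{}'", artifactContext.getRelayState(), encodedRelayState);
        context.put("RelayState", encodedRelayState);
    }

    try {
        log.debug("Invoking velocity template");
        // NOTE(review): the writer uses the platform default charset while the template is read
        // as UTF-8 — confirm this matches the charset the transport declares to the client.
        OutputStreamWriter outWriter = new OutputStreamWriter(outTransport.getOutgoingStream());
        velocityEngine.mergeTemplate(velocityTemplateId, "UTF-8", context, outWriter);
        // OutputStreamWriter buffers internally; without this flush the tail of the rendered
        // form can remain in the encoder buffer and never reach the transport.
        outWriter.flush();
    } catch (Exception e) {
        log.error("Error invoking velocity template to create POST form", e);
        throw new MessageEncodingException("Error creating output document", e);
    }
}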
Example #5
Source File: HTTPPostEncoder.java From lams with GNU General Public License v2.0 | 6 votes |
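/**
 * Populates the Velocity context used to render the HTTP-POST binding form.
 *
 * <p>The form action and the RelayState are emitted inside HTML attributes and therefore
 * pass through ESAPI attribute encoding; the SAML message is Base64-encoded and placed
 * under {@code SAMLRequest} or {@code SAMLResponse} depending on its type.
 *
 * @param velocityContext the Velocity context instance to populate with data
 * @param messageContext the SAML message context source of data
 * @param endpointURL endpoint URL to which to encode message
 * @throws MessageEncodingException thrown if the outbound message is neither a request nor a
 *         status response, or if there is a problem encoding the message
 */
protected void populateVelocityContext(VelocityContext velocityContext, SAMLMessageContext messageContext, String endpointURL) throws MessageEncodingException {
    Encoder esapiEncoder = ESAPI.encoder();
    String encodedEndpointURL = esapiEncoder.encodeForHTMLAttribute(endpointURL);
    log.debug("Encoding action url of '{}' with encoded value '{}'", endpointURL, encodedEndpointURL);
    velocityContext.put("action", encodedEndpointURL);
    velocityContext.put("binding", getBindingURI());

    log.debug("Marshalling and Base64 encoding SAML message");
    if (messageContext.getOutboundSAMLMessage().getDOM() == null) {
        marshallMessage(messageContext.getOutboundSAMLMessage());
    }
    try {
        String messageXML = XMLHelper.nodeToString(messageContext.getOutboundSAMLMessage().getDOM());
        String encodedMessage = Base64.encodeBytes(messageXML.getBytes("UTF-8"), Base64.DONT_BREAK_LINES);
        if (messageContext.getOutboundSAMLMessage() instanceof RequestAbstractType) {
            velocityContext.put("SAMLRequest", encodedMessage);
        } else if (messageContext.getOutboundSAMLMessage() instanceof StatusResponseType) {
            velocityContext.put("SAMLResponse", encodedMessage);
        } else {
            throw new MessageEncodingException(
                    "SAML message is neither a SAML RequestAbstractType or StatusResponseType");
        }
    } catch (UnsupportedEncodingException e) {
        // UTF-8 is mandatory for every JVM, so this branch is effectively unreachable; the cause
        // is now attached (it was dropped before) so a genuinely broken runtime is diagnosable.
        log.error("UTF-8 encoding is not supported, this VM is not Java compliant.");
        throw new MessageEncodingException("Unable to encode message, UTF-8 encoding is not supported", e);
    }

    String relayState = messageContext.getRelayState();
    if (checkRelayState(relayState)) {
        String encodedRelayState = esapiEncoder.encodeForHTMLAttribute(relayState);
        log.debug("Setting RelayState parameter to: '{}', encoded as '{}'", relayState, encodedRelayState);
        velocityContext.put("RelayState", encodedRelayState);
    }
}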
Example #6
Source File: ESAPIEncoderTest.java From owasp-java-encoder with BSD 3-Clause "New" or "Revised" License | 6 votes |
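/**
 * Round-trips the project's {@code Encoder} through Java serialization.
 *
 * <p>The ESAPI reference implementation is not serializable; this project's implementation
 * is expected to be. The stream being deserialized here is produced by the test itself, not
 * external input. Both object streams are now closed on every path (the input stream was
 * never closed before).
 *
 * @throws Exception on any serialization failure
 */
public void testSerialization() throws Exception {
    Encoder encoder = ESAPI.encoder();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    ObjectOutputStream oos = new ObjectOutputStream(baos);
    try {
        oos.writeObject(encoder);
    } finally {
        oos.close();
    }

    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()));
    Encoder deserializedEncoder;
    try {
        deserializedEncoder = (Encoder) ois.readObject();
    } finally {
        ois.close();
    }
    // assertSame rather than assertEquals: deserialization is expected to resolve to the very
    // same instance — presumably via readResolve; confirm against the Encoder implementation.
    assertSame(encoder, deserializedEncoder);
}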
Example #7
Source File: Utils.java From Benchmark with GNU General Public License v2.0 | 6 votes |
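/**
 * HTML-encodes a parameter that may be either a {@code String} or an {@code InputStream}.
 *
 * <p>For a stream, at most the first 1000 bytes of a single {@code read} are used, after a
 * {@code reset()}; anything else encodes the placeholder {@code "objectTypeUnknown"}. The
 * result always goes through ESAPI's HTML encoder.
 *
 * @param param a {@code String}, an {@code InputStream}, or any other object
 * @return the HTML-encoded text
 */
public static String encodeForHTML(Object param) {
    String value = "objectTypeUnknown";
    if (param instanceof String) {
        // This branch was empty, so a String argument was encoded as the literal
        // "objectTypeUnknown" instead of its own contents.
        value = (String) param;
    } else if (param instanceof java.io.InputStream) {
        byte[] buff = new byte[1000];
        int length = 0;
        try {
            java.io.InputStream stream = (java.io.InputStream) param;
            stream.reset();
            length = stream.read(buff);
        } catch (IOException e) {
            // Best-effort: emit a placeholder character rather than propagate.
            buff[0] = (byte) '?';
            length = 1;
        }
        // read() returns -1 at end of stream; clamp so ByteArrayOutputStream.write does not throw.
        if (length < 0) {
            length = 0;
        }
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        b.write(buff, 0, length);
        // NOTE(review): toString() decodes with the platform default charset — confirm that is
        // intended for the stream contents.
        value = b.toString();
    }
    return ESAPI.encoder().encodeForHTML(value);
}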
Example #8
Source File: FormWithValidation.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 6 votes |
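/**
 * Performs minimal ESAPI input validation on the {@code name} and {@code email} fields.
 *
 * <p>Each field is checked with {@code Validator.isValidInput} against the named ESAPI
 * validation pattern and a maximum length, with nulls disallowed. An
 * {@code IntrusionException} from the validator is logged with its stack trace (the original
 * logged only the message) and leaves both fields marked invalid.
 *
 * @param mapping the Struts action mapping (unused here)
 * @param request the current request (unused here; fields are read from this form bean)
 * @return the collected validation errors, possibly empty
 */
public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
    ActionErrors errors = new ActionErrors();
    boolean validName = false;
    boolean validEmail = false;
    try {
        validName = ESAPI.validator().isValidInput("TestForm_name", name, "name", 20, false);
        validEmail = ESAPI.validator().isValidInput("TestForm_email", email, "email", 45, false);
    } catch (IntrusionException e) {
        // Keep the throwable so the log records where the intrusion was detected; the logger
        // is assumed to be java.util.logging (it exposes severe()).
        log.log(java.util.logging.Level.SEVERE, e.getMessage(), e);
    }
    if (!validName) {
        errors.add("name", new ActionMessage("TestForm.name.invalid"));
    }
    if (!validEmail) {
        errors.add("email", new ActionMessage("TestForm.email.invalid"));
    }
    return errors;
}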
Example #9
Source File: Utils.java From Benchmark with GNU General Public License v2.0 | 6 votes |
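/**
 * Appends the standard output and standard error of {@code proc} to {@code resp} as
 * HTML-encoded messages.
 *
 * <p>Every line is passed through ESAPI's HTML encoder and terminated with {@code <br>}.
 * The original kept only the last line of each stream (and added a {@code null} message when
 * a stream was empty); all lines are now accumulated. Both readers are closed on every path.
 *
 * @param proc the finished or running process whose streams are read to exhaustion
 * @param resp the message list to append to
 * @throws IOException if closing a reader fails
 */
public static void printOSCommandResults(java.lang.Process proc, List<StringMessage> resp) throws IOException {
    BufferedReader stdInput = new BufferedReader(new InputStreamReader(proc.getInputStream()));
    BufferedReader stdError = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
    try {
        // read the output from the command
        resp.add(new StringMessage("Message", "Here is the standard output of the command:<br>"));
        StringBuilder out = new StringBuilder();
        String s;
        while ((s = stdInput.readLine()) != null) {
            out.append(ESAPI.encoder().encodeForHTML(s)).append("<br>");
        }
        resp.add(new StringMessage("Message", out.toString()));

        // read any errors from the attempted command. NOTE(review): stdout is drained fully
        // before stderr is touched; a process that fills its stderr buffer first would block.
        resp.add(new StringMessage("Message", "<br>Here is the std err of the command (if any):<br>"));
        StringBuilder outError = new StringBuilder();
        while ((s = stdError.readLine()) != null) {
            outError.append(ESAPI.encoder().encodeForHTML(s)).append("<br>");
        }
        resp.add(new StringMessage("Message", outError.toString()));
    } catch (IOException e) {
        // Best-effort harness output; a read failure is reported but not propagated.
        System.out.println("An error ocurred while printOSCommandResults");
    } finally {
        try {
            stdInput.close();
        } finally {
            stdError.close();
        }
    }
}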
Example #10
Source File: DatabaseHelper.java From Benchmark with GNU General Public License v2.0 | 5 votes |
/**
 * Writes a one-line HTML page confirming that the update for {@code sql} completed.
 *
 * <p>The SQL text is HTML-encoded through ESAPI before being echoed.
 *
 * @param sql      the SQL text that was executed
 * @param response the servlet response whose writer receives the page
 * @throws java.sql.SQLException declared for callers; not thrown by this method
 * @throws IOException if the response writer cannot be obtained
 */
public static void outputUpdateComplete(String sql, HttpServletResponse response) throws java.sql.SQLException, IOException {
    PrintWriter writer = response.getWriter();
    writer.write("<!DOCTYPE html>\n<html>\n<body>\n<p>");
    String encodedSql = org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql);
    writer.write("Update complete for query: " + encodedSql + "<br>\n");
    writer.write("</p>\n</body>\n</html>");
}
Example #11
Source File: XssServlet1.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Echoes the {@code input1} request parameter three times: raw, ESAPI HTML-encoded, and
 * Commons-Lang HTML-escaped.
 *
 * <p>The first write emits the parameter without any encoding; given the file name this is
 * presumably the detector's positive case, with the two encoded writes as its negatives —
 * verify against the surrounding test suite.
 *
 * @param req  the request carrying {@code input1}
 * @param resp the response to write to
 * @throws ServletException never thrown here; declared by the servlet contract
 * @throws IOException if the response writer cannot be obtained
 */
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    String input1 = req.getParameter("input1");
    java.io.PrintWriter writer = resp.getWriter();
    writer.write(input1);
    String esapiEncoded = ESAPI.encoder().encodeForHTML(input1);
    writer.write(esapiEncoded);
    String commonsEscaped = StringEscapeUtils.escapeHtml(input1);
    writer.write(commonsEscaped);
}
Example #12
Source File: DatabaseHelper.java From Benchmark with GNU General Public License v2.0 | 5 votes |
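/**
 * Appends messages describing the outcome of a batch update for {@code query} to {@code resp}.
 *
 * <p>The query text is HTML-encoded through ESAPI before being echoed. Only {@code counts[0]}
 * is reported; further batch entries are ignored, as before. The closing-markup message is
 * always appended, even if an earlier step throws.
 *
 * @param query  the SQL text that was executed
 * @param counts per-statement update counts from {@code Statement.executeBatch()};
 *               {@code null} or empty produces no count message
 * @param resp   the message list to append to
 * @throws IOException declared for callers; not thrown by this method
 */
public static void printResults(String query, int[] counts, List<StringMessage> resp) throws IOException {
    resp.add(new StringMessage("Message", "For query: " + ESAPI.encoder().encodeForHTML(query) + "<br>"));
    try {
        // A null array used to throw NullPointerException from counts.length; treat it as empty.
        if (counts != null && counts.length > 0) {
            String message;
            if (counts[0] == Statement.SUCCESS_NO_INFO) {
                message = "The SQL query was processed successfully but the number of rows affected is unknown.";
            } else if (counts[0] == Statement.EXECUTE_FAILED) {
                message = "The SQL query failed to execute successfully and occurs only if a driver continues to process commands after a command fails";
            } else {
                message = "The number of affected rows are: " + counts[0];
            }
            // Mirrored to stdout as well as the message list, as the original harness did.
            resp.add(new StringMessage("Message", message));
            System.out.println(message);
        }
    } finally {
        resp.add(new StringMessage("Message", "</p>\n</body>\n</html>"));
    }
}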
Example #13
Source File: Utils.java From Benchmark with GNU General Public License v2.0 | 5 votes |
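/**
 * Writes the standard output and standard error of {@code proc} to the response as an HTML
 * page, one {@code <br>}-terminated line per output line.
 *
 * <p>Every line is passed through ESAPI's HTML encoder before being written. Both readers are
 * now closed on every path (they were never closed before).
 *
 * @param proc     the process whose streams are read to exhaustion
 * @param response the servlet response whose writer receives the page
 * @throws IOException if the response writer cannot be obtained or a reader cannot be closed
 */
public static void printOSCommandResults(java.lang.Process proc, HttpServletResponse response) throws IOException {
    PrintWriter out = response.getWriter();
    // NOTE(review): the page declares ISO-8859-1 while the writer's charset comes from the
    // response — confirm the two agree for non-ASCII command output.
    out.write(
            "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n"
                    + "<html>\n"
                    + "<head>\n"
                    + "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\">\n"
                    + "</head>\n"
                    + "<body>\n"
                    + "<p>\n");

    BufferedReader stdInput = new BufferedReader(new InputStreamReader(proc.getInputStream()));
    BufferedReader stdError = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
    try {
        // read the output from the command
        out.write("Here is the standard output of the command:<br>");
        String s;
        while ((s = stdInput.readLine()) != null) {
            out.write(ESAPI.encoder().encodeForHTML(s));
            out.write("<br>");
        }

        // read any errors from the attempted command. NOTE(review): stdout is drained fully
        // before stderr is touched; a process that fills its stderr buffer first would block.
        out.write("<br>Here is the std err of the command (if any):<br>");
        while ((s = stdError.readLine()) != null) {
            out.write(ESAPI.encoder().encodeForHTML(s));
            out.write("<br>");
        }
    } catch (IOException e) {
        // Best-effort harness output; a read failure is reported but not propagated.
        System.out.println("An error ocurred while printOSCommandResults");
    } finally {
        try {
            stdInput.close();
        } finally {
            stdError.close();
        }
    }
}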
Example #14
Source File: XssServlet3.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Writes {@code input1} to {@code pw} through a series of encoder variants.
 *
 * <p>In order: the raw value; the ESAPI-encoded value lower-cased and suffixed; the
 * Commons-Lang escaped value; the ESAPI-encoded value decoded back (which restores the raw
 * text) and suffixed; the local {@code myEncode}/{@code myDecode} wrappers; and the value
 * with {@code " ' < > &} characters stripped by regex (a character denylist, not an encoder).
 * Presumably each write is a separate case for an XSS detector — verify against the suite.
 *
 * @param pw     the writer to emit to
 * @param input1 the value under test
 */
public void writeWithEncoders(PrintWriter pw, String input1) {
    pw.write(input1);

    String encoded = ESAPI.encoder().encodeForHTML(input1);
    String lowered = encoded.toLowerCase();
    pw.write(lowered + SAFE_VALUE);

    pw.write(StringEscapeUtils.escapeHtml(input1));

    String decodedBack = ESAPI.encoder().decodeForHTML(encoded);
    pw.write(decodedBack + SAFE_VALUE);

    pw.write(myEncode(input1));
    pw.write(myDecode(encoded));

    String stripped = input1.replaceAll("[\"'<>&]", "");
    pw.write(stripped);
}
Example #15
Source File: ResponseSplittingServlet.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Exercises header and cookie sinks with request-derived and constant values.
 *
 * <p>The first group feeds request parameters (directly, or after a URL encode/decode round
 * trip that restores the original text) into {@code Cookie}, {@code setHeader},
 * {@code addHeader}, a local sink, and a {@code HttpServletResponseWrapper}. The group
 * marked "false positives" uses values derived only from constants. Presumably a detector
 * test case for response splitting — verify against the surrounding suite.
 *
 * @param req  the current request
 * @param resp the response whose headers and cookies are set
 */
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
    Cookie cookie = new Cookie("name", unknown());
    cookie.setValue(req.getParameter("p") + "x");
    resp.setHeader("header", req.getParameter("h1"));
    resp.addHeader("header", unknown());
    callCookieSink(req.getParameter("h2"));

    // Encoding for URL then decoding again yields the raw parameter value.
    String encoded = ESAPI.encoder().encodeForURL(req.getParameter("h3"));
    String decodedBack = ESAPI.encoder().decodeFromURL(encoded);
    resp.addHeader("header", decodedBack);

    // false positives
    String safe = "x".concat("y");
    Cookie safeCookie = new Cookie("name", safe);
    safeCookie.setValue(safe + "x");
    resp.setHeader("header", safe);
    resp.addHeader("header", encoded.concat(safe));

    HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper(resp);
    wrapped.setHeader("header2", req.getParameter("a"));
    wrapped.addHeader("header3", req.getParameter("b"));
}
Example #16
Source File: ESAPIEncoderTest.java From owasp-java-encoder with BSD 3-Clause "New" or "Revised" License | 4 votes |
/**
 * Checks the XML encoding of a short string containing markup characters and a non-ASCII
 * letter.
 *
 * <p>The original note observes that the ESAPI reference output is longer (25 characters
 * versus 14 for OWASP Java Encoder). NOTE(review): the expected literal here is identical to
 * the input, which suggests its entity references were lost when the page was rendered —
 * confirm against the repository source before relying on this value.
 *
 * @throws Exception on any ESAPI failure
 */
public void testEncode() throws Exception {
    String sample = "<>&\u03a9";
    String actual = ESAPI.encoder().encodeForXML(sample);
    assertEquals("<>&\u03a9", actual);
}
Example #17
Source File: StringHelper.java From olat with Apache License 2.0 | 4 votes |
/**
 * Encodes {@code str} for placement inside a JavaScript string literal.
 *
 * <p>Delegates to the ESAPI reference encoder (the Commons-Lang alternative was previously
 * left in a comment).
 *
 * @param str the raw value
 * @return the value as returned by {@code Encoder.encodeForJavaScript}
 */
public static final String escapeJavaScript(String str) {
    final String encoded = ESAPI.encoder().encodeForJavaScript(str);
    return encoded;
}
Example #18
Source File: SecurityUtil.java From albert with MIT License | 4 votes |
/**
 * Escapes {@code source} for use in a MySQL query using the file's {@code MYSQL_CODEC}.
 *
 * <p>This is an escaping layer only; parameterized statements remain the primary control
 * against SQL injection, and this helper is for the cases where they cannot be used.
 *
 * @param source the raw value
 * @return the value as returned by {@code Encoder.encodeForSQL}
 */
public static final String escapeMySQL(String source) {
    final String escaped = ESAPI.encoder().encodeForSQL(MYSQL_CODEC, source);
    return escaped;
}
Example #19
Source File: DatabaseHelper.java From Benchmark with GNU General Public License v2.0 | 4 votes |
/**
 * Appends a single message confirming that the update for {@code sql} completed.
 *
 * <p>The SQL text is HTML-encoded through ESAPI before being echoed.
 *
 * @param sql  the SQL text that was executed
 * @param resp the message list to append to
 * @throws java.sql.SQLException declared for callers; not thrown by this method
 * @throws IOException declared for callers; not thrown by this method
 */
public static void outputUpdateComplete(String sql, List<StringMessage> resp) throws java.sql.SQLException, IOException {
    String encodedSql = org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql);
    String text = "Update complete for query: " + encodedSql + "<br>\n";
    resp.add(new StringMessage("Message", text));
}
Example #20
Source File: LogForgingDemo.java From tutorials with MIT License | 4 votes |
/**
 * Neutralizes a log message against log forging and HTML-encodes it.
 *
 * <p>Newline, carriage return and tab are each replaced with {@code _} so an attacker cannot
 * inject fabricated log lines; the result is then passed through ESAPI's HTML encoder so it
 * is safe to render in an HTML log viewer.
 *
 * @param message the raw message
 * @return the neutralized, HTML-encoded message
 */
public static String encode(String message) {
    String neutralized = message
            .replace('\n', '_')
            .replace('\r', '_')
            .replace('\t', '_');
    return ESAPI.encoder().encodeForHTML(neutralized);
}
Example #21
Source File: CommandInjectionSafe.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Builds an {@code ls} command line with {@code input} OS-encoded through ESAPI and hands it
 * to a {@code ProcessBuilder} as a whitespace-split argument list.
 *
 * <p>The builder is configured but never started in this method. NOTE(review): the codec is
 * {@code WindowsCodec} while the command is {@code ls} — presumably deliberate for a detector
 * sample; confirm before reuse.
 *
 * @param input the untrusted argument to encode
 */
public void safeCommandEcoded(String input) {
    String encodedArg = ESAPI.encoder().encodeForOS(new WindowsCodec(), input);
    String cmd = "ls " + encodedArg;
    String[] argv = cmd.split(" ");
    new ProcessBuilder().command(argv);
}
Example #22
Source File: XssServlet3.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * HTML-decodes {@code str} with a {@code "safe"} suffix appended before and after decoding.
 *
 * <p>Note that decoding restores any markup the encoder removed; the suffix does not change
 * that.
 *
 * @param str the (presumably HTML-encoded) value
 * @return the decoded value wrapped with the suffix
 */
public String myDecode(String str) {
    String decoded = ESAPI.encoder().decodeForHTML(str + "safe");
    return decoded + "safe";
}
Example #23
Source File: XssServlet3.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * HTML-encodes {@code str} with a {@code "safe"} suffix appended before and after encoding.
 *
 * @param str the raw value
 * @return the ESAPI HTML-encoded value wrapped with the suffix
 */
public String myEncode(String str) {
    String encoded = ESAPI.encoder().encodeForHTML(str + "safe");
    return encoded + "safe";
}
Example #24
Source File: XssServlet3.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Reads {@code input1} and routes it to two sinks: one that only ever receives the
 * ESAPI-encoded value, and {@code writeWithEncoders}, which receives the raw value.
 *
 * @param req  the request carrying {@code input1}
 * @param resp the response whose writer is used by both sinks
 * @throws ServletException never thrown here; declared by the servlet contract
 * @throws IOException if the response writer cannot be obtained
 */
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    String input1 = req.getParameter("input1");
    String encodedInput = ESAPI.encoder().encodeForHTML(input1);
    sinkCalledOnlyWithEncoded(resp.getWriter(), encodedInput);
    writeWithEncoders(resp.getWriter(), input1);
}
Example #25
Source File: EsapiCrypto.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Invokes each {@code Encryptor.decrypt} overload once: with the default key, with an
 * explicit key, and the legacy {@code String} form.
 *
 * <p>Presumably an API-coverage sample for a detector rather than production code — the
 * {@code CipherText} is freshly constructed and the results are discarded.
 *
 * @param secretKey the key for the explicit-key overload
 * @throws EncryptionException propagated from ESAPI
 */
static void decryptMethods(SecretKey secretKey) throws EncryptionException {
    CipherText cipherText = new CipherText();
    ESAPI.encryptor().decrypt(cipherText);
    ESAPI.encryptor().decrypt(secretKey, cipherText);
    // String overload: ESAPI 2.0.1 and lower
    ESAPI.encryptor().decrypt("");
}
Example #26
Source File: EsapiCrypto.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Invokes each {@code Encryptor.encrypt} overload once: with the default key, with an
 * explicit key, and the legacy {@code String} form.
 *
 * <p>Presumably an API-coverage sample for a detector rather than production code — the
 * results are discarded.
 *
 * @param secretKey the key for the explicit-key overload
 * @param pt        the plaintext to encrypt
 * @throws EncryptionException propagated from ESAPI
 */
static void encryptMethods(SecretKey secretKey, PlainText pt) throws EncryptionException {
    ESAPI.encryptor().encrypt(pt);
    ESAPI.encryptor().encrypt(secretKey, pt);
    // String overload: ESAPI 2.0.1 and lower
    ESAPI.encryptor().encrypt("Encrypt me");
}
Example #27
Source File: xss_005f5_005fmultiple_005ftransfer_005flocal_jsp.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * JSP-compiler generated service method.
 *
 * <p>The page body reads the {@code "input"} request attribute, passes it through three
 * local String variables, and prints it twice: once unencoded via {@code out.print(transfert3)}
 * and once through ESAPI's HTML encoder. The file name suggests a detector test case in which
 * the unencoded print is the positive — verify against the surrounding suite. The rest of the
 * method is standard Jasper scaffolding (method check, page context setup, error handling).
 *
 * @param request  the current request
 * @param response the current response
 * @throws java.io.IOException on output failure
 * @throws javax.servlet.ServletException when a page exception cannot be delegated
 */
public void _jspService(final javax.servlet.http.HttpServletRequest request, final javax.servlet.http.HttpServletResponse response) throws java.io.IOException, javax.servlet.ServletException {
    // Generated guard: only GET, POST, HEAD and error dispatches reach the page body.
    final java.lang.String _jspx_method = request.getMethod();
    if (!"GET".equals(_jspx_method) && !"POST".equals(_jspx_method) && !"HEAD".equals(_jspx_method) && !javax.servlet.DispatcherType.ERROR.equals(request.getDispatcherType())) {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "JSPs only permit GET POST or HEAD");
        return;
    }
    final javax.servlet.jsp.PageContext pageContext;
    javax.servlet.http.HttpSession session = null;
    final javax.servlet.ServletContext application;
    final javax.servlet.ServletConfig config;
    javax.servlet.jsp.JspWriter out = null;
    final java.lang.Object page = this;
    javax.servlet.jsp.JspWriter _jspx_out = null;
    javax.servlet.jsp.PageContext _jspx_page_context = null;
    try {
        response.setContentType("text/html;charset=UTF-8");
        pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true);
        _jspx_page_context = pageContext;
        application = pageContext.getServletContext();
        config = pageContext.getServletConfig();
        session = pageContext.getSession();
        out = pageContext.getOut();
        _jspx_out = out;
        out.write('\n');
        // Request attributes are set server-side; whether this one is attacker-influenced
        // depends on the code that populates it, which is not visible here.
        Object taintedInput = request.getAttribute("input");
        //Tainted input transfer to another local variable
        String castTaintedInput = (String) taintedInput;
        String transfert1 = castTaintedInput;
        String transfert2 = transfert1;
        String transfert3 = transfert2;
        out.write('\n');
        out.write('\n');
        out.write('\n');
        // Unencoded output of the attribute value.
        out.print( transfert3 );
        out.write('\n');
        out.write('\n');
        // Same value, HTML-encoded through ESAPI.
        out.print( ESAPI.encoder().encodeForHTML(transfert3) );
    } catch (java.lang.Throwable t) {
        // Generated error handling: flush or discard buffered output, then delegate to the
        // page context's exception handler (or wrap when no context was obtained).
        if (!(t instanceof javax.servlet.jsp.SkipPageException)){
            out = _jspx_out;
            if (out != null && out.getBufferSize() != 0)
                try {
                    if (response.isCommitted()) {
                        out.flush();
                    } else {
                        out.clearBuffer();
                    }
                } catch (java.io.IOException e) {} // generated: flush failures are ignored here
            if (_jspx_page_context != null)
                _jspx_page_context.handlePageException(t);
            else throw new ServletException(t);
        }
    } finally {
        _jspxFactory.releasePageContext(_jspx_page_context);
    }
}
Example #28
Source File: xss_005f2_005ftransfer_005flocal_jsp.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * JSP-compiler generated service method.
 *
 * <p>The page body reads the {@code "input"} request attribute, casts it to String, and
 * prints it twice: once unencoded via {@code out.print(castTaintedInput)} and once through
 * ESAPI's HTML encoder. The file name suggests a detector test case in which the unencoded
 * print is the positive — verify against the surrounding suite. The rest of the method is
 * standard Jasper scaffolding (method check, page context setup, error handling).
 *
 * @param request  the current request
 * @param response the current response
 * @throws java.io.IOException on output failure
 * @throws javax.servlet.ServletException when a page exception cannot be delegated
 */
public void _jspService(final javax.servlet.http.HttpServletRequest request, final javax.servlet.http.HttpServletResponse response) throws java.io.IOException, javax.servlet.ServletException {
    // Generated guard: only GET, POST, HEAD and error dispatches reach the page body.
    final java.lang.String _jspx_method = request.getMethod();
    if (!"GET".equals(_jspx_method) && !"POST".equals(_jspx_method) && !"HEAD".equals(_jspx_method) && !javax.servlet.DispatcherType.ERROR.equals(request.getDispatcherType())) {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "JSPs only permit GET POST or HEAD");
        return;
    }
    final javax.servlet.jsp.PageContext pageContext;
    javax.servlet.http.HttpSession session = null;
    final javax.servlet.ServletContext application;
    final javax.servlet.ServletConfig config;
    javax.servlet.jsp.JspWriter out = null;
    final java.lang.Object page = this;
    javax.servlet.jsp.JspWriter _jspx_out = null;
    javax.servlet.jsp.PageContext _jspx_page_context = null;
    try {
        response.setContentType("text/html;charset=UTF-8");
        pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true);
        _jspx_page_context = pageContext;
        application = pageContext.getServletContext();
        config = pageContext.getServletConfig();
        session = pageContext.getSession();
        out = pageContext.getOut();
        _jspx_out = out;
        out.write('\n');
        // Request attributes are set server-side; whether this one is attacker-influenced
        // depends on the code that populates it, which is not visible here.
        Object taintedInput = request.getAttribute("input");
        //Tainted input transfer to another local variable
        String castTaintedInput = (String) taintedInput;
        out.write('\n');
        out.write('\n');
        out.write('\n');
        // Unencoded output of the attribute value.
        out.print( castTaintedInput );
        out.write('\n');
        out.write('\n');
        // Same value, HTML-encoded through ESAPI.
        out.print( ESAPI.encoder().encodeForHTML(castTaintedInput) );
    } catch (java.lang.Throwable t) {
        // Generated error handling: flush or discard buffered output, then delegate to the
        // page context's exception handler (or wrap when no context was obtained).
        if (!(t instanceof javax.servlet.jsp.SkipPageException)){
            out = _jspx_out;
            if (out != null && out.getBufferSize() != 0)
                try {
                    if (response.isCommitted()) {
                        out.flush();
                    } else {
                        out.clearBuffer();
                    }
                } catch (java.io.IOException e) {} // generated: flush failures are ignored here
            if (_jspx_page_context != null)
                _jspx_page_context.handlePageException(t);
            else throw new ServletException(t);
        }
    } finally {
        _jspxFactory.releasePageContext(_jspx_page_context);
    }
}
Example #29
Source File: SecurityUtil.java From albert with MIT License | 4 votes |
/**
 * Encodes {@code source} for placement inside a quoted HTML attribute value.
 *
 * @param source the raw attribute value
 * @return the value as returned by {@code Encoder.encodeForHTMLAttribute}
 */
public static final String encodeForHTMLAttribute(String source) {
    final String encoded = ESAPI.encoder().encodeForHTMLAttribute(source);
    return encoded;
}
Example #30
Source File: SecurityUtil.java From albert with MIT License | 4 votes |
/**
 * Encodes {@code source} for placement in HTML element content.
 *
 * @param source the raw value
 * @return the value as returned by {@code Encoder.encodeForHTML}
 */
public static final String encodeForHTML(String source) {
    final String encoded = ESAPI.encoder().encodeForHTML(source);
    return encoded;
}