org.owasp.esapi.ESAPI Java Examples

The following examples show how to use org.owasp.esapi.ESAPI. Each example links to the original project or source file it was taken from.
Example #1
Source File: DatabaseHelper.java — from Benchmark, GNU General Public License v2.0
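/**
 * Writes a minimal HTML page reporting the outcome of a batch statement.
 *
 * @param query the SQL text echoed back to the client; HTML-encoded before output so
 *        caller-influenced query text cannot inject markup into the page
 * @param counts batch result counts as returned by the JDBC driver; only the first
 *        element is reported, and {@code null} is treated like an empty array
 * @param response the servlet response the page is written to
 * @throws IOException if the response writer cannot be obtained
 */
public static void printResults(String query, int[] counts, HttpServletResponse response) throws IOException{
	PrintWriter out = response.getWriter();
	out.write("<!DOCTYPE html>\n<html>\n<body>\n<p>");
	// encodeForHTML is the XSS control for the reflected query text
	out.write("For query: " + ESAPI.encoder().encodeForHTML(query) + "<br>");
	try {
		// null guard: counts used to be dereferenced unconditionally, which would NPE
		// after the page header had already been sent
		if (counts != null && counts.length > 0) {
			String message;
			if (counts[0] == Statement.SUCCESS_NO_INFO) {
				message = "The SQL query was processed successfully but the number of rows affected is unknown.";
			} else if (counts[0] == Statement.EXECUTE_FAILED) {
				message = "The SQL query failed to execute successfully and occurs only if a driver continues to process commands after a command fails";
			} else {
				message = "The number of affected rows are: " + counts[0];
			}
			// the same text goes to the page and to stdout, so build it once
			out.write(message);
			System.out.println(message);
		}
	} finally {
		// always close the document, even if reporting threw
		out.write("</p>\n</body>\n</html>");
	}
}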
 
Example #2
Source File: StringHelper.java — from olat, Apache License 2.0
/**
 * HTML-attribute-encodes {@code str} with the configured ESAPI encoder so the value can
 * sit inside a quoted attribute without terminating it.
 *
 * @param str the raw value; handed to ESAPI unchanged
 * @return the value as returned by {@code Encoder#encodeForHTMLAttribute}
 */
public static final String escapeHtmlAttribute(String str) {
    final String encoded = ESAPI.encoder().encodeForHTMLAttribute(str);
    return encoded;
}
 
Example #3
Source File: DefaultBootstrap.java — from lams, GNU General Public License v2.0
/**
 * Initializes the OWASP ESAPI library.
 *
 * Points ESAPI at the OpenSAML-internal {@code ESAPISecurityConfig} unless the
 * {@code org.owasp.esapi.SecurityConfiguration} system property already names an
 * implementation, in which case the deployer's choice is left untouched.
 */
protected static void initializeESAPI() {
    final Logger log = getLogger();
    final String propertyName = "org.owasp.esapi.SecurityConfiguration";
    final String internalImpl = ESAPISecurityConfig.class.getName();

    final String configured = System.getProperty(propertyName);
    final boolean alreadySet = configured != null && !configured.isEmpty();
    if (alreadySet) {
        log.debug("ESAPI SecurityConfiguration impl was already set non-null and non-empty via system property, leaving existing value in place: {}",
                configured);
        return;
    }

    log.debug("Setting ESAPI SecurityConfiguration impl to OpenSAML internal class: {}", internalImpl);
    System.setProperty(propertyName, internalImpl);
    // The ESAPI class reads the system property only once, in a static initializer, so
    // setting the property alone is not enough if ESAPI was already loaded. initialize()
    // overrides that cached value; the property is still set so other code can observe it.
    ESAPI.initialize(internalImpl);
}
 
Example #4
Source File: HTTPArtifactEncoder.java — from lams, GNU General Public License v2.0
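/**
 * Performs HTTP POST based encoding.
 *
 * The endpoint URL and the RelayState are HTML-attribute-encoded with ESAPI before they
 * are placed in the Velocity context; the artifact is only Base64-encoded.
 *
 * @param artifactContext current request context
 * @param outTransport outbound HTTP transport
 *
 * @throws MessageEncodingException thrown if there is a problem POST encoding the artifact
 */
protected void postEncode(SAMLMessageContext artifactContext, HTTPOutTransport outTransport)
        throws MessageEncodingException {
    log.debug("Performing HTTP POST SAML 2 artifact encoding");

    log.debug("Creating velocity context");
    VelocityContext context = new VelocityContext();
    Encoder esapiEncoder = ESAPI.encoder();
    String endpointURL = getEndpointURL(artifactContext).toString();
    String encodedEndpointURL = esapiEncoder.encodeForHTMLAttribute(endpointURL);
    log.debug("Setting action parameter to: '{}', encoded as '{}'", endpointURL, encodedEndpointURL);
    context.put("action", encodedEndpointURL);
    context.put("SAMLArt", buildArtifact(artifactContext).base64Encode());
    context.put("binding", getBindingURI());

    if (checkRelayState(artifactContext.getRelayState())) {
        String encodedRelayState = esapiEncoder.encodeForHTMLAttribute(artifactContext.getRelayState());
        log.debug("Setting RelayState parameter to: '{}', encoded as '{}'", artifactContext.getRelayState(), encodedRelayState);
        context.put("RelayState", encodedRelayState);
    }

    try {
        log.debug("Invoking velocity template");
        // The template is merged as UTF-8, so the writer must use the same charset rather
        // than the platform default, or non-ASCII characters in the form are mis-encoded.
        OutputStreamWriter outWriter = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8");
        velocityEngine.mergeTemplate(velocityTemplateId, "UTF-8", context, outWriter);
        // OutputStreamWriter buffers internally and nothing closes it here, so flush
        // explicitly or the tail of the form may never reach the transport.
        outWriter.flush();
    } catch (Exception e) {
        log.error("Error invoking velocity template to create POST form", e);
        throw new MessageEncodingException("Error creating output document", e);
    }
}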
 
Example #5
Source File: HTTPPostEncoder.java — from lams, GNU General Public License v2.0
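/**
 * Populate the Velocity context instance which will be used to render the POST body.
 *
 * The endpoint URL and RelayState are HTML-attribute-encoded with ESAPI before being put
 * in the context; the marshalled SAML message is Base64-encoded on a single line and
 * stored under {@code SAMLRequest} or {@code SAMLResponse} depending on its type.
 *
 * @param velocityContext the Velocity context instance to populate with data
 * @param messageContext the SAML message context source of data
 * @param endpointURL endpoint URL to which to encode message
 * @throws MessageEncodingException thrown if there is a problem encoding the message, or
 *         if the outbound message is neither a request nor a status response
 */
protected void populateVelocityContext(VelocityContext velocityContext, SAMLMessageContext messageContext,
        String endpointURL) throws MessageEncodingException {

    Encoder esapiEncoder = ESAPI.encoder();

    String encodedEndpointURL = esapiEncoder.encodeForHTMLAttribute(endpointURL);
    log.debug("Encoding action url of '{}' with encoded value '{}'", endpointURL, encodedEndpointURL);
    velocityContext.put("action", encodedEndpointURL);
    velocityContext.put("binding", getBindingURI());

    log.debug("Marshalling and Base64 encoding SAML message");
    // marshall only when no DOM has been produced for the message yet
    if (messageContext.getOutboundSAMLMessage().getDOM() == null) {
        marshallMessage(messageContext.getOutboundSAMLMessage());
    }
    try {
        String messageXML = XMLHelper.nodeToString(messageContext.getOutboundSAMLMessage().getDOM());
        String encodedMessage = Base64.encodeBytes(messageXML.getBytes("UTF-8"), Base64.DONT_BREAK_LINES);
        if (messageContext.getOutboundSAMLMessage() instanceof RequestAbstractType) {
            velocityContext.put("SAMLRequest", encodedMessage);
        } else if (messageContext.getOutboundSAMLMessage() instanceof StatusResponseType) {
            velocityContext.put("SAMLResponse", encodedMessage);
        } else {
            throw new MessageEncodingException(
                    "SAML message is neither a SAML RequestAbstractType or StatusResponseType");
        }
    } catch (UnsupportedEncodingException e) {
        log.error("UTF-8 encoding is not supported, this VM is not Java compliant.");
        // keep the cause attached instead of dropping it, so the failure is diagnosable
        throw new MessageEncodingException("Unable to encode message, UTF-8 encoding is not supported", e);
    }

    String relayState = messageContext.getRelayState();
    if (checkRelayState(relayState)) {
        String encodedRelayState = esapiEncoder.encodeForHTMLAttribute(relayState);
        log.debug("Setting RelayState parameter to: '{}', encoded as '{}'", relayState, encodedRelayState);
        velocityContext.put("RelayState", encodedRelayState);
    }
}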
 
Example #6
Source File: ESAPIEncoderTest.java — from owasp-java-encoder, BSD 3-Clause "New" or "Revised" License
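/**
 * Round-trips the ESAPI encoder through Java serialization and checks that the
 * deserialized object is the very same instance (i.e. the encoder resolves back to its
 * singleton rather than producing a copy).
 *
 * @throws Exception on any serialization failure; the test is meant to fail loudly
 */
public void testSerialization() throws Exception {
    // Note: ESAPI reference implementation is NOT serializable.  Maybe
    // it will be in the future.  Our implementation is however
    // guaranteed serializable.

    Encoder encoder = ESAPI.encoder();

    ByteArrayOutputStream baos = new ByteArrayOutputStream();

    ObjectOutputStream oos = new ObjectOutputStream(baos);
    try {
        oos.writeObject(encoder);
    } finally {
        // close on every path, not only on success
        oos.close();
    }

    // The bytes come from our own in-memory buffer, so Java deserialization is fine
    // here; the same call must never be pointed at untrusted input.
    ObjectInputStream ois = new ObjectInputStream(
        new ByteArrayInputStream(baos.toByteArray()));
    Encoder deserializedEncoder;
    try {
        deserializedEncoder = (Encoder) ois.readObject();
    } finally {
        ois.close();
    }

    assertSame(encoder, deserializedEncoder);
}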
 
Example #7
Source File: Utils.java — from Benchmark, GNU General Public License v2.0
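/**
 * HTML-encodes a value that may arrive either as a {@link String} or as an
 * {@link java.io.InputStream}, for safe inclusion in an HTML body.
 *
 * @param param the value to encode. Strings are encoded directly; for an input stream the
 *        stream is reset and at most the first 1000 bytes are decoded with the platform
 *        default charset. Any other type yields the encoded marker {@code "objectTypeUnknown"}
 * @return the value as returned by {@code Encoder#encodeForHTML}
 */
public static String encodeForHTML(Object param) {

		String value = "objectTypeUnknown";
		if (param instanceof String) {
			// this branch was empty, so every String came back as "objectTypeUnknown"
			value = (String) param;
		} else if (param instanceof java.io.InputStream) {
			byte[] buff = new byte[1000];
			int length = 0;
			try {
				java.io.InputStream stream = (java.io.InputStream) param;
				stream.reset();
				length = stream.read(buff);
			} catch (IOException e) {
				// unreadable or non-resettable stream: show a visible '?' instead of failing
				buff[0] = (byte) '?';
				length = 1;
			}
			// read() returns -1 at end of stream; passing that on as a length throws
			// IndexOutOfBoundsException, so treat it as "nothing read"
			if (length < 0) {
				length = 0;
			}
			// platform default charset, same as the ByteArrayOutputStream.toString() it replaces
			value = new String(buff, 0, length);
		}
		return ESAPI.encoder().encodeForHTML(value);
	}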
 
Example #8
Source File: FormWithValidation.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * The idea is to do minimal validation on inputs.
 *
 * Both fields go through the ESAPI validator ("name" rule, max 20 chars; "email" rule,
 * max 45 chars; null not allowed). If the validator raises an {@code IntrusionException}
 * it is logged and whichever flag has not been set yet stays false, so the form fails
 * closed rather than open.
 */
public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
    final ActionErrors errors = new ActionErrors();

    boolean nameOk = false;
    boolean emailOk = false;
    try {
        nameOk = ESAPI.validator().isValidInput("TestForm_name", name, "name", 20, false);
        emailOk = ESAPI.validator().isValidInput("TestForm_email", email, "email", 45, false);
    } catch (IntrusionException e) {
        // fail closed: the flag(s) not yet assigned remain false
        log.severe(e.getMessage());
    }

    if (!nameOk) {
        errors.add("name", new ActionMessage("TestForm.name.invalid"));
    }
    if (!emailOk) {
        errors.add("email", new ActionMessage("TestForm.email.invalid"));
    }
    return errors;
}
 
Example #9
Source File: Utils.java — from Benchmark, GNU General Public License v2.0
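/**
 * Collects the standard output and standard error of {@code proc} into {@code resp} as
 * HTML-encoded messages.
 *
 * Every line of process output is passed through {@code Encoder#encodeForHTML} before it
 * is stored, since the caller renders these messages into a page.
 *
 * @param proc the process whose streams are read to end of stream; both are closed on exit
 * @param resp the message list that receives the output; the message for each stream
 *        holds all its lines joined with {@code <br>}, or is empty if there were none
 * @throws IOException declared for compatibility; read failures are reported on stdout
 *         rather than thrown
 */
public static void printOSCommandResults(java.lang.Process proc, List<StringMessage> resp) throws IOException {
	BufferedReader stdInput = new BufferedReader(new InputStreamReader(proc.getInputStream()));
	BufferedReader stdError = new BufferedReader(new InputStreamReader(proc.getErrorStream()));

	try {
		// read the output from the command
		resp.add(new StringMessage("Message", "Here is the standard output of the command:<br>"));
		// accumulate every line; the previous version overwrote a single String per line,
		// so only the last line of output ever reached the caller
		StringBuilder out = new StringBuilder();
		String s;
		while ((s = stdInput.readLine()) != null) {
			out.append(ESAPI.encoder().encodeForHTML(s)).append("<br>");
		}
		resp.add(new StringMessage("Message", out.toString()));

		// read any errors from the attempted command
		resp.add(new StringMessage("Message", "<br>Here is the std err of the command (if any):<br>"));
		StringBuilder outError = new StringBuilder();
		while ((s = stdError.readLine()) != null) {
			outError.append(ESAPI.encoder().encodeForHTML(s)).append("<br>");
		}
		resp.add(new StringMessage("Message", outError.toString()));
	} catch (IOException e) {
		System.out.println("An error ocurred while printOSCommandResults");
	} finally {
		// the readers wrap the process pipes; close both whether or not reading succeeded
		try {
			stdInput.close();
		} catch (IOException ignored) {
			// nothing left to do once reading is over
		}
		try {
			stdError.close();
		} catch (IOException ignored) {
			// nothing left to do once reading is over
		}
	}
}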
 
Example #10
Source File: DatabaseHelper.java — from Benchmark, GNU General Public License v2.0
/**
 * Writes a one-line HTML page confirming that an update statement completed.
 *
 * @param sql the statement text echoed to the client; HTML-encoded so it cannot inject markup
 * @param response target response
 * @throws java.sql.SQLException declared by the signature; nothing in this method throws it
 * @throws IOException if the response writer cannot be obtained
 */
public static void outputUpdateComplete(String sql, HttpServletResponse response) throws java.sql.SQLException, IOException {
	final String encodedSql = org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql);
	final PrintWriter out = response.getWriter();

	out.write("<!DOCTYPE html>\n<html>\n<body>\n<p>");
	out.write("Update complete for query: " + encodedSql + "<br>\n");
	out.write("</p>\n</body>\n</html>");
}
 
Example #11
Source File: XssServlet1.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Reflects the {@code input1} request parameter into the response three times: raw, via
 * ESAPI {@code encodeForHTML}, and via {@code StringEscapeUtils.escapeHtml}.
 *
 * The first write is an unencoded reflected write (an XSS sink). Given the class name this
 * looks like a static-analysis fixture that puts encoded and unencoded sinks side by side —
 * presumably intentional; confirm before copying the pattern.
 */
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    final String input1 = req.getParameter("input1");
    final java.io.PrintWriter writer = resp.getWriter();

    // raw, unencoded
    writer.write(input1);
    // HTML-body encoded via ESAPI
    writer.write(ESAPI.encoder().encodeForHTML(input1));
    // HTML encoded via StringEscapeUtils
    writer.write(StringEscapeUtils.escapeHtml(input1));
}
 
Example #12
Source File: DatabaseHelper.java — from Benchmark, GNU General Public License v2.0
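/**
 * Reports the outcome of a batch statement as a sequence of messages.
 *
 * @param query the SQL text echoed back; HTML-encoded before it is stored so
 *        caller-influenced query text cannot inject markup when the messages are rendered
 * @param counts batch result counts as returned by the JDBC driver; only the first
 *        element is reported, and {@code null} is treated like an empty array
 * @param resp the message list that receives the report
 * @throws IOException declared for compatibility with the response-writing variant
 */
public static void printResults(String query, int[] counts, List<StringMessage> resp) throws IOException{
	resp.add(new StringMessage("Message",
			"For query: " + ESAPI.encoder().encodeForHTML(query) + "<br>"
		));
	try {
		// null guard: counts used to be dereferenced unconditionally
		if (counts != null && counts.length > 0) {
			String message;
			if (counts[0] == Statement.SUCCESS_NO_INFO) {
				message = "The SQL query was processed successfully but the number of rows affected is unknown.";
			} else if (counts[0] == Statement.EXECUTE_FAILED) {
				message = "The SQL query failed to execute successfully and occurs only if a driver continues to process commands after a command fails";
			} else {
				message = "The number of affected rows are: " + counts[0];
			}
			// the same text is stored as a message and echoed to stdout, so build it once
			resp.add(new StringMessage("Message", message));
			System.out.println(message);
		}
	} finally {
		// trailing document-closing markup, kept as the original emits it
		resp.add(new StringMessage("Message",
				"</p>\n</body>\n</html>"
				));
	}
}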
 
Example #13
Source File: Utils.java — from Benchmark, GNU General Public License v2.0
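/**
 * Streams the standard output and standard error of {@code proc} into the response as a
 * simple HTML page, one {@code <br>}-separated line per process line.
 *
 * Each line is HTML-encoded with {@code Encoder#encodeForHTML} before it is written, so
 * whatever the command printed cannot inject markup into the page.
 *
 * @param proc the process whose streams are read to end of stream; both are closed on exit
 * @param response target response; the preamble declares charset ISO-8859-1
 * @throws IOException if the response writer cannot be obtained; read failures are
 *         reported on stdout rather than thrown
 */
public static void printOSCommandResults(java.lang.Process proc, HttpServletResponse response) throws IOException {
	PrintWriter out = response.getWriter();
	out.write(
			"<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n"
					+ "<html>\n" + "<head>\n"
					+ "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\">\n" + "</head>\n"
					+ "<body>\n" + "<p>\n");

	BufferedReader stdInput = new BufferedReader(new InputStreamReader(proc.getInputStream()));
	BufferedReader stdError = new BufferedReader(new InputStreamReader(proc.getErrorStream()));

	try {
		// read the output from the command
		out.write("Here is the standard output of the command:<br>");
		String s;
		while ((s = stdInput.readLine()) != null) {
			out.write(ESAPI.encoder().encodeForHTML(s));
			out.write("<br>");
		}

		// read any errors from the attempted command
		out.write("<br>Here is the std err of the command (if any):<br>");
		while ((s = stdError.readLine()) != null) {
			out.write(ESAPI.encoder().encodeForHTML(s));
			out.write("<br>");
		}
	} catch (IOException e) {
		System.out.println("An error ocurred while printOSCommandResults");
	} finally {
		// the readers wrap the process pipes; the previous version never closed them
		try {
			stdInput.close();
		} catch (IOException ignored) {
			// nothing left to do once reading is over
		}
		try {
			stdError.close();
		} catch (IOException ignored) {
			// nothing left to do once reading is over
		}
	}
}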
 
Example #14
Source File: XssServlet3.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Writes {@code input1} through a series of encoders, decoders and transformations.
 *
 * Reads like a static-analysis fixture (see {@code myEncode}/{@code myDecode}): proper
 * HTML encoding sits next to writes that are not safe for HTML output — the raw value, a
 * decoded value, and a character-blacklist replace — presumably to check that an analyzer
 * tells them apart. Confirm before treating any line here as a pattern to copy.
 *
 * @param pw destination writer
 * @param input1 the value to write in each form
 */
public void writeWithEncoders(PrintWriter pw, String input1) {
    final String escaped = ESAPI.encoder().encodeForHTML(input1);

    pw.write(input1);                                              // raw, unencoded
    pw.write(escaped.toLowerCase() + SAFE_VALUE);                  // encoded, then case-folded
    pw.write(StringEscapeUtils.escapeHtml(input1));                // encoded
    pw.write(ESAPI.encoder().decodeForHTML(escaped) + SAFE_VALUE); // decoded back to raw
    pw.write(myEncode(input1));                                    // custom encode wrapper
    pw.write(myDecode(escaped));                                   // custom decode wrapper
    pw.write(input1.replaceAll("[\"'<>&]", ""));                   // character blacklist
}
 
Example #15
Source File: ResponseSplittingServlet.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Sets cookies and response headers from request parameters and from {@code unknown()}.
 *
 * Header and cookie values taken straight from {@code req.getParameter(...)} are
 * header-injection / response-splitting sinks; the block labelled "false positives" uses
 * constant or URL-encoded values instead. Given the class name this is presumably a
 * static-analysis fixture contrasting the two — confirm before reusing.
 */
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
    // values derived from request parameters or from an opaque source
    final Cookie paramCookie = new Cookie("name", unknown());
    paramCookie.setValue(req.getParameter("p") + "x");
    resp.setHeader("header", req.getParameter("h1"));
    resp.addHeader("header", unknown());
    callCookieSink(req.getParameter("h2"));
    final String urlEncoded = ESAPI.encoder().encodeForURL(req.getParameter("h3"));
    resp.addHeader("header", ESAPI.encoder().decodeFromURL(urlEncoded));

    // false positives
    final String constant = "x".concat("y");
    final Cookie constantCookie = new Cookie("name", constant);
    constantCookie.setValue(constant + "x");
    resp.setHeader("header", constant);
    resp.addHeader("header", urlEncoded.concat(constant));

    // same sinks reached through a response wrapper
    final HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper(resp);
    wrapped.setHeader("header2", req.getParameter("a"));
    wrapped.addHeader("header3", req.getParameter("b"));
}
 
Example #16
Source File: ESAPIEncoderTest.java — from owasp-java-encoder, BSD 3-Clause "New" or "Revised" License
/**
 * Checks that {@code encodeForXML} produces named entities for the XML specials and leaves
 * a non-ASCII character (omega) untouched.
 *
 * @throws Exception to let any encoder failure surface as a test error
 */
public void testEncode() throws Exception {
    // Note: ESAPI reference encodes as: "&#x3c;&#x3e;&#x26;&#x3a9;"
    // That's 25 characters to OWASP Java Encoder's 14.
    final String raw = "<>&\u03a9";
    final String expected = "&lt;&gt;&amp;\u03a9";
    assertEquals(expected, ESAPI.encoder().encodeForXML(raw));
}
 
Example #17
Source File: StringHelper.java — from olat, Apache License 2.0
/**
 * JavaScript-encodes {@code str} with the configured ESAPI encoder so it can be embedded
 * in a script string literal.
 *
 * @param str the raw value; handed to ESAPI unchanged
 * @return the value as returned by {@code Encoder#encodeForJavaScript}
 */
public static final String escapeJavaScript(String str) {
    final String encoded = ESAPI.encoder().encodeForJavaScript(str);
    return encoded;
}
 
Example #18
Source File: SecurityUtil.java — from albert, MIT License
/**
 * Escapes {@code source} for interpolation into a MySQL statement using the ESAPI
 * encoder and the class-level {@code MYSQL_CODEC}.
 *
 * Output escaping of this kind is a fallback; a {@code PreparedStatement} with bound
 * parameters is the primary defence against SQL injection.
 *
 * @param source the raw value; handed to ESAPI unchanged
 * @return the value as returned by {@code Encoder#encodeForSQL}
 */
public static final String escapeMySQL(String source){
	final String escaped = ESAPI.encoder().encodeForSQL(MYSQL_CODEC, source);
	return escaped;
}
 
Example #19
Source File: DatabaseHelper.java — from Benchmark, GNU General Public License v2.0
/**
 * Adds a message confirming that an update statement completed.
 *
 * @param sql the statement text echoed back; HTML-encoded so it cannot inject markup
 *        when the message is rendered
 * @param resp the message list that receives the confirmation
 * @throws java.sql.SQLException declared by the signature; nothing here throws it
 * @throws IOException declared by the signature; nothing here throws it
 */
public static void outputUpdateComplete(String sql, List<StringMessage> resp) throws java.sql.SQLException, IOException {
	final String encodedSql = org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql);
	final String text = "Update complete for query: " + encodedSql + "<br>\n";
	resp.add(new StringMessage("Message", text));
}
 
Example #20
Source File: LogForgingDemo.java — from tutorials, MIT License
/**
 * Neutralizes a message before it is logged so a caller cannot forge extra log lines.
 *
 * Newline, carriage return and tab are replaced with {@code '_'} so the message cannot
 * break across lines; the result is then HTML-encoded as well.
 *
 * @param message the raw message
 * @return the single-line, HTML-encoded message
 */
public static String encode(String message) {
	final String singleLine = message
			.replace('\n', '_')
			.replace('\r', '_')
			.replace('\t', '_');
	return ESAPI.encoder().encodeForHTML(singleLine);
}
 
Example #21
Source File: CommandInjectionSafe.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Builds a command line from {@code input} after ESAPI OS-encoding with a
 * {@code WindowsCodec}, then constructs a {@link ProcessBuilder} for it.
 *
 * The builder is never started here (there is no {@code start()} call). The encoded string
 * is split on spaces, so the argument boundaries depend on the encoder leaving none.
 *
 * @param input the value appended to {@code ls}
 */
public void safeCommandEcoded(String input) {
    final String encodedArg = ESAPI.encoder().encodeForOS(new WindowsCodec(), input);
    final String[] argv = ("ls " + encodedArg).split(" ");
    new ProcessBuilder().command(argv);
}
 
Example #22
Source File: XssServlet3.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Appends {@code "safe"} to {@code str}, HTML-decodes the result with ESAPI and appends
 * {@code "safe"} again. Decoding reverses HTML encoding, so the output is not safe to
 * write into HTML.
 *
 * @param str the (typically encoded) value
 * @return the decoded value with the suffix
 */
public String myDecode(String str) {
    final String decoded = ESAPI.encoder().decodeForHTML(str + "safe");
    return decoded + "safe";
}
 
Example #23
Source File: XssServlet3.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Appends {@code "safe"} to {@code str}, HTML-encodes the result with ESAPI and appends
 * {@code "safe"} again.
 *
 * @param str the raw value
 * @return the encoded value with the suffix
 */
public String myEncode(String str) {
    final String encoded = ESAPI.encoder().encodeForHTML(str + "safe");
    return encoded + "safe";
}
 
Example #24
Source File: XssServlet3.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Reads {@code input1} from the request and feeds it to two helpers: one that only ever
 * receives the HTML-encoded value, and {@code writeWithEncoders}, which receives the raw
 * value and writes it in several forms.
 */
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    final String input1 = req.getParameter("input1");
    final String encodedInput = ESAPI.encoder().encodeForHTML(input1);

    sinkCalledOnlyWithEncoded(resp.getWriter(), encodedInput);
    writeWithEncoders(resp.getWriter(), input1);
}
 
Example #25
Source File: EsapiCrypto.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Exercises the three {@code Encryptor#decrypt} overloads with an empty {@link CipherText}.
 *
 * The String overload on the last line is, per the original comment, available in ESAPI
 * 2.0.1 and lower only.
 *
 * @param secretKey key for the keyed overload
 * @throws EncryptionException if the encryptor rejects the input
 */
static void decryptMethods(SecretKey secretKey) throws EncryptionException {
    final CipherText ciphertext = new CipherText();

    ESAPI.encryptor().decrypt(ciphertext);
    ESAPI.encryptor().decrypt(secretKey, ciphertext);
    ESAPI.encryptor().decrypt(""); //ESAPI 2.0.1 and lower
}
 
Example #26
Source File: EsapiCrypto.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Exercises the three {@code Encryptor#encrypt} overloads.
 *
 * The String overload on the last line is, per the original comment, available in ESAPI
 * 2.0.1 and lower only.
 *
 * @param secretKey key for the keyed overload
 * @param pt plaintext for the {@link PlainText} overloads
 * @throws EncryptionException if the encryptor rejects the input
 */
static void encryptMethods(SecretKey secretKey,PlainText pt) throws EncryptionException {
    ESAPI.encryptor().encrypt(pt);
    ESAPI.encryptor().encrypt(secretKey, pt);
    ESAPI.encryptor().encrypt("Encrypt me"); //ESAPI 2.0.1 and lower
}
 
Example #27
Source File: xss_005f5_005fmultiple_005ftransfer_005flocal_jsp.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Generated JSP service method (translator scaffolding around the page body).
 *
 * The page body reads the {@code input} request attribute, copies it through three locals
 * and prints it twice: first raw via {@code out.print(transfert3)} — an unencoded HTML
 * write — and then through {@code ESAPI.encoder().encodeForHTML(...)}. The file name
 * suggests a static-analysis fixture for taint transfer through locals, so the raw print
 * is presumably intentional — confirm before reusing.
 */
public void _jspService(final javax.servlet.http.HttpServletRequest request, final javax.servlet.http.HttpServletResponse response)
      throws java.io.IOException, javax.servlet.ServletException {

    // only GET, POST, HEAD and error dispatches reach the page body
    final java.lang.String _jspx_method = request.getMethod();
    if (!"GET".equals(_jspx_method) && !"POST".equals(_jspx_method) && !"HEAD".equals(_jspx_method) && !javax.servlet.DispatcherType.ERROR.equals(request.getDispatcherType())) {
      response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "JSPs only permit GET POST or HEAD");
      return;
    }

    final javax.servlet.jsp.PageContext pageContext;
    javax.servlet.http.HttpSession session = null;
    final javax.servlet.ServletContext application;
    final javax.servlet.ServletConfig config;
    javax.servlet.jsp.JspWriter out = null;
    final java.lang.Object page = this;
    javax.servlet.jsp.JspWriter _jspx_out = null;
    javax.servlet.jsp.PageContext _jspx_page_context = null;


    try {
      response.setContentType("text/html;charset=UTF-8");
      pageContext = _jspxFactory.getPageContext(this, request, response,
      			null, true, 8192, true);
      _jspx_page_context = pageContext;
      application = pageContext.getServletContext();
      config = pageContext.getServletConfig();
      session = pageContext.getSession();
      out = pageContext.getOut();
      _jspx_out = out;

      out.write('\n');

    // page body: the attribute is request-scoped data, not a request parameter
    Object taintedInput = request.getAttribute("input");
    //Tainted input transfer to another local variable
    String castTaintedInput = (String) taintedInput;
    String transfert1 = castTaintedInput;
    String transfert2 = transfert1;
    String transfert3 = transfert2;

      out.write('\n');
      out.write('\n');
      out.write('\n');
      // raw attribute value written without encoding
      out.print(
transfert3
);
      out.write('\n');
      out.write('\n');
      // same value, HTML-body encoded
      out.print(
ESAPI.encoder().encodeForHTML(transfert3)
);
    } catch (java.lang.Throwable t) {
      // generated error handling: flush or clear the buffer, then hand the error to the page context
      if (!(t instanceof javax.servlet.jsp.SkipPageException)){
        out = _jspx_out;
        if (out != null && out.getBufferSize() != 0)
          try {
            if (response.isCommitted()) {
              out.flush();
            } else {
              out.clearBuffer();
            }
          } catch (java.io.IOException e) {}
        if (_jspx_page_context != null) _jspx_page_context.handlePageException(t);
        else throw new ServletException(t);
      }
    } finally {
      _jspxFactory.releasePageContext(_jspx_page_context);
    }
  }
 
Example #28
Source File: xss_005f2_005ftransfer_005flocal_jsp.java — from Android_Code_Arbiter, GNU Lesser General Public License v3.0
/**
 * Generated JSP service method (translator scaffolding around the page body).
 *
 * The page body reads the {@code input} request attribute, casts it to a String and prints
 * it twice: first raw via {@code out.print(castTaintedInput)} — an unencoded HTML write —
 * and then through {@code ESAPI.encoder().encodeForHTML(...)}. The file name suggests a
 * static-analysis fixture for taint transfer through a local, so the raw print is
 * presumably intentional — confirm before reusing.
 */
public void _jspService(final javax.servlet.http.HttpServletRequest request, final javax.servlet.http.HttpServletResponse response)
      throws java.io.IOException, javax.servlet.ServletException {

    // only GET, POST, HEAD and error dispatches reach the page body
    final java.lang.String _jspx_method = request.getMethod();
    if (!"GET".equals(_jspx_method) && !"POST".equals(_jspx_method) && !"HEAD".equals(_jspx_method) && !javax.servlet.DispatcherType.ERROR.equals(request.getDispatcherType())) {
      response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "JSPs only permit GET POST or HEAD");
      return;
    }

    final javax.servlet.jsp.PageContext pageContext;
    javax.servlet.http.HttpSession session = null;
    final javax.servlet.ServletContext application;
    final javax.servlet.ServletConfig config;
    javax.servlet.jsp.JspWriter out = null;
    final java.lang.Object page = this;
    javax.servlet.jsp.JspWriter _jspx_out = null;
    javax.servlet.jsp.PageContext _jspx_page_context = null;


    try {
      response.setContentType("text/html;charset=UTF-8");
      pageContext = _jspxFactory.getPageContext(this, request, response,
      			null, true, 8192, true);
      _jspx_page_context = pageContext;
      application = pageContext.getServletContext();
      config = pageContext.getServletConfig();
      session = pageContext.getSession();
      out = pageContext.getOut();
      _jspx_out = out;

      out.write('\n');

    // page body: the attribute is request-scoped data, not a request parameter
    Object taintedInput = request.getAttribute("input");
    //Tainted input transfer to another local variable
    String castTaintedInput = (String) taintedInput;

      out.write('\n');
      out.write('\n');
      out.write('\n');
      // raw attribute value written without encoding
      out.print(
castTaintedInput
);
      out.write('\n');
      out.write('\n');
      // same value, HTML-body encoded
      out.print(
ESAPI.encoder().encodeForHTML(castTaintedInput)
);
    } catch (java.lang.Throwable t) {
      // generated error handling: flush or clear the buffer, then hand the error to the page context
      if (!(t instanceof javax.servlet.jsp.SkipPageException)){
        out = _jspx_out;
        if (out != null && out.getBufferSize() != 0)
          try {
            if (response.isCommitted()) {
              out.flush();
            } else {
              out.clearBuffer();
            }
          } catch (java.io.IOException e) {}
        if (_jspx_page_context != null) _jspx_page_context.handlePageException(t);
        else throw new ServletException(t);
      }
    } finally {
      _jspxFactory.releasePageContext(_jspx_page_context);
    }
  }
 
Example #29
Source File: SecurityUtil.java — from albert, MIT License
/**
 * HTML-attribute-encodes {@code source} with the configured ESAPI encoder.
 *
 * @param source the raw value; handed to ESAPI unchanged
 * @return the value as returned by {@code Encoder#encodeForHTMLAttribute}
 */
public static final String encodeForHTMLAttribute(String source){
	final String encoded = ESAPI.encoder().encodeForHTMLAttribute(source);
	return encoded;
}
 
Example #30
Source File: SecurityUtil.java — from albert, MIT License
/**
 * HTML-body-encodes {@code source} with the configured ESAPI encoder.
 *
 * @param source the raw value; handed to ESAPI unchanged
 * @return the value as returned by {@code Encoder#encodeForHTML}
 */
public static final String encodeForHTML(String source){
	final String encoded = ESAPI.encoder().encodeForHTML(source);
	return encoded;
}