Title:
Bug 86912: This is an enhancement request for the ESAPI integration and encoding methods
Status/Resolution/Reason: Closed/Fixed/
Reporter/Name(from Bugbase): Jason Dean / Jason Dean (Jason Dean)
Created: 05/19/2011
Versions: 10.0
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 / 279574
Priority/Frequency: Trivial / Unknown
Locale/System: English / Platforms All
Vote Count: 0
Problem:
This is an enhancement request for the ESAPI integration and encoding methods. One of the things canonicalize() does in the ESAPI is to allow the developer to have it throw an exception if multiple encoding or mixed encoding is used (on by default).
Method:
For example, these unit tests pass because the exception is thrown:

    <!--- Mixed-encoding case. In a CFML string "&##37;" is the escape for the literal "&#37;", an HTML entity for "%", so the input carries HTML entity encoding layered over percent encoding --->
    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionOnMixedEncodingESAPI" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset var codecs = createObject("java", "java.util.ArrayList") />
        <cfset codecs.add("HTMLEntityCodec") />
        <cfset codecs.add("CSSCodec") />
        <cfset codecs.add("PercentCodec") />
        <cfset codecs.add("JavaScriptCodec") />
        <cfset var defaultEncoder = createObject("java", "org.owasp.esapi.reference.DefaultEncoder").init(codecs) />
        <cfset defaultEncoder.canonicalize("&##37;3Cscript") />
    </cffunction>

    <!--- Multiple-encoding case, run through the same four codecs --->
    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionMultipleEncodingESAPI" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset var codecs = createObject("java", "java.util.ArrayList") />
        <cfset codecs.add("HTMLEntityCodec") />
        <cfset codecs.add("CSSCodec") />
        <cfset codecs.add("PercentCodec") />
        <cfset codecs.add("JavaScriptCodec") />
        <cfset var defaultEncoder = createObject("java", "org.owasp.esapi.reference.DefaultEncoder").init(codecs) />
        <cfset defaultEncoder.canonicalize("&##37;Cscript") />
    </cffunction>

But when I run these unit tests, they fail because the exception is not thrown. Should it be thrown?
Should we have an option for it?

    <!--- The same two inputs through the ColdFusion wrapper: the IntrusionException is expected but not thrown --->
    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionMixedEncodingCF" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset encodeForHTML("&##37;3Cscript") />
    </cffunction>

    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionMultipleEncodingCF" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset encodeForHTML("&##37;Cscript") />
    </cffunction>

Perhaps a per-app setting or an ESAPI.properties setting that tells it to throw the exception, or just allow the exception to bubble up to CF, and then if someone wants to suppress it they can use the ESAPI.properties setting IntrusionDetector.Disable=true.
Result:
N/A
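Added illustration, not code from the report or from ESAPI itself: a Python sketch of the canonicalize() check the report relies on, following the found-count/mixed-count logic of ESAPI's DefaultEncoder with two of the four codecs listed above (an HTML entity codec and a percent codec). IntrusionException, CODECS, is_intrusion and encode_for_html are constructed names; encode_for_html shows the behaviour the report asks for from ColdFusion's encodeForHTML(), which the report says did not throw.

```python
import html
import re
class IntrusionException(Exception):
    pass  # constructed stand-in for org.owasp.esapi.errors.IntrusionException

def _html_entity_decode(s):
    return html.unescape(s)  # named and numeric entities, e.g. "&#37;" -> "%"

def _percent_decode(s):
    # Only well-formed %XX sequences are decoded; a stray "%" is left alone.
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

# Two of the four codecs named in the report, applied in this fixed order.
CODECS = [("HTMLEntityCodec", _html_entity_decode), ("PercentCodec", _percent_decode)]

def canonicalize(value, restrict_multiple=True, restrict_mixed=True):
    """Strip every layer of encoding the way DefaultEncoder.canonicalize() does.
    found_count >= 2: one codec removed layers in two passes (multiple encoding);
    mixed_count > 1: a second codec also removed a layer (mixed encoding)."""
    working, codec_found, mixed_count, found_count, clean = value, None, 1, 0, False
    while not clean:  # keep passing over the codecs until nothing changes
        clean = True
        for name, decode in CODECS:
            old, working = working, decode(working)
            if old != working:
                if codec_found is not None and codec_found != name:
                    mixed_count += 1
                codec_found = name
                if clean:  # first change in this pass: one more layer found
                    found_count += 1
                clean = False
    if found_count >= 2 and mixed_count > 1 and (restrict_multiple or restrict_mixed):
        raise IntrusionException("multiple and mixed encoding in %r" % value)
    if found_count >= 2 and restrict_multiple:
        raise IntrusionException("multiple (%d) encoding in %r" % (found_count, value))
    if mixed_count > 1 and restrict_mixed:
        raise IntrusionException("mixed (%d) encoding in %r" % (mixed_count, value))
    return working

def is_intrusion(value):
    try:
        canonicalize(value)  # default settings: both restrictions on
    except IntrusionException:
        return True
    return False

def encode_for_html(value):
    # The report's ask for CF encodeForHTML(): canonicalize (so the exception surfaces), then escape.
    return html.escape(canonicalize(value), quote=True)
```

With the defaults, the report's mixed input "&#37;3Cscript" and a doubly percent-encoded "%253Cscript" are both rejected, while a singly encoded "%3Cscript" decodes to "<script" without complaint.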
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3043827
External Customer Name: Jason Dean
External Test Config: 05/19/2011