tracker issue : CF-3043827

Title:

Bug 86912:This is an enhancement request for the ESAPI integration and encoding methods


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Jason Dean / Jason Dean (Jason Dean)

Created: 05/19/2011

Components: Security, General

Versions: 10.0

Failure Type: Unspecified

Found In Build/Fixed In Build: 0000 / 279574

Priority/Frequency: Trivial / Unknown

Locale/System: English / Platforms All

Vote Count: 0

Problem:

This is an enhancement request for the ESAPI integration and encoding methods. One of the things canonicalize() does in the ESAPI is to allow the developer to have it throw an exception if multiple encoding or mixed encoding is used (on by default). 
Method:

For example, these unit tests pass because the exception is thrown:

    <!--- Canonicalize directly through the ESAPI DefaultEncoder; the test expects IntrusionException --->
    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionOnMixedEncodingESAPI" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset var codecs = createObject("java", "java.util.ArrayList") />
        <cfset codecs.add("HTMLEntityCodec") />
        <cfset codecs.add("CSSCodec") />
        <cfset codecs.add("PercentCodec") />
        <cfset codecs.add("JavaScriptCodec") />
        <cfset var defaultEncoder = createObject("java", "org.owasp.esapi.reference.DefaultEncoder").init(codecs) />
        <!--- "&##37;3Cscript" is the CFML literal for &#37;3Cscript: an HTML entity for "%" followed by a percent-encoded "<", i.e. two different encodings (mixed) --->
        <cfset defaultEncoder.canonicalize("&##37;3Cscript") />
    </cffunction>

    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionMultipleEncodingESAPI" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset var codecs = createObject("java", "java.util.ArrayList") />
        <cfset codecs.add("HTMLEntityCodec") />
        <cfset codecs.add("CSSCodec") />
        <cfset codecs.add("PercentCodec") />
        <cfset codecs.add("JavaScriptCodec") />
        <cfset var defaultEncoder = createObject("java", "org.owasp.esapi.reference.DefaultEncoder").init(codecs) />
        <!--- Input the test expects to be rejected as multiple encoding --->
        <cfset defaultEncoder.canonicalize("&##37;Cscript") />
    </cffunction>

But when I run these unit tests, they fail because the exception is not thrown. Should it be thrown? Should we have an option for it?

    <!--- Same inputs through the ColdFusion built-in encodeForHTML(); no IntrusionException surfaces --->
    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionMixedEncodingCF" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset encodeForHTML("&##37;3Cscript") />
    </cffunction>

    <cffunction name="EncoderShouldThrowExceptionIntrusionExceptionMultipleEncodingCF" access="public" returntype="void" output="false" mxunit:expectedexception="org.owasp.esapi.errors.IntrusionException">
        <cfset encodeForHTML("&##37;Cscript") />
    </cffunction>

Perhaps a per-app setting or an ESAPI.properties setting that tells it to throw the exception, or just allow the exception to bubble up to CF and then, if someone wants to suppress it, they can use the ESAPI.properties setting IntrusionDetector.Disable=true.
Result:

N/A
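The following is an added example, not code from this bug report, from ESAPI or from ColdFusion. It re-implements in Python the loop that ESAPI's DefaultEncoder.canonicalize() runs over its codecs (decode with each codec until nothing changes, counting how many decode passes were needed and how many distinct codecs fired) with two toy codecs, HTML entities and percent-encoding. The CSS and JavaScript codecs from the tests above are omitted, the sample inputs are constructed, and encode_for_html() with its strict flag is a hypothetical illustration of the behaviour the report asks for (canonicalize first, let IntrusionException bubble up unless the operator has disabled it).

```python
"""Model of ESAPI-style canonicalization with multiple/mixed-encoding detection.

Added example: a minimal re-implementation of the DefaultEncoder.canonicalize()
loop with two toy codecs. Not ESAPI's or ColdFusion's code; inputs are constructed.
"""
import html
import re


class IntrusionException(Exception):
    """Raised when input carries multiple or mixed encoding."""


class HTMLEntityCodec:
    """Decodes numeric entities (with or without ';') and four named entities."""
    name = "HTMLEntityCodec"
    _pat = re.compile(r"&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|(lt|gt|amp|quot));?")
    _named = {"lt": "<", "gt": ">", "amp": "&", "quot": '"'}

    def decode(self, s):
        def repl(m):
            dec, hexd, name = m.groups()
            if name is not None:
                return self._named[name]
            n = int(dec) if dec is not None else int(hexd, 16)
            return chr(n) if n <= 0x10FFFF else m.group(0)
        return self._pat.sub(repl, s)


class PercentCodec:
    """Decodes %XX sequences; a '%' not followed by two hex digits is left alone."""
    name = "PercentCodec"
    _pat = re.compile(r"%([0-9A-Fa-f]{2})")

    def decode(self, s):
        return self._pat.sub(lambda m: chr(int(m.group(1), 16)), s)


CODECS = [HTMLEntityCodec(), PercentCodec()]


def _scan(text, codecs):
    """One ESAPI-style canonicalization run.

    Returns (canonical_text, found_count, mixed_count): found_count is the number
    of full passes in which some codec still decoded something (>= 2 means
    multiple/nested encoding); mixed_count grows each time a different codec
    than the previous one decodes something (> 1 means mixed encoding).
    """
    working = text
    codec_found = None
    mixed_count = 1
    found_count = 0
    clean = False
    while not clean:
        clean = True
        for codec in codecs:
            old = working
            working = codec.decode(working)
            if old != working:
                if codec_found is not None and codec_found is not codec:
                    mixed_count += 1
                codec_found = codec
                if clean:
                    found_count += 1
                clean = False
    return working, found_count, mixed_count


def classify(text, codecs=CODECS):
    """Label the encoding pattern: 'clean', 'multiple', 'mixed' or 'multiple+mixed'."""
    _, found, mixed = _scan(text, codecs)
    if found >= 2 and mixed > 1:
        return "multiple+mixed"
    if found >= 2:
        return "multiple"
    if mixed > 1:
        return "mixed"
    return "clean"


def canonicalize(text, codecs=CODECS, restrict_multiple=True, restrict_mixed=True):
    """Fully decode text; raise IntrusionException on the restricted patterns."""
    working, found, mixed = _scan(text, codecs)
    if found >= 2 and mixed > 1:
        if restrict_multiple or restrict_mixed:
            raise IntrusionException("multiple (%dx) and mixed (%d codecs) encoding" % (found, mixed))
    elif found >= 2:
        if restrict_multiple:
            raise IntrusionException("multiple (%dx) encoding" % found)
    elif mixed > 1:
        if restrict_mixed:
            raise IntrusionException("mixed encoding (%d codecs)" % mixed)
    return working


def encode_for_html(text, strict=True):
    """Hypothetical encodeForHTML: canonicalize, then HTML-escape the result.

    strict=True lets IntrusionException bubble up to the caller; strict=False
    models an operator switching the intrusion checks off.
    """
    canon = canonicalize(text, restrict_multiple=strict, restrict_mixed=strict)
    return html.escape(canon, quote=True)


if __name__ == "__main__":
    for sample in ["&#37;3Cscript", "%253Cscript", "&#37;253Cscript", "%3Cscript"]:
        print("%-18s -> %s" % (sample, classify(sample)))
```

Running the block prints the classification of each constructed sample: the mixed-encoding input from the report (`&#37;3Cscript`, HTML entity for `%` followed by a percent-encoded `<`), a doubly percent-encoded `<` (multiple), a combination of both, and a singly encoded `<`, which is decoded without complaint.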

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3043827

External Customer Info:
External Company:  
External Customer Name: Jason Dean
External Customer Email: 4EF2503348075808992015A9
External Test Config: 05/19/2011

Attachments:

Comments: