Title:
Implementing the OWASP ESAPI validator in batch mode generates NULL pointer exception
Status/Resolution/Reason: Closed/Withdrawn/NotABug
Reporter/Name(from Bugbase): Miguel Fernandez / Miguel Fernandez (Miguel Fernandez)
Created: 07/16/2013
Components: Security
Versions: 10.0
Failure Type: Non Functioning
Found In Build/Fixed In Build: 9.0.1 /
Priority/Frequency: Critical / All users will encounter
Locale/System: English / Win 2008 Server R2 64 bit
Vote Count: 0
Problem Description:
I have been working with the OWASP ESAPI utilities that are included with ColdFusion 9. The encoder utilities are pretty straightforward and I believe I have them working fine. The problem is with the validator utilities.
I can get them to work singly. That is, if I call the validator.getValidInput() method with "invalid" data it will throw an error that I can catch. However, when I try to call the validator method in batch I get a null pointer exception. By batch I mean attempting to execute groups of validation attempts. This is supposed to work by passing the validator.getValidInput() method a ValidationErrorList parameter which should tell it NOT to throw an error but instead just add the error to the error list. I cannot get it to work in this mode.
Steps to Reproduce:
Attached test script "test_fails.cfm" will generate the NULL pointer exception.
Actual Result:
NULL pointer exception is thrown.
java.lang.NullPointerException at
org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:238) at
sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source) at
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at
java.lang.reflect.Method.invoke(Unknown Source) at
coldfusion.runtime.StructBean.invoke(StructBean.java:536) at
coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2393) at
cftest2ecfm989071068.runPage(D:\Web\test.cfm:19) at
coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at
coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at
coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at
cfApplication2ecfc1705903666$funcONREQUEST.runFunction(D:\Web\Application.cfc:70) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at
coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at
coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at
coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at
coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491) at
... rest of stack trace excluded because of size constraint ...
Expected Result:
The NULL pointer error should not be thrown. Instead any validation errors should be added to the ErrorList array and processing should continue. Although a workaround has been provided below, it should not be necessary. The ErrorList array should be initialized when it is instantiated.
Any Workarounds:
Thanks to the advice of Chris Schmidt on StackOverflow, if you initialize the ErrorList variable before calling the validation methods, it will work as expected. Add this line to the test script before calling the getValidInput method and it will work.
<cfset ErrorList = ErrorList.init() />
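Batch validation done the way the workaround describes, as an added example (not the reporter's attached test script and not Adobe's or ESAPI's own code). It assumes ColdFusion 9's bundled ESAPI jar and that the "Email" and "SafeString" validator types are defined in its ESAPI.properties.

```cfml
<cfscript>
// Added example, not the reporter's test script. Assumes ColdFusion 9's bundled
// ESAPI (org.owasp.esapi.*) and that "Email" and "SafeString" are defined as
// Validator.<type> patterns in its ESAPI.properties.
ESAPI = createObject("java", "org.owasp.esapi.ESAPI");
validator = ESAPI.validator();
encoder = ESAPI.encoder();

// createObject() only loads the class; the Java constructor does not run until
// init() is called. Without init() the list is handed to getValidInput()
// uninitialized and DefaultValidator dereferences it, which is the
// NullPointerException in this report.
errorList = createObject("java", "org.owasp.esapi.ValidationErrorList").init();

// Constructed sample input standing in for a submitted form
formData = { email = "not-an-email", comment = "hello <script>alert(1)</script>" };

// Batch mode: because an error list is passed, failures are recorded in it
// rather than thrown, so every field is checked in one pass.
// Arguments: context, input, type, maxLength, allowNull, errorList.
safeEmail   = validator.getValidInput("email", formData.email, "Email",
                                      javaCast("int", 254), false, errorList);
safeComment = validator.getValidInput("comment", formData.comment, "SafeString",
                                      javaCast("int", 500), false, errorList);

if (errorList.isEmpty()) {
    // Every field passed; safeEmail and safeComment hold the validated values
    writeOutput("All input valid<br>");
} else {
    // errors() is a java.util.List of ValidationException, one per failed context
    errs = errorList.errors();
    for (i = 0; i LT errs.size(); i++) {
        err = errs.get(javaCast("int", i));
        // getUserMessage() is the message meant for display; getLogMessage()
        // carries the raw input detail and belongs in the server log only.
        // Encode before echoing so the error page cannot itself be injected.
        writeOutput(encoder.encodeForHTML(err.getContext() & ": " & err.getUserMessage()) & "<br>");
    }
}
</cfscript>
```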
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3595899
External Customer Info:
External Company:
External Customer Name: Miguel-F
External Customer Email:
External Test Config: My Hardware and Environment details:
ColdFusion version: 9,0,1,274733
Java version: 1.6.0_38 (Sun)
Windows version: Windows Server 2008 R2
Attachments:
- July 16, 2013 00:00:00: 1_test_fails.cfm
- July 16, 2013 00:00:00: 2_test_works.cfm
Comments: