Tracker issue: CF-3595943

Title:

Implementing the OWASP ESAPI validator in batch mode generates NULL pointer exception

Status/Resolution/Reason: Closed/Withdrawn/Duplicate

Reporter/Name(from Bugbase): Miguel Fernandez / Miguel Fernandez (Miguel Fernandez)

Created: 07/16/2013

Components: General Server

Versions: 10.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: Final /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 0

Duplicate ID:	CF-3595899

Problem Description: 
I entered bug #3595899 for ColdFusion 9.0.1 and the same issue occurs in ColdFusion 10. I have been working with the OWASP ESAPI utilities that are included with ColdFusion. The encoder utilities are pretty straightforward and I believe I have them working fine. The problem is with the validator utilities.

I can get them to work singly. That is, if I call the validator.getValidInput() method with "invalid" data it will throw an error that I can catch. However, when I try to call the validator method in batch I get a null pointer exception. By batch I mean attempting to execute groups of validation attempts. This is supposed to work by passing the validator.getValidInput() method a ValidationErrorList parameter which should tell it NOT to throw an error but instead just add the error to the error list. I cannot get it to work in this mode.


Steps to Reproduce:
Attached test script "test_fails.cfm" will generate the NULL pointer exception.


Actual Result:
NULL pointer exception is thrown.

Expected Result:
The NULL pointer error should not be thrown. Instead any validation errors should be added to the ErrorList array and processing should continue. Although a workaround has been provided below, it should not be necessary. The ErrorList array should be initialized when it is instantiated.


Any Workarounds:
Thanks to the advice of Chris Schmidt on StackOverflow, if you initialize the ErrorList variable before calling the validation methods, it will work as expected. Add this line to the test script before calling the getValidInput method and it will work.
<cfset ErrorList = ErrorList.init() />

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3595943

External Customer Info:
External Company:  
External Customer Name: Miguel-F
External Customer Email:  
External Test Config: My Hardware and Environment details:

ColdFusion version: 10,283111 

Java version: 1.6.0_41

Windows version: Windows XP

Attachments:

  1. July 16, 2013 00:00:00: 1_test_fails.cfm
  2. July 16, 2013 00:00:00: 2_test_works.cfm
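
The batch-mode call pattern with the workaround applied, as an added example (not the reporter's attached test_works.cfm). The validation type names `Email` and `SafeString`, the context names and the sample values are assumptions; the type names must exist in the ESAPI validation configuration the server loads.

```cfml
<!--- Added example, not the reporter's attachment. --->
<cfset esapi     = createObject("java", "org.owasp.esapi.ESAPI") />
<cfset validator = esapi.validator() />

<!--- createObject() by itself does not call the Java constructor; init() does.
      Passing the result of init() hands a real ValidationErrorList to ESAPI. --->
<cfset errorList = createObject("java", "org.owasp.esapi.ValidationErrorList").init() />

<!--- Constructed sample input. Each call uses a unique context name, because
      the error list is keyed by context. With an error list supplied, a failed
      check is recorded in the list instead of throwing ValidationException. --->
<cfset cleanEmail = validator.getValidInput("email", "user@example.com", "Email",
        javaCast("int", 100), javaCast("boolean", false), errorList) />
<cfset cleanContact = validator.getValidInput("contact", "not-an-email", "Email",
        javaCast("int", 100), javaCast("boolean", false), errorList) />
<cfset cleanComment = validator.getValidInput("comment", "Hello <b>world</b>", "SafeString",
        javaCast("int", 200), javaCast("boolean", false), errorList) />

<!--- Gate on the error list before using any of the returned values. --->
<cfif errorList.isEmpty()>
    <cfoutput>All fields passed validation.</cfoutput>
<cfelse>
    <cfset it = errorList.errors().iterator() />
    <cfoutput>
    <p>#errorList.size()# field(s) failed validation:</p>
    <ul>
    <cfloop condition="it.hasNext()">
        <cfset ve = it.next() />
        <!--- Encode before output: the message is built around user input. --->
        <li>#encodeForHTML(ve.getContext())#: #encodeForHTML(ve.getMessage())#</li>
    </cfloop>
    </ul>
    </cfoutput>
</cfif>
```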

Comments:

Here is a link to the StackOverflow discussion - http://stackoverflow.com/questions/17304845/how-to-implement-the-owasp-esapi-validator-with-groups-of-validation-attempts-in
Comment by External U.
14935 | July 16, 2013 08:22:26 AM GMT
Not sure why this was closed as a duplicate. It is the same issue but different versions of ColdFusion: 9.0.1 and 10.0.
Comment by External U.
14936 | July 17, 2013 06:34:46 AM GMT
It does not make sense to keep the same bugs open for two different versions, as ultimately the fix will be made in the current version. The one logged for 9.0.1 has been kept open.
Comment by Rupesh K.
14937 | July 17, 2013 06:42:15 AM GMT