Merge branch 'develop' into develop
xeno6696 authored Jan 23, 2024
2 parents 3807f52 + ddd2cda commit 580ccbc
Showing 74 changed files with 3,121 additions and 555 deletions.
20 changes: 11 additions & 9 deletions .github/ISSUE_TEMPLATE/bug_report.md
Expand Up @@ -4,35 +4,37 @@ about: Create a report to help us improve
title: ''
labels: bug
assignees: ''

---

**Describe the bug**
[**NOTE:** Please do NOT just ask general questions here as they will _not_ be answered. Instead, please use the GitHub Discussions and create a new topic under 'Questions and Answers". Also, please delete the instructions and replace them with actual text and delete the sections that are not relevant.]

#### Describe the bug
A clear and concise description of what the bug is.

**Specify what ESAPI version(s) you are experiencing this bug in*
This is especially important if it is not the latest version of ESAPI.
#### Specify what ESAPI version(s) you are experiencing this bug in
This is especially important if it is not the latest version of ESAPI. Also, if you are using the Jakarta version (e.g., '<classifier>jakarta</classier>'), then please note that as well.

**To Reproduce**
#### To Reproduce
List the steps to reproduce the behavior or (ideally) attach a small JUnit test to reproduce the problem. Please _be specific_.
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
Note also any specific configuration changes that are needed to replicate the problem. That is especially important if you are not using the default configuration files (ESAPI.properties, validation.properties, antisamy-esapi.xml, etc.)

**Expected behavior**
#### Expected behavior
A clear and concise description of what you expected to happen.

**Screenshots**
#### Screenshots
If applicable, add screenshots to help explain your problem.
[**NOTE:** Please do NOT just ask general questions here as they will _not_ be answered. Instead, please use the GitHub Discussions and create a new topic under 'Questions and Answers".
Please delete any irrelevant portion of this template before submitting your GitHub issue. Thanks.]

**Platform environment (please complete the following information):**
#### Platform environment (please complete the following information)
- OS: [e.g. iOS]
- Browser [e.g. chrome, safari]
- JDK version used with ESAPI

**Additional context**
#### Additional context
Add any other context about the problem here.
If known, please select the label corresponding to the affected ESAPI component.
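Review bot: the closing tag in the new Jakarta sentence is misspelled: `'<classifier>jakarta</classier>'` should read `<classifier>jakarta</classifier>`, since reporters will paste that into a POM. Both NOTE paragraphs also open the section name with a single quote and close it with a double one ('Questions and Answers"); use matching quotes. Since the template now asks whether the Jakarta classifier is in use, the "Platform environment" list could also ask for the servlet API in use (javax.servlet vs jakarta.servlet) and the container and its version, which is the first thing needed to triage a class-loading failure.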
12 changes: 5 additions & 7 deletions .github/ISSUE_TEMPLATE/enhancement-request.md
Expand Up @@ -4,20 +4,18 @@ about: Suggest an enhancment for this project
title: ''
labels: enhancement
assignees: ''

---

[**NOTE:** Please do NOT just ask general questions here as they will _not_ be answered. Instead, please use the GitHub Discussions and create a new topic under 'Questions and Answers".
Please delete any irrelevant portion of this template before submitting your GitHub issue. Thanks.]
[**NOTE:** Please do NOT just ask general questions here as they will _not_ be answered. Instead, please use the GitHub Discussions and create a new topic under 'Questions and Answers". Please delete any irrelevant portion of this template before submitting your GitHub issue. Thanks.]

**Is your feature request related to a problem? Please describe.**
#### Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
#### Describe the solution you'd like
A clear and concise description of what you want to happen. Note that this may include some appropriate type of documentation that is lacking or unclear.

**Describe alternatives you've considered including other security libraries**
#### Describe alternatives you've considered including other security libraries
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
#### Additional context
Add any other context or screenshots about the feature request here.
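Review bot: the front-matter line shown in the hunk header, `about: Suggest an enhancment for this project`, still carries the 'enhancment' typo, and that string is what GitHub shows in the issue chooser; fix it while this file is being touched. The merged NOTE paragraph also keeps the mismatched quotes around 'Questions and Answers".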
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -2,6 +2,7 @@
/target
/.settings/**
.classpath
.java-version
.project
*.swp
*~
Expand All @@ -16,3 +17,4 @@ bin/
ciphertext-portable.ser
ReferenceEncryptedProperties.test.txt
test.out
.DS_Store
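Review bot: `.DS_Store` (and `.java-version` in the hunk above) are per-developer OS and tool files rather than build outputs of this project; they are normally kept out of every repository through a global excludes file (`git config --global core.excludesFile ~/.gitignore`) instead of being added project by project. Harmless here, but the project list tends to grow one editor at a time.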
23 changes: 20 additions & 3 deletions CONTRIBUTING-TO-ESAPI.txt
Expand Up @@ -12,6 +12,15 @@ A Special Note on GitHub Authentication:
Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
for details and plan accordingly.

A Special Note Regarding Making Commits for PRs
Shortly after the 2.5.1.0 ESAPI release in late November 2022, the ESAPI
team decided to lock down the 'develop' amd 'main' branches. Merges from
PRs are done to the 'develop' branch. That means that if you intend to
contribute to ESAPI, you must be signing your commits. Please see the
GitHub instructions at
https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
for details.


Finding Something Interesting to Work on:

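Review bot: 'amd' should be 'and' in "'develop' amd 'main' branches". The paragraph says PR commits must be signed but not why; say explicitly that the branch protection on 'develop' requires verified signatures, so a PR containing any unsigned commit cannot be merged and will have to be rebased and re-signed. It would also help to mention that a contributor can turn signing on once with `git config commit.gpgsign true` rather than passing `-S` on every commit, and that GitHub accepts SSH keys as well as GPG keys for signing (the linked page covers both).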
Expand Down Expand Up @@ -54,7 +63,7 @@ Required Software:
this.]

Building ESAPI:
https://www.owasp.org/index.php/ESAPI-Building briefly discusses how to
https://github.com/ESAPI/esapi-java-legacy/wiki/Building-ESAPI briefly discusses how to
build ESAPI via Maven.

Also https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-for-Java-with-Eclipse
Expand All @@ -81,7 +90,10 @@ Steps to work with ESAPI:
'issue-#' where '#' is the GitHub issue # is will be working on, but
you can call it whatever. E.g.,
git checkout -b issue-#
4. Work on the GitHub issue on this newly created issue-# branch.
4. Work on the GitHub issue on this newly created issue-# branch. Be sure
that you also create new JUnit tests as required that confirm that the
issue is corrected, or if you are introducing new functionality, ensure
that functionality is sufficiently covered.
5. Make sure everything builds correctly and all the JUnit tests pass
('mvn test'). [Note: There are some known issues with test failures if
your are running under Windows and your local ESAPI Git repo located
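Review bot: the new sentence in step 4 asks for JUnit tests 'as required' without saying what that means in practice; a concrete bar (a test that fails before the fix and passes after it, placed in the Maven test tree so the `mvn test` run in step 5 executes it) is easier for a first-time contributor to follow. Two context lines could be cleaned up in passing: step 3 reads "the GitHub issue # is will be working on" (should be "you will be working on") and step 5 reads "if your are running under Windows" (should be "you are").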
Expand All @@ -104,11 +116,16 @@ Steps to work with ESAPI:
$ git remote -v | grep origin # Confirm 'origin' refers to YOUR PERSONAL GitHub repo
$ git push origin issue-444 # Push the committed changes on the 'issue-444' branch
9. Go to your personal, forked ESAPI GitHub repo (web interface) and create a
'Pull Request' from your 'issue-#' branch.
'Pull Request' (PR) from your 'issue-#' branch.
10. Back on your local personal laptop / desktop, merge your issue branch with
your local 'develop' branch. I.e.,
$ git checkout develop
$ git merge issue-444
11. Do not remove your branch on your forked repository until your PR from your
branch has been merged into the ESAPI/esapi-java/legacy 'develop' branch.
Note at least one the 3 main contributors on will review your commits before
merging them and they may do a formal code review and request further changes.
Once they are satisfied, they will merge your PR.

In theory, you can do all this 'git' magic from Eclipse and presumably other
IDEs like Oracle NetBeans or IntelliJ IDEA). From Eclipse, it is right-click
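Review bot: step 11 names the upstream repository as 'ESAPI/esapi-java/legacy'; the repository is ESAPI/esapi-java-legacy, as the wiki URLs earlier in this file show. The following sentence is garbled: "at least one the 3 main contributors on will review" should read "at least one of the 3 main contributors will review". Consider also telling contributors to keep the issue branch as the place where review fixes land: step 10 has them merge it into their local 'develop' before the PR is merged, and if the reviewers request changes, those changes have to be pushed to the 'issue-#' branch the PR tracks, not to 'develop'.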
26 changes: 24 additions & 2 deletions README.md
Expand Up @@ -14,6 +14,19 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
</tr>
</table>

# Special note regarding Spring Boot 3, Spring 6, Tomcat 10 and other applications / libraries requiring Jakarta EE
<table border=<5>
<tr>
<td>
<b>IMPORTANT:</b> We are aware that all versions of ESAPI (unless you are using very select parts) do not work with Jakarta EE. Jakarta EE relies on <b>jakarta.servlet-api</b>. ESAPI is built to use <b>javax.servlet-api</b>. This causes things like Spring Boot 3, Spring 6, Tomcat 10, the latest version of Jetty, etc. to fail to load certain (well, many) ESAPI classes. The reason for this is that the package names between these 2 libraryes are different! The dependency <b>javax.servlet-api</b> has a package namespace of <code>javax.servlet</code>. The <b>jakarta.servlet-api</b> library is using the package namespace of <code>jakarta.servlet</code>. So references to things like <code>ServletRequest</code>, <code>ServletResponse</code>, etc. in ESAPI are using <code>javax.servlet.ServletRequest</code> and <code>javax.servlet.ServletResponse</code> respectively. We cannot make it work for both at once and we will not stop supporting <b>javax.servlet-api</b>, which is what most of our existing ESAPI clients are using.
<p>
Therefore <b>PLEASE STOP</b> sending us emails and/or creating GitHub issues regarding this! Instead, please
read ongoing the GitHub discussion https://github.com/ESAPI/esapi-java-legacy/discussions/768 for further details.
</p>
</td>
</tr>
</table>

# A word about ESAPI vulnerabilities
A summary of all the vulnerabilities that we have written about in either the
ESAPI Security Bulletins or in the GitHub Security Advisories may be found
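Review bot: `<table border=<5>` is not valid HTML (the attribute value becomes '<5'); write `<table border=5>` to match the table above it. Typos in the new paragraph: 'libraryes', and 'read ongoing the GitHub discussion' should be 'read the ongoing GitHub discussion'. More importantly, this note states that no ESAPI version works with Jakarta EE, while the bug_report template merged in this same commit asks reporters whether they use a `<classifier>jakarta</classifier>` artifact. If such an artifact exists, say so here (what it is, which release introduced it, and its limits) and keep the discussion link for the details; otherwise the two files contradict each other, and the note will keep generating the very issues it asks people not to file.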
Expand All @@ -32,7 +45,7 @@ Development for the "next generation" of ESAPI (starting with ESAPI 3.0), will b
GitHub repository at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java).

**IMPORTANT NOTES:**
* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.5.0.0 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.
* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.5.3.1 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.
* Also, the *minimal* baseline Java version to use ESAPI is now Java 8. (This was changed from Java 7 during the 2.4.0.0 release.)
* Support was dropped for Log4J 1 during ESAPI 2.5.0.0 release. If you need it, configure it via SLF4J. See the
[2.5.0.0 release notes](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt)
Expand Down Expand Up @@ -66,7 +79,7 @@ link to the specific release notes.
Starting with release 2.4.0.0, Java 8 or later is required.

# Locating ESAPI Jar files
The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.0.0.
The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.3.1.
All the *regular* ESAPI jars, with the exception of the ESAPI configuration
jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached
GPG signature, are available from Maven Central. The ESAPI configuration
Expand All @@ -88,6 +101,15 @@ to be using such classes directly in your code. At the ESAPI team's discretion,
it will also not apply for any known exploitable vulnerabilities for which
no available workaround exists.

## Exceptions to Deprecation Policy
We will make some exceptions to the normal 2 year period. In particular, in the
cases were we believe that keeping a specific deprecated class or method around
can introduce security issues (generally because many of you have a habit of
completely ignoring deprecation warnings), we sometimes will shorten that 2 year
period. When we decide to do that, we will announce that as part of the
deprecation message.

## Log4J 1.x Removal
**IMPORTANT NOTES:** As of ESAPI 2.5.0.0, all the Log4J 1.x related code
has been removed from the ESAPI code base (with the exception of some
references in documentation). If you must, you still should be able to
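Review bot: 'in the cases were we believe' should read 'where'. The exception is announced only 'as part of the deprecation message'; since the normal 2 year period is what users plan against, the shortened removal date should appear in the `@deprecated` Javadoc and in the release notes of the release that deprecates the item, so that anyone who reads either sees the actual deadline. The isValidSafeHTML entry added to Vulnerability-Summary.md in this commit (removal one year after 2.5.3.0) is an instance of this exception and could be cited here as the example.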
4 changes: 2 additions & 2 deletions SECURITY.md
Expand Up @@ -4,8 +4,8 @@

| Version | Supported |
| ------- | ------------------ |
| 2.4.0.0 (latest) | :white_check_mark: |
| 2.1.0.1-2.3.0.0 | :x:, upgrade to latest release |
| 2.5.1.0 (latest) | :white_check_mark: |
| 2.1.0.1-2.5.0.0 | :x:, upgrade to latest release |
| <= 1.4.x | :x:, no longer supported AT ALL |

## Reporting a Vulnerability
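Review bot: the supported-versions table marks 2.5.1.0 as '(latest)', but README.md in this same commit states that the latest release is 2.5.3.1, so this table is already stale when merged. The second row, 2.1.0.1-2.5.0.0, also leaves 2.5.1.0 through 2.5.3.0 unclassified; the rows should read 2.5.3.1 (latest) and 2.1.0.1-2.5.3.0. Since this table is what the 'Reporting a Vulnerability' section points reporters at, it should be bumped in the same change as the README on every release.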
6 changes: 5 additions & 1 deletion Vulnerability-Summary.md
Expand Up @@ -23,5 +23,9 @@ was provided in the description of the CVE.
|[7](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin7.pdf)|Improper validation (or, specifically, not using parameterized SQL queries) of a SQL statement makes Apache Log4j JDBCAppender vulnerable to SQL Injection. This potentially could allow attackers to execute unintended SQL statements by entering data that is logged via Log4J 1.|[CWE-89](https://cwe.mitre.org/data/definitions/89.html)|[CVE-2022-23305](https://nvd.nist.gov/vuln/detail/CVE-2022-23305)|All versions of ESAPI are vulnerable and impacted if your application is doing both of the following:1) Using the deprecated ESAPI Log4J logging.2) You have changed your default log4j.xml (or log4j.properties) file to use JDBCAppender.|None. ESAPI uses ConsoleAppender as the default appender even if ESAPI logging is configured to use Log4J 1.|
|[8](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf)<br/>[GHSA-q77q-vx4q-xx6q](https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q)|Improper sanitization of user-controlled input permitted by an incorrect regular expression in an ESAPI configuration file can result in that input being unintentionally executing javascript: URLs, resulting in Cross-Site Scripting (XSS).|[CWE-79](https://cwe.mitre.org/data/definitions/79.html)|[CVE-2022-24891](https://nvd.nist.gov/vuln/detail/CVE-2022-24891)|A malformed regular expression in ESAPI’s default AntiSamy policy file, “antisamy-esapi.xml”, accidentally allowed the “:” character to match as a part of the “onsiteURL” regular expression. This allowed 'javascript:' pseudo-URIs to slip past ESAPI which could result in XSS vulnerabilities. Note that this vulnerability dates back at least to the ESAPI 1.4 release.|ESAPI 1.4 and all ESAPI 2.x versions before 2.3.0.0.|
|[9](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin9.pdf)|Apache Log4j 1’s JMSSink is vulnerable to insecure deserialization of untrusted logged data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service that the attacker has access to. This may resulting in remote code execution.|[CWE-502](https://cwe.mitre.org/data/definitions/502.html)|[CVE-2022-23302](https://nvd.nist.gov/vuln/detail/CVE-2022-23302)|Remote Code Execution is possible.|None. ESAPI uses ConsoleAppender as the default appender even if ESAPI logging is configured to use Log4J 1.|
|[10](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin10.pdf)|There is an RCE flaw caused by an insecure deserialization vulnerability in Apache Chainsaw, a Java-based GUI log viewer. CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw 2.x prior to 2.1.0. However, prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists and remains unfixed.|[CWE-502](https://cwe.mitre.org/data/definitions/502.html)|[CVE-2022-23307](https://nvd.nist.gov/vuln/detail/CVE-2022-23307)|Remote Code Execution is possible if you are running Apache Chainsaw 1.x from the Apache Log4J 1.2.x jar..|None. ESAPI uses ConsoleAppender as the default appender even if ESAPI logging is configured to use Log4J 1.|
|[10](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin10.pdf)|There is an RCE flaw caused by an insecure deserialization vulnerability in Apache Chainsaw, a Java-based GUI log viewer. CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw 2.x prior to 2.1.0. However, prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists and remains unfixed.|[CWE-502](https://cwe.mitre.org/data/definitions/502.html)|[CVE-2022-23307](https://nvd.nist.gov/vuln/detail/CVE-2022-23307)|Remote Code Execution is possible if you are running Apache Chainsaw 1.x from the Apache Log4J 1.2.x jar.|None. ESAPI uses ConsoleAppender as the default appender even if ESAPI logging is configured to use Log4J 1.|
|[GHSA-8m5h-hrqm-pxm2](https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2)|The default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path.|[CWE-22](https://cwe.mitre.org/data/definitions/22.html)|[CVE-2022-23457](https://nvd.nist.gov/vuln/detail/CVE-2022-23457)|Control-flow bypass may be possible.|ESAPI 2.x, prior to the ESAPI 2.3.0.0 release. Version 2.3.0.0 and later are patched.|
|[11](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin11.pdf)|There is a DoS vulerablity in the FileUploadBase class of Apache Commons FileUpload for releases prior to 1.5. That DoS vulnerability is caused by not limiting the number of files that could be uploaded per single request.|[CWE-770](https://cwe.mitre.org/data/definitions/770.html)|[CVE-2023-24998](https://nvd.nist.gov/vuln/detail/CVE-2023-24998)|None. ESAPI uses a subclass of the affected FileUpladBase abstract class from Apache Commons FileUpload to which a new setFileCountMax() method was added.|Addressed in ESAPI 2.5.2.0 and later.|
|[GHSA-r68h-jhhj-9jvm](https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm)|Decribes why ESAPI's Validator.isValidSafeHTML is being deprecated and will be removed one year after the ESAPI 2.5.3.0 release date.|[CWE-80](https://cwe.mitre.org/data/definitions/80.html)|N/A (no CVE)|XSS may be possible depending on how the method is used.|All ESAPI versions (all 1.x and 2.x versions). No patch is available until the methods are deleted one year after the ESAPI 2.5.3.0 release date.|


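Review bot: in the bulletin 11 row the impact and affected-versions cells read oddly together: the impact cell says 'None.' and then describes the fix (a subclass of FileUploadBase with a setFileCountMax() method), while the last cell says 'Addressed in ESAPI 2.5.2.0 and later'. If the impact is none for every version, nothing needed addressing; if applications on releases before 2.5.2.0 that use ESAPI's file-upload handling are exposed to the per-request file-count DoS, the impact cell should say so and the last cell should list the affected versions, matching the layout of the GHSA-8m5h-hrqm-pxm2 row. Typos in the new rows: 'vulerablity', 'FileUpladBase', 'Decribes'. The bulletin 10 row's only change is dropping a doubled period, which is fine.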