From b987d5d8850ec8e89bb8c8d1e5958dbb9e9e5ff0 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sat, 16 Nov 2024 17:46:17 -0500 Subject: [PATCH 1/9] Add more detailed, improved notes regarding CVE-2017-10355. --- suppressions.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/suppressions.xml b/suppressions.xml index 3c09dc8ff..ba522ec54 100644 --- a/suppressions.xml +++ b/suppressions.xml @@ -11,13 +11,15 @@ We are suppressing this because it is believed by the ESAPI and AntiSamy teams that it is a false positive. Dependency Check itself doesn't flag this and neither does Snyk. Dependency Check reports it because it is reported directly by Sonatype's OSS Index. For futher details, see - https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348?component-type=maven&component-name=xerces%2FxercesImpl + https://ossindex.sonatype.org/vulnerability/CVE-2017-10355?component-type=maven&component-name=xerces/xercesImpl + and https://github.com/OSSIndex/vulns/issues/328#issuecomment-1287175491. OSS Index seems to have the wrong CPE. They have 'cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:*', whereas the CPE IDs associated with NVD are 'cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:*' and - 'cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*'. + 'cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*'. (Note: as of Nov 2024, none of the CPEs even mention Xerces, but + rather seem to only refer to the JREs.) - Note also that this has been reported as GitHub issue #a 4614 + Note also that this has been reported as GitHub issue # 4614 for OWASP Dependency Check. For details, see https://github.com/jeremylong/DependencyCheck/issues/4614 ]]> f051f988aa2c9b4d25d05f95742ab0cc3ed789e2 From 13eef6ca437c6bb58e2eb871a7e099ebe699c60e Mon Sep 17 00:00:00 2001 
From: kwwall Date: Mon, 25 Nov 2024 12:02:27 -0500 Subject: [PATCH 2/9] Update to support latest versions of dependencies and Maven plugins that ESAPI can support while still retaining Java 8 as the miminal JDK. --- pom.xml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index faaa933e2..45f7a9506 100644 --- a/pom.xml +++ b/pom.xml @@ -132,11 +132,11 @@ UTF-8 1.37 2.0.0-M3 - 2.0.0-M11 + 2.0.0 2.0.9 4.8.6 - 4.8.6.4 - 3.5.1 + 4.8.6.6 + 3.5.2 1.8 @@ -243,7 +243,7 @@ org.owasp.antisamy antisamy - 1.7.6 + 1.7.7 @@ -740,6 +740,9 @@ org.owasp dependency-check-maven + 10.0.4 ${env.NVD_API_KEY} @@ -949,7 +952,7 @@ org.eclipse.transformer transformer-maven-plugin - 0.5.0 + 0.5.0 true From acebf45b11941f89b2dce89dc102fe56e02f0de8 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 14:19:31 -0500 Subject: [PATCH 3/9] Revert from version 2.0.0 to 2.0.0-M11 for 'maven-fluido-skin', otherwise 'mvn site' fails. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 45f7a9506..351e13445 100644 --- a/pom.xml +++ b/pom.xml @@ -132,7 +132,7 @@ UTF-8 1.37 2.0.0-M3 - 2.0.0 + 2.0.0-M11 2.0.9 4.8.6 4.8.6.6 From ff6649fe42209c4a2cf27892affbcca274a1ec76 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 14:20:59 -0500 Subject: [PATCH 4/9] Delete code referring to the previously deprecated Validator.isValidSafeHTML methods. This is wrap up https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm. --- src/main/java/org/owasp/esapi/Validator.java | 95 +------------------ .../esapi/reference/DefaultValidator.java | 44 --------- .../HTMLValidationRuleClasspathTest.java | 37 +------- .../HTMLValidationRuleCleanTest.java | 57 +---------- .../HTMLValidationRuleThrowsTest.java | 32 +------ 5 files changed, 13 insertions(+), 252 deletions(-) 
diff --git a/src/main/java/org/owasp/esapi/Validator.java b/src/main/java/org/owasp/esapi/Validator.java index be16fbf50..90eaa35ae 100644 --- a/src/main/java/org/owasp/esapi/Validator.java +++ b/src/main/java/org/owasp/esapi/Validator.java @@ -44,11 +44,10 @@ *

* CAUTION: There are many methods that take multiple (or only!) {@code String} * arguments. Be careful that you do not mix up the order of these, because for - * some methods such as {@code isValidSafeHTML} if you were to confuse the order of - * {@code context} and {@code input} arguments, you would not be verifying what - * you thought you were and it could have serious security consequences as a - * result. When there are 2 these {@code String} parameters—{@code context} and - * {@code input} arguments—the * {@code context} argument is always first. + * several methods that have {@code context} and {@code input} arguments, mixing up + * the order of those likely will result in serious security consequences. + * . When there are 2 these {@code String} parameters—{@code context} and + * {@code input} arguments—the {@code context} argument is always first. * See the individual method documentation for additional details. *

* @@ -297,92 +296,6 @@ public interface Validator { */ Date getValidDate(String context, String input, DateFormat format, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; - /** - * Returns {@code true} if the parameter {@code input} is valid and presumably safe. - *

- * WARNING: Note that the only safe way to use this method is if you - * instead of using the passed-in parameter '{@code input}' (which should - * not be completely trusted as-is, regardless of whether this method returns - * {@code true}), you first sanitize (i.e., cleanse) the parameter '{@code input}' - * by first by calling one of the {@code getValidSafeHTML} methods on it. For - * additional details explaining the rationale for this, please see the referenced - * ESAPI Security Bulletin 12 in the referenced GitHub Security Advisory - * mentioned in the "See Also" section below. - * - * @param context - * A descriptive tag name for the input that you are validating (e.g., user_comment). - * This value is used by any logging or error handling that is done with respect to the value passed in. - * @param input - * The actual user input data to validate. Note that the expectation - * is that this input is allowed to contain "safe" HTML markup, - * otherwise you should not be using this {@code Validator} method - * at all. - * @param maxLength - * The maximum {@code String} length allowed for {@code input}. - * @param allowNull - * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. - * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. - * - * @return True if the {@code input} is presumably safe, otherwise false. - * - * @throws IntrusionException The parameter {@code input} likely indicates an attack. - * - * @deprecated Deprecated as of ESAPI 2.5.3.0. This method will be removed in 1 year - * after the ESAPI 2.5.3.0 release date (2023-11-24). 
- * - * @see GitHub Security Advisory: Validator.isValidSafeHTML - * is being deprecated and will be deleted in 1 year - */ - @Deprecated - boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws IntrusionException; - - /** - * Returns {@code true} if the parameter {@code input} is valid and presumably safe. - * Any exceptions are added to the supplied {@code errorList} parameter. - *

- *

- * Calls {@link #getValidSafeHTML(String, String, int, boolean)}, - * and returns true if no exceptions are thrown. - *

- * WARNING: Note that the only safe way to use this method is if you - * instead of using the passed-in parameter '{@code input}' (which should - * not be completely trusted as-is, regardless of whether this method returns - * {@code true}), you first sanitize (i.e., cleanse) the parameter '{@code input}' - * by first by calling one of the {@code getValidSafeHTML} methods on it. For - * additional details explaining the rationale for this, please see the referenced - * ESAPI Security Bulletin 12 in the referenced GitHub Security Advisory - * mentioned in the "See Also" section below. - * - * @param context - * A descriptive tag name for the input that you are validating (e.g., user_comment). - * This value is used by any logging or error handling that is done with respect to the value passed in. - * @param input - * The actual user input data to validate. Note that the expectation - * is that this input is allowed to contain "safe" HTML markup, - * otherwise you should not be using this {@code Validator} method - * at all. - * @param maxLength - * The maximum {@code String} length allowed for {@code input}. - * @param allowNull - * If {@code allowNull} is true then an input that is NULL or an empty string will be legal. - * If {@code allowNull} is false then NULL or an empty String will throw a ValidationException. - * @param errorList The error list to which any {@code ValidationException} messages are added. - * - * @return True if the {@code input} is presumably safe, otherwise false. - * - * @throws IntrusionException The parameter {@code input} likely indicates an attack. - * - * @deprecated Deprecated as of ESAPI 2.5.3.0. This method will be removed in 1 year - * after the ESAPI 2.5.3.0 release date (2023-11-24). 
- * - * @see GitHub Security Advisory: Validator.isValidSafeHTML - * is being deprecated and will be deleted in 1 year - */ - @Deprecated - boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; - /** * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java index fd39858aa..a458f40db 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java @@ -99,9 +99,6 @@ public class DefaultValidator implements org.owasp.esapi.Validator { private static Logger logger = ESAPI.log(); private static volatile Validator instance = null; private static boolean alreadyLogged = false; - private static String deprecationWarning = "WARNING: You are using the Validator.isValidSafeHTML interface, " + - "which has been deprecated and should be avoided. See GitHub Security Advisory " + - "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm for details."; public static Validator getInstance() { if ( instance == null ) { @@ -379,47 +376,6 @@ public Date getValidDate(String context, String input, DateFormat format, boolea return safeDate; } - /** - * {@inheritDoc} - *

- * This implementation does not throw {@link IntrusionException}. - */ - @Override - public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) { - // Ensure a message about deprecation is logged once if this or the - // other isValidSafeHTML method is called. - if ( ! alreadyLogged ) { - logger.always(Logger.SECURITY_AUDIT, deprecationWarning); - alreadyLogged = true; - } - try { - getValidSafeHTML( context, input, maxLength, allowNull); - return true; - } catch( Exception e ) { - return false; - } - } - - /** - * {@inheritDoc} - */ - @Override - public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException { - // Ensure a message about deprecation is logged once if this or the - // other isValidSafeHTML method is called. - if ( ! alreadyLogged ) { - logger.always(Logger.SECURITY_AUDIT, deprecationWarning); - alreadyLogged = true; - } - try { - getValidSafeHTML( context, input, maxLength, allowNull); - return true; - } catch( ValidationException e ) { - errors.addError(context, e); - return false; - } - } - /** * {@inheritDoc} *

diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java index d7ac1ceff..9492c6b7c 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java @@ -47,16 +47,11 @@ * * This class tests the case of a non-standard AntiSamy policy file along with * the case where the new ESAPI.property - * {@code Validator.HtmlValidationAction} + * Validator.HtmlValidationAction * is set to "throw", which causes certain calls to - * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML() + * {@code ESAPI.validator().getValidSafeHTML()} * to throw a ValidationException rather than simply logging a warning and returning * the cleansed (sanitizied) output when certain unsafe input is encountered. - * - * It should be noted that several of the tests in this file are deprecated because - * they use {@code Validator.isValidSafeHTML} which is deprecated. See the - * deprecation warnings for those methods respective Javadoc for further - * details. */ public class HTMLValidationRuleClasspathTest { /** The intentionally non-compliant (to the AntiSamy XSD) AntiSamy policy file. We don't intend to 
@@ -177,32 +172,4 @@ public void testGetValidSafeHTML() throws Exception { } } - /** - * @deprecated because Validator.isValidSafeHTML is deprecated. - * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean) - * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean,org.owasp.esapi.ValidationErrorList) - */ - @Deprecated - @Test - public void testIsValidSafeHTML() { - System.out.println("isValidSafeHTML"); - Validator instance = ESAPI.validator(); - thrownEx = ExpectedException.none(); // Not expecting any exceptions here. - - assertTrue(instance.isValidSafeHTML("test", "Jeff", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Aspect Security", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. ", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test.

", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - - ValidationErrorList errors = new ValidationErrorList(); - assertFalse(instance.isValidSafeHTML("test1", "Test. ", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test2", "Test.
", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test3", "Test. alert(document.cookie)", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test4", "Test. alert(document.cookie)", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test5", "Test. alert(document.cookie)", 100, false, errors)); - assertTrue( errors.size() == 5 ); - } } diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java index c28d24f9d..964df6c1f 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java @@ -56,9 +56,9 @@ * that were originally part of src/test/java/org/owasp/esapi/reference/ValidatorTest.java. * * This class tests the cases where the new ESAPI.property - * Validator.HtmlValidationAction + * Validator.HtmlValidationAction * is set to "clean", which causes certain calls to - * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML() + * {@code ESAPI.validator().getValidSafeHTML()} * to simply log a warning and return the cleansed (sanitized) output rather * than throwing a ValidationException when certain unsafe input is * encountered. 
@@ -275,53 +275,6 @@ public void testAntiSamy_CVE_2023_43643() { } //////////////////////////////////////// - /** - * @deprecated because Validator.isValidSafeHTML is deprecated. - * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean) - * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean,org.owasp.esapi.ValidationErrorList) - */ - @Deprecated - @Test - public void testIsValidSafeHTML() { - System.out.println("testIsValidSafeHTML"); - Validator instance = ESAPI.validator(); - - assertTrue(instance.isValidSafeHTML("test", "Jeff", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Aspect Security", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Test. ", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Test.
", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - - ValidationErrorList errors = new ValidationErrorList(); - assertTrue(instance.isValidSafeHTML("test1", "Jeff", 100, false, errors)); - assertTrue(instance.isValidSafeHTML("test2", "Aspect Security", 100, false, errors)); - assertTrue(instance.isValidSafeHTML("test3", "Test. ", 100, false, errors)); - assertTrue(instance.isValidSafeHTML("test4", "Test.
", 100, false, errors)); - assertTrue(instance.isValidSafeHTML("test5", "Test. alert(document.cookie)", 100, false, errors)); - assertTrue(instance.isValidSafeHTML("test6", "Test. alert(document.cookie)", 100, false, errors)); - assertTrue(instance.isValidSafeHTML("test7", "Test. alert(document.cookie)", 100, false, errors)); - assertTrue(errors.size() == 0); - - // Extracted from testIEConditionalComment(). - String input = ""; - boolean isSafe = instance.isValidSafeHTML("test12", input, 100, false, errors); - assertTrue(instance.isValidSafeHTML("test12", input, 100, false, errors)); // Safe bc "" gets returned!!! - - // Extracted from testNekoDOSWithAnHTMLComment() - errors = new ValidationErrorList(); - input = "" + expectedSafeText + ""; - boolean result = instance.isValidSafeHTML("CVE-2021-35043", badVoodoo, 200, false); - assertTrue( result ); - } - // This test has been significantly changed because as on AntiSamy 1.7.4 // (first used with ESAPI 2.5.3.0) has changed the results of // Validator.getValidSafeHTMLfor this output. Prior to AntiSamy 1.7.4, the @@ -335,7 +288,7 @@ public void testIsValidSafeHTML() { // // Also, this test, which originally used Validator.isValidSafeHTML(), has been // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML() - // has been deprecated. See GitHub Security Advisory + // has been removed as of ESAPI 2.6.0.0. See GitHub Security Advisory // https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm // and the referenced ESAPI Security Bulletin mentioned therein. @Test 
@@ -368,7 +321,7 @@ public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception { // // Also, this test, which originally used Validator.isValidSafeHTML(), has been // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML() - // has been deprecated. See GitHub Security Advisory + // has been removed as of ESAPI 2.6.0.0. See GitHub Security Advisory // https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm // and the referenced ESAPI Security Bulletin mentioned therein. @Test @@ -403,7 +356,7 @@ public void testScriptTagAfterStyleClosing() throws Exception { // // Also, this test, which originally used Validator.isValidSafeHTML(), has been // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML() - // has been deprecated. See GitHub Security Advisory + // has been removed as of ESAPI 2.6.0.0. See GitHub Security Advisory // https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm // and the referenced ESAPI Security Bulletin mentioned therein. @Test diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java index f0a658512..01235325d 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java 
@@ -42,9 +42,9 @@ * that were originally part of src/test/java/org/owasp/esapi/reference/ValidatorTest.java. * * This class tests the cases where the new ESAPI.property - * Validator.HtmlValidationAction + * Validator.HtmlValidationAction * is set to "throw", which causes certain calls to - * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML() + * {@code ESAPI.validator().getValidSafeHTML()} * to throw a ValidationException rather than simply logging a warning and returning * the cleansed (sanitizied) output when certain unsafe input is encountered. */ @@ -143,32 +143,4 @@ public void testGetValidSafeHTML() throws Exception { } } - /** - * @deprecated because Validator.isValidSafeHTML is deprecated. - * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean) - * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean,org.owasp.esapi.ValidationErrorList) - */ - @Deprecated - @Test - public void testIsValidSafeHTML() { - System.out.println("isValidSafeHTML"); - Validator instance = ESAPI.validator(); - thrownEx = ExpectedException.none(); // Not expecting any exceptions here. - - assertTrue(instance.isValidSafeHTML("test", "Jeff", 100, false)); - assertTrue(instance.isValidSafeHTML("test", "Aspect Security", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. ", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test.
", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - assertFalse(instance.isValidSafeHTML("test", "Test. alert(document.cookie)", 100, false)); - - ValidationErrorList errors = new ValidationErrorList(); - assertFalse(instance.isValidSafeHTML("test1", "Test. ", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test2", "Test.
", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test3", "Test. alert(document.cookie)", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test4", "Test. alert(document.cookie)", 100, false, errors)); - assertFalse(instance.isValidSafeHTML("test5", "Test. alert(document.cookie)", 100, false, errors)); - assertTrue( errors.size() == 5 ); - } } From 0fda292b9dcf2d394acd1d39b00e7d947ee372d4 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 14:27:11 -0500 Subject: [PATCH 5/9] Adjust release date so it agrees with Maven Central repository. Release was started on 10/7 but did not complete until after midnight. --- scripts/vars.2.5.5.0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vars.2.5.5.0 b/scripts/vars.2.5.5.0 index 1c0478de7..3f483d045 100644 --- a/scripts/vars.2.5.5.0 +++ b/scripts/vars.2.5.5.0 @@ -8,7 +8,7 @@ VERSION=2.5.5.0 PREV_VERSION=2.5.4.0 # Release date of current version in yyyy-mm-dd format -YYYY_MM_DD_RELEASE_DATE=2024-10-07 +YYYY_MM_DD_RELEASE_DATE=2024-10-08 # Previous ESAPI release date in same format PREV_RELEASE_DATE=2024-05-30 From d349fc42724e096ad0adfdcbd9fd97cd014adf57 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 14:32:52 -0500 Subject: [PATCH 6/9] Set previous release date in pom. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 351e13445..b6b9fcb33 100644 --- a/pom.xml +++ b/pom.xml @@ -141,7 +141,7 @@ - 2024-05-30 00:00:00 + 2024-10-08 00:00:00 From 8c4ad157ee9b65e5a820d3968d97b6d8235a9cb6 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 15:31:53 -0500 Subject: [PATCH 7/9] For release 2.6.0.0 info --- scripts/vars.2.6.0.0 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 scripts/vars.2.6.0.0 diff --git a/scripts/vars.2.6.0.0 b/scripts/vars.2.6.0.0 new file mode 100644 index 000000000..e44bce867 --- /dev/null +++ b/scripts/vars.2.6.0.0 
@@ -0,0 +1,14 @@ +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. + +# ESAPI (new / current) version +VERSION=2.6.0.0 + +# Previous ESAPI version +PREV_VERSION=2.5.5.0 + +# Release date of current version in yyyy-mm-dd format +YYYY_MM_DD_RELEASE_DATE=2024-11-25 + +# Previous ESAPI release date in same format +PREV_RELEASE_DATE=2024-10-08 From 2993c794d7030f1fa0a8583a549a2d3737d58e99 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 16:07:58 -0500 Subject: [PATCH 8/9] Update to reference latest release, 2.6.0.0. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c793d99c2..b0928bacb 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI depend org.owasp.esapi esapi - 2.5.5.0 + 2.6.0.0 jakarta ``` @@ -105,7 +105,7 @@ link to the specific release notes. the ESAPI GitHub Discussion https://github.com/ESAPI/esapi-java-legacy/discussions/841. # Locating ESAPI Jar files -The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.4.0. +The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.6.0.0. All the *regular* ESAPI jars, with the exception of the ESAPI configuration jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached GPG signature, are available from Maven Central. The ESAPI configuration From 01a64a2cd2f022953201af3b5ea8d0cfc84964da Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 16:13:27 -0500 Subject: [PATCH 9/9] Release notes for ESAPI 2.6.0.0 release. --- .../esapi4java-core-2.6.0.0-release-notes.txt | 192 ++++++++++++++++++ 1 file changed, 192 insertions(+) create mode 100644 documentation/esapi4java-core-2.6.0.0-release-notes.txt 
diff --git a/documentation/esapi4java-core-2.6.0.0-release-notes.txt b/documentation/esapi4java-core-2.6.0.0-release-notes.txt new file mode 100644 index 000000000..cf8c953ae --- /dev/null +++ b/documentation/esapi4java-core-2.6.0.0-release-notes.txt 
@@ -0,0 +1,192 @@ +Release notes for ESAPI 2.6.0.0 + Release date: 2024-11-25 + Project leaders: + -Kevin W. Wall + -Matt Seil + +Previous release: ESAPI 2.5.5.0, 2024-10-08 + + +Executive Summary: Important Things to Note for this Release +------------------------------------------------------------ +This ESAPI release removes the Validator.isValidSafeHTML methods and references to it from ESAPI code. We will NOT be replacing it. This is to fulfill GitHub Security Advisory https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm and GitHub issue #859. + +ESAPI was also updated to use the latest version of AntiSamy, 1.7.7. + +Notes if you are not updating from the immediate previous release. release 2.5.5.0: + * You need to read through the series of release notes FIRST, going in order. + * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read: + + esapi4java-core-2.4.0.0-release-notes.txt + esapi4java-core-2.5.0.0-release-notes.txt + esapi4java-core-2.5.1.0-release-notes.txt + esapi4java-core-2.5.2.0-release-notes.txt + ...etc., up through the current set of release notes... + esapi4java-core-2.x.y.z-release-notes.txt + +in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.) + +If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. 
Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI. + +You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. + + +================================================================================================================= + +Basic ESAPI facts +----------------- + +ESAPI 2.5.5.0 release: + 207 Java source files + 4297 JUnit tests in 131 Java test files + +ESAPI 2.6.0.0 release: + 207 Java source files + 4312 JUnit tests in 133 Java source files + +2 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). +(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2024-10-08) + +Issue # GitHub Issue Title +---------------------------------------------------------------------------------------------- +204 DefalutValidator.isValidSafeHTML() doesn't work (wontfix) +859 Remove deprecated Validator.isValidSafeHTML methods +----------------------------------------------------------------------------- + + Changes Requiring Special Attention + +----------------------------------------------------------------------------- +Breaking Change - deprecated methods removed +* As of 2.6.0.0, the methods Validator.isValidSafeHTML are deleted. We won't be bring them back. See https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm and the associated Security Bulletin for details. + +Important JDK Support Announcement +* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. 
See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason. + - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier. + +Important ESAPI Logging Changes + +* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are + - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. + * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. + - SLF4J (which your choice of supported SLF4J logging implemmentation) + * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. +* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 + +If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. 
The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: + https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x + +----------------------------------------------------------------------------- + + Remaining Known Issues / Problems + +----------------------------------------------------------------------------- +None known, other than the remaining open issues on GitHub. + +----------------------------------------------------------------------------- + +Other changes in this release, some of which not tracked via GitHub issues + +----------------------------------------------------------------------------- + +* Minor updates to README.md file with respect to version information. + +----------------------------------------------------------------------------- + +Developer Activity Report (Changes between release 2.5.5.0 and 2.6.0.0, i.e., between 2024-10-08 and 2024-11-25) +Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. +Figures do not include rejected PRs. + +Developer Total Total Number # Merged +(GitHub ID) commits of Files Changed PRs +======================================================== +kwwall 12 11 1 +======================================================== + Total PRs: 1 + +----------------------------------------------------------------------------- + +CHANGELOG: Create your own. May I suggest: + + git log --stat --since=2024-10-08 --reverse --pretty=medium + + which will show all the commits since just after the previous (2.5.5.0) release. + + Alternately, you can download the most recent ESAPI source and run + + mvn site + + which will create a CHANGELOG file named 'target/site/changelog.html' + + +----------------------------------------------------------------------------- + +Direct and Transitive Runtime and Test Dependencies: + + $ mvn -B dependency:tree + ... 
+ [INFO] --- maven-dependency-plugin:3.8.0:tree (default-cli) @ esapi --- + [INFO] org.owasp.esapi:esapi:jar:2.6.0.0-SNAPSHOT + [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided + [INFO] +- xom:xom:jar:1.3.9:compile + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile + [INFO] +- commons-lang:commons-lang:jar:2.6:compile + [INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile + [INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M2:compile + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile + [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.7:compile + [INFO] | +- commons-io:commons-io:jar:2.18.0:compile + [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.4.1:compile + [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.3.1:compile + [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.3.1:compile + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.18:compile + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.18:compile + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.18:compile + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.18:compile + [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.18:compile + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.10:compile + [INFO] | +- org.htmlunit:neko-htmlunit:jar:4.6.0:compile + [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile + [INFO] +- org.slf4j:slf4j-api:jar:2.0.16:compile + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.8.6:compile (optional) + [INFO] | \- 
com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional) + [INFO] +- commons-codec:commons-codec:jar:1.17.1:test + [INFO] +- junit:junit:jar:4.13.2:test + [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:test + [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test + [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test + [INFO] +- org.mockito:mockito-core:jar:3.12.4:test + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test + [INFO] | \- org.objenesis:objenesis:jar:3.2:test + [INFO] +- org.powermock:powermock-core:jar:2.0.9:test + [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test + [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test + [INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test + [INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test + [INFO] ------------------------------------------------------------------------ + [INFO] BUILD SUCCESS + [INFO] ------------------------------------------------------------------------ + [INFO] Total time: 0.884 s + [INFO] Finished at: 2024-11-25T15:35:40-05:00 + [INFO] ------------------------------------------------------------------------ + +----------------------------------------------------------------------------- + +Acknowledgments: + Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.7. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. + +A special thanks to the ESAPI community from the ESAPI project co-leaders: + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! + Matt Seil (xeno6696)
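Review bot: In the "Important ESAPI Logging Changes" block of the new release notes, the removed Log4J factory is cited as `org.owasp.esapi.logger.log4j.Log4JFactory`, while the two surviving factories on the same page live under `org.owasp.esapi.logging.*` (`org.owasp.esapi.logging.java.JavaLogFactory`, `org.owasp.esapi.logging.slf4j.Slf4JLogFactory`); please verify the package and class name against the 2.4.x sources, since users chasing the ClassNotFoundException will grep for exactly that string. The same block also ships several typos that should be fixed before tagging: "haveing" -> "having", "you only choice of ESAPI logging are" -> "your only choices for ESAPI logging are", "which as been the default" -> "which has been the default", "(which your choice of supported SLF4J logging implemmentation)" -> "(with your choice of supported SLF4J logging implementation)", "an ClassNotFoundException" -> "a ClassNotFoundException", and "has not be tested" -> "has not been tested"; consider stating plainly that the Log4J 1 via SLF4J path is untested/unsupported rather than "ought to be able to". Finally, the dependency tree under "Direct and Transitive Runtime and Test Dependencies" was captured from `org.owasp.esapi:esapi:jar:2.6.0.0-SNAPSHOT`; regenerate it after the release version bump so the notes match the published artifact.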
