From 70e1506a05de208e1deccb89a71a1a1bf994320b Mon Sep 17 00:00:00 2001 From: Dario Viva <45972949+DarioViva42@users.noreply.github.com> Date: Tue, 6 Aug 2024 18:40:00 +0200 Subject: [PATCH 001/172] Update README.md rephrase warning message in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac6dda95e..2956cc916 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap # Jakarta EE Support **IMPORTANT:** ESAPI has supported the Jakarta Servlet API (i.e., **jakarta.servlet.api**) since release -2.5.3.0. (Unfortunately, we were just forgot to note that in this **README** file. Duh!) +2.5.3.0. (Unfortunately, this information was previously missing in this **README** file.) Therefore, for release 2.5.3.0 and later versions of ESAPI, ESAPI ought to be able to support Spring Boot 3, Spring 6, Tomcat 10, and other applications or libraries requiring Jarkata EE. (If you find a case where it does From c73859623b7e6bc9e0d567e4fe37ad36b2aaabe9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:04:08 +0200 Subject: [PATCH 002/172] EncodingPatternPreservation: replace length check with isEmpty call --- .../org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java index 309485428..1990b5352 100644 --- a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java +++ b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java 
@@ -77,7 +77,7 @@ public String captureAndReplaceMatches(String input) { */ public String restoreOriginalContent(String input) { String result = input; - while (replacedContentList.size() > 0) { + while (!replacedContentList.isEmpty()) { String origValue = replacedContentList.remove(0); result = result.replaceFirst(replacementMarker, origValue); } From 0190e97810d4fe994997b58b8068ad50c00d3973 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:07:17 +0200 Subject: [PATCH 003/172] EncodingPatternPreservation: fix typo --- .../org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java index 1990b5352..b071fc195 100644 --- a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java +++ b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java @@ -89,7 +89,7 @@ public String restoreOriginalContent(String input) { /** * Allows the marker used as a replacement to be altered. * - * @param marker String replacment to use for regex matches. + * @param marker String replacement to use for regex matches. */ public void setReplacementMarker(String marker) { if (!replacedContentList.isEmpty()) { From 31d82009efa9b09664c3e50791fb678939a16169 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:08:26 +0200 Subject: [PATCH 004/172] AbstractCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/AbstractCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java index 77c153fcd..054e32978 100644 --- a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java @@ -25,7 +25,7 @@ *
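Review bot: The `result = result.replaceFirst(replacementMarker, origValue);` line kept by this hunk passes the captured text as a regex replacement string, so any `$` or `\` inside the original content is read as a group reference or escape — a dangling `$` throws IllegalArgumentException and a `$1` substitutes instead of restoring the text verbatim; the marker itself is likewise compiled as a regex. Since `origValue` comes straight from the input being processed, both arguments should be quoted: `result = result.replaceFirst(Pattern.quote(replacementMarker), Matcher.quoteReplacement(origValue));` (this needs `java.util.regex.Pattern` and `Matcher` in scope, which the hunk does not show). Whether the marker is meant as a literal or a pattern is not visible here; if it is a pattern by design, quote only the replacement side. restoreOriginalContent's final `return` lies outside the hunk.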

* Be sure to see the several WARNINGs associated with the detailed * method descriptions. You will not find that in the "Method Summary" section - * of the javadoc because that only shows the intial sentence. + * of the javadoc because that only shows the initial sentence. * * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security From fc7800a1a4e4ed02a13093ec3307acbcfcfdefb9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:14:48 +0200 Subject: [PATCH 005/172] AbstractCodec: there is no such thing as a footgun usage --- src/main/java/org/owasp/esapi/codecs/AbstractCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java index 054e32978..5149b5d0a 100644 --- a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java @@ -96,7 +96,7 @@ public String encodeCharacter( char[] immune, Character c ) { /** - * To prevent accidental footgun usage and calling + * To prevent accidental usage and calling * {@link #encodeCharacter( char[], int)} when called with {@code char} and * {@code char} is first silently converted to {@code int} and then the * unexpected method is called. From 0b35b3115a7f726b6ff447f41cdc68fe5e7d199b Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:19:05 +0200 Subject: [PATCH 006/172] AbstractPushbackSequence: fix typo. see https://languagetool.org/insights/post/regard/ --- .../java/org/owasp/esapi/codecs/AbstractPushbackSequence.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java index f90e07dbb..31b338d90 100644 --- a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java 
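Review bot: Dropping "footgun" from the first Javadoc line of this hunk removes the sentence's subject: "To prevent accidental usage and calling {@link #encodeCharacter( char[], int)} when called with {@code char} ..." no longer says what is being prevented or why this overload exists. Rather than deleting one word, reword the sentence so the intent survives, e.g. `* Overload that keeps a {@code char} argument from being silently widened to {@code int} and dispatched to {@link #encodeCharacter(char[], int)}, which is not the method the caller intended.` I am inferring from the text that the documented method is a {@code char} overload; its declaration starts after the end of the hunk, so confirm before applying.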
+++ b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java @@ -19,7 +19,7 @@ /** * This Abstract class provides the generic logic for using a {@link PushbackSequence} - * in regards to iterating strings. The final Impl is intended for the user to supply + * in regard to iterating strings. The final Impl is intended for the user to supply * a type T such that the pushback interface can be utilized for sequences * of type T. Presently this generic class is limited by the fact that * input is a String. From efb6300cff33049c7bb659b82ce48841da784839 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:20:23 +0200 Subject: [PATCH 007/172] AbstractPushbackSequence: replace length check with isEmpty call --- .../java/org/owasp/esapi/codecs/AbstractPushbackSequence.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java index 31b338d90..2562a8441 100644 --- a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java +++ b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java @@ -61,7 +61,7 @@ public boolean hasNext() { return true; if (input == null) return false; - if (input.length() == 0) + if (input.isEmpty()) return false; if (index >= input.length()) return false; From 8cc7fdb5a205a1d7ffb3d1d1d12e7842c9e4b1f2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:21:55 +0200 Subject: [PATCH 008/172] Base64: fix typo --- src/main/java/org/owasp/esapi/codecs/Base64.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index 1af941510..0d7097afd 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java +++ b/src/main/java/org/owasp/esapi/codecs/Base64.java 
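Review bot: The new `if (input.isEmpty())` in hasNext() compiles on Java 8 only if `input` is declared as `String`; `CharSequence.isEmpty()` is a Java 15 default method and the field declaration is not in the hunk, so the type should be confirmed before relying on it — the same applies to the `isEmpty()` calls introduced in PushBackSequenceImpl (patch 025) and PushbackString (patch 026). Separately, this guard is subsumed by the `if (index >= input.length()) return false;` that follows it whenever `index` is non-negative, so both the old and new forms are redundant unless index can go negative; if it cannot, the clearer change is to delete the empty check rather than rephrase it. hasNext() starts before the hunk and continues after it.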
@@ -72,7 +72,7 @@ * Added the ability to "suspend" encoding in the Output Stream so * you can turn on and off the encoding if you need to embed base64 * data in an otherwise "normal" stream (like an XML file). - *

  • v1.5 - Output stream pases on flush() command but doesn't do anything itself. + *
  • v1.5 - Output stream passes on flush() command but doesn't do anything itself. * This helps when using GZIP streams. * Added the ability to GZip-compress objects before encoding them.
  • *
  • v1.4 - Added helper methods to read/write files.
  • From ab000a65aa977213678c173a5611ef8008efb3c0 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:31:05 +0200 Subject: [PATCH 009/172] Base64: declaring static methods with modifier 'final' makes no sense --- src/main/java/org/owasp/esapi/codecs/Base64.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index 0d7097afd..3d26f9bd8 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java +++ b/src/main/java/org/owasp/esapi/codecs/Base64.java @@ -363,7 +363,7 @@ public class Base64 * in which case one of them will be picked, though there is * no guarantee as to which one will be picked. */ - private final static byte[] getAlphabet( int options ) + private static byte[] getAlphabet( int options ) { if( (options & URL_SAFE) == URL_SAFE ) return _URL_SAFE_ALPHABET; else if( (options & ORDERED) == ORDERED ) return _ORDERED_ALPHABET; @@ -379,7 +379,7 @@ private final static byte[] getAlphabet( int options ) * in which case one of them will be picked, though there is * no guarantee as to which one will be picked. */ - private final static byte[] getDecodabet( int options ) + private static byte[] getDecodabet( int options ) { if( (options & URL_SAFE) == URL_SAFE ) return _URL_SAFE_DECODABET; else if( (options & ORDERED) == ORDERED ) return _ORDERED_DECODABET; @@ -396,7 +396,7 @@ private Base64(){} * if you're embedding this code into a larger program. * @param args */ - public final static void main( String[] args ) + public static void main( String[] args ) { if( args.length < 3 ){ usage("Not enough arguments."); @@ -422,7 +422,7 @@ else if( flag.equals( "-d" ) ) { * * @param msg A message to include with usage info. */ - private final static void usage( String msg ) + private static void usage( String msg ) { System.err.println( msg ); System.err.println( "Usage: java Base64 -e|-d inputfile outputfile" ); 
From b0a85f4753ff9f614f786eb9649cba3fe08a634b Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:35:04 +0200 Subject: [PATCH 010/172] Base64: fix typo --- src/main/java/org/owasp/esapi/codecs/Base64.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index 3d26f9bd8..000c1b1ef 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java +++ b/src/main/java/org/owasp/esapi/codecs/Base64.java @@ -458,7 +458,7 @@ private static byte[] encode3to4( byte[] b4, byte[] threeBytes, int numSigBytes, * anywhere along their length by specifying * srcOffset and destOffset. * This method does not check to make sure your arrays - * are large enough to accomodate srcOffset + 3 for + * are large enough to accommodate srcOffset + 3 for * the source array or destOffset + 4 for * the destination array. * The actual number of significant bytes in your array is @@ -706,7 +706,7 @@ public static String encodeBytes( byte[] source, int off, int len, int options ) * anywhere along their length by specifying * srcOffset and destOffset. * This method does not check to make sure your arrays - * are large enough to accomodate srcOffset + 4 for + * are large enough to accommodate srcOffset + 4 for * the source array or destOffset + 3 for * the destination array. * This method returns the actual number of bytes that From ccde885a4f9a2d3cf800ecbf1835543d00781a64 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 19:44:59 +0200 Subject: [PATCH 011/172] CSSCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/CSSCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/CSSCodec.java b/src/main/java/org/owasp/esapi/codecs/CSSCodec.java index 9ffb60f32..d68cc1f1d 100644 --- a/src/main/java/org/owasp/esapi/codecs/CSSCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/CSSCodec.java 
@@ -147,7 +147,7 @@ public Character decodeCharacter(PushbackSequence input) switch(second) { // special whitespace cases. I assume they mean // for all of these to qualify as a "new - // line." Otherwise there is no specification + // line." Otherwise, there is no specification // of what to do for \f case '\r': if(input.peek('\n')) From ad33ea855397a53ea6c424678456558cfe64eb70 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:03:53 +0200 Subject: [PATCH 012/172] HashTrie: replace length check with isEmpty call --- src/main/java/org/owasp/esapi/codecs/HashTrie.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/HashTrie.java b/src/main/java/org/owasp/esapi/codecs/HashTrie.java index b72b8c1fe..8555448f7 100644 --- a/src/main/java/org/owasp/esapi/codecs/HashTrie.java +++ b/src/main/java/org/owasp/esapi/codecs/HashTrie.java @@ -346,7 +346,7 @@ Set keySet(StringBuilder key, Set keys) if(value != null) // MUST toString here keys.add(key.toString()); - if(nextMap != null && nextMap.size() > 0) + if(nextMap != null && !nextMap.isEmpty()) { key.append('X'); for(Map.Entry> entry : nextMap.entrySet()) @@ -372,7 +372,7 @@ Set> entrySet(StringBuilder key, Set 0) + if(nextMap != null && !nextMap.isEmpty()) { key.append('X'); for(Map.Entry> entry : nextMap.entrySet()) From 43e7d21aca2a8d78934e261edb9af91622238140 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:06:26 +0200 Subject: [PATCH 013/172] HashTrie: fix typo --- src/main/java/org/owasp/esapi/codecs/HashTrie.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/HashTrie.java b/src/main/java/org/owasp/esapi/codecs/HashTrie.java index 8555448f7..93c4a2756 100644 --- a/src/main/java/org/owasp/esapi/codecs/HashTrie.java +++ b/src/main/java/org/owasp/esapi/codecs/HashTrie.java 
@@ -396,7 +396,7 @@ public HashTrie() } /** - * Get the key value entry who's key is the longest prefix match. + * Get the key value entry whose key is the longest prefix match. * @param key The key to lookup * @return Entry with the longest matching key. */ @@ -408,7 +408,7 @@ public Map.Entry getLongestMatch(CharSequence key) } /** - * Get the key value entry who's key is the longest prefix match. + * Get the key value entry whose key is the longest prefix match. * @param keyIn Pushback reader to read the key from. This should * have a buffer at least as large as {@link #getMaxKeyLength()} * or an IOException may be thrown backing up. From e75eacbdf0ab7f688c701eda4043274a24823999 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:04:52 +0200 Subject: [PATCH 014/172] HashTrie: fix typo --- src/main/java/org/owasp/esapi/codecs/HashTrie.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/HashTrie.java b/src/main/java/org/owasp/esapi/codecs/HashTrie.java index 93c4a2756..3ed3a424f 100644 --- a/src/main/java/org/owasp/esapi/codecs/HashTrie.java +++ b/src/main/java/org/owasp/esapi/codecs/HashTrie.java @@ -360,7 +360,7 @@ Set keySet(StringBuilder key, Set keys) } /** - * Recursively build a entry set. + * Recursively build an entry set. * @param key StringBuilder with our key. * @param entries Set to add to * @return entries with additions @@ -487,7 +487,7 @@ public T put(CharSequence key, T value) throws NullPointerException } /** - * Remove a entry. + * Remove an entry. * @return previous value * @throws UnsupportedOperationException always. */ From 8e7dbc3010f5a04c5a74f8c09f91da4deb6ee20b Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:08:03 +0200 Subject: [PATCH 015/172] HashTrie: fix typo --- src/main/java/org/owasp/esapi/codecs/HashTrie.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/codecs/HashTrie.java b/src/main/java/org/owasp/esapi/codecs/HashTrie.java index 3ed3a424f..f290cdd79 100644 --- a/src/main/java/org/owasp/esapi/codecs/HashTrie.java +++ b/src/main/java/org/owasp/esapi/codecs/HashTrie.java @@ -549,7 +549,7 @@ public T get(Object key) /** * Get the number of entries. - * @return the number or entries. + * @return the number of entries. */ public int size() { From 3db27a40e87c716c4427c25a555befd22bda6b43 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:09:52 +0200 Subject: [PATCH 016/172] HTMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java index 84ccb2ca5..864a59ba8 100644 --- a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java @@ -99,7 +99,7 @@ public String encodeCharacter( char[] immune, int codePoint ) { && codePoint != '\r' ) || ( codePoint >= 0x7f && codePoint <= 0x9f ) ) { - hex = REPLACEMENT_HEX; // Let's entity encode this instead of returning it + hex = REPLACEMENT_HEX; // Lets entity encode this instead of returning it codePoint = REPLACEMENT_CHAR; } From 0fb0f93a8c091b6b791c00dfd44775f4c0897c63 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:10:12 +0200 Subject: [PATCH 017/172] HTMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java index 864a59ba8..0021112a0 100644 --- a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java 
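Review bot: The comment edit on the `hex = REPLACEMENT_HEX;` line introduces the error it claims to fix: "Let's" is the contraction of "let us", so "Lets entity encode this" is wrong and the original was correct. Either keep the apostrophe or replace the note with wording that does not depend on it, e.g. `hex = REPLACEMENT_HEX; // substitute the replacement character and entity-encode it instead of passing the input through`. encodeCharacter( char[], int ) starts before the hunk and continues after it.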
@@ -119,7 +119,7 @@ public String encodeCharacter( char[] immune, int codePoint ) { * Returns the decoded version of the character starting at index, or * null if no decoding is possible. * - * Formats all are legal both with and without semi-colon, upper/lower case: + * Formats all are legal both with and without semicolon, upper/lower case: * &#dddd; * &#xhhhh; * &name; @@ -198,7 +198,7 @@ private Integer parseNumber( PushbackSequence input ) { sb.appendCodePoint( c ); input.next(); - // if character is a semi-colon, eat it and quit + // if character is a semicolon, eat it and quit } else if (c == ';' ) { input.next(); break; @@ -239,7 +239,7 @@ private Integer parseHex( PushbackSequence input ) { sb.appendCodePoint( c ); input.next(); - // if character is a semi-colon, eat it and quit + // if character is a semicolon, eat it and quit } else if (c == ';' ) { input.next(); break; @@ -312,7 +312,7 @@ private Integer getNamedEntity( PushbackSequence input ) { for(int i=0;i Date: Tue, 6 Aug 2024 20:11:41 +0200 Subject: [PATCH 018/172] HTMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java index 0021112a0..ce9ade087 100644 --- a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java @@ -320,7 +320,7 @@ private Integer getNamedEntity( PushbackSequence input ) { } /** - * Build a unmodifiable Map from entity Character to Name. + * Build an unmodifiable Map from entity Character to Name. * @return Unmodifiable map. */ private static synchronized Map mkCharacterToEntityMap() 
@@ -584,7 +584,7 @@ private static synchronized Map mkCharacterToEntityMap() } /** - * Build a unmodifiable Trie from entitiy Name to Character + * Build an unmodifiable Trie from entitiy Name to Character * @return Unmodifiable trie. */ private static synchronized Trie mkEntityToCharacterTrie() From 29a842e826a652b4f1044ca0481d5b70c3ff3480 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:13:35 +0200 Subject: [PATCH 019/172] HTMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java index ce9ade087..30856adc3 100644 --- a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java @@ -584,7 +584,7 @@ private static synchronized Map mkCharacterToEntityMap() } /** - * Build an unmodifiable Trie from entitiy Name to Character + * Build an unmodifiable Trie from entity Name to Character * @return Unmodifiable trie. */ private static synchronized Trie mkEntityToCharacterTrie() From bd56cf67d0bd745d4c725b233fc248eb66978339 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:16:28 +0200 Subject: [PATCH 020/172] JSONCodec: simplify boolean expression --- src/main/java/org/owasp/esapi/codecs/JSONCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/JSONCodec.java b/src/main/java/org/owasp/esapi/codecs/JSONCodec.java index 524b2faac..25b8b438c 100644 --- a/src/main/java/org/owasp/esapi/codecs/JSONCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/JSONCodec.java 
@@ -96,7 +96,7 @@ public String encodeCharacter( char[] immune, int codePoint ) // WARNING!! Character based Codecs will only handle the byte range of 0-65535 (0x0-0xffff). // Passing any data represented by a higher numerical value will result in a downcast thus // destroying the original data with undefined results. - if ( Character.isValidCodePoint( codePoint ) == false ) { + if ( !Character.isValidCodePoint(codePoint) ) { // throw new IllegalArgumentException( "Invalid codepoint '" + String.format("0x%04X", codePoint) + "'." ); return ""; } From 8912f7bd97e41fd6d2c91594c71a9d4cbbe334f4 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:17:13 +0200 Subject: [PATCH 021/172] MySQLCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/MySQLCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java index 193dfa208..d798af8d5 100644 --- a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java @@ -63,7 +63,7 @@ public class MySQLCodec extends AbstractCharacterCodec { * please see the Manual at * @link http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html#sqlmode_ansi * - * Currently the only supported modes are: + * Currently, the only supported modes are: * ANSI * STANDARD */ From a27f903389aafd8119997ce25b1db68b7158b1a2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:17:57 +0200 Subject: [PATCH 022/172] MySQLCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/MySQLCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java index d798af8d5..c507b0362 100644 --- a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java 
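Review bot: The commented-out `throw new IllegalArgumentException(...)` directly above `return "";` leaves the contract of the invalid-code-point branch ambiguous: a reader cannot tell whether silently dropping the character is the intended behavior or a leftover stub, and for an output-encoding codec that matters because dropped input is invisible to the caller. Replace the dead line with a statement of the decision, e.g. `// Invalid code points are dropped rather than rejected; callers needing strict validation must check Character.isValidCodePoint themselves`, and record the same in the method's Javadoc (outside the hunk). The WARNING above also speaks of a 0-65535 limit while `Character.isValidCodePoint` accepts values up to 0x10FFFF, so the two comments appear to describe different limits and are worth reconciling. encodeCharacter( char[], int ) starts before the hunk and continues after it.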
@@ -195,7 +195,7 @@ private String encodeCharacterMySQL( Character c ) { * Returns the decoded version of the character starting at index, or * null if no decoding is possible. * - * Formats all are legal (case sensitive) + * Formats all are legal (case-sensitive) * In ANSI_MODE '' decodes to ' * In MYSQL_MODE \x decodes to x (or a small list of specials) */ From 14ba93f87b7f711649678d82adffc45f9caf5046 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:20:05 +0200 Subject: [PATCH 023/172] PercentCodec: fix link --- src/main/java/org/owasp/esapi/codecs/PercentCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/PercentCodec.java b/src/main/java/org/owasp/esapi/codecs/PercentCodec.java index 5775055bb..f4c03dae7 100644 --- a/src/main/java/org/owasp/esapi/codecs/PercentCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/PercentCodec.java @@ -54,7 +54,7 @@ public class PercentCodec extends AbstractCharacterCodec * @return str encoded in UTF-8 as bytes. * @throws IllegalStateException wrapped {@link * UnsupportedEncodingException} if - * {@link String.getBytes(String)} throws it. + * {@link String#getBytes(String)} throws it. */ private static byte[] toUtf8Bytes(String str) { From c9d8368dce8fae68cac2d9a8e54823ec54fd04c7 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:22:14 +0200 Subject: [PATCH 024/172] PushBackSequenceImpl: fix typo --- .../java/org/owasp/esapi/codecs/PushBackSequenceImpl.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java index 9f0c5223c..4f0847f1e 100644 --- a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java +++ b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java 
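Review bot: The Javadoc this hunk corrects documents an `IllegalStateException` wrapping `UnsupportedEncodingException` from `String#getBytes(String)`, a failure path that exists only because the charset is passed by name. The body of toUtf8Bytes is outside the hunk, but if it still calls `str.getBytes("UTF-8")`, switching to `str.getBytes(StandardCharsets.UTF_8)` removes the checked exception, the wrapper and the `@throws` clause entirely, since UTF-8 is guaranteed on every JVM. The visible Javadoc has `@return` and `@throws` but no `@param str` line within the hunk; add `* @param str the text to encode as UTF-8` if it is not already present above the hunk start.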
@@ -60,9 +60,9 @@ public Integer nextOctal() { } /** - * Returns true if the parameter character is a hexidecimal digit 0 through 9, a through f, or A through F. + * Returns true if the parameter character is a hexadecimal digit 0 through 9, a through f, or A through F. * @param c - * @return true if it is a hexidecimal digit, false otherwise. + * @return true if it is a hexadecimal digit, false otherwise. */ public static boolean isHexDigit( Integer c ) { if ( c == null ) return false; From 2bbe52236a3554e4eb214985f9a3409c3a45935a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:21:54 +0200 Subject: [PATCH 025/172] PushBackSequenceImpl: replace length check with isEmpty call --- .../java/org/owasp/esapi/codecs/PushBackSequenceImpl.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java index 4f0847f1e..9c116cc2b 100644 --- a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java +++ b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java @@ -30,7 +30,7 @@ public Integer next() { return save; } if ( input == null ) return null; - if ( input.length() == 0 ) return null; + if ( input.isEmpty() ) return null; if ( index >= input.length() ) return null; final Integer point = input.codePointAt(index); index += Character.charCount(point); @@ -88,7 +88,7 @@ public static boolean isOctalDigit( Integer c ) { public Integer peek() { if ( pushback != null ) return pushback; if ( input == null ) return null; - if ( input.length() == 0 ) return null; + if ( input.isEmpty() ) return null; if ( index >= input.length() ) return null; return input.codePointAt(index); } 
@@ -101,7 +101,7 @@ public Integer peek() { public boolean peek( Integer c ) { if ( pushback != null && pushback.intValue() == c ) return true; if ( input == null ) return false; - if ( input.length() == 0 ) return false; + if ( input.isEmpty() ) return false; if ( index >= input.length() ) return false; return input.codePointAt(index) == c; } From d419c6b38b1a55c51269e71a3654150267351ec8 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:29:50 +0200 Subject: [PATCH 026/172] PushbackString: replace length check with isEmpty call --- src/main/java/org/owasp/esapi/codecs/PushbackString.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/PushbackString.java b/src/main/java/org/owasp/esapi/codecs/PushbackString.java index b25cc1f20..310bdeeae 100644 --- a/src/main/java/org/owasp/esapi/codecs/PushbackString.java +++ b/src/main/java/org/owasp/esapi/codecs/PushbackString.java @@ -59,7 +59,7 @@ public boolean hasNext() { if (input == null){ return false; } - if (input.length() == 0){ + if (input.isEmpty()){ return false; } if (index >= input.length()){ @@ -82,7 +82,7 @@ public Character next() { if (input == null){ return null; } - if (input.length() == 0){ + if (input.isEmpty()){ return null; } if (index >= input.length()){ @@ -164,7 +164,7 @@ public Character peek() { if (input == null){ return null; } - if (input.length() == 0){ + if (input.isEmpty()){ return null; } if (index >= input.length()){ @@ -185,7 +185,7 @@ public boolean peek(Character c) { if (input == null){ return false; } - if (input.length() == 0){ + if (input.isEmpty()){ return false; } if (index >= input.length()){ From aac6ab1c721c018995d6b436558dcb812926b99b Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:30:18 +0200 Subject: [PATCH 027/172] PushbackString: fix typo --- src/main/java/org/owasp/esapi/codecs/PushbackString.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
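Review bot: In peek( Integer c ) both comparisons unbox the parameter — `pushback.intValue() == c` and `input.codePointAt(index) == c` — so `peek(null)` throws NullPointerException instead of returning false, unlike the null-tolerant handling of `pushback` and `input` in the same method. If null is a possible argument (callers are not visible here), add `if ( c == null ) return false;` as the first statement; if it is not, the parameter would be clearer as `int`, but that changes a public signature. The PushbackString counterpart `peek(Character c)` (patch 026) is worth checking for the same unboxed comparison, though its comparison lines fall outside that hunk.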
diff --git a/src/main/java/org/owasp/esapi/codecs/PushbackString.java b/src/main/java/org/owasp/esapi/codecs/PushbackString.java index 310bdeeae..c66996a56 100644 --- a/src/main/java/org/owasp/esapi/codecs/PushbackString.java +++ b/src/main/java/org/owasp/esapi/codecs/PushbackString.java @@ -124,11 +124,11 @@ public Character nextOctal() { } /** - * Returns true if the parameter character is a hexidecimal digit 0 through + * Returns true if the parameter character is a hexadecimal digit 0 through * 9, a through f, or A through F. * * @param c - * @return true if it is a hexidecimal digit, false otherwise. + * @return true if it is a hexadecimal digit, false otherwise. */ public static boolean isHexDigit(Character c) { if (c == null){ From 3d47910b46538f61e02c6b1f01c1da63050073dc Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:32:07 +0200 Subject: [PATCH 028/172] Trie: Modifier 'public' is redundant in interface --- src/main/java/org/owasp/esapi/codecs/Trie.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Trie.java b/src/main/java/org/owasp/esapi/codecs/Trie.java index fbb8c99ec..ab25b43b9 100644 --- a/src/main/java/org/owasp/esapi/codecs/Trie.java +++ b/src/main/java/org/owasp/esapi/codecs/Trie.java @@ -9,9 +9,9 @@ public interface Trie extends Map { - public Map.Entry getLongestMatch(CharSequence key); - public Map.Entry getLongestMatch(PushbackReader keyIn) throws IOException; - public int getMaxKeyLength(); + Map.Entry getLongestMatch(CharSequence key); + Map.Entry getLongestMatch(PushbackReader keyIn) throws IOException; + int getMaxKeyLength(); static class TrieProxy implements Trie { @@ -158,7 +158,7 @@ public Set> entrySet() } } - public static class Util + static class Util { private Util() { From 86ef51dfd493fad043019ad969acc8cd77c2ac9e Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 20:33:14 +0200 Subject: [PATCH 029/172] Trie: Modifier 'static' is redundant for inner classes of interfaces --- src/main/java/org/owasp/esapi/codecs/Trie.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Trie.java b/src/main/java/org/owasp/esapi/codecs/Trie.java index ab25b43b9..6f53e977f 100644 --- a/src/main/java/org/owasp/esapi/codecs/Trie.java +++ b/src/main/java/org/owasp/esapi/codecs/Trie.java @@ -13,7 +13,7 @@ public interface Trie extends Map Map.Entry getLongestMatch(PushbackReader keyIn) throws IOException; int getMaxKeyLength(); - static class TrieProxy implements Trie + class TrieProxy implements Trie { private Trie wrapped; @@ -115,7 +115,7 @@ public int hashCode() } } - static class Unmodifiable extends TrieProxy + class Unmodifiable extends TrieProxy { Unmodifiable(Trie toWrap) { @@ -158,7 +158,7 @@ public Set> entrySet() } } - static class Util + class Util { private Util() { From 2b55b334ec65a1372ce2b0aef1f04bcbc63c397a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:36:50 +0200 Subject: [PATCH 030/172] XMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java index c28734387..054cd1e6d 100644 --- a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java @@ -49,7 +49,7 @@ public class XMLEntityCodec extends AbstractCharacterCodec private static final HashTrie entityToCharacterMap; static - { // populate entitites + { // populate entities entityToCharacterMap = new HashTrie(); entityToCharacterMap.put("lt", '<'); entityToCharacterMap.put("gt", '>'); From e95e5d9c676df7a5b683abe37271c0f7fdbecf1e Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 20:37:33 +0200 Subject: [PATCH 031/172] XMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java index 054cd1e6d..b53eec304 100644 --- a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java @@ -153,9 +153,9 @@ private static Character getNumericEntity(PushbackSequence input) } /** - * Convert a integer code point to a Character. + * Convert an integer code point to a Character. * @param i the integer - * @return i as a Character or null if i is a invalid code point + * @return i as a Character or null if i is an invalid code point * or outside of the Java char range. */ private static Character int2char(int i) From 0611d3cc4c507bc82dcd206d46529cc7088dc3c2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:38:18 +0200 Subject: [PATCH 032/172] XMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java index b53eec304..cfe7dfff2 100644 --- a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java @@ -204,7 +204,7 @@ private static Character parseNumber(PushbackSequence input) } /** - * Converts the rest of a hexidecimal numeric entity to a character. + * Converts the rest of a hexadecimal numeric entity to a character. * @param input The input to read from. It is assumed that input * is positioned at the character after the &#[xX] * @return The character decoded or null on failutre. From 34f96cfe691db288f875fae89392af3010e9a944 Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 20:39:01 +0200 Subject: [PATCH 033/172] XMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java index cfe7dfff2..0d81c36ee 100644 --- a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java @@ -190,7 +190,7 @@ private static Character parseNumber(PushbackSequence input) sb.append(c); } if(c==null) - return null; // not ';' termintated + return null; // not ';' terminated if(sb.length()<=0) // no digits return null; try @@ -247,7 +247,7 @@ private static Character parseHex(PushbackSequence input) } } if(c==null) - return null; // not ';' termintated + return null; // not ';' terminated if(sb.length()<=0) // no digits return null; try From 108f659fbf3ed5253621dbeadb520ba81bb5dd57 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:38:38 +0200 Subject: [PATCH 034/172] XMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java index 0d81c36ee..c139a3ab6 100644 --- a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java @@ -207,7 +207,7 @@ private static Character parseNumber(PushbackSequence input) * Converts the rest of a hexadecimal numeric entity to a character. * @param input The input to read from. It is assumed that input * is positioned at the character after the &#[xX] - * @return The character decoded or null on failutre. + * @return The character decoded or null on failure. */ private static Character parseHex(PushbackSequence input) { 
@@ -266,7 +266,7 @@ private static Character parseHex(PushbackSequence input) * null if no decoding is possible. * @param input The input to read from. It is assumed that input * is positioned at the character after the &. - * @return The character decoded or null on failutre. + * @return The character decoded or null on failure. */ private Character getNamedEntity(PushbackSequence input) { From 329acddba44b8878b92cd0fc3214c4a6c15b73ad Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:39:54 +0200 Subject: [PATCH 035/172] XMLEntityCodec: fix typo --- src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java index c139a3ab6..a171b0544 100644 --- a/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/XMLEntityCodec.java @@ -292,7 +292,7 @@ private Character getNamedEntity(PushbackSequence input) input.next(); // read & for(int i=0;i Date: Tue, 6 Aug 2024 20:40:28 +0200 Subject: [PATCH 036/172] EsapiConfiguration: fix typo --- .../owasp/esapi/configuration/consts/EsapiConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java b/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java index e5e330569..43df2fa1c 100644 --- a/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java +++ b/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java @@ -16,7 +16,7 @@ public enum EsapiConfiguration { String configName; /** - * Priority of configuration (higher numer - higher priority). + * Priority of configuration (higher number - higher priority). */ int priority; From 5d2bc33820a9f132bacf2706827310d1067be254 Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 20:41:21 +0200 Subject: [PATCH 037/172] AbstractPrioritizedPropertyLoader: fix typo --- .../esapi/configuration/AbstractPrioritizedPropertyLoader.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java index 8869694ce..cf145a800 100644 --- a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java +++ b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java @@ -7,7 +7,7 @@ import java.util.Properties; /** - * Abstrace class that supports two "levels" of priorities for ESAPI properties. + * Abstract class that supports two "levels" of priorities for ESAPI properties. * The higher level is the property file supported by an "operations" team and * the lower level is the property file intended to be supported by the * "development" team. ESAPI properties defined in the lower level properties From 6b05a8eb7eb843fa0f465b3234f42df4d90383df Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:41:53 +0200 Subject: [PATCH 038/172] AbstractPrioritizedPropertyLoader: fix grammar --- .../esapi/configuration/AbstractPrioritizedPropertyLoader.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java index cf145a800..2ca897707 100644 --- a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java +++ b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java 
@@ -42,7 +42,7 @@ public AbstractPrioritizedPropertyLoader(String filename, int priority) throws I /** * Get priority of this property loader. If two and more loaders can return value for the same property key, - * the one with highest priority will be chosen. + * the one with the highest priority will be chosen. * @return priority of this property loader */ public int priority() { From 78eb9c28207aa448bc9e57589529572313207e5b Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:43:11 +0200 Subject: [PATCH 039/172] AbstractPrioritizedPropertyLoader: fix typo --- .../esapi/configuration/AbstractPrioritizedPropertyLoader.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java index 2ca897707..debdc1174 100644 --- a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java +++ b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java @@ -73,7 +73,7 @@ private void initProperties() throws IOException { if ( file.canRead() ) { loadPropertiesFromFile(file); } else { - throw new IOException("Can't read specificied configuration file: " + filename); + throw new IOException("Can't read specified configuration file: " + filename); } } else { throw new FileNotFoundException("Specified configuration file " + filename + " does not exist or not regular file"); From 72a1429a7bdeaf4accf0a2a9f3173762f3d8c0f9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:44:55 +0200 Subject: [PATCH 040/172] EsapiPropertyLoaderFactory: replace with isEmpty call --- .../owasp/esapi/configuration/EsapiPropertyLoaderFactory.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/configuration/EsapiPropertyLoaderFactory.java b/src/main/java/org/owasp/esapi/configuration/EsapiPropertyLoaderFactory.java
index d6a1dffcd..49bd4766b 100644
--- a/src/main/java/org/owasp/esapi/configuration/EsapiPropertyLoaderFactory.java
+++ b/src/main/java/org/owasp/esapi/configuration/EsapiPropertyLoaderFactory.java
@@ -19,7 +19,7 @@ public class EsapiPropertyLoaderFactory {
 public static AbstractPrioritizedPropertyLoader createPropertyLoader(EsapiConfiguration cfg)
 throws ConfigurationException, IOException {
 String cfgPath = System.getProperty(cfg.getConfigName());
- if ( cfgPath == null || cfgPath.equals("") ) {
+ if ( cfgPath == null || cfgPath.isEmpty() ) {
 // TODO / FIXME:
 // This case was previously a warning, but it should NOT have been
 // since these system properties are optional. Most people just use
From a43c119fb80af2ea2e60b7237a695b9bab9a27e3 Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 20:52:45 +0200
Subject: [PATCH 041/172] CipherText: fix typo
---
 src/main/java/org/owasp/esapi/crypto/CipherText.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherText.java b/src/main/java/org/owasp/esapi/crypto/CipherText.java
index e0b549da3..45873f45f 100644
--- a/src/main/java/org/owasp/esapi/crypto/CipherText.java
+++ b/src/main/java/org/owasp/esapi/crypto/CipherText.java
@@ -484,7 +484,7 @@ public boolean validateMAC(SecretKey authKey) {
 return true;
 } else {
 // This *used* to be the case (for versions 2.0 and 2.0.1) where we tried to
- // accomodate the deprecated decrypt() method from ESAPI 1.4. Unfortunately,
+ // accommodate the deprecated decrypt() method from ESAPI 1.4. Unfortunately,
 // that was an EPIC FAIL. (See Google Issue # 306 for details.)
 logger.warning(Logger.SECURITY_FAILURE, "MAC may have been tampered with (e.g., length set to 0).");
 return false; // Deprecated decrypt() method removed, so now return false.
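Review bot: The new `cfgPath.isEmpty()` check still treats a whitespace-only system property as a configured path, so a value such as `" "` would bypass the optional-property branch that the comment below describes and presumably reach whatever loading the rest of createPropertyLoader does. If a blank value should also count as "not set", `if ( cfgPath == null || cfgPath.trim().isEmpty() ) {` keeps that intent without changing how null and empty are handled. The same consideration applies to the equivalent isEmpty() changes in CryptoHelper (PATCH 051) and KeyDerivationFunction (PATCH 058), where the callers' tolerance for blank input is not visible here. createPropertyLoader's body continues outside the hunk.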
From 41b4ee4b9b67ea3049ac330e999e56976f2ab03b Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 20:52:59 +0200
Subject: [PATCH 042/172] CipherText: fix typo
---
 src/main/java/org/owasp/esapi/crypto/CipherText.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherText.java b/src/main/java/org/owasp/esapi/crypto/CipherText.java
index 45873f45f..d706f39c9 100644
--- a/src/main/java/org/owasp/esapi/crypto/CipherText.java
+++ b/src/main/java/org/owasp/esapi/crypto/CipherText.java
@@ -494,7 +494,7 @@ public boolean validateMAC(SecretKey authKey) {
 /**
 * Return this {@code CipherText} object as a portable (i.e., network byte
 * ordered) serialized byte array. Note this is not the same as
- * returning a serialized object using Java serialization. Instead this
+ * returning a serialized object using Java serialization. Instead, this
 * is a representation that all ESAPI implementations will use to pass
 * ciphertext between different programming language implementations.
 *
From 74b154849faae62d6524b57045d8cf7ea8acb5e8 Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 20:53:22 +0200
Subject: [PATCH 043/172] CipherText: fix typo
---
 src/main/java/org/owasp/esapi/crypto/CipherText.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherText.java b/src/main/java/org/owasp/esapi/crypto/CipherText.java
index d706f39c9..ef72ef984 100644
--- a/src/main/java/org/owasp/esapi/crypto/CipherText.java
+++ b/src/main/java/org/owasp/esapi/crypto/CipherText.java
@@ -539,7 +539,7 @@ public void setCiphertext(byte[] ciphertext)
 {
 if ( ! macComputed() ) {
 if ( ciphertext == null || ciphertext.length == 0 ) {
- throw new EncryptionException("Encryption faled; no ciphertext",
+ throw new EncryptionException("Encryption failed; no ciphertext",
 "Ciphertext may not be null or 0 length!");
 }
 if ( isCollected(CipherTextFlags.CIPHERTEXT) ) {
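Review bot: The corrected message `"Encryption failed; no ciphertext"` and its null-or-empty guard are duplicated verbatim between setCiphertext in this hunk and setIVandCiphertext in the second hunk of the same patch, which is why the same typo had to be fixed twice. A private helper such as `checkCiphertextPresent(ciphertext)` holding the guard and the two-argument EncryptionException would keep the message and any future change to it in one place. Both method bodies continue outside their hunks.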
@@ -573,7 +573,7 @@ public void setIVandCiphertext(byte[] iv, byte[] ciphertext) } if ( ! macComputed() ) { if ( ciphertext == null || ciphertext.length == 0 ) { - throw new EncryptionException("Encryption faled; no ciphertext", + throw new EncryptionException("Encryption failed; no ciphertext", "Ciphertext may not be null or 0 length!"); } if ( iv == null || iv.length == 0 ) { From 0b4db8c3a11648f9a59e533d441b6927b5208e00 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:54:23 +0200 Subject: [PATCH 044/172] CipherText: fix typo --- src/main/java/org/owasp/esapi/crypto/CipherText.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CipherText.java b/src/main/java/org/owasp/esapi/crypto/CipherText.java index ef72ef984..58f5a8635 100644 --- a/src/main/java/org/owasp/esapi/crypto/CipherText.java +++ b/src/main/java/org/owasp/esapi/crypto/CipherText.java @@ -789,7 +789,7 @@ protected boolean canEqual(Object other) { *
          *      HMAC-SHA1(nonce, IV + plaintext)
          * 
    - * Note that only HMAC-SHA1 is used for the MAC calcuation. Unlike + * Note that only HMAC-SHA1 is used for the MAC calculation. Unlike * the PRF used for derived key generation in the {@code KeyDerivationFunction} * class, the user cannot change the algorithm used to compute the MAC itself. * One reason for that is that we don't want the MAC value to be excessively From 90c930d8c163fdf4270d0432e179e0423416f3fe Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:58:14 +0200 Subject: [PATCH 045/172] CipherTextSerializer: fix grammar --- .../java/org/owasp/esapi/crypto/CipherTextSerializer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java index c5daa7d85..24a15139b 100644 --- a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java +++ b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java @@ -34,8 +34,8 @@ */ public class CipherTextSerializer { // This should be *same* version as in CipherText & KeyDerivationFunction as - // these versions all need to work together. Therefore, when one changes one - // one these versions, the other should be reviewed and changed as well to + // these versions all need to work together. Therefore, when someone changes one + // of these versions, the other should be reviewed and changed as well to // accommodate any differences. // Previous versions: 20110203 - Original version (ESAPI releases 2.0 & 2.0.1) // 20130830 - Fix to issue #306 (release 2.1.0) From cee815cdd24f0b13df502dbc76795cf00e0ec195 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:58:54 +0200 Subject: [PATCH 046/172] CipherTextSerializer: fix typo --- src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java index 24a15139b..abd44be1b 100644 --- a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java +++ b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java @@ -39,7 +39,7 @@ public class CipherTextSerializer { // accommodate any differences. // Previous versions: 20110203 - Original version (ESAPI releases 2.0 & 2.0.1) // 20130830 - Fix to issue #306 (release 2.1.0) - // We check that in an static initialization block below. + // We check that in a static initialization block below. public static final int cipherTextSerializerVersion = 20130830; // Current version. Format: YYYYMMDD, max is 99991231. private static final long serialVersionUID = cipherTextSerializerVersion; From 1474758fb0bb0ea923369fcee340c2be683fabd2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 20:56:58 +0200 Subject: [PATCH 047/172] CipherTextSerializer: fix typo --- .../java/org/owasp/esapi/crypto/CipherTextSerializer.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java index abd44be1b..29a561988 100644 --- a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java +++ b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java @@ -26,7 +26,7 @@ * and do not have extensive support for the various implementation languages which ESAPI * supports. (Perhaps wishful thinking that other ESAPI implementations such as * ESAPI for .NET, ESAPI for C, ESAPI for C++, etc. will all support a single, common - * serialization technique so they could exchange encrypted data.) + * serialization technique, so they could exchange encrypted data.) * * @author kevin.w.wall@gmail.com * @since 2.0 
@@ -207,7 +207,7 @@ private byte[] computeSerialization(int kdfInfo, long timestamp, // All strings are written as UTF-8 encoded byte streams with the // length prepended before it as a short. The prepended length is - // more for the benefit of languages like C so they can pre-allocate + // more for the benefit of languages like C, so they can pre-allocate // char arrays without worrying about buffer overflows. private void writeString(ByteArrayOutputStream baos, String str) { byte[] bytes; @@ -405,7 +405,7 @@ private CipherText convertToCipherText(byte[] cipherTextSerializedBytes) // Fixed in ESAPI crypto version 20130839. Previously is didn't really matter // because there was only one version (20110203) and it defaulted to that // version, which was the current version. But we don't want that as now there - // are two versions and we could be decrypting data encrypted using the previous + // are two versions, and we could be decrypting data encrypted using the previous // version. ct.setKDF_PRF(kdfPrf); ct.setKDFVersion(kdfVers); From 23985cdef0d452f2dd80220a8f7159dcbc513b52 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:02:31 +0200 Subject: [PATCH 048/172] CipherTextSerializer: replace length check with isEmpty call --- src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java index 29a561988..c8b0315b2 100644 --- a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java +++ b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java 
@@ -212,7 +212,7 @@ private byte[] computeSerialization(int kdfInfo, long timestamp,
 private void writeString(ByteArrayOutputStream baos, String str) {
 byte[] bytes;
 try {
- if ( str == null || str.length() == 0 ) {
+ if ( str == null || str.isEmpty() ) {
 throw new IllegalArgumentException("Program error? writeString: str is null or empty!");
 }
 bytes = str.getBytes("UTF8");
From 3df9171b6b2f88e7bfe07e358b18845957e2871a Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 21:03:45 +0200
Subject: [PATCH 049/172] CryptoHelper: fix typo
---
 src/main/java/org/owasp/esapi/crypto/CryptoHelper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
index 922fbf33d..98f2eb518 100644
--- a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
+++ b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
@@ -50,7 +50,7 @@ public class CryptoHelper {
 * @param keySize The key size, in bits.
 * @return A random {@code SecretKey} is returned.
 * @throws EncryptionException Thrown if cannot create secret key conforming to
- * requested algorithm with requested size. Typically this is caused by
+ * requested algorithm with requested size. Typically, this is caused by
 * specifying an unavailable algorithm or invalid key size.
 */
 public static SecretKey generateSecretKey(String alg, int keySize)
From 86ba9ed4c37e117a915c60f954707a419d790b60 Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 21:04:53 +0200
Subject: [PATCH 050/172] CryptoHelper: fix typo
---
 src/main/java/org/owasp/esapi/crypto/CryptoHelper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
index 98f2eb518..1f2b5bfea 100644
--- a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
+++ b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
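Review bot: The line right after the changed guard, `bytes = str.getBytes("UTF8");`, selects the charset by name and is presumably the reason the surrounding try block exists; `bytes = str.getBytes(StandardCharsets.UTF_8);` cannot throw, which would let the null-or-empty check stand as a plain precondition outside the try. Separately, the writeString comment shown in PATCH 047 says the byte length is prepended as a short, so a string whose UTF-8 encoding exceeds that range would be written with a truncated length prefix; the write itself is outside this hunk, but an explicit upper bound on `bytes.length` beside this check would turn that case into a clear failure rather than a corrupted serialization. writeString's body continues outside the hunk.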
@@ -128,7 +128,7 @@ public static SecretKey generateSecretKey(String alg, int keySize) * be a common encoding supported by all Java implementations. Support * for it is usually in rt.jar.) This exception is also thrown if the * requested {@code keySize} parameter exceeds the length of the number of - * bytes provded in the {@code keyDerivationKey} parameter. + * bytes provided in the {@code keyDerivationKey} parameter. * @throws InvalidKeyException Likely indicates a coding error. Should not happen. * @throws EncryptionException Throw for some precondition violations. * @deprecated Use same method in {@code KeyDerivationFunction} instead. This method will be removed as of From 058ba935df840c313c02876fa03a4bb2d5f49114 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:04:29 +0200 Subject: [PATCH 051/172] CryptoHelper: replace with isEmpty call --- src/main/java/org/owasp/esapi/crypto/CryptoHelper.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java index 1f2b5bfea..ef035184b 100644 --- a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java @@ -56,7 +56,7 @@ public class CryptoHelper { public static SecretKey generateSecretKey(String alg, int keySize) throws EncryptionException { - if ( alg == null || alg.equals("") ) { + if ( alg == null || alg.isEmpty() ) { throw new IllegalArgumentException("Algorithm must not be null or empty."); // Avoid later possibly ambiguous NPE. } if ( keySize <= 0 ) { @@ -189,7 +189,7 @@ public static boolean isCombinedCipherMode(String cipherMode) if ( cipherMode == null ) { throw new IllegalArgumentException("Cipher mode may not be null"); } - if ( cipherMode.equals("") ) { + if ( cipherMode.isEmpty() ) { throw new IllegalArgumentException("Cipher mode may not be empty string"); } List combinedCipherModes = 
From 28216b79439226c209ce2bd6b3f390f00c8b0f90 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:06:18 +0200 Subject: [PATCH 052/172] CryptoHelper: fix grammar --- src/main/java/org/owasp/esapi/crypto/CryptoHelper.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java index ef035184b..a665449b5 100644 --- a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java @@ -254,7 +254,7 @@ public static boolean isMACRequired(CipherText ct) { * should be embedded within the {@code CipherText} object by using a * derived key based on the specified {@code SecretKey}. * - * @param sk The {@code SecretKey} used to derived a key to check + * @param sk The {@code SecretKey} used to derive a key to check * the authenticity via the MAC. * @param ct The {@code CipherText} that we are checking for a * valid MAC. From 62f1e5f95cb76f0793f9e2a3f2fad043132e3acc Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:07:52 +0200 Subject: [PATCH 053/172] CryptoToken: fix typo --- src/main/java/org/owasp/esapi/crypto/CryptoToken.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java index c12ee10dc..168431e71 100644 --- a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java @@ -71,7 +71,7 @@ * will also be quoted using '\'. Hence if original name/value pair were * name=ab=xy\; * this would be represented as name=ab\=xy\\\;. * To ensure things are "safe" (from a security perspective), attribute - * names must conform the the Java regular expression + * names must conform to the Java regular expression *
      *          [A-Za-z0-9_\.-]+
      * 
    From ac70d5536e3aae4f511e50b60d959ca0f5416f10 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:08:02 +0200 Subject: [PATCH 054/172] CryptoToken: fix typo --- src/main/java/org/owasp/esapi/crypto/CryptoToken.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java index 168431e71..c6171b75a 100644 --- a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java @@ -68,7 +68,7 @@ * * The attribute value may contain any value. However, values containing * either '=' or ';' will be quoted using '\'. Likewise, values containing '\' - * will also be quoted using '\'. Hence if original name/value pair were + * will also be quoted using '\'. Hence, if original name/value pair were * name=ab=xy\; * this would be represented as name=ab\=xy\\\;. * To ensure things are "safe" (from a security perspective), attribute * names must conform to the Java regular expression From f5002a4b7c94c81d361927ecfbb869aaa9a7dfc5 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:09:56 +0200 Subject: [PATCH 055/172] CryptoToken: fix typo --- src/main/java/org/owasp/esapi/crypto/CryptoToken.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java index c6171b75a..7e3f9a367 100644 --- a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java @@ -409,7 +409,7 @@ public String getAttribute(String name) { */ @SuppressWarnings("unchecked") public Map getAttributes() { - // Unfortunately, this requires a cast, which requires us to supress warnings. + // Unfortunately, this requires a cast, which requires us to suppress warnings. return (Map) attributes.clone(); } 
From 2c34a36d523d4f55e9c2d41dcae3596fada93d9a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:09:37 +0200 Subject: [PATCH 056/172] CryptoToken: remove unnecessary return --- src/main/java/org/owasp/esapi/crypto/CryptoToken.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java index 7e3f9a367..2acf9a5c1 100644 --- a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java @@ -385,7 +385,6 @@ public void addAttributes(final Map attrs) throws ValidationExce String value = entry.getValue(); setAttribute(key, value); } - return; } /** @@ -724,7 +723,6 @@ private void decryptToken(SecretKey skey, String b64token) throws EncryptionExce } attributes.put(name, value); } - return; } private SecretKey getDefaultSecretKey(String encryptAlgorithm) { From 8fbedf03e1a955f885656bbcc8e33c6be775febd Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:12:34 +0200 Subject: [PATCH 057/172] CryptoToken: fix typo --- src/main/java/org/owasp/esapi/crypto/CryptoToken.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java index 2acf9a5c1..0dce89e94 100644 --- a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java 
@@ -566,7 +566,7 @@ private String getQuotedAttributes() { // Do NOT define a toString() method as there may be sensitive // information contained in the attribute names. If we absolutely // need this, then only return the username and expiration time, and - // _maybe_ the attribute names, but not there values. And obviously, + // _maybe_ the attribute names, but not their values. And obviously, // we NEVER want to include the SecretKey should we decide to do this. /* * public String toString() { return null; } From 03d9d7202c684b196e9d58269d29f0043d412932 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:14:24 +0200 Subject: [PATCH 058/172] KeyDerivationFunction: replace with isEmpty call --- src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java index 02f925bfb..d2d9ead07 100644 --- a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java +++ b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java @@ -319,7 +319,7 @@ public SecretKey computeDerivedKey(SecretKey keyDerivationKey, int keySize, Stri throw new IllegalArgumentException("Key size (" + keySize + ") must be a even multiple of 8-bits."); } - if ( purpose == null || "".equals(purpose) ) { + if ( purpose == null || purpose.isEmpty() ) { throw new IllegalArgumentException("Purpose may not be null or empty."); } From 29ed93d26da820d6c645150ba4677d55bf503824 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:15:14 +0200 Subject: [PATCH 059/172] KeyDerivationFunction: fix typo --- src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java index d2d9ead07..a16cf1f44 100644 --- a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java +++ b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java @@ -440,7 +440,7 @@ public SecretKey computeDerivedKey(SecretKey keyDerivationKey, int keySize, Stri // not do this if tmpKey were declared in the do-while loop. // Of course, in reality, trying to stomp these bits out is probably not // realistic because the JIT is likely toing to be smart enough to - // optimze this loop away. We probably could try to outsmart it, by + // optimize this loop away. We probably could try to outsmart it, by // (say) writing out the overwritten bits to /dev/null, but then even // then we'd still probably have to overwrite with random bits rather // than all null chars. How much is enough? Who knows? But it does point From 312b71317bf490390281a72169bab6ce0d8f7554 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:15:33 +0200 Subject: [PATCH 060/172] KeyDerivationFunction: fix typo --- src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java index a16cf1f44..0a94c105c 100644 --- a/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java +++ b/src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java 
@@ -441,7 +441,7 @@ public SecretKey computeDerivedKey(SecretKey keyDerivationKey, int keySize, Stri // Of course, in reality, trying to stomp these bits out is probably not // realistic because the JIT is likely toing to be smart enough to // optimize this loop away. We probably could try to outsmart it, by - // (say) writing out the overwritten bits to /dev/null, but then even + // (say) writing out the overwritten bits to /dev/null, but even // then we'd still probably have to overwrite with random bits rather // than all null chars. How much is enough? Who knows? But it does point // to a serious limitation in Java and many other languages that one From cc8dba1bc2a14f7c140f16b3536439c23865aee7 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:16:41 +0200 Subject: [PATCH 061/172] PlainText: fix typo --- src/main/java/org/owasp/esapi/crypto/PlainText.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/PlainText.java b/src/main/java/org/owasp/esapi/crypto/PlainText.java index 60fda894c..4866b8048 100644 --- a/src/main/java/org/owasp/esapi/crypto/PlainText.java +++ b/src/main/java/org/owasp/esapi/crypto/PlainText.java @@ -16,7 +16,7 @@ * an {@code UnsupportedEncodingException}. However, UTF-8 encoding * should be a standard encoding for all Java installations, so an * {@code UnsupportedEncodingException} never actually be thrown. Therefore, - * in order to to keep client code uncluttered, any possible + * in order to keep client code uncluttered, any possible * {@code UnsupportedEncodingException}s will be first logged, and then * re-thrown as a {@code RuntimeException} with the original * {@code UnsupportedEncodingException} as the cause. From 03e4f6868867a86e0d04376fc6ddb4fcae0dfe1f Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 21:20:32 +0200 Subject: [PATCH 062/172] SecurityProviderLoader: fix typo --- .../java/org/owasp/esapi/crypto/SecurityProviderLoader.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/crypto/SecurityProviderLoader.java b/src/main/java/org/owasp/esapi/crypto/SecurityProviderLoader.java index a5cbd708c..dcfa5490c 100644 --- a/src/main/java/org/owasp/esapi/crypto/SecurityProviderLoader.java +++ b/src/main/java/org/owasp/esapi/crypto/SecurityProviderLoader.java @@ -33,7 +33,7 @@ public class SecurityProviderLoader { // Load the table with known providers. We load the (short) JCE name // and the corresponding provider class. We don't 'new' the actual // class name here because that would mean we would have to have all - // these jars. Instead we use reflection and do it dynamically only + // these jars. Instead, we use reflection and do it dynamically only // when SecurityProviderLoader.insertProviderAt() is called because // presumably they will have the jar in their classpath for the // provider they wish to use. From 29ec1d6495d7f718b1d276cc1628f8a5c8fc3d2c Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:23:35 +0200 Subject: [PATCH 063/172] RequestRateThrottleFilter: fix typo --- .../java/org/owasp/esapi/filters/RequestRateThrottleFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java b/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java index ed263e55e..47774b895 100644 --- a/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java +++ b/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java 
@@ -62,7 +62,7 @@ public void init(FilterConfig filterConfig) * Checks to see if the current session has exceeded the allowed number * of requests in the specified time period. If the threshold has been * exceeded, then a short error message is written to the output stream and - * no further processing is done on the request. Otherwise the request is + * no further processing is done on the request. Otherwise, the request is * processed as normal. * @param request * @param response From 2b0f1790cb938ff8263e16e9a88caf2d92a9488c Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:26:27 +0200 Subject: [PATCH 064/172] SecurityWrapperRequest: fix typo --- .../java/org/owasp/esapi/filters/SecurityWrapperRequest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java b/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java index 26fa7a7a3..71c74c652 100644 --- a/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java +++ b/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java @@ -628,7 +628,7 @@ public String getRequestURI() { /** * Returns the URL from the HttpServletRequest after canonicalizing and * filtering out any dangerous characters. - * @return The currect request URL + * @return The current request URL */ public StringBuffer getRequestURL() { String url = getHttpServletRequest().getRequestURL().toString(); From ae0be484b4269bf5f181e5d2162e210b99f28fcd Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:27:39 +0200 Subject: [PATCH 065/172] SecurityWrapperResponse: replace length check with isEmpty call --- .../java/org/owasp/esapi/filters/SecurityWrapperResponse.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java index f05682cba..ad04847e6 100644 
--- a/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java +++ b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java @@ -92,7 +92,7 @@ public void addCookie(Cookie cookie) { String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false, errors); // if there are no errors, then just set a cookie header - if (errors.size() == 0) { + if (errors.isEmpty()) { String header = createCookieHeader(name, value, maxAge, domain, path, secure); this.addHeader("Set-Cookie", header); return; From 54749678f8297fcd0807512ead6fc4354e8c31e0 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:33:42 +0200 Subject: [PATCH 066/172] SecurityWrapperResponse: replace String concatenation with StringBuilder --- .../esapi/filters/SecurityWrapperResponse.java | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java index ad04847e6..1676829a1 100644 --- a/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java +++ b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java 
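Review bot: The validated result is thrown away — `cookieValue` is assigned from `getValidInput`, but inside the `errors.isEmpty()` branch the header is still built from the raw `value` (and from `name`, whose validation presumably happens just above the hunk, where `addCookie` begins). Because the branch only runs when `errors` is empty, the raw strings did pass the whitelist check, so the exposure is limited, but the canonicalized string returned by the validator is the one that was actually approved and it is the one that should reach the header. `String header = createCookieHeader(cookieName, cookieValue, maxAge, domain, path, secure);` would use it and also silence the unused-variable warning on `cookieValue`; confirm that `cookieName` exists above the hunk before relying on it.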
@@ -127,23 +127,24 @@ private String createCookieHeader(String name, String value, int maxAge, String // create the special cookie header instead of creating a Java cookie // Set-Cookie:=[; =][; expires=][; // domain=][; path=][; secure][;HttpOnly - String header = name + "=" + value; + StringBuilder header = new StringBuilder() + .append(name).append("=").append(value); if (maxAge >= 0) { - header += "; Max-Age=" + maxAge; + header.append("; Max-Age=").append(maxAge); } if (domain != null) { - header += "; Domain=" + domain; + header.append("; Domain=").append(domain); } if (path != null) { - header += "; Path=" + path; + header.append("; Path=").append(path); } if ( secure || ESAPI.securityConfiguration().getBooleanProp("HttpUtilities.ForceSecureCookies") ) { - header += "; Secure"; + header.append("; Secure"); } if ( ESAPI.securityConfiguration().getBooleanProp("HttpUtilities.ForceHttpOnlyCookies") ) { - header += "; HttpOnly"; + header.append("; HttpOnly"); } - return header; + return header.toString(); } /** From ebf891d70721da8f16f50f46637f251728654157 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:37:51 +0200 Subject: [PATCH 067/172] CompositeLogScrubber: fix typo --- .../org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java b/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java index 1638ca51f..72da7f2ba 100644 --- a/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java +++ b/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java @@ -21,7 +21,7 @@ * LogScrubber implementation which performs iterative delegate to an ordered * List of LogScrubbers.
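Review bot: `domain` and `path` are appended to the Set-Cookie header verbatim, and the only validation visible on this page is the name/value check in `addCookie`; unless those two attributes are validated somewhere outside this hunk, a CR/LF or `;` in either would split the header or inject extra cookie attributes. Either validate them through the ESAPI Validator before appending (rejecting the cookie when they fail) or add a comment on the `domain != null` line stating where the caller guarantees they are clean, so the next reader does not have to guess. Stylistically, `new StringBuilder(name).append('=').append(value)` reads more directly than an empty builder followed by three appends. The method signature is only in the hunk's context line; the body runs to `return header.toString();` within the hunk.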
    * The results of the delegate list of LogScrubbers is additive, meaning that - * the the original message is passed to the first delegate and its return value + * the original message is passed to the first delegate and its return value * is passed to the second (etc).
    * */ From 0b3e75776cb4b966150aa24f584b8ab649327179 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:38:40 +0200 Subject: [PATCH 068/172] JavaLogBridge: fix typo --- src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java b/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java index 078afdf9b..2d1243c05 100644 --- a/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java +++ b/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java @@ -19,7 +19,7 @@ import org.owasp.esapi.Logger.EventType; /** - * Contract for translating an ESAPI log event into an Java log event. + * Contract for translating an ESAPI log event into a Java log event. * */ public interface JavaLogBridge { From 0fc8ec350af90fa843b52636851683843e67cc29 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:42:19 +0200 Subject: [PATCH 069/172] Authenticator: fix typo --- src/main/java/org/owasp/esapi/Authenticator.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/Authenticator.java b/src/main/java/org/owasp/esapi/Authenticator.java index e113b0bdd..4e83903d5 100644 --- a/src/main/java/org/owasp/esapi/Authenticator.java +++ b/src/main/java/org/owasp/esapi/Authenticator.java @@ -148,7 +148,7 @@ public interface Authenticator { *

    * WARNING: The implementation of this method as defined in the * default reference implementation class, {@code FileBasedAuthenticator}, - * uses a password hash algorthim that is known to be weak. You are advised + * uses a password hash algorithm that is known to be weak. You are advised * to replace the default reference implementation class with your own custom * implementation that uses a stronger password hashing algorithm. * See class comments in * {@code FileBasedAuthenticator} for further details. From e3227ae81ded7285845948b8b60fda977f80b3ae Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:44:08 +0200 Subject: [PATCH 070/172] Encoder: fix typo --- src/main/java/org/owasp/esapi/Encoder.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/Encoder.java b/src/main/java/org/owasp/esapi/Encoder.java index 22ae8f94b..ad4950dc9 100644 --- a/src/main/java/org/owasp/esapi/Encoder.java +++ b/src/main/java/org/owasp/esapi/Encoder.java @@ -519,7 +519,7 @@ public interface Encoder { * * NB: The reference implementation encodes almost everything and may over-encode. * - * The difficulty with XPath encoding is that XPath has no built in mechanism for escaping + * The difficulty with XPath encoding is that XPath has no built-in mechanism for escaping * characters. It is possible to use XQuery in a parameterized way to * prevent injection. * From 8a598ae01cc29c69748300176aba23213f1c0ba9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:47:36 +0200 Subject: [PATCH 071/172] Encryptor: untangle unclear sentence --- src/main/java/org/owasp/esapi/Encryptor.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/owasp/esapi/Encryptor.java b/src/main/java/org/owasp/esapi/Encryptor.java index 28bb896a3..2333da821 100644 --- a/src/main/java/org/owasp/esapi/Encryptor.java +++ b/src/main/java/org/owasp/esapi/Encryptor.java 
@@ -162,8 +162,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext) *

    * @param ciphertext The {@code CipherText} object to be decrypted. * @return The {@code PlainText} object resulting from decrypting the specified - * ciphertext. Note that it it is desired to convert the returned - * plaintext byte array to a Java String is should be done using + * ciphertext. Note that the returned plaintext byte array + * should be converted to a Java String using * {@code new String(byte[], "UTF-8");} rather than simply using * {@code new String(byte[]);} which uses native encoding and may * not be portable across hardware and/or OS platforms. @@ -186,8 +186,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext) * @param key The {@code SecretKey} to use for encrypting the plaintext. * @param ciphertext The {@code CipherText} object to be decrypted. * @return The {@code PlainText} object resulting from decrypting the specified - * ciphertext. Note that it it is desired to convert the returned - * plaintext byte array to a Java String is should be done using + * ciphertext. Note that the returned plaintext byte array + * should be converted to a Java String using * {@code new String(byte[], "UTF-8");} rather than simply using * {@code new String(byte[]);} which uses native encoding and may * not be portable across hardware and/or OS platforms. From 8a25f268eb60c2ca1f3ec9905c7d6cf6f9d6dcc9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:49:19 +0200 Subject: [PATCH 072/172] ESAPI: fix typo --- src/main/java/org/owasp/esapi/ESAPI.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/ESAPI.java b/src/main/java/org/owasp/esapi/ESAPI.java index ef389d020..c42a21ff8 100644 --- a/src/main/java/org/owasp/esapi/ESAPI.java +++ b/src/main/java/org/owasp/esapi/ESAPI.java 
@@ -93,7 +93,7 @@ public static Authenticator authenticator() { } /** - * The ESAPI Encoder is primarilly used to provide output encoding to + * The ESAPI Encoder is primarily used to provide output encoding to * prevent Cross-Site Scripting (XSS). * @return the current ESAPI Encoder object being used to encode and decode data for this application. */ From 5412623160c529325e02fccc476b22f7fa410d25 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:51:13 +0200 Subject: [PATCH 073/172] HTTPUtilities: fix typo --- src/main/java/org/owasp/esapi/HTTPUtilities.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/HTTPUtilities.java b/src/main/java/org/owasp/esapi/HTTPUtilities.java index 9cdfc36b0..651de76e1 100644 --- a/src/main/java/org/owasp/esapi/HTTPUtilities.java +++ b/src/main/java/org/owasp/esapi/HTTPUtilities.java @@ -377,7 +377,7 @@ public interface HTTPUtilities * everything to keey your application and environment secure. Some of the more obvious omissions are the * absence of examining the actual file content to determine the actual file type or running some AV scan * on the uploaded files. You have to add that functionality to you if you want or need that. Some - * reasource that you may find usefule are: + * reasource that you may find useful are: *
      *
    • OWASP File Upload Cheat Sheet
    • *
    • OWASP Denial of Service Cheat Sheet
    • From da38c89beb6902b5927128b725036751f88d39ef Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:51:21 +0200 Subject: [PATCH 074/172] HTTPUtilities: fix typo --- src/main/java/org/owasp/esapi/HTTPUtilities.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/HTTPUtilities.java b/src/main/java/org/owasp/esapi/HTTPUtilities.java index 651de76e1..582f1a1b7 100644 --- a/src/main/java/org/owasp/esapi/HTTPUtilities.java +++ b/src/main/java/org/owasp/esapi/HTTPUtilities.java @@ -377,7 +377,7 @@ public interface HTTPUtilities * everything to keey your application and environment secure. Some of the more obvious omissions are the * absence of examining the actual file content to determine the actual file type or running some AV scan * on the uploaded files. You have to add that functionality to you if you want or need that. Some - * reasource that you may find useful are: + * resource that you may find useful are: *
        *
      • OWASP File Upload Cheat Sheet
      • *
      • OWASP Denial of Service Cheat Sheet
      • From 86c8d173af1832c581538b79296eab31e906bcb3 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:52:13 +0200 Subject: [PATCH 075/172] Logger: fix typo --- src/main/java/org/owasp/esapi/Logger.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/Logger.java b/src/main/java/org/owasp/esapi/Logger.java index 288509b92..7974aecbb 100644 --- a/src/main/java/org/owasp/esapi/Logger.java +++ b/src/main/java/org/owasp/esapi/Logger.java @@ -91,7 +91,7 @@ * Customization: It is expected that most organizations may wish to implement their own custom {@code Logger} class in * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations * can serve as a useful starting point to intended to provide a simple functional example of an implementation, but - * they are also largely usuable out-of-the-box with some additional minimal log configuration. + * they are also largely usable out-of-the-box with some additional minimal log configuration. * * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security From 82a8e72f5d9722f27a9120706c07e8595e90837d Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:52:21 +0200 Subject: [PATCH 076/172] Logger: fix typo --- src/main/java/org/owasp/esapi/Logger.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/Logger.java b/src/main/java/org/owasp/esapi/Logger.java index 7974aecbb..b0a5b7ccc 100644 --- a/src/main/java/org/owasp/esapi/Logger.java +++ b/src/main/java/org/owasp/esapi/Logger.java @@ -89,7 +89,7 @@ * the basis for its logging implementation. Both provided implementations implement requirements #1 through #5 above. *

        * Customization: It is expected that most organizations may wish to implement their own custom {@code Logger} class in - * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations + * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI reference implementations * can serve as a useful starting point to intended to provide a simple functional example of an implementation, but * they are also largely usable out-of-the-box with some additional minimal log configuration. * From 157eb29d516c2a979b50c03cee511d03b0677221 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 21:55:21 +0200 Subject: [PATCH 077/172] SafeFile: remove unnecessary null checks --- src/main/java/org/owasp/esapi/SafeFile.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/SafeFile.java b/src/main/java/org/owasp/esapi/SafeFile.java index e048e9419..da791c6f5 100644 --- a/src/main/java/org/owasp/esapi/SafeFile.java +++ b/src/main/java/org/owasp/esapi/SafeFile.java @@ -62,12 +62,12 @@ public SafeFile(URI uri) throws ValidationException { private void doDirCheck(String path) throws ValidationException { Matcher m1 = DIR_BLACKLIST_PAT.matcher( path ); - if ( null != m1 && m1.find() ) { + if ( m1.find() ) { throw new ValidationException( "Invalid directory", "Directory path (" + path + ") contains illegal character: " + m1.group() ); } Matcher m2 = PERCENTS_PAT.matcher( path ); - if (null != m2 && m2.find() ) { + if ( m2.find() ) { throw new ValidationException( "Invalid directory", "Directory path (" + path + ") contains encoded characters: " + m2.group() ); } From 25827f5ae5a1e88195a02224c71ff3a7b4632bee Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 21:56:10 +0200 Subject: [PATCH 078/172] SecurityConfiguration: fix typo --- src/main/java/org/owasp/esapi/SecurityConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java index 564206de0..e0b529b49 100644 --- a/src/main/java/org/owasp/esapi/SecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/SecurityConfiguration.java @@ -179,7 +179,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader { * considered the default key size that ESAPI will use for symmetric * ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength, * which is the minimum key size (in bits) that ESAPI will support - * for encryption. (There is no miminimum for decryption.) + * for encryption. (There is no minimum for decryption.) * * @return the key length (in bits) * @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead. From c6ed93062eae6a7f9f328879a2b7745392b93011 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:00:57 +0200 Subject: [PATCH 079/172] StringUtilities: replace with isEmpty call --- src/main/java/org/owasp/esapi/StringUtilities.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java index 55f8c55a3..4af898304 100644 --- a/src/main/java/org/owasp/esapi/StringUtilities.java +++ b/src/main/java/org/owasp/esapi/StringUtilities.java 
@@ -97,7 +97,7 @@ public static boolean contains(StringBuilder input, char c) { * @return The correct value */ public static String replaceNull( String test, String replace ) { - return test == null || "null".equalsIgnoreCase( test.trim() ) || "".equals( test.trim() ) ? replace : test; + return test == null || "null".equalsIgnoreCase( test.trim() ) || test.trim().isEmpty() ? replace : test; } /** From a5f7706d275a966cb39b44983e4c6107a108de3a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:01:43 +0200 Subject: [PATCH 080/172] StringUtilities: correct javadoc --- src/main/java/org/owasp/esapi/StringUtilities.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java index 4af898304..989f7f78b 100644 --- a/src/main/java/org/owasp/esapi/StringUtilities.java +++ b/src/main/java/org/owasp/esapi/StringUtilities.java @@ -90,7 +90,7 @@ public static boolean contains(StringBuilder input, char c) { } /** - * Returns the replace value if the value of test is null, "null", or "" + * Returns the replace value if the value of test is null, "null" (case-insensitive), or blank * * @param test The value to test * @param replace The replacement value From efcba68ab1096c5cd7e2604f610cb6a46bf8d8af Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:02:44 +0200 Subject: [PATCH 081/172] StringUtilities: replace length check with isEmpty --- src/main/java/org/owasp/esapi/StringUtilities.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java index 989f7f78b..976125e4c 100644 --- a/src/main/java/org/owasp/esapi/StringUtilities.java +++ b/src/main/java/org/owasp/esapi/StringUtilities.java 
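Review bot: `test.trim()` is evaluated twice in the new condition of `replaceNull`; binding it once is clearer and avoids the second allocation: `String t = test == null ? null : test.trim(); return t == null || t.isEmpty() || "null".equalsIgnoreCase(t) ? replace : test;` — still returning the untrimmed `test`, as the current code does. Note that `String.trim()` only strips characters at or below U+0020, so a value consisting of other Unicode whitespace is still returned unchanged; that matches the existing behavior, but the Javadoc's word "blank" (updated in the next hunk) should say "whitespace per `String.trim()`" if that is the intent.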
@@ -195,6 +195,6 @@ public static boolean notNullOrEmpty(String str, boolean trim) { * Returns true if String is empty ("") or null. */ public static boolean isEmpty(String str) { - return str == null || str.length() == 0; + return str == null || str.isEmpty(); } } From b01219fe388fecb40f121d128f1b6ff4aea31b7c Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:04:10 +0200 Subject: [PATCH 082/172] StringUtilities: replace with isEmpty call --- src/main/java/org/owasp/esapi/StringUtilities.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java index 976125e4c..24b06e64f 100644 --- a/src/main/java/org/owasp/esapi/StringUtilities.java +++ b/src/main/java/org/owasp/esapi/StringUtilities.java @@ -185,9 +185,9 @@ public static int getLevenshteinDistance (String s, String t) { */ public static boolean notNullOrEmpty(String str, boolean trim) { if ( trim ) { - return !( str == null || str.trim().equals("") ); + return !( str == null || str.trim().isEmpty() ); } else { - return !( str == null || str.equals("") ); + return !( str == null || str.isEmpty() ); } } From 979391bf842a23da96890d57fd612cab6b027d44 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:05:36 +0200 Subject: [PATCH 083/172] User: fix typo --- src/main/java/org/owasp/esapi/User.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/User.java b/src/main/java/org/owasp/esapi/User.java index 6c29b4f59..eeb765d7c 100644 --- a/src/main/java/org/owasp/esapi/User.java +++ b/src/main/java/org/owasp/esapi/User.java 
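Review bot: The two branches of `notNullOrEmpty` differ only in whether the string is trimmed, so the null/empty test is duplicated; collapsing them reads better: `if (str == null) { return false; } return !(trim ? str.trim() : str).isEmpty();`. With `trim == false` this is exactly the negation of `isEmpty(String)` in the following hunk, so one could also delegate to `!isEmpty(trim ? str.trim() : str)` after the null check — a style choice, but it keeps the two helpers from drifting apart.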
@@ -380,7 +380,7 @@ public interface User extends Principal, Serializable { /** * Set the time of the last failed login for this user. * - * @param lastFailedLoginTime the date and time when the user just failed to login correctly. + * @param lastFailedLoginTime the date and time when the user just failed to log in correctly. */ void setLastFailedLoginTime(Date lastFailedLoginTime); From 7ca441b4d4344b5d3eb2c3310f3d4876f0126b18 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:08:48 +0200 Subject: [PATCH 084/172] Validator: fix typo --- src/main/java/org/owasp/esapi/Validator.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/Validator.java b/src/main/java/org/owasp/esapi/Validator.java index c662daaa1..2e5b23690 100644 --- a/src/main/java/org/owasp/esapi/Validator.java +++ b/src/main/java/org/owasp/esapi/Validator.java @@ -387,7 +387,7 @@ public interface Validator { * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input - * that gets HTML encoded (e.g., a single quote (') might get chaged to """). + * that gets HTML encoded (e.g., a single quote (') might get changed to """). *

        * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your @@ -417,7 +417,7 @@ public interface Validator { * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input - * that gets HTML encoded (e.g., a single quote (') might get chaged to """). + * that gets HTML encoded (e.g., a single quote (') might get changed to """). *

        * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your From b490a316196560b059897722f6e7df1a3b1e18b1 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:10:17 +0200 Subject: [PATCH 085/172] Validator: fix typo --- src/main/java/org/owasp/esapi/Validator.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/Validator.java b/src/main/java/org/owasp/esapi/Validator.java index 2e5b23690..be16fbf50 100644 --- a/src/main/java/org/owasp/esapi/Validator.java +++ b/src/main/java/org/owasp/esapi/Validator.java @@ -384,7 +384,7 @@ public interface Validator { boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException; /** - * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that + * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input * that gets HTML encoded (e.g., a single quote (') might get changed to """). 
@@ -414,7 +414,7 @@ public interface Validator { String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException; /** - * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that + * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input * that gets HTML encoded (e.g., a single quote (') might get changed to """). From b173d8518d5fb888b9235b0981361d58ed706a0a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:14:44 +0200 Subject: [PATCH 086/172] CollectionsUtil: fix typo --- .../java/org/owasp/esapi/util/CollectionsUtil.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/owasp/esapi/util/CollectionsUtil.java b/src/main/java/org/owasp/esapi/util/CollectionsUtil.java index 2607f6255..a4284030e 100644 --- a/src/main/java/org/owasp/esapi/util/CollectionsUtil.java +++ b/src/main/java/org/owasp/esapi/util/CollectionsUtil.java @@ -40,9 +40,9 @@ public static Set arrayToSet(char...array) } /** - * Convert a char array to a unmodifiable Set. + * Convert a char array to an unmodifiable Set. * @param array the contents of the new Set - * @return a unmodifiable Set containing the elements in the + * @return an unmodifiable Set containing the elements in the * array. */ public static Set arrayToUnmodifiableSet(char...array) 
@@ -76,7 +76,7 @@ public static char[] strToChars(String str) /** * Convert a String to a set of characters. * @param str The string to convert - * @return A set containing the characters in str. A empty set + * @return A set containing the characters in str. An empty set * is returned if str is null. */ public static Set strToSet(String str) @@ -92,9 +92,9 @@ public static Set strToSet(String str) } /** - * Convert a String to a unmodifiable set of characters. + * Convert a String to an unmodifiable set of characters. * @param str The string to convert - * @return A set containing the characters in str. A empty set + * @return A set containing the characters in str. An empty set * is returned if str is null. */ public static Set strToUnmodifiableSet(String str) From 054726c8e024a7c541b5b80cd4bb8a5703d5584c Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:18:29 +0200 Subject: [PATCH 087/172] NullSafe: don't reinvent the wheel --- src/main/java/org/owasp/esapi/util/NullSafe.java | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/owasp/esapi/util/NullSafe.java b/src/main/java/org/owasp/esapi/util/NullSafe.java index a0bee5f55..9fc7bec6c 100644 --- a/src/main/java/org/owasp/esapi/util/NullSafe.java +++ b/src/main/java/org/owasp/esapi/util/NullSafe.java @@ -1,5 +1,7 @@ package org.owasp.esapi.util; +import java.util.Objects; + public class NullSafe { /** @@ -17,13 +19,7 @@ private NullSafe() */ public static boolean equals(Object a, Object b) { - if(a==b) // short cut same object - return true; - if(a == null) - return (b == null); - if(b == null) - return false; - return a.equals(b); + return Objects.equals(a, b); } /** From 01d2ab20c3b23708e2791533f26249468520c81a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:19:30 +0200 Subject: [PATCH 088/172] ObjFactory: fix typo --- src/main/java/org/owasp/esapi/util/ObjFactory.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/util/ObjFactory.java b/src/main/java/org/owasp/esapi/util/ObjFactory.java index 0e3340894..3faa6a847 100644 --- a/src/main/java/org/owasp/esapi/util/ObjFactory.java +++ b/src/main/java/org/owasp/esapi/util/ObjFactory.java @@ -17,7 +17,7 @@ /** * A generic object factory to create an object of class T. T must be a concrete - * class that has a no-argument public constructor or a implementor of the Singleton pattern + * class that has a no-argument public constructor or an implementor of the Singleton pattern * that has a no-arg static getInstance method. If the class being created has a getInstance * method, it will be used as a singleton and newInstance() will never be called on the * class no matter how many times it comes through this factory. From 915711d2c0fec2337247bc768f9631da64136678 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:20:47 +0200 Subject: [PATCH 089/172] ObjFactory: replace with isEmpty call --- src/main/java/org/owasp/esapi/util/ObjFactory.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/util/ObjFactory.java b/src/main/java/org/owasp/esapi/util/ObjFactory.java index 3faa6a847..0b3215e7a 100644 --- a/src/main/java/org/owasp/esapi/util/ObjFactory.java +++ b/src/main/java/org/owasp/esapi/util/ObjFactory.java @@ -70,10 +70,10 @@ public static T make(String className, String typeName) throws Configuration Object obj = null; String errMsg = null; try { - if (null == className || "".equals(className) ) { + if (null == className || className.isEmpty() ) { throw new IllegalArgumentException("Classname cannot be null or empty."); } - if (null == typeName || "".equals(typeName) ) { + if (null == typeName || typeName.isEmpty() ) { // No big deal...just use "[unknown?]" for this as it's only for an err msg. typeName = "[unknown?]"; // CHECKME: Any better suggestions? } From 7fc83843a3f9b855fb8ea9e7d79c06dd4d383178 Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 22:22:35 +0200 Subject: [PATCH 090/172] ObjFactory: fix typo --- src/main/java/org/owasp/esapi/util/ObjFactory.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/util/ObjFactory.java b/src/main/java/org/owasp/esapi/util/ObjFactory.java index 0b3215e7a..6520dd89e 100644 --- a/src/main/java/org/owasp/esapi/util/ObjFactory.java +++ b/src/main/java/org/owasp/esapi/util/ObjFactory.java @@ -210,8 +210,8 @@ private ObjFactory() { } /** * Wrapped data, contains the method object and the method is static method or not.
        - * The goal to store the boolean value in field staticMethod is reduce the check times: check once, use many times.
        - * The goal to store the exception in field nonStaticException is reduce the cost of new Exception(): create once, use many times. + * The goal to store the boolean value in field staticMethod is to reduce the check times: check once, use many times.
        + * The goal to store the exception in field nonStaticException is to reduce the cost of new Exception(): create once, use many times. */ private static class MethodWrappedInfo { private Method method; From 60a63b85601eec384410bb734caedd1c83ce87a0 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:23:02 +0200 Subject: [PATCH 091/172] BaseEncodeTag: fix typo --- src/main/java/org/owasp/esapi/tags/BaseEncodeTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/BaseEncodeTag.java b/src/main/java/org/owasp/esapi/tags/BaseEncodeTag.java index e52b7402b..bffcc9563 100644 --- a/src/main/java/org/owasp/esapi/tags/BaseEncodeTag.java +++ b/src/main/java/org/owasp/esapi/tags/BaseEncodeTag.java @@ -33,7 +33,7 @@ public abstract class BaseEncodeTag extends BodyTagSupport /** * Encode tag's content. * @param content The tag's content as a String - * @param enc Encoder provided as a convinence. + * @param enc Encoder provided as a convenience. * @return content encoded by the subclass's implementation. */ protected abstract String encode(String content, Encoder enc) throws JspTagException; From fbcc3aeda324cbfebee824a13e6255fa2362ff55 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:24:12 +0200 Subject: [PATCH 092/172] EncodeForBase64Tag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java b/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java index 5551f2251..a9300ffa4 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForBase64Tag.java @@ -7,7 +7,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body using Base64. + * JSP tag that encodes its body using Base64. */ public class EncodeForBase64Tag extends BaseEncodeTag { 
From 07cfa84f327d3eef003441799f5c139058ed37cf Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:24:32 +0200 Subject: [PATCH 093/172] EncodeForCSSTag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java index 1def5ee07..b2e6452cb 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForCSSTag.java @@ -3,7 +3,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in CSS. + * JSP tag that encodes its body for use in CSS. */ public class EncodeForCSSTag extends BaseEncodeTag { From 2f6ec5de500f23f742346c81c4102ac4f64e58d5 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:24:50 +0200 Subject: [PATCH 094/172] EncodeForHTMLAttributeTag: fix typo --- .../java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java index 5e07d8c7f..969bb0015 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLAttributeTag.java @@ -19,7 +19,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in a HTML attribute. + * JSP tag that encodes its body for use in a HTML attribute. */ public class EncodeForHTMLAttributeTag extends BaseEncodeTag { From 3879e62a95d497fccdf23263993da84265e049ff Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:25:11 +0200 Subject: [PATCH 095/172] EncodeForHTMLTag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java index 3cd317557..d9584dffa 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForHTMLTag.java @@ -19,7 +19,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in HTML. + * JSP tag that encodes its body for use in HTML. */ public class EncodeForHTMLTag extends BaseEncodeTag { From 93521084b4344f36d333ff9015e54290049bfcf2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:25:25 +0200 Subject: [PATCH 096/172] EncodeForJavaScriptTag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java index fe4d68eb9..b8d3c5483 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForJavaScriptTag.java @@ -3,7 +3,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in JavaScript. + * JSP tag that encodes its body for use in JavaScript. */ public class EncodeForJavaScriptTag extends BaseEncodeTag { From 58a442904ab44407a33b11910ac9c572fa0b2e1b Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:25:42 +0200 Subject: [PATCH 097/172] EncodeForURLTag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java index 28b03af7e..ab9a6734c 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForURLTag.java 
@@ -6,7 +6,7 @@ import org.owasp.esapi.errors.EncodingException; /** - * JSP tag that encode's it's body for use in a URL. + * JSP tag that encodes its body for use in a URL. */ public class EncodeForURLTag extends BaseEncodeTag { From f674f3bb871a2c4d0f3876e4b08e0c2933adc718 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:26:00 +0200 Subject: [PATCH 098/172] EncodeForVBScriptTag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java index 43ddee272..033ef06f9 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForVBScriptTag.java @@ -19,7 +19,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in VBScript. + * JSP tag that encodes its body for use in VBScript. */ public class EncodeForVBScriptTag extends BaseEncodeTag { From 8f4c1254c49d7b1e9b8f6f08976eac3f752b542d Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:26:16 +0200 Subject: [PATCH 099/172] EncodeForXMLAttributeTag: fix typo --- .../java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java index 4ad11e87a..7b2a1264c 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForXMLAttributeTag.java @@ -3,7 +3,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in a XML attribute. + * JSP tag that encodes its body for use in a XML attribute. */ public class EncodeForXMLAttributeTag extends BaseEncodeTag { From 43eca5e0143d6a29e3309fe36095b8b8997f3f6b Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Tue, 6 Aug 2024 22:26:41 +0200 Subject: [PATCH 100/172] EncodeForXMLTag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java index 320b0484a..f06ad3710 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForXMLTag.java @@ -3,7 +3,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in XML. + * JSP tag that encodes its body for use in XML. */ public class EncodeForXMLTag extends BaseEncodeTag { From 763364de0df8ff9791a849d48c00b8c364288561 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 22:26:54 +0200 Subject: [PATCH 101/172] EncodeForXPathTag: fix typo --- src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java b/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java index 1ff953880..0a36c32c0 100644 --- a/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java +++ b/src/main/java/org/owasp/esapi/tags/EncodeForXPathTag.java @@ -3,7 +3,7 @@ import org.owasp.esapi.Encoder; /** - * JSP tag that encode's it's body for use in XPath. + * JSP tag that encodes its body for use in XPath. */ public class EncodeForXPathTag extends BaseEncodeTag { From 2847bf60f58e1f7624fb8de89bef924b299fb538 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:14:59 +0200 Subject: [PATCH 102/172] AbstractAccessReferenceMap: fix typo --- .../esapi/reference/AbstractAccessReferenceMap.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java b/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java index 242ff3e47..c17109913 100644 --- a/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java +++ b/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java @@ -90,9 +90,9 @@ public AbstractAccessReferenceMap( int initialSize ) { * the direct references * @deprecated This constructor internally calls the abstract method * {@link #getUniqueReference()}. Since this is a constructor, any - * subclass that implements getUniqueReference() has not had it's + * subclass that implements getUniqueReference() has not had its * own constructor run. This leads to strange bugs because subclass - * internal state is initializaed after calls to getUniqueReference() + * internal state is initialized after calls to getUniqueReference() * have already happened. If this constructor is desired in a * subclass, consider running {@link #update(Set)} in the subclass * constructor instead. @@ -108,7 +108,7 @@ public AbstractAccessReferenceMap( Set directReferences ) { * Instantiates a new access reference map with the specified size allotment * and initializes the map with the passed in references. Note that if you pass * in an initialSize that is less than the size of the passed in set, the map will - * need to be resized while it is being loaded with the references so it is + * need to be resized while it is being loaded with the references, so it is * best practice to verify that the size being passed in is always larger than * the size of the set that is being passed in. * 
@@ -119,9 +119,9 @@ public AbstractAccessReferenceMap( Set directReferences ) { * * @deprecated This constructor internally calls the abstract method * {@link #getUniqueReference()}. Since this is a constructor, any - * subclass that implements getUniqueReference() has not had it's + * subclass that implements getUniqueReference() has not had its * own constructor run. This leads to strange bugs because subclass - * internal state is initializaed after calls to getUniqueReference() + * internal state is initialized after calls to getUniqueReference() * have already happened. If this constructor is desired in a * subclass, consider running {@link #update(Set)} in the subclass * constructor instead. From b42e32a68b1024e8cf6160cde967c802c70ca88a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:19:37 +0200 Subject: [PATCH 103/172] DefaultEncoder: replace length check with isEmpty --- src/main/java/org/owasp/esapi/reference/DefaultEncoder.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java index 348cb4a4d..411c0dc37 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java @@ -370,7 +370,7 @@ public String encodeForDN(String input) { } // TODO: replace with DN codec StringBuilder sb = new StringBuilder(); - if ((input.length() > 0) && ((input.charAt(0) == ' ') || (input.charAt(0) == '#'))) { + if ((!input.isEmpty()) && ((input.charAt(0) == ' ') || (input.charAt(0) == '#'))) { sb.append('\\'); // add the leading backslash if needed } // See discussion of forward slash ('/') in encodeForLDAP() From 19ac3d70625a5aef000c0190aab809c1096ee307 Mon Sep 17 00:00:00 2001 
From: Dario Viva
Date: Tue, 6 Aug 2024 23:22:12 +0200
Subject: [PATCH 104/172] DefaultEncoder: replace == with equals to not rely on java string pool to always use the same String for "-1"

---
 src/main/java/org/owasp/esapi/reference/DefaultEncoder.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
index 411c0dc37..01871a567 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
@@ -602,7 +602,7 @@ public String getCanonicalizedURI(URI dirtyUri) throws IntrusionException{
 }
 //Check if the port is -1, if it is, omit it from the output.
 if(seg == UriSegment.PORT){
- if("-1" == parseMap.get(seg)){
+ if("-1".equals(parseMap.get(seg))){
 value = "";
 }
 }
From 0ae5b04a48ce5d07289a6c1700033a5c4f99981a Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 23:24:30 +0200
Subject: [PATCH 105/172] DefaultEncoder: replace with isEmpty call

---
 src/main/java/org/owasp/esapi/reference/DefaultEncoder.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
index 01871a567..c5f6d77de 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
@@ -620,7 +620,7 @@ public String getCanonicalizedURI(URI dirtyUri) throws IntrusionException{
 */
 protected String buildUrl(Map parseMap){
 StringBuilder sb = new StringBuilder();
- boolean schemePresent = parseMap.get(UriSegment.SCHEME).equals("") ? false : true;
+ boolean schemePresent = parseMap.get(UriSegment.SCHEME).isEmpty() ? false : true;
 if(schemePresent) {
 sb.append(parseMap.get(UriSegment.SCHEME))
From faa6c095d812e2e6f6e38d0e61ab078d40d91243 Mon Sep 17 00:00:00 2001
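Review bot: Switching to `"-1".equals(parseMap.get(seg))` is a behavior change, not only a style fix: `"-1" == parseMap.get(seg)` held only when the map value was the interned literal, so the `value = ""` branch that omits the port was most likely unreachable before and a `:-1` port could reach the canonicalized URI. The intent matches the comment on the preceding line, but the commit message frames it as a string-pool concern; a unit test for `getCanonicalizedURI` on a URI with no explicit port, asserting the result contains no `-1`, would pin the fix and the change deserves a changelog entry. How the PORT value is written into parseMap is outside the hunk, so whether the old comparison could ever succeed is inferred. getCanonicalizedURI's body starts and ends outside the hunk.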
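Review bot: `parseMap.get(UriSegment.SCHEME).isEmpty()` still dereferences the SCHEME entry with no null check, while the AUTHORITY, PATH, QUERY and FRAGMENT entries later in the same method (PATCH 107) are each guarded with `== null ||`; the same line is rewritten once more in PATCH 106 without closing that gap. If the map can lack a SCHEME entry, buildUrl throws NullPointerException instead of omitting the scheme; `boolean schemePresent = parseMap.get(UriSegment.SCHEME) != null && !parseMap.get(UriSegment.SCHEME).isEmpty();` is the form consistent with the other segments. Whether the populating code always writes a SCHEME entry is not visible here. buildUrl's body ends outside the hunk.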
From: Dario Viva Date: Tue, 6 Aug 2024 23:25:02 +0200 Subject: [PATCH 106/172] DefaultEncoder: simplify boolean expression --- src/main/java/org/owasp/esapi/reference/DefaultEncoder.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java index c5f6d77de..e53449380 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java @@ -620,7 +620,7 @@ public String getCanonicalizedURI(URI dirtyUri) throws IntrusionException{ */ protected String buildUrl(Map parseMap){ StringBuilder sb = new StringBuilder(); - boolean schemePresent = parseMap.get(UriSegment.SCHEME).isEmpty() ? false : true; + boolean schemePresent = !parseMap.get(UriSegment.SCHEME).isEmpty(); if(schemePresent) { sb.append(parseMap.get(UriSegment.SCHEME)) From 49ee56e129f8ae1be7f3d0fbd5434d1621d9f008 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:25:48 +0200 Subject: [PATCH 107/172] DefaultEncoder: replace with isEmpty call --- .../java/org/owasp/esapi/reference/DefaultEncoder.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java index e53449380..b56c63c42 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java 
@@ -629,11 +629,11 @@ protected String buildUrl(Map parseMap){ //can't use SCHEMESPECIFICPART for this, because we need to canonicalize all the parts of the query. //USERINFO is also deprecated. So we technically have more than we need. - sb.append(parseMap.get(UriSegment.AUTHORITY) == null || parseMap.get(UriSegment.AUTHORITY).equals("") ? "" : parseMap.get(UriSegment.AUTHORITY)) - .append(parseMap.get(UriSegment.PATH) == null || parseMap.get(UriSegment.PATH).equals("") ? "" : parseMap.get(UriSegment.PATH)) - .append(parseMap.get(UriSegment.QUERY) == null || parseMap.get(UriSegment.QUERY).equals("") + sb.append(parseMap.get(UriSegment.AUTHORITY) == null || parseMap.get(UriSegment.AUTHORITY).isEmpty() ? "" : parseMap.get(UriSegment.AUTHORITY)) + .append(parseMap.get(UriSegment.PATH) == null || parseMap.get(UriSegment.PATH).isEmpty() ? "" : parseMap.get(UriSegment.PATH)) + .append(parseMap.get(UriSegment.QUERY) == null || parseMap.get(UriSegment.QUERY).isEmpty() ? "" : "?" + parseMap.get(UriSegment.QUERY)) - .append((parseMap.get(UriSegment.FRAGMENT) == null) || parseMap.get(UriSegment.FRAGMENT).equals("") + .append((parseMap.get(UriSegment.FRAGMENT) == null) || parseMap.get(UriSegment.FRAGMENT).isEmpty() ? "": "#" + parseMap.get(UriSegment.FRAGMENT)) ; return sb.toString(); From 281ee13076bc0a6144072347a8e363737ff3dfe4 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:28:23 +0200 Subject: [PATCH 108/172] DefaultExecutor: use contains instead of indexOf --- src/main/java/org/owasp/esapi/reference/DefaultExecutor.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java index 619e633ec..c1eb2b269 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java 
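Review bot: Each segment is now looked up three times and the null-or-empty test is spelled out four times in one expression, which is the kind of repetition that let the SCHEME check a few lines above fall out of step with these guards; a small helper makes the four appends uniform and the separator rule (`?` for QUERY, `#` for FRAGMENT) explicit. The helper takes the already-fetched value, so it assumes nothing about the map beyond what calling `.isEmpty()` on its values already requires. buildUrl's signature is outside the hunk, and the page rendering appears to have stripped the map's generic type arguments.
```java
// … unchanged: explanatory comments and scheme handling above …
sb.append(prefixedOrEmpty("", parseMap.get(UriSegment.AUTHORITY)))
  .append(prefixedOrEmpty("", parseMap.get(UriSegment.PATH)))
  .append(prefixedOrEmpty("?", parseMap.get(UriSegment.QUERY)))
  .append(prefixedOrEmpty("#", parseMap.get(UriSegment.FRAGMENT)));
return sb.toString();
// … unchanged: end of buildUrl …

/** Returns prefix + value, or "" when value is null or empty, so an absent segment leaves no separator behind. */
private static String prefixedOrEmpty(String prefix, String value) {
    return value == null || value.isEmpty() ? "" : prefix + value;
}
```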
@@ -66,7 +66,7 @@ public static Executor getInstance() {
 * Instantiate a new Executor
 */
 private DefaultExecutor() {
- if ( System.getProperty("os.name").indexOf("Windows") != -1 ) {
+ if ( System.getProperty("os.name").contains("Windows") ) {
 logger.warning( Logger.SECURITY_SUCCESS, "Using WindowsCodec for Executor. If this is not running on Windows this could allow injection" );
 codec = new WindowsCodec();
 } else {
From 00b9e30fc329ca386fb8c9cd7fcbced7eb04a7ad Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 23:31:03 +0200
Subject: [PATCH 109/172] DefaultExecutor: use replaceAll

---
 src/main/java/org/owasp/esapi/reference/DefaultExecutor.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java
index c1eb2b269..d3a75b5f9 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java
@@ -118,10 +118,7 @@ public ExecuteResult executeSystemCommand(File executable, List params, File wor
 }
 // escape any special characters in the parameters
- for ( int i = 0; i < params.size(); i++ ) {
- String param = (String)params.get(i);
- params.set( i, ESAPI.encoder().encodeForOS(codec, param));
- }
+ params.replaceAll(param -> ESAPI.encoder().encodeForOS(codec, (String) param));
 // working directory must exist
 if (!workdir.exists()) {
From aabd775fca3a01b3eb0f67567faa633a82130b04 Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 23:32:22 +0200
Subject: [PATCH 110/172] DefaultExecutor: remove unnecessary null check

---
 src/main/java/org/owasp/esapi/reference/DefaultExecutor.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java
index d3a75b5f9..19be2ab13 100644
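Review bot: `params.replaceAll(...)` keeps the original loop's in-place mutation of the caller's list, but the one-liner makes that side effect easy to miss, and a caller that reuses the same list for a second call would presumably get its already-escaped values escaped again. Since this escaping is the step that protects the spawned command from the parameters, it is worth stating on the line, `// NOTE: escapes params in place; the caller's list is modified`, or as a `@param params` remark in the Javadoc. The raw `List` and the `(String) param` cast are carried over from the loop unchanged. executeSystemCommand starts and ends outside the hunk.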
--- a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java @@ -172,7 +172,7 @@ public ExecuteResult executeSystemCommand(File executable, List params, File wor String output = outputBuffer.toString(); String errors = errorsBuffer.toString(); int exitValue = process.exitValue(); - if ( errors != null && errors.length() > 0 ) { + if (errors.length() > 0) { String logErrors = errors; final int MAX_LEN = 256; if (logErrors.length() > MAX_LEN) { From b2bb26183035ab7cac33219487db5630ae42f139 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:33:08 +0200 Subject: [PATCH 111/172] DefaultExecutor: replace length check with isEmpty --- src/main/java/org/owasp/esapi/reference/DefaultExecutor.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java index 19be2ab13..638af77c8 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java @@ -172,7 +172,7 @@ public ExecuteResult executeSystemCommand(File executable, List params, File wor String output = outputBuffer.toString(); String errors = errorsBuffer.toString(); int exitValue = process.exitValue(); - if (errors.length() > 0) { + if (!errors.isEmpty()) { String logErrors = errors; final int MAX_LEN = 256; if (logErrors.length() > MAX_LEN) { From fcd5c8fceda1fbb5129d74f08ae4205a418b6913 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:34:21 +0200 Subject: [PATCH 112/172] DefaultHTTPUtilities: replace length check with isEmpty --- .../java/org/owasp/esapi/reference/DefaultHTTPUtilities.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java index 2dabec23c..eaa532039 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java @@ -226,7 +226,7 @@ public void addCookie(HttpServletResponse response, Cookie cookie) { String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false, errors); // if there are no errors, then set the cookie either with a header or normally - if (errors.size() == 0) { + if (errors.isEmpty()) { if ( ESAPI.securityConfiguration().getForceHttpOnlyCookies() ) { String header = createCookieHeader(cookieName, cookieValue, maxAge, domain, path, secure); addHeader(response, "Set-Cookie", header); From 40529533c6c9b6fd81fdc9874d85313c1da4fb8e Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:48:00 +0200 Subject: [PATCH 113/172] DefaultSecurityConfiguration: replace with isEmpty call --- .../org/owasp/esapi/reference/DefaultSecurityConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java index 8cba81982..30d5b8015 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java 
@@ -965,7 +965,7 @@ public String setCipherTransformation(String cipherXform) {
 // Special case... means set it to original value from ESAPI.properties
 cipherXformCurrent = cipherXformFromESAPIProp;
 } else {
- if ( cipherXform.trim().equals("") ) {
+ if ( cipherXform.trim().isEmpty() ) {
 throw new ConfigurationException("Cipher transformation cannot be just white space or empty string");
 }
 cipherXformCurrent = cipherXform; // Note: No other sanity checks!!!
From d73223104786d1cae4629e6ef0cd2c83ad1a9c10 Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 23:49:09 +0200
Subject: [PATCH 114/172] DefaultSecurityConfiguration: simplify boolean expression

---
 .../owasp/esapi/reference/DefaultSecurityConfiguration.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
index 30d5b8015..0be8aed83 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -1123,8 +1123,7 @@ public File getUploadTempDirectory() {
 */
 public boolean getDisableIntrusionDetection() {
 String value = properties.getProperty( DISABLE_INTRUSION_DETECTION );
- if ("true".equalsIgnoreCase(value)) return true;
- return false; // Default result
+ return "true".equalsIgnoreCase(value);
 }
 /**
From eb7ba9e3d201e29b1548a8dfde83daac37d512f4 Mon Sep 17 00:00:00 2001
From: Dario Viva
Date: Tue, 6 Aug 2024 23:49:41 +0200
Subject: [PATCH 115/172] DefaultSecurityConfiguration: replace length check with isEmpty

---
 .../org/owasp/esapi/reference/DefaultSecurityConfiguration.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
index 0be8aed83..bbf6b05f5 100644
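Review bot: The simplification in the getDisableIntrusionDetection hunk drops the `// Default result` comment, and with it the only hint that a missing or malformed property leaves intrusion detection enabled; `"true".equalsIgnoreCase(null)` is false, so that fail-safe still holds, but it is worth stating because this property switches a security control off. Suggest `return "true".equalsIgnoreCase(value); // fail-safe: absent or non-"true" value keeps intrusion detection enabled`. The method's Javadoc starts outside the hunk.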
--- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java @@ -1138,7 +1138,7 @@ public Threshold getQuota(String eventName) { String[] actionList = actionString.split(","); actions = Arrays.asList(actionList); } - if ( count > 0 && interval > 0 && actions.size() > 0 ) { + if ( count > 0 && interval > 0 && !actions.isEmpty() ) { return new Threshold(eventName, count, interval, actions); } return null; From b00dc08d992d6629f75411f8ffd1f1a99a71544f Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:50:16 +0200 Subject: [PATCH 116/172] DefaultSecurityConfiguration: replace with isEmpty call --- .../org/owasp/esapi/reference/DefaultSecurityConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java index bbf6b05f5..00cf55f2d 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java @@ -1255,7 +1255,7 @@ public Pattern getValidationPattern( String key ) { if ( p != null ) return p; // compile a new pattern - if ( value == null || value.equals( "" ) ) return null; + if ( value == null || value.isEmpty() ) return null; try { Pattern q = Pattern.compile(value); patternCache.put( value, q ); From bb3836c9e2335034516af7abb6813047040c7a1f Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:53:32 +0200 Subject: [PATCH 117/172] DefaultUser: replace with isEmpty call --- src/main/java/org/owasp/esapi/reference/DefaultUser.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultUser.java b/src/main/java/org/owasp/esapi/reference/DefaultUser.java index c9065427b..f8f253d2e 100644 
--- a/src/main/java/org/owasp/esapi/reference/DefaultUser.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultUser.java @@ -381,7 +381,7 @@ public void lock() { * {@inheritDoc} */ public void loginWithPassword(String password) throws AuthenticationException { - if ( password == null || password.equals("") ) { + if ( password == null || password.isEmpty() ) { setLastFailedLoginTime(new Date()); incrementFailedLoginCount(); throw new AuthenticationLoginException( "Login failed", "Missing password: " + accountName ); From 6737088a5e46cea916d9dd7f6626778f08b9911b Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:56:12 +0200 Subject: [PATCH 118/172] DefaultValidator: replace length check with isEmpty --- .../java/org/owasp/esapi/reference/DefaultValidator.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java index fd39858aa..dc2d2c86c 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java @@ -1072,7 +1072,7 @@ public void assertValidHTTPRequestParameterSet(String context, HttpServletReques // verify ALL required parameters are present Set missing = new HashSet(required); missing.removeAll(actualNames); - if (missing.size() > 0) { + if (!missing.isEmpty()) { throw new ValidationException( context + ": Invalid HTTP request missing parameters", "Invalid HTTP request missing parameters " + missing + ": context=" + context, context ); } 
@@ -1080,7 +1080,7 @@ public void assertValidHTTPRequestParameterSet(String context, HttpServletReques Set extra = new HashSet(actualNames); extra.removeAll(required); extra.removeAll(optional); - if (extra.size() > 0) { + if (!extra.isEmpty()) { throw new ValidationException( context + ": Invalid HTTP request extra parameters " + extra, "Invalid HTTP request extra parameters " + extra + ": context=" + context, context ); } } @@ -1347,7 +1347,7 @@ public String safeReadLine(InputStream in, int max) throws ValidationException { * @return boolean response if input is empty or not */ private final boolean isEmpty(String input) { - return (input==null || input.trim().length() == 0); + return (input==null || input.trim().isEmpty()); } /** From ba99b2dccafbabbab23f76415bd836f8f96dbd5c Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Tue, 6 Aug 2024 23:59:07 +0200 Subject: [PATCH 119/172] DefaultValidator: use StringUtilities.isEmpty --- .../org/owasp/esapi/reference/DefaultValidator.java | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java index dc2d2c86c..a089932bf 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java @@ -36,13 +36,7 @@ import javax.servlet.http.HttpServletRequest; -import org.owasp.esapi.ESAPI; -import org.owasp.esapi.Encoder; -import org.owasp.esapi.Logger; -import org.owasp.esapi.SecurityConfiguration; -import org.owasp.esapi.ValidationErrorList; -import org.owasp.esapi.ValidationRule; -import org.owasp.esapi.Validator; +import org.owasp.esapi.*; import org.owasp.esapi.errors.IntrusionException; import org.owasp.esapi.errors.ValidationAvailabilityException; import org.owasp.esapi.errors.ValidationException; 
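Review bot: The import hunk replaces seven explicit `org.owasp.esapi` imports with the wildcard `import org.owasp.esapi.*;` only to bring `StringUtilities` into scope, which makes the file's dependency set implicit and leaves it open to ambiguity should another imported package later gain a same-named type. Keeping the explicit list and adding the single line `import org.owasp.esapi.StringUtilities;` has the same effect without widening the namespace. This is a style point; the code in the hunk is otherwise unchanged.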
@@ -1377,7 +1371,7 @@ private final boolean isEmpty(char[] input) { @Override public boolean isValidURI(String context, String input, boolean allowNull) { boolean isValid = false; - boolean inputIsNullOrEmpty = input == null || "".equals(input); + boolean inputIsNullOrEmpty = StringUtilities.isEmpty(input); Encoder encoder = ESAPI.encoder(); try{ URI compliantURI = null == input ? new URI("") : this.getRfcCompliantURI(input); From 12f5d7b63aca3bdf2d207033494a9892d845eccf Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:01:19 +0200 Subject: [PATCH 120/172] FileBasedAuthenticator: fix typo --- .../java/org/owasp/esapi/reference/FileBasedAuthenticator.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java index 111e3f8be..7309610a9 100644 --- a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java +++ b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java @@ -206,7 +206,7 @@ List getAllHashedPasswords(User user, boolean create) { * Get a List of the specified User's old password hashes. This will not return the User's current * password hash. * - * @param user he user whose old password hashes should be returned + * @param user the user whose old password hashes should be returned * @return the specified User's old password hashes */ List getOldPasswordHashes(User user) { From dcb77ad473ad5dbf5e650d6f45dcd0d0cade0993 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:04:59 +0200 Subject: [PATCH 121/172] FileBasedAuthenticator: use NullSafe.equals --- .../java/org/owasp/esapi/reference/FileBasedAuthenticator.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java index 7309610a9..f98caebb0 100644 
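Review bot: `StringUtilities.isEmpty(input)` is only a drop-in for `input == null || "".equals(input)` if that helper does not trim; many such helpers treat whitespace-only strings as empty, and if this one does, `inputIsNullOrEmpty` becomes true for "   " while the next line still hands that same string to `getRfcCompliantURI`, so the flag and the parse path can now disagree — please confirm the helper's contract or keep the original expression. isValidURI continues past the end of the hunk, so whatever consumes `inputIsNullOrEmpty` is out of view here. If the helper does trim and that is intended, the method's Javadoc should say that blank input is treated as empty.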
--- a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java +++ b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java @@ -17,6 +17,7 @@ import org.owasp.esapi.*; import org.owasp.esapi.errors.*; +import org.owasp.esapi.util.NullSafe; import java.io.*; import java.util.*; @@ -312,7 +313,7 @@ public void changePassword(User user, String currentPassword, if (!currentHash.equals(verifyHash)) { throw new AuthenticationCredentialsException("Password change failed", "Authentication failed for password change on user: " + accountName); } - if (newPassword == null || newPassword2 == null || !newPassword.equals(newPassword2)) { + if (!NullSafe.equals(newPassword, newPassword2)) { throw new AuthenticationCredentialsException("Password change failed", "Passwords do not match for password change on user: " + accountName); } verifyPasswordStrength(currentPassword, newPassword, user); From 5a5542d09622a73d720547d3abf9df197c18de78 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:08:51 +0200 Subject: [PATCH 122/172] FileBasedAuthenticator: replace length check with isEmpty --- .../java/org/owasp/esapi/reference/FileBasedAuthenticator.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java index f98caebb0..55778e1e7 100644 --- a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java +++ b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java 
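Review bot: `!NullSafe.equals(newPassword, newPassword2)` is not equivalent to the removed condition: the old check rejected a null `newPassword` or `newPassword2` outright, whereas a null-safe equals (assuming the usual contract, where null equals null) now lets two nulls through to `verifyPasswordStrength(currentPassword, newPassword, user)`, which — judging by the `newPassword.contains(sub)` loop visible in a later hunk of this series — would fail with a NullPointerException instead of the AuthenticationCredentialsException callers expect. Keep the explicit null guard, e.g. `if (newPassword == null || !newPassword.equals(newPassword2)) {`. Unrelated to the change but on the same new side: `currentHash.equals(verifyHash)` compares password hashes with a short-circuiting equals, and `MessageDigest.isEqual(currentHash.getBytes(StandardCharsets.UTF_8), verifyHash.getBytes(StandardCharsets.UTF_8))` would make that comparison constant-time. changePassword begins before and ends after this hunk.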
@@ -480,7 +480,7 @@ protected void loadUsersImmediately() { reader = new BufferedReader(new FileReader(userDB)); String line; while ((line = reader.readLine()) != null) { - if (line.length() > 0 && line.charAt(0) != '#') { + if (!line.isEmpty() && line.charAt(0) != '#') { DefaultUser user = createUser(line); if (map.containsKey(new Long(user.getAccountId()))) { logger.fatal(Logger.SECURITY_FAILURE, "Problem in user file. Skipping duplicate user: " + user, null); From 2442c92882e25394b6d9704f588c9bf15e340701 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:14:20 +0200 Subject: [PATCH 123/172] FileBasedAuthenticator: use String.join --- .../owasp/esapi/reference/FileBasedAuthenticator.java | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java index 55778e1e7..9f5ffb1c7 100644 --- a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java +++ b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java @@ -659,15 +659,7 @@ private String save(DefaultUser user) { * @return a comma separated list containing the values in c */ private String dump(Collection c) { - StringBuilder sb = new StringBuilder(); - for (String s : c) { - sb.append(s).append(","); - } - if ( c.size() > 0) { - return sb.toString().substring(0, sb.length() - 1); - } - return ""; - + return String.join(",", c); } /** From ff6222d4a8b3f84f42ab894f132792164097de14 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:15:10 +0200 Subject: [PATCH 124/172] FileBasedAuthenticator: use contains instead of indexOf --- .../java/org/owasp/esapi/reference/FileBasedAuthenticator.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java index 9f5ffb1c7..b8d022d94 100644 --- a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java +++ b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java @@ -696,7 +696,7 @@ public void verifyPasswordStrength(String oldPassword, String newPassword, User int length = oldPassword.length(); for (int i = 0; i < length - 2; i++) { String sub = oldPassword.substring(i, i + 3); - if (newPassword.indexOf(sub) > -1) { + if (newPassword.contains(sub)) { throw new AuthenticationCredentialsException("Invalid password", "New password cannot contain pieces of old password"); } } From eef6ced3e2159de1b1adfe776795ecc249e9c0fe Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:17:10 +0200 Subject: [PATCH 125/172] RandomAccessReferenceMap: use containsKey --- .../org/owasp/esapi/reference/RandomAccessReferenceMap.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/RandomAccessReferenceMap.java b/src/main/java/org/owasp/esapi/reference/RandomAccessReferenceMap.java index 1018b64be..047d24ff0 100644 --- a/src/main/java/org/owasp/esapi/reference/RandomAccessReferenceMap.java +++ b/src/main/java/org/owasp/esapi/reference/RandomAccessReferenceMap.java @@ -79,7 +79,7 @@ protected final synchronized String getUniqueReference() { candidate = ESAPI.randomizer().getRandomString(6, EncoderConstants.CHAR_ALPHANUMERICS); } - while (itod.keySet().contains(candidate)); + while (itod.containsKey(candidate)); return candidate; } } From aad3434476d41f25660c4e1544797b67233cd686 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:20:33 +0200 Subject: [PATCH 126/172] DynaBeanACRParameter: LazyDynaMap uses Strings as keys --- .../esapi/reference/accesscontrol/DynaBeanACRParameter.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/DynaBeanACRParameter.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/DynaBeanACRParameter.java index c0d29f382..886accef3 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/DynaBeanACRParameter.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/DynaBeanACRParameter.java @@ -180,10 +180,10 @@ public void lock() { public String toString() { StringBuilder sb = new StringBuilder(); - Iterator keys = policyProperties.getMap().keySet().iterator(); + Iterator keys = policyProperties.getMap().keySet().iterator(); String currentKey; while(keys.hasNext()) { - currentKey = (String)keys.next(); + currentKey = keys.next(); sb.append(currentKey); sb.append("="); sb.append(policyProperties.get(currentKey)); From 7bac60e1eb53d19ed04697157a0fbb3302816257 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:21:45 +0200 Subject: [PATCH 127/172] FileBasedACRs: use contains instead of indexOf --- .../org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java index 2e19304f5..e1b21b9e9 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java @@ -253,7 +253,7 @@ private Rule searchForRule(Map map, Set roles, String path) { part = part.substring(0, part.length() - 1); } - if (part.indexOf("..") != -1) { + if (part.contains("..")) { throw new IntrusionException("Attempt to manipulate access control path", "Attempt to manipulate access control path: " + path ); } From 48ac095af8b9335a260bc596e8edfd3207f8bfd8 Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Wed, 7 Aug 2024 00:25:41 +0200 Subject: [PATCH 128/172] FileBasedACRs: use for loop (uses iterator under the hood) --- .../reference/accesscontrol/FileBasedACRs.java | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java index e1b21b9e9..70ef843e4 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java @@ -339,9 +339,8 @@ private boolean overlap(Set ruleRoles, Set userRoles) { if (ruleRoles.contains("any")) { return true; } - Iterator i = userRoles.iterator(); - while (i.hasNext()) { - String role = (String) i.next(); + for (Object userRole : userRoles) { + String role = (String) userRole; if (ruleRoles.contains(role)) { return true; } @@ -379,11 +378,11 @@ private boolean overlap( List ruleActions, String action){ */ private List validateRoles(List roles){ List ret = new ArrayList(); - for(int x = 0; x < roles.size(); x++){ - String canonical = ESAPI.encoder().canonicalize(((String)roles.get(x)).trim()); + for (Object role : roles) { + String canonical = ESAPI.encoder().canonicalize(((String) role).trim()); - if(!ESAPI.validator().isValidInput("Validating user roles in FileBasedAccessController", canonical, "RoleName", 20, false)) { - logger.warning( Logger.SECURITY_FAILURE, "Role: " + ((String)roles.get(x)).trim() + " is invalid, so was not added to the list of roles for this Rule."); + if (!ESAPI.validator().isValidInput("Validating user roles in FileBasedAccessController", canonical, "RoleName", 20, false)) { + logger.warning( Logger.SECURITY_FAILURE, "Role: " + ((String) role).trim() + " is invalid, so was not added to the list of roles for this Rule."); } else { ret.add(canonical.trim()); } From 2f048c5939a7fa13a1ac1fa04d5b2d66a549d8ea Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Wed, 7 Aug 2024 00:29:34 +0200 Subject: [PATCH 129/172] FileBasedACRs: use String as generic type --- .../reference/accesscontrol/FileBasedACRs.java | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java index 70ef843e4..8dafa0f94 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java @@ -376,13 +376,13 @@ private boolean overlap( List ruleActions, String action){ * a List of roles that are valid according to the criteria stated above. * */ - private List validateRoles(List roles){ - List ret = new ArrayList(); - for (Object role : roles) { - String canonical = ESAPI.encoder().canonicalize(((String) role).trim()); + private List validateRoles(List roles){ + List ret = new ArrayList<>(); + for (String role : roles) { + String canonical = ESAPI.encoder().canonicalize(role.trim()); if (!ESAPI.validator().isValidInput("Validating user roles in FileBasedAccessController", canonical, "RoleName", 20, false)) { - logger.warning( Logger.SECURITY_FAILURE, "Role: " + ((String) role).trim() + " is invalid, so was not added to the list of roles for this Rule."); + logger.warning( Logger.SECURITY_FAILURE, "Role: " + role.trim() + " is invalid, so was not added to the list of roles for this Rule."); } else { ret.add(canonical.trim()); } 
@@ -420,10 +420,10 @@ private Map loadRules(String ruleset) { // fix Windows paths rule.path = parts[0].trim().replaceAll("\\\\", "/"); - List roles = commaSplit(parts[1].trim().toLowerCase()); + List roles = commaSplit(parts[1].trim().toLowerCase()); roles = validateRoles(roles); for(int x = 0; x < roles.size(); x++) - rule.roles.add(((String)roles.get(x)).trim()); + rule.roles.add(roles.get(x).trim()); String action = parts[2].trim(); rule.allow = action.equalsIgnoreCase("allow"); @@ -515,7 +515,7 @@ private Map loadDataRules(String ruleset) { * @return * a List where each entry was on either side of a ',' in the original String */ - private List commaSplit(String input){ + private List commaSplit(String input){ String[] array = input.split(","); return Arrays.asList(array); } From e8c0d9079ba52923c7d4b9eacc285750dbb22a33 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:31:09 +0200 Subject: [PATCH 130/172] FileBasedACRs: simplify boolean expression --- .../owasp/esapi/reference/accesscontrol/FileBasedACRs.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java index 8dafa0f94..eedee1b9c 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java @@ -360,9 +360,7 @@ private boolean overlap(Set ruleRoles, Set userRoles) { * true, if any action exists in ruleActions. False otherwise. */ private boolean overlap( List ruleActions, String action){ - if( ruleActions.contains(action) ) - return true; - return false; + return ruleActions.contains(action); } /** From 4bd940586984785f1262ec1f4cd2ad0c736c0225 Mon Sep 17 00:00:00 2001 
From: Dario Viva Date: Wed, 7 Aug 2024 00:36:33 +0200 Subject: [PATCH 131/172] FileBasedACRs: replace length check with isEmpty --- .../owasp/esapi/reference/accesscontrol/FileBasedACRs.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java index eedee1b9c..919c91409 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java @@ -412,7 +412,7 @@ private Map loadRules(String ruleset) { is = ESAPI.securityConfiguration().getResourceStream(ruleset); String line = ""; while ((line = ESAPI.validator().safeReadLine(is, 500)) != null) { - if (line.length() > 0 && line.charAt(0) != '#') { + if (!line.isEmpty() && line.charAt(0) != '#') { Rule rule = new Rule(); String[] parts = line.split("\\|"); // fix Windows paths @@ -469,7 +469,7 @@ private Map loadDataRules(String ruleset) { is = ESAPI.securityConfiguration().getResourceStream(ruleset); String line = ""; while ((line = ESAPI.validator().safeReadLine(is, 500)) != null) { - if (line.length() > 0 && line.charAt(0) != '#') { + if (!line.isEmpty() && line.charAt(0) != '#') { Rule rule = new Rule(); String[] parts = line.split("\\|"); rule.clazz = Class.forName(parts[0].trim()); From 44209c46d34b8a56fc63f774ab3c89dbed8158a1 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:37:53 +0200 Subject: [PATCH 132/172] FileBasedACRs: remove unused imports --- .../org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java index 919c91409..d99d81ded 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java 
+++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java @@ -22,7 +22,6 @@ import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; -import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; @@ -31,7 +30,6 @@ import org.owasp.esapi.Logger; import org.owasp.esapi.User; import org.owasp.esapi.errors.AccessControlException; -import org.owasp.esapi.errors.EncodingException; import org.owasp.esapi.errors.IntrusionException; // CHECKME: If this exists for backward compatibility, should this From 6dfdb2effac478551546977ff9f458d6cb7c08bd Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:38:53 +0200 Subject: [PATCH 133/172] FileBasedACRs: use more generic types and for loops --- .../reference/accesscontrol/FileBasedACRs.java | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java index d99d81ded..bdbf966ca 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java 
@@ -472,14 +472,14 @@ private Map loadDataRules(String ruleset) { String[] parts = line.split("\\|"); rule.clazz = Class.forName(parts[0].trim()); - List roles = commaSplit(parts[1].trim().toLowerCase()); + List roles = commaSplit(parts[1].trim().toLowerCase()); roles = validateRoles(roles); - for(int x = 0; x < roles.size(); x++) - rule.roles.add(((String)roles.get(x)).trim()); + for (String role : roles) + rule.roles.add(role.trim()); - List action = commaSplit(parts[2].trim().toLowerCase()); - for(int x = 0; x < action.size(); x++) - rule.actions.add(((String) action.get(x)).trim()); + List action = commaSplit(parts[2].trim().toLowerCase()); + for (String s : action) + rule.actions.add(s.trim()); if (map.containsKey(rule.path)) { logger.warning( Logger.SECURITY_FAILURE, "Problem in access control file. Duplicate rule ignored: " + rule); @@ -525,7 +525,7 @@ private class Rule { protected String path = ""; - protected Set roles = new HashSet(); + protected Set roles = new HashSet<>(); protected boolean allow = false; @@ -534,7 +534,7 @@ private class Rule { protected Class clazz = null; - protected List actions = new ArrayList(); + protected List actions = new ArrayList<>(); /** * From c0c58ddac9a45127e47f4fde1fcaaf485e19e7ac Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:41:42 +0200 Subject: [PATCH 134/172] DefaultEncryptedProperties: use StringUtilities.isEmpty --- .../esapi/reference/crypto/DefaultEncryptedProperties.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java b/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java index 397088915..afe37da79 100644 --- a/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java +++ b/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java 
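Review bot: The `.trim()` in `rule.roles.add(role.trim())` is redundant, because `validateRoles` (as shown in the preceding commit) already returns `canonical.trim()` for every element, so the loop could simply be `rule.roles.addAll(roles);`. For consistency, the sibling `loadRules` still carries the index-based `for(int x = 0; x < roles.size(); x++) rule.roles.add(roles.get(x).trim());` that this hunk replaces with for-each here, and both methods should use the same form. Both methods continue outside the hunk; note also that `rule.clazz = Class.forName(parts[0].trim())` loads whatever class name the rules file supplies, which is fine for deployment-controlled config but deserves a one-line comment stating that the ruleset is trusted input.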
@@ -29,6 +29,7 @@ import org.owasp.esapi.ESAPI; import org.owasp.esapi.Logger; +import org.owasp.esapi.StringUtilities; import org.owasp.esapi.crypto.CipherText; import org.owasp.esapi.crypto.PlainText; import org.owasp.esapi.errors.EncryptionException; @@ -193,10 +194,10 @@ public static void main(String[] args) throws Exception { key = br.readLine(); System.out.print("Enter value: "); String value = br.readLine(); - if (key != null && key.length() > 0 && value != null && value.length() > 0) { + if (!StringUtilities.isEmpty(key) && !StringUtilities.isEmpty(value)) { ep.setProperty(key, value); } - } while (key != null && key.length() > 0); + } while (!StringUtilities.isEmpty(key)); ep.store(out, "Encrypted Properties File"); } finally { // FindBugs and PMD both complain about these next lines, that they may From dce76c9b998a5bc373ce19f3952106a910e1b9e9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:42:53 +0200 Subject: [PATCH 135/172] DefaultEncryptedProperties: use for loop --- .../esapi/reference/crypto/DefaultEncryptedProperties.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java b/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java index afe37da79..29c1779a8 100644 --- a/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java +++ b/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java @@ -206,9 +206,8 @@ public static void main(String[] args) throws Exception { try { if ( out != null ) out.close(); } catch( Exception e ) {} } - Iterator i = ep.keySet().iterator(); - while (i.hasNext()) { - String k = (String) i.next(); + for (Object o : ep.keySet()) { + String k = (String) o; String value = ep.getProperty(k); System.out.println(" " + k + "=" + value); } From 653e6753f06b3c627a097a47f6a3cf4ba90e5826 Mon Sep 17 00:00:00 2001 
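Review bot: The switch to `StringUtilities.isEmpty` changes the loop's behaviour if that helper trims (as such helpers commonly do): a whitespace-only key now ends the input loop and a whitespace-only value is silently dropped, where the old `length() > 0` checks accepted both; if that is intended, say so in a comment, otherwise keep the explicit checks. The hunk also reads the secret at `Enter value:` with `br.readLine()`, which echoes it to the terminal; `System.console() != null ? new String(System.console().readPassword("Enter value: ")) : br.readLine()` avoids the echo when a console is attached. `main` begins before and continues after this hunk.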
From: Dario Viva Date: Wed, 7 Aug 2024 00:45:50 +0200 Subject: [PATCH 136/172] EncryptedPropertiesUtils: use StringUtilities.isEmpty --- .../esapi/reference/crypto/EncryptedPropertiesUtils.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/crypto/EncryptedPropertiesUtils.java b/src/main/java/org/owasp/esapi/reference/crypto/EncryptedPropertiesUtils.java index dee385ff1..8414b8a37 100644 --- a/src/main/java/org/owasp/esapi/reference/crypto/EncryptedPropertiesUtils.java +++ b/src/main/java/org/owasp/esapi/reference/crypto/EncryptedPropertiesUtils.java @@ -10,7 +10,7 @@ import java.io.OutputStream; import java.util.Properties; -import org.owasp.esapi.EncryptedProperties; +import org.owasp.esapi.StringUtilities; /** * Command line utilities for reading, writing and creating encrypted properties files. @@ -102,7 +102,7 @@ public static void main(String[] args) throws Exception { addProperty(props, key, value); - } while (key != null && key.length() > 0); + } while (!StringUtilities.isEmpty(key)); //save output file storeProperties(outFile, props, @@ -203,7 +203,7 @@ public static void storeProperties(String outFile, Properties props, String mess * @return The previous value of the property, or null if it is newly added. */ public static Object addProperty(Properties props, String key, String value) { - if (props != null && key != null && key.length() > 0 && value != null && value.length() > 0) { + if (props != null && !StringUtilities.isEmpty(key) && !StringUtilities.isEmpty(value)) { return props.setProperty(key, value); } return null; From 59b9e4cc55422ba722dfa524001659108e8fe0d2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:47:39 +0200 Subject: [PATCH 137/172] JavaEncryptor: use for loop --- .../esapi/reference/crypto/JavaEncryptor.java | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) 
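Review bot: `addProperty`'s Javadoc still reads `@return The previous value of the property, or null if it is newly added`, but the method also returns null — and stores nothing — when `props`, `key` or `value` is null or empty (and blank too, if `StringUtilities.isEmpty` trims); it should read `@return The previous value of the property, or null if it is newly added or if props, key or value was null or empty, in which case nothing is stored`. The import hunk replaces `org.owasp.esapi.EncryptedProperties` rather than adding alongside it; if that type was only referenced from a `{@link}` in the class Javadoc, the link now resolves nowhere, so a javadoc build is worth checking. As in the sibling commit, the isEmpty swap is only behaviour-preserving if the helper does not trim; confirm that or keep the `length() > 0` form.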
diff --git a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java index 81ff5b0e5..d6c5d04d2 100644 --- a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java +++ b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java @@ -183,22 +183,19 @@ public static void main( String[] args ) throws Exception { // contained in this provider, but Set seems // more appropriate. But that's why we need the cast below. System.out.println("===== Provider " + i + ":" + providers[i].getName() + " ======"); - Iterator it = providers[i].keySet().iterator(); - while (it.hasNext()) { - String key = (String)it.next(); - String value = providers[i].getProperty( key ); + for (Object o : providers[i].keySet()) { + String key = (String) o; + String value = providers[i].getProperty(key); tm.put(key, value); - System.out.println("\t\t " + key + " -> "+ value ); + System.out.println("\t\t " + key + " -> " + value); } } Set< Entry > keyValueSet = tm.entrySet(); - Iterator> it = keyValueSet.iterator(); - while( it.hasNext() ) { - Map.Entry entry = it.next(); + for (Entry entry : keyValueSet) { String key = entry.getKey(); String value = entry.getValue(); - System.out.println( " " + key + " -> "+ value ); + System.out.println(" " + key + " -> " + value); } } else { // Used to print a similar line to use '-print' even when it was specified. From 3b2d0f5318c80cf53adb59b0aec2c631729d27c9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:51:11 +0200 Subject: [PATCH 138/172] BaseValidationRule: fix typo and add link --- .../owasp/esapi/reference/validation/BaseValidationRule.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/validation/BaseValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/BaseValidationRule.java index b9251198c..ecf1690f1 100644 
--- a/src/main/java/org/owasp/esapi/reference/validation/BaseValidationRule.java +++ b/src/main/java/org/owasp/esapi/reference/validation/BaseValidationRule.java @@ -123,7 +123,7 @@ public Object getSafe( String context, String input ) { } /** - * The method is similar to ValidationRuile.getSafe except that it returns a + * The method is similar to {@link ValidationRule#getSafe} except that it returns a * harmless object that may or may not have any similarity to the original * input (in some cases you may not care). In most cases this should be the * same as the getSafe method only instead of throwing an exception, return From 72609e463efda33b1fabb63291ec6dddc91e2b06 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:52:08 +0200 Subject: [PATCH 139/172] CreditCardValidationRule: fix typo --- .../esapi/reference/validation/CreditCardValidationRule.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/validation/CreditCardValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/CreditCardValidationRule.java index 1e82c0e9a..51a1c3988 100644 --- a/src/main/java/org/owasp/esapi/reference/validation/CreditCardValidationRule.java +++ b/src/main/java/org/owasp/esapi/reference/validation/CreditCardValidationRule.java @@ -87,7 +87,7 @@ public String getValid( String context, String input ) throws ValidationExceptio } /** - * Performs additional validation on the card nummber. + * Performs additional validation on the card number. * This implementation performs Luhn algorithm checking * @param ccNum number to be validated * @return true if the ccNum passes the Luhn Algorithm From 5c5e5764ce75e60cc6c225c6485d2d8598497467 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:53:56 +0200 Subject: [PATCH 140/172] StringValidationRule: fix typo --- .../esapi/reference/validation/StringValidationRule.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java index 740db8c7d..f6f578ff8 100644 --- a/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java +++ b/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java @@ -194,7 +194,7 @@ private String checkBlacklist(String context, String input) throws ValidationExc * checks input lengths * @param context The context to include in exception messages * @param input the input to check - * @param orig A origional input to include in exception + * @param orig An original input to include in exception * messages. This is not included if it is the same as * input. * @return input upon a successful check @@ -229,7 +229,7 @@ private String checkLength(String context, String input) throws ValidationExcept * checks input emptiness * @param context The context to include in exception messages * @param input the input to check - * @param orig A origional input to include in exception + * @param orig An original input to include in exception * messages. This is not included if it is the same as * input. * @return input upon a successful check From 3af86fa6650dfe88803874219808c764a546191a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 00:57:18 +0200 Subject: [PATCH 141/172] AddHTTPOnlyFlagRule: use for loop --- .../java/org/owasp/esapi/waf/rules/AddHTTPOnlyFlagRule.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/AddHTTPOnlyFlagRule.java b/src/main/java/org/owasp/esapi/waf/rules/AddHTTPOnlyFlagRule.java index 21395cb5e..72a8871a2 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/AddHTTPOnlyFlagRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/AddHTTPOnlyFlagRule.java 
@@ -50,9 +50,8 @@ public Action check(HttpServletRequest request, public boolean doesCookieMatch(String cookieName) { - for(int i=0;i Date: Wed, 7 Aug 2024 00:57:45 +0200 Subject: [PATCH 142/172] AddSecureFlagRule: use for loop --- .../java/org/owasp/esapi/waf/rules/AddSecureFlagRule.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/AddSecureFlagRule.java b/src/main/java/org/owasp/esapi/waf/rules/AddSecureFlagRule.java index 515840196..b8e6dd416 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/AddSecureFlagRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/AddSecureFlagRule.java @@ -50,9 +50,8 @@ public Action check(HttpServletRequest request, public boolean doesCookieMatch(String cookieName) { - for(int i=0;i Date: Wed, 7 Aug 2024 01:00:54 +0200 Subject: [PATCH 143/172] BeanShellRule: chain append calls --- src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java b/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java index 7d0310796..c0a04fc50 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java @@ -106,7 +106,7 @@ private String getFileContents(File f) throws IOException { br = new BufferedReader(new FileReader(f)); String line; while ((line = br.readLine()) != null) { - sb.append(line + System.getProperty("line.separator")); + sb.append(line).append(System.getProperty("line.separator")); } } finally { From 8fae5782bc25fa86352c02c2bcebbcaa520fd418 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 01:01:16 +0200 Subject: [PATCH 144/172] BeanShellRule: use System.lineSeparator --- src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java b/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java index c0a04fc50..d695d7f85 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/BeanShellRule.java @@ -106,7 +106,7 @@ private String getFileContents(File f) throws IOException { br = new BufferedReader(new FileReader(f)); String line; while ((line = br.readLine()) != null) { - sb.append(line).append(System.getProperty("line.separator")); + sb.append(line).append(System.lineSeparator()); } } finally { From 0ebe2a1258c92e99b8c371fdb6c9804426460060 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 01:03:01 +0200 Subject: [PATCH 145/172] IPRule: concatenating empty String is not necessary as String is immutable --- src/main/java/org/owasp/esapi/waf/rules/IPRule.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/IPRule.java b/src/main/java/org/owasp/esapi/waf/rules/IPRule.java index eaa534ebe..62d907e78 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/IPRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/IPRule.java @@ -62,7 +62,7 @@ public Action check(HttpServletRequest request, if ( (!useExactPath && path.matcher(uri).matches()) || ( useExactPath && exactPath.equals(uri)) ) { - String sourceIP = request.getRemoteAddr() + ""; + String sourceIP = request.getRemoteAddr(); if ( ipHeader != null ) { sourceIP = request.getHeader(ipHeader); From f418d842262199228ae2cd808e9607e75dd228ae Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 01:05:07 +0200 Subject: [PATCH 146/172] Rule: use StringUtilities.isEmpty --- src/main/java/org/owasp/esapi/waf/rules/Rule.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/Rule.java b/src/main/java/org/owasp/esapi/waf/rules/Rule.java index 26adc95b9..9c95d88fe 100644 
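Review bot: The `System.lineSeparator()` change is fine, but the read loop in this hunk still goes through `br = new BufferedReader(new FileReader(f));`, which decodes the rule file with the platform default charset, so a BeanShell script saved in any other encoding is silently misread on that platform. Pinning the charset, e.g. `br = new BufferedReader(new InputStreamReader(new FileInputStream(f), StandardCharsets.UTF_8));` (or `Files.newBufferedReader(f.toPath(), StandardCharsets.UTF_8)`), with the matching imports, removes the dependency on the host configuration. `getFileContents` starts before the hunk and its `finally` continues after it, so I cannot see how `br` is closed; if the method is touched again, try-with-resources would replace that block.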
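Review bot: Dropping the `+ ""` changes behaviour in one case: the old expression turned a `null` from `request.getRemoteAddr()` into the string `"null"`, whereas `sourceIP` can now be `null`, so any later method call on it would throw where it previously saw a harmless string. The next line, `sourceIP = request.getHeader(ipHeader);`, already has that property, since it yields `null` when the configured header is absent, and it replaces the socket address with a client-supplied header value, which is only meaningful when a trusted proxy overwrites that header. If the rest of `check` does not null-guard `sourceIP` (it continues outside the hunk), `if (sourceIP == null) { sourceIP = ""; }` after the header lookup keeps the old tolerance, and a comment on `ipHeader` that it must name a proxy-controlled header would document the trust assumption.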
--- a/src/main/java/org/owasp/esapi/waf/rules/Rule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/Rule.java @@ -21,6 +21,7 @@ import org.owasp.esapi.ESAPI; import org.owasp.esapi.Logger; +import org.owasp.esapi.StringUtilities; import org.owasp.esapi.waf.actions.Action; import org.owasp.esapi.waf.configuration.AppGuardianConfiguration; import org.owasp.esapi.waf.internal.InterceptingHTTPServletResponse; @@ -43,7 +44,7 @@ public void log( HttpServletRequest request, String message ) { } protected void setId(String id) { - if ( id == null || "".equals(id) ) + if ( StringUtilities.isEmpty(id) ) return; this.id = id; From a191170bb72b5292cee6b63f722d582414b104ef Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 01:06:46 +0200 Subject: [PATCH 147/172] RuleUtil: use for loop --- src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java b/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java index 3b22edbe7..461ace279 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java +++ b/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java @@ -31,11 +31,9 @@ public class RuleUtil { public static boolean isInList(Map m, String s) { - Iterator it = m.keySet().iterator(); - - while( it.hasNext() ) { - String key = (String)it.next(); - if ( key.equals(s) ) { + for (Object o : m.keySet()) { + String key = (String) o; + if (key.equals(s)) { return true; } } From eb3455374c7a3053f8e7c1e8c582954c2313964f Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 01:08:30 +0200 Subject: [PATCH 148/172] InterceptingHTTPServletResponse: simplify boolean expression --- .../esapi/waf/internal/InterceptingHTTPServletResponse.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
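Review bot: `StringUtilities.isEmpty(id)` may not be a drop-in for `id == null || "".equals(id)`: if that helper also treats whitespace-only strings as empty (its implementation is not visible here), a blank but non-empty id is now rejected where it was previously accepted. The same substitution is made in `ObjFactory.make` (patch 151) and `DefaultEncoder.buildUrl` (patch 152), so one confirmation of the helper's semantics settles all three. Braces on the single-statement guard, `if (StringUtilities.isEmpty(id)) { return; }`, would also match the rest of the file's style as far as the hunk shows it.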
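Review bot: The rewritten loop is a linear scan for key equality over a raw `Map`, which `Map.containsKey` already provides: `return m.containsKey(s);` gives the same result for string keys (a `null` key would have thrown on `key.equals` in both the old and the new loop, and for a `null` `s` the scan returns false while `containsKey` answers per map type, so that corner is worth a glance). If the scan is kept, declaring the parameter as `Map<String, ?> m` removes the unchecked cast in `String key = (String) o;` while remaining source-compatible with raw-typed callers.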
diff --git a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java index 37bf402ca..788454ecf 100644 --- a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java +++ b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java @@ -80,7 +80,7 @@ public InterceptingServletOutputStream getInterceptingServletOutputStream() { } public ServletOutputStream getOutputStream() throws IllegalStateException, IOException { - if ( alreadyCalledWriter == true ) { + if (alreadyCalledWriter) { throw new IllegalStateException(); } @@ -90,7 +90,7 @@ public ServletOutputStream getOutputStream() throws IllegalStateException, IOExc } public PrintWriter getWriter() throws IOException { - if ( alreadyCalledOutputStream == true ) { + if (alreadyCalledOutputStream) { throw new IllegalStateException(); } alreadyCalledWriter = true; From 9268ac9f800863c9e80256c3091c180e45669812 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 01:07:50 +0200 Subject: [PATCH 149/172] InterceptingHTTPServletResponse: use for loop --- .../InterceptingHTTPServletResponse.java | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java index 788454ecf..32334f5d4 100644 --- a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java +++ b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java 
@@ -61,12 +61,11 @@ public InterceptingHTTPServletResponse(HttpServletResponse response, boolean buf addSecureFlagRules = new ArrayList(); addHTTPOnlyFlagRules = new ArrayList(); - for(int i=0;i Date: Wed, 7 Aug 2024 01:11:40 +0200 Subject: [PATCH 150/172] InterceptingHTTPServletResponse: use StringBuilder --- .../internal/InterceptingHTTPServletResponse.java | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java index 32334f5d4..19ed21b52 100644 --- a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java +++ b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletResponse.java @@ -156,28 +156,29 @@ private String createCookieHeader(String name, String value, int maxAge, String // create the special cookie header instead of creating a Java cookie // Set-Cookie:=[; =][; expires=][; // domain=][; path=][; secure][;HttpOnly - String header = name + "=" + value; + StringBuilder header = new StringBuilder() + .append(name).append("=").append(value); if ( ! isTemporary ) { - header += "; Max-Age=" + maxAge; + header.append("; Max-Age=").append(maxAge); } if (domain != null) { - header += "; Domain=" + domain; + header.append("; Domain=").append(domain); } if (path != null) { - header += "; Path=" + path; + header.append("; Path=").append(path); } if ( secure ) { - header += "; Secure"; + header.append("; Secure"); } if (httpOnly) { - header += "; HttpOnly"; + header.append("; HttpOnly"); } - return header; + return header.toString(); } } From 9bd4b318024b87ba477840abbf76b9d4e477f2ad Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 01:17:30 +0200 Subject: [PATCH 151/172] ObjFactory: use StringUtilities.isEmpty --- src/main/java/org/owasp/esapi/util/ObjFactory.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
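Review bot: The rebuilt `createCookieHeader` still appends `name`, `value`, `domain` and `path` verbatim into the `Set-Cookie` string, so a value containing `\r`, `\n` or `;` changes the header's structure (an injected header or extra cookie attribute) unless every caller has already validated it; the callers are outside this hunk. A guard next to the sink keeps that assumption local: reject control characters and the attribute separator before the first `append`, as below. The method's signature is in the hunk header, so `createCookieHeader` starts before the hunk.
```java
// reject values that would terminate or split the Set-Cookie header
for (String part : new String[] { name, value, domain, path }) {
    if (part != null && (part.indexOf('\r') >= 0 || part.indexOf('\n') >= 0 || part.indexOf(';') >= 0)) {
        throw new IllegalArgumentException("Illegal character in cookie attribute");
    }
}
// … unchanged: StringBuilder assembly of the header …
```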
diff --git a/src/main/java/org/owasp/esapi/util/ObjFactory.java b/src/main/java/org/owasp/esapi/util/ObjFactory.java index 6520dd89e..15e97c2ff 100644 --- a/src/main/java/org/owasp/esapi/util/ObjFactory.java +++ b/src/main/java/org/owasp/esapi/util/ObjFactory.java @@ -9,6 +9,7 @@ */ package org.owasp.esapi.util; +import org.owasp.esapi.StringUtilities; import org.owasp.esapi.errors.ConfigurationException; import java.lang.reflect.Method; @@ -70,10 +71,10 @@ public static T make(String className, String typeName) throws Configuration Object obj = null; String errMsg = null; try { - if (null == className || className.isEmpty() ) { + if (StringUtilities.isEmpty(className) ) { throw new IllegalArgumentException("Classname cannot be null or empty."); } - if (null == typeName || typeName.isEmpty() ) { + if (StringUtilities.isEmpty(typeName) ) { // No big deal...just use "[unknown?]" for this as it's only for an err msg. typeName = "[unknown?]"; // CHECKME: Any better suggestions? } From e1716ed22c9bfa0cd200ec16fdc2006f41fb8df7 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 19:04:31 +0200 Subject: [PATCH 152/172] DefaultEncoder: use StringUtilities.isEmpty --- .../org/owasp/esapi/reference/DefaultEncoder.java | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java index b56c63c42..e3b41719d 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java @@ -34,6 +34,7 @@ import org.owasp.esapi.Encoder; import org.owasp.esapi.Logger; import org.owasp.esapi.SecurityConfiguration; +import org.owasp.esapi.StringUtilities; import org.owasp.esapi.codecs.Base64; import org.owasp.esapi.codecs.CSSCodec; import org.owasp.esapi.codecs.Codec; 
@@ -629,12 +630,10 @@ protected String buildUrl(Map parseMap){ //can't use SCHEMESPECIFICPART for this, because we need to canonicalize all the parts of the query. //USERINFO is also deprecated. So we technically have more than we need. - sb.append(parseMap.get(UriSegment.AUTHORITY) == null || parseMap.get(UriSegment.AUTHORITY).isEmpty() ? "" : parseMap.get(UriSegment.AUTHORITY)) - .append(parseMap.get(UriSegment.PATH) == null || parseMap.get(UriSegment.PATH).isEmpty() ? "" : parseMap.get(UriSegment.PATH)) - .append(parseMap.get(UriSegment.QUERY) == null || parseMap.get(UriSegment.QUERY).isEmpty() - ? "" : "?" + parseMap.get(UriSegment.QUERY)) - .append((parseMap.get(UriSegment.FRAGMENT) == null) || parseMap.get(UriSegment.FRAGMENT).isEmpty() - ? "": "#" + parseMap.get(UriSegment.FRAGMENT)) + sb.append(StringUtilities.isEmpty(parseMap.get(UriSegment.AUTHORITY)) ? "" : parseMap.get(UriSegment.AUTHORITY)) + .append(StringUtilities.isEmpty(parseMap.get(UriSegment.PATH)) ? "" : parseMap.get(UriSegment.PATH)) + .append(StringUtilities.isEmpty(parseMap.get(UriSegment.QUERY)) ? "" : "?" + parseMap.get(UriSegment.QUERY)) + .append(StringUtilities.isEmpty(parseMap.get(UriSegment.FRAGMENT)) ? "": "#" + parseMap.get(UriSegment.FRAGMENT)) ; return sb.toString(); } From 35195689766877b24eb3c397123c2a7ff5d3a0bb Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 19:18:09 +0200 Subject: [PATCH 153/172] DefaultEncoder: buildUrl: refactor to optimize String building process --- .../owasp/esapi/reference/DefaultEncoder.java | 36 ++++++++++++------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java index e3b41719d..a857d521b 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java 
@@ -620,21 +620,31 @@ public String getCanonicalizedURI(URI dirtyUri) throws IntrusionException{ * @return The canonicalized URL. */ protected String buildUrl(Map parseMap){ - StringBuilder sb = new StringBuilder(); - boolean schemePresent = !parseMap.get(UriSegment.SCHEME).isEmpty(); - - if(schemePresent) { - sb.append(parseMap.get(UriSegment.SCHEME)) - .append("://"); - } - //can't use SCHEMESPECIFICPART for this, because we need to canonicalize all the parts of the query. //USERINFO is also deprecated. So we technically have more than we need. - sb.append(StringUtilities.isEmpty(parseMap.get(UriSegment.AUTHORITY)) ? "" : parseMap.get(UriSegment.AUTHORITY)) - .append(StringUtilities.isEmpty(parseMap.get(UriSegment.PATH)) ? "" : parseMap.get(UriSegment.PATH)) - .append(StringUtilities.isEmpty(parseMap.get(UriSegment.QUERY)) ? "" : "?" + parseMap.get(UriSegment.QUERY)) - .append(StringUtilities.isEmpty(parseMap.get(UriSegment.FRAGMENT)) ? "": "#" + parseMap.get(UriSegment.FRAGMENT)) - ; + + StringBuilder sb = new StringBuilder(); + + String scheme = parseMap.get(UriSegment.SCHEME); + if(!scheme.isEmpty()) { + sb.append(scheme).append("://"); + } + String authority = parseMap.get(UriSegment.AUTHORITY); + if(!StringUtilities.isEmpty(authority)) { + sb.append(authority); + } + String path = parseMap.get(UriSegment.PATH); + if(!StringUtilities.isEmpty(path)) { + sb.append(path); + } + String query = parseMap.get(UriSegment.QUERY); + if(!StringUtilities.isEmpty(query)) { + sb.append("?").append(query); + } + String fragment = parseMap.get(UriSegment.FRAGMENT); + if(!StringUtilities.isEmpty(fragment)) { + sb.append("#").append(fragment); + } return sb.toString(); } From e673b20d5fa146535ef06342957ccb06e811fc67 Mon Sep 17 00:00:00 2001 
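Review bot: `if(!scheme.isEmpty())` still dereferences the SCHEME entry unconditionally while the four sibling segments now go through `StringUtilities.isEmpty`, so a `parseMap` without a scheme entry throws NPE instead of producing a scheme-less URL; `if (!StringUtilities.isEmpty(scheme)) {` makes the five branches uniform. Whether a missing scheme can actually reach `buildUrl` depends on how `getCanonicalizedURI` fills the map, which is outside the hunk, so treat this as consistency rather than a confirmed crash. The spacing `if(` versus `if (` is also mixed across the new lines.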
From: Dario Viva Date: Wed, 7 Aug 2024 19:22:46 +0200 Subject: [PATCH 154/172] DefaultValidator: replace with single class imports --- .../java/org/owasp/esapi/reference/DefaultValidator.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java index a089932bf..691c757bf 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java @@ -36,7 +36,14 @@ import javax.servlet.http.HttpServletRequest; -import org.owasp.esapi.*; +import org.owasp.esapi.ESAPI; +import org.owasp.esapi.Encoder; +import org.owasp.esapi.Logger; +import org.owasp.esapi.SecurityConfiguration; +import org.owasp.esapi.StringUtilities; +import org.owasp.esapi.ValidationErrorList; +import org.owasp.esapi.ValidationRule; +import org.owasp.esapi.Validator; import org.owasp.esapi.errors.IntrusionException; import org.owasp.esapi.errors.ValidationAvailabilityException; import org.owasp.esapi.errors.ValidationException; From 8963c838d4a04a288edc73b985ff46c0a92285c2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 19:27:31 +0200 Subject: [PATCH 155/172] DefaultValidator: remove redundant boxing --- src/main/java/org/owasp/esapi/reference/DefaultValidator.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java index 691c757bf..d71a5d380 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java 
@@ -746,9 +746,7 @@ public boolean isValidNumber(String context, String input, long minValue, long m */ @Override public Double getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull) throws ValidationException, IntrusionException { - Double minDoubleValue = new Double(minValue); - Double maxDoubleValue = new Double(maxValue); - return getValidDouble(context, input, minDoubleValue.doubleValue(), maxDoubleValue.doubleValue(), allowNull); + return getValidDouble(context, input, (double) minValue, (double) maxValue, allowNull); } /** From 9a563b0ef7396e256f08ee1d78df78080b097301 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 19:24:01 +0200 Subject: [PATCH 156/172] DefaultValidator: use for loop --- .../java/org/owasp/esapi/reference/DefaultValidator.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java index d71a5d380..1f48fcb25 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java @@ -28,7 +28,6 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; -import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; @@ -688,9 +687,7 @@ public String getValidFileName(String context, String input, List allowe } // verify extensions - Iterator i = allowedExtensions.iterator(); - while (i.hasNext()) { - String ext = i.next(); + for (String ext : allowedExtensions) { if (input.toLowerCase().endsWith(ext.toLowerCase())) { return canonical; } From 8e952b8d3e8c0126e7ea4b0b0b1c25cc1b73fd31 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 19:42:47 +0200 Subject: [PATCH 157/172] Base64: read: refactor code --- .../java/org/owasp/esapi/codecs/Base64.java | 150 +++++++++--------- 1 file changed, 75 insertions(+), 75 deletions(-) 
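Review bot: `(double) minValue` / `(double) maxValue` is a lossy conversion for magnitudes above 2^53, so bounds passed as large longs are rounded before the range check; the explicit cast makes this more visible than the old `new Double(...)` boxing did, but it does not change it. The interface is fixed by the `Validator` contract, so a Javadoc line on the method such as `Bounds are converted to double, so values beyond 2^53 lose precision.` is the practical fix; the Javadoc block starts above the hunk.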
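Review bot: The extension comparison in the new loop uses `toLowerCase()` without a locale, so this allow-list match depends on the JVM default locale (under a Turkish locale `"PHOTO.GIF"` lower-cases to a dotless ı and no longer ends with `.gif`), and `input.toLowerCase()` is recomputed on every iteration. Hoisting it and pinning the locale, `String lowerInput = input.toLowerCase(Locale.ROOT);` before the loop and `lowerInput.endsWith(ext.toLowerCase(Locale.ROOT))` inside, gives a locale-independent check; `java.util.Locale` would need adding to the import block edited earlier in this patch. `getValidFileName` begins outside the hunk.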
diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index 000c1b1ef..49e7b135c 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java +++ b/src/main/java/org/owasp/esapi/codecs/Base64.java @@ -1267,81 +1267,10 @@ public InputStream( java.io.InputStream in, int options ) public int read() throws java.io.IOException { // Do we need to get data? - if( position < 0 ) - { - if( encode ) - { - byte[] b3 = new byte[3]; - int numBinaryBytes = 0; - for( int i = 0; i < 3; i++ ) - { - try - { - int b = in.read(); - - // If end of stream, b is -1. - if( b >= 0 ) - { - b3[i] = (byte)b; - numBinaryBytes++; - } // end if: not end of stream - - } // end try: read - catch( java.io.IOException e ) - { - // Only a problem if we got no data at all. - if( i == 0 ) - throw e; - - } // end catch - } // end for: each needed input byte - - if( numBinaryBytes > 0 ) - { - encode3to4( b3, 0, numBinaryBytes, buffer, 0, options ); - position = 0; - numSigBytes = 4; - } // end if: got data - else - { - return -1; - } // end else - } // end if: encoding - - // Else decoding - else - { - byte[] b4 = new byte[4]; - int i = 0; - for( i = 0; i < 4; i++ ) - { - // Read four "meaningful" bytes: - int b = 0; - do{ b = in.read(); } - while( b >= 0 && decodabet[ b & 0x7f ] <= WHITE_SPACE_ENC ); - - if( b < 0 ) - break; // Reads a -1 if end of stream - - b4[i] = (byte)b; - } // end for: each needed input byte - - if( i == 4 ) - { - numSigBytes = decode4to3( b4, 0, buffer, 0, options ); - position = 0; - } // end if: got four characters - else if( i == 0 ){ - return -1; - } // end else if: also padded correctly - else - { - // Must have broken out from above. - throw new java.io.IOException( "Improperly padded Base64 input." ); - } // end - - } // end else: decode - } // end else: get data + if( position < 0 ) { + Integer data = encode ? encode() : decode(); + if (data != null) return data; + } // Got data? if( position >= 0 ) 
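Review bot: `Integer data = encode ? encode() : decode(); if (data != null) return data;` uses a boxed `Integer` as a three-way signal (-1 for end of stream, null for "buffer refilled, continue"), which is easy to misread and boxes on every call; a `boolean` helper returning whether data was buffered, with `read()` producing the -1 itself, e.g. `if (!(encode ? refillEncoding() : refillDecoding())) { return -1; }`, states the intent without the null sentinel. The helper names `encode()`/`decode()` inside `Base64.InputStream` (and `encode(int)`/`decode(int)` in `Base64.OutputStream`, patch 158) also shadow every unqualified call to the outer class's static `decode(...)` overloads (and `encode(...)`, if present) from within those inner classes; nothing in the visible hunks makes such a call, but any that exists elsewhere in the inner classes would no longer resolve, so distinct names avoid the trap.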
@@ -1379,6 +1308,77 @@ else if( i == 0 ){ } // end else } // end read + private Integer encode() throws java.io.IOException { + byte[] b3 = new byte[3]; + int numBinaryBytes = 0; + for( int i = 0; i < 3; i++ ) + { + try + { + int b = in.read(); + + // If end of stream, b is -1. + if( b >= 0 ) + { + b3[i] = (byte)b; + numBinaryBytes++; + } // end if: not end of stream + + } // end try: read + catch( java.io.IOException e ) + { + // Only a problem if we got no data at all. + if( i == 0 ) + throw e; + + } // end catch + } // end for: each needed input byte + + if( numBinaryBytes > 0 ) + { + encode3to4( b3, 0, numBinaryBytes, buffer, 0, options ); + position = 0; + numSigBytes = 4; + } // end if: got data + else + { + return -1; + } // end else + return null; + } + + private Integer decode() throws java.io.IOException { + byte[] b4 = new byte[4]; + int i = 0; + for( i = 0; i < 4; i++ ) + { + // Read four "meaningful" bytes: + int b = 0; + do{ b = in.read(); } + while( b >= 0 && decodabet[ b & 0x7f ] <= WHITE_SPACE_ENC ); + + if( b < 0 ) + break; // Reads a -1 if end of stream + + b4[i] = (byte)b; + } // end for: each needed input byte + + if( i == 4 ) + { + numSigBytes = decode4to3( b4, 0, buffer, 0, options ); + position = 0; + } // end if: got four characters + else if( i == 0 ){ + return -1; + } // end else if: also padded correctly + else + { + // Must have broken out from above. + throw new java.io.IOException( "Improperly padded Base64 input." ); + } // end + return null; + } + /** * Calls {@link #read()} repeatedly until the end of stream * is reached or len bytes are read. From 18951ce65b785c2baee00513179e5460f1eb5c73 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 19:48:12 +0200 Subject: [PATCH 158/172] Base64: write: refactor code --- .../java/org/owasp/esapi/codecs/Base64.java | 91 ++++++++++--------- 1 file changed, 48 insertions(+), 43 deletions(-) 
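Review bot: In the moved `decode()` helper, `decodabet[ b & 0x7f ]` masks the high bit before the table lookup, so a byte such as 0xC1 is looked up as 0x41 and accepted as a valid Base64 character rather than rejected; the same masking is carried over into `OutputStream.decode(int)` (patch 158) and `decode(byte[], int, int, int)` (patch 160). This is pre-existing behaviour, but since the refactor touches all three sites it is the moment to decide whether bytes above 0x7F should be rejected, e.g. `if (b > 0x7f) throw new java.io.IOException("Invalid character in Base64 data.");` before the lookup, or documented as deliberately aliased. Separately, the `catch` in `encode()` rethrows only when `i == 0`, so an `IOException` on the second or third byte is swallowed and the partial group is encoded as if the stream had ended cleanly; a comment stating that this truncation is intended, or an unconditional rethrow, would make the contract explicit.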
diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index 49e7b135c..361e89af7 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java +++ b/src/main/java/org/owasp/esapi/codecs/Base64.java @@ -3,6 +3,8 @@ import org.owasp.esapi.ESAPI; import org.owasp.esapi.Logger; +import java.io.IOException; + // CHECKME: Version at http://iharder.net/base64 is up to v2.3.3. Some semantic changes // starting with v2.3. Should we upgrade and then add ESAPI logging or stay at 2.2.2 base? // I think that really depends on how much OWASP ESAPI plans on tracking changes to this 
@@ -1498,55 +1500,58 @@ public OutputStream( java.io.OutputStream out, int options ) * @throws java.io.IOException * @since 1.3 */ - public void write(int theByte) throws java.io.IOException - { - // Encoding suspended? - if( suspendEncoding ) - { + public void write(int theByte) throws java.io.IOException { + if( suspendEncoding ) { super.out.write( theByte ); return; - } // end if: supsended + } - // Encode? - if( encode ) - { - buffer[ position++ ] = (byte)theByte; - if( position >= bufferLength ) // Enough to encode. - { - out.write( encode3to4( b4, buffer, bufferLength, options ) ); + if( encode ) { + encode(theByte); + } else { + decode(theByte); + } + } // end write - lineLength += 4; - if( breakLines && lineLength >= MAX_LINE_LENGTH ) - { - out.write( NEW_LINE ); - lineLength = 0; - } // end if: end of line + private void encode(int theByte) throws IOException { + buffer[ position++ ] = (byte) theByte; - position = 0; - } // end if: enough to output - } // end if: encoding + if (position < bufferLength) { + // not enough to encode. + return; + } - // Else, Decoding - else - { - // Meaningful Base64 character? - if( decodabet[ theByte & 0x7f ] > WHITE_SPACE_ENC ) - { - buffer[ position++ ] = (byte)theByte; - if( position >= bufferLength ) // Enough to output. - { - int len = Base64.decode4to3( buffer, 0, b4, 0, options ); - out.write( b4, 0, len ); - //out.write( Base64.decode4to3( buffer ) ); - position = 0; - } // end if: enough to output - } // end if: meaningful base64 character - else if( decodabet[ theByte & 0x7f ] != WHITE_SPACE_ENC ) - { - throw new java.io.IOException( "Invalid character in Base64 data." 
); - } // end else: not white space either - } // end else: decoding - } // end write + out.write( encode3to4( b4, buffer, bufferLength, options ) ); + + lineLength += 4; + if( breakLines && lineLength >= MAX_LINE_LENGTH ) { + out.write( NEW_LINE ); + lineLength = 0; + } + + position = 0; + } + + private void decode(int theByte) throws IOException { + // Meaningful Base64 character? + if(decodabet[ theByte & 0x7f ] < WHITE_SPACE_ENC) { + throw new IOException( "Invalid character in Base64 data." ); + } + + if (decodabet[theByte & 0x7f] == WHITE_SPACE_ENC) { + return; + } + + buffer[ position++ ] = (byte) theByte; + if (position < bufferLength) { + // not enough to output + return; + } + int len = Base64.decode4to3( buffer, 0, b4, 0, options ); + out.write( b4, 0, len ); + //out.write( Base64.decode4to3( buffer ) ); + position = 0; + } /** * Calls {@link #write(int)} repeatedly until len From 4e4da2f7289f54fd9e7bcfeee81e49b0b50d5288 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:03:42 +0200 Subject: [PATCH 159/172] Base64: flushBase64: refactor code --- .../java/org/owasp/esapi/codecs/Base64.java | 22 +++++++++---------- 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index 361e89af7..ce1ee794a 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java +++ b/src/main/java/org/owasp/esapi/codecs/Base64.java 
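Review bot: `decode(int)` looks up `decodabet[theByte & 0x7f]` twice; a local `byte d = decodabet[theByte & 0x7f];` used by both the `< WHITE_SPACE_ENC` throw and the `== WHITE_SPACE_ENC` return reads more clearly and makes the relation between the two checks obvious. The hunk also mixes `java.io.IOException` in the `write` signature with the newly imported short `IOException` in the helpers; picking one form keeps the file consistent. The moved `//out.write( Base64.decode4to3( buffer ) );` is commented-out code and could be dropped.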
@@ -1586,18 +1586,16 @@ public void write( byte[] theBytes, int off, int len ) throws java.io.IOExceptio */ public void flushBase64() throws java.io.IOException { - if( position > 0 ) - { - if( encode ) - { - out.write( encode3to4( b4, buffer, position, options ) ); - position = 0; - } // end if: encoding - else - { - throw new java.io.IOException( "Base64 input not properly padded." ); - } // end else: decoding - } // end if: buffer partially full + if (position <= 0) { + // buffer partially full + return; + } + if( encode ) { + out.write( encode3to4( b4, buffer, position, options ) ); + position = 0; + } else { + throw new java.io.IOException( "Base64 input not properly padded." ); + } } // end flush From b88c0e64ad01a219111db44946adc5a51f7a06fd Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:08:32 +0200 Subject: [PATCH 160/172] Base64: decode: refactor code --- .../java/org/owasp/esapi/codecs/Base64.java | 42 +++++++++---------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index ce1ee794a..99464f423 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java +++ b/src/main/java/org/owasp/esapi/codecs/Base64.java 
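Review bot: The new comment `// buffer partially full` sits on the early return for `position <= 0`, which is the case where nothing is buffered, so it states the inverse of the condition it annotates (the original comment belonged to the `if( position > 0 )` branch). `// nothing buffered: nothing to flush` describes the actual case. The trailing `} // end flush` on the closing brace also no longer matches the method name `flushBase64`.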
@@ -832,34 +832,32 @@ public static byte[] decode( byte[] source, int off, int len, int options ) int i = 0; byte sbiCrop = 0; byte sbiDecode = 0; - for( i = off; i < off+len; i++ ) - { + for (i = off; i < off+len; i++) { sbiCrop = (byte)(source[i] & 0x7f); // Only the low seven bits sbiDecode = DECODABET[ sbiCrop ]; - if( sbiDecode >= WHITE_SPACE_ENC ) // White space, Equals sign or better - { - if( sbiDecode >= EQUALS_SIGN_ENC ) - { - b4[ b4Posn++ ] = sbiCrop; - if( b4Posn > 3 ) - { - outBuffPosn += decode4to3( b4, 0, outBuff, outBuffPosn, options ); - b4Posn = 0; + if (sbiDecode < WHITE_SPACE_ENC) { + logger.error( Logger.SECURITY_FAILURE, "Bad Base64 input character at " + i + ": " + source[i] + "(decimal)" ); + return null; + } + + if (sbiDecode < EQUALS_SIGN_ENC) { + continue; + } - // If that was the equals sign, break out of 'for' loop - if( sbiCrop == EQUALS_SIGN ) - break; - } // end if: quartet built + b4[ b4Posn++ ] = sbiCrop; + if (b4Posn <= 3) { + continue; + } - } // end if: equals sign or better + outBuffPosn += decode4to3( b4, 0, outBuff, outBuffPosn, options ); + b4Posn = 0; + + // If that was the equals sign, break out of 'for' loop + if (sbiCrop == EQUALS_SIGN) { + break; + } - } // end if: white space, equals sign or better - else - { - logger.error( Logger.SECURITY_FAILURE, "Bad Base64 input character at " + i + ": " + source[i] + "(decimal)" ); - return null; - } // end else: } // each input character byte[] out = new byte[ outBuffPosn ]; From 8cdc97b42d4a32b2291841e2650d45e256f307d9 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:12:54 +0200 Subject: [PATCH 161/172] Base64: read: refactor code --- .../java/org/owasp/esapi/codecs/Base64.java | 51 +++++++++---------- 1 file changed, 23 insertions(+), 28 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java index 99464f423..00bae0c43 100644 --- a/src/main/java/org/owasp/esapi/codecs/Base64.java 
+++ b/src/main/java/org/owasp/esapi/codecs/Base64.java @@ -1273,39 +1273,34 @@ public int read() throws java.io.IOException } // Got data? - if( position >= 0 ) - { - // End of relevant data? - if( /*!encode &&*/ position >= numSigBytes ) - return -1; + if (position < 0) { + // When JDK1.4 is more accepted, use an assertion here. + throw new IOException( "Error in Base64 code reading stream." ); + } - if( encode && breakLines && lineLength >= MAX_LINE_LENGTH ) - { - lineLength = 0; - return '\n'; - } // end if - else - { - lineLength++; // This isn't important when decoding - // but throwing an extra "if" seems - // just as wasteful. + // End of relevant data? + if (/*!encode &&*/ position >= numSigBytes) { + return -1; + } - int b = buffer[ position++ ]; + if (encode && breakLines && lineLength >= MAX_LINE_LENGTH) { + lineLength = 0; + return '\n'; + } - if( position >= bufferLength ) - position = -1; + lineLength++; // This isn't important when decoding + // but throwing an extra "if" seems + // just as wasteful. - return b & 0xFF; // This is how you "cast" a byte that's - // intended to be unsigned. - } // end else - } // end if: position >= 0 + int b = buffer[ position++ ]; + + if (position >= bufferLength) { + position = -1; + } + + return b & 0xFF; // This is how you "cast" a byte that's + // intended to be unsigned. - // Else error - else - { - // When JDK1.4 is more accepted, use an assertion here. - throw new java.io.IOException( "Error in Base64 code reading stream." ); - } // end else } // end read private Integer encode() throws java.io.IOException { From 669e5a349ddc3a24a961ae39e7b88517dbc12ccf Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:21:21 +0200 Subject: [PATCH 162/172] JavaScriptCodec: use switch --- .../owasp/esapi/codecs/JavaScriptCodec.java | 34 +++++++------------ 1 file changed, 13 insertions(+), 21 deletions(-) 
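Review bot: The comment that moved with the guard, `// When JDK1.4 is more accepted, use an assertion here.`, is long stale; `position < 0` after the refill block is an internal invariant violation rather than an I/O failure, so rewording it to `// unreachable unless the refill above misbehaved: it either returned -1 or reset position` keeps the note accurate, optionally with an `assert position >= 0;` ahead of the existing throw. Switching the throw to `IllegalStateException` would be cleaner but changes what callers catch, so leaving `IOException` is reasonable. The added blank line before `} // end read` can go.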
diff --git a/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java b/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java index 39f2d6406..69efe91ac 100644 --- a/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java @@ -112,27 +112,19 @@ public Character decodeCharacter( PushbackSequence input ) { // \0 collides with the octal decoder and is non-standard // if ( second.charValue() == '0' ) { // return Character.valueOf( (char)0x00 ); - if (second == 'b' ) { - return 0x08; - } else if (second == 't' ) { - return 0x09; - } else if (second == 'n' ) { - return 0x0a; - } else if (second == 'v' ) { - return 0x0b; - } else if (second == 'f' ) { - return 0x0c; - } else if (second == 'r' ) { - return 0x0d; - } else if (second == '\"' ) { - return 0x22; - } else if (second == '\'' ) { - return 0x27; - } else if (second == '\\' ) { - return 0x5c; - - // look for \\xXX format - } else if ( Character.toLowerCase( second.charValue() ) == 'x' ) { + switch (second) { + case 'b': return 0x08; + case 't': return 0x09; + case 'n': return 0x0a; + case 'v': return 0x0b; + case 'f': return 0x0c; + case 'r': return 0x0d; + case '\"': return 0x22; + case '\'': return 0x27; + case '\\': return 0x5c; + } + + if ( Character.toLowerCase( second.charValue() ) == 'x' ) { // Search for exactly 2 hex digits following StringBuilder sb = new StringBuilder(); for ( int i=0; i<2; i++ ) { From 7c612566700dddb165f96994358166cb9b8a9388 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:24:50 +0200 Subject: [PATCH 163/172] MySQLCodec: use switch --- .../org/owasp/esapi/codecs/MySQLCodec.java | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java index c507b0362..45033c853 100644 --- a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java 
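Review bot: `switch (second)` switches on a boxed `Character`, so the unboxing is implicit and the statement throws NPE if `second` is null; the null check presumably precedes it outside the hunk, but `switch (second.charValue())` makes the unboxing visible at the point of use. The same applies to `switch (c)` in `MySQLCodec.encodeCharacterMySQL` (patch 163) and `switch (second)` in `decodeCharacterMySQL` (patch 164). The `\xXX` branch that follows could also become `case 'x': case 'X':` inside the same switch instead of a separate `if` on `Character.toLowerCase(...)`.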
+++ b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java @@ -174,19 +174,20 @@ private String encodeCharacterANSI( Character c ) { * Encoded Character */ private String encodeCharacterMySQL( Character c ) { - char ch = c.charValue(); - if ( ch == 0x00 ) return "\\0"; - if ( ch == 0x08 ) return "\\b"; - if ( ch == 0x09 ) return "\\t"; - if ( ch == 0x0a ) return "\\n"; - if ( ch == 0x0d ) return "\\r"; - if ( ch == 0x1a ) return "\\Z"; - if ( ch == 0x22 ) return "\\\""; - if ( ch == 0x25 ) return "\\%"; - if ( ch == 0x27 ) return "\\'"; - if ( ch == 0x5c ) return "\\\\"; - if ( ch == 0x5f ) return "\\_"; - return "\\" + c; + switch (c) { + case 0x00: return "\\0"; + case 0x08: return "\\b"; + case 0x09: return "\\t"; + case 0x0a: return "\\n"; + case 0x0d: return "\\r"; + case 0x1a: return "\\Z"; + case 0x22: return "\\\""; + case 0x25: return "\\%"; + case 0x27: return "\\'"; + case 0x5c: return "\\\\"; + case 0x5f: return "\\_"; + default: return "\\" + c; + } } /** From c7ecb76dafad3a36531d636a9028605333101659 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:27:34 +0200 Subject: [PATCH 164/172] MySQLCodec: use switch --- .../org/owasp/esapi/codecs/MySQLCodec.java | 37 +++++++------------ 1 file changed, 13 insertions(+), 24 deletions(-) diff --git a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java index 45033c853..12bbe3d9e 100644 --- a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java +++ b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java 
@@ -272,30 +272,19 @@ private Character decodeCharacterMySQL( PushbackSequence input ) { return null; } - if ( second.charValue() == '0' ) { - return Character.valueOf( (char)0x00 ); - } else if ( second.charValue() == 'b' ) { - return Character.valueOf( (char)0x08 ); - } else if ( second.charValue() == 't' ) { - return Character.valueOf( (char)0x09 ); - } else if ( second.charValue() == 'n' ) { - return Character.valueOf( (char)0x0a ); - } else if ( second.charValue() == 'r' ) { - return Character.valueOf( (char)0x0d ); - } else if ( second.charValue() == 'Z' ) { - return Character.valueOf( (char)0x1a ); - } else if ( second.charValue() == '\"' ) { - return Character.valueOf( (char)0x22 ); - } else if ( second.charValue() == '%' ) { - return Character.valueOf( (char)0x25 ); - } else if ( second.charValue() == '\'' ) { - return Character.valueOf( (char)0x27 ); - } else if ( second.charValue() == '\\' ) { - return Character.valueOf( (char)0x5c ); - } else if ( second.charValue() == '_' ) { - return Character.valueOf( (char)0x5f ); - } else { - return second; + switch (second) { + case '0': return (char) 0x00; + case 'b': return (char) 0x08; + case 't': return (char) 0x09; + case 'n': return (char) 0x0a; + case 'r': return (char) 0x0d; + case 'Z': return (char) 0x1a; + case '\"': return (char) 0x22; + case '%': return (char) 0x25; + case '\'': return (char) 0x27; + case '\\': return (char) 0x5c; + case '_': return (char) 0x5f; + default: return second; } } From 9567f59140f372822164de5c02d681e94c62f6ab Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:34:15 +0200 Subject: [PATCH 165/172] CryptoHelper: isCipherTextMACvalid: invert 'if' condition --- .../org/owasp/esapi/crypto/CryptoHelper.java | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java index a665449b5..018f3ff8d 100644 
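Review bot: The `(char) 0x00` casts on every case are stylistically inconsistent with the JavaScriptCodec hunk earlier in this series, which returns the bare `0x08` constants and relies on the same constant narrowing plus boxing; either form compiles, but the two decoders should use one convention. `default: return second;` silently drops the backslash before any unrecognised escape, which is existing behaviour but deserves a line of explanation, e.g. `default: return second; // MySQL ignores the backslash before any other character`. The `second == null` guard visible just above the switch is what makes the unboxing in `switch (second)` safe.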
--- a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java +++ b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java @@ -266,21 +266,22 @@ public static boolean isMACRequired(CipherText ct) { */ public static boolean isCipherTextMACvalid(SecretKey sk, CipherText ct) { - if ( CryptoHelper.isMACRequired( ct ) ) { - try { - KeyDerivationFunction kdf = new KeyDerivationFunction( ct.getKDF_PRF() ); - SecretKey authKey = kdf.computeDerivedKey(sk, ct.getKeySize(), "authenticity"); - boolean validMAC = ct.validateMAC( authKey ); - return validMAC; - } catch (Exception ex) { - // Error on side of security. If this fails and can't verify MAC - // assume it is invalid. Note that CipherText.toString() does not - // print the actual ciphertext. - logger.warning(Logger.SECURITY_FAILURE, "Unable to validate MAC for ciphertext " + ct, ex); - return false; - } + if (!CryptoHelper.isMACRequired(ct)) { + return true; + } + + try { + KeyDerivationFunction kdf = new KeyDerivationFunction( ct.getKDF_PRF() ); + SecretKey authKey = kdf.computeDerivedKey(sk, ct.getKeySize(), "authenticity"); + boolean validMAC = ct.validateMAC( authKey ); + return validMAC; + } catch (Exception ex) { + // Error on side of security. If this fails and can't verify MAC + // assume it is invalid. Note that CipherText.toString() does not + // print the actual ciphertext. + logger.warning(Logger.SECURITY_FAILURE, "Unable to validate MAC for ciphertext " + ct, ex); + return false; } - return true; } /** From d37245be75acb8d7cd8e4de2191915fee48191b3 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:38:50 +0200 Subject: [PATCH 166/172] EnforceHTTPSRule: use for loop --- .../owasp/esapi/waf/rules/EnforceHTTPSRule.java | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java b/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java index bd31562c3..69ccde416 100644 
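Review bot: The new early `return true` when `isMACRequired(ct)` is false carries no comment, and in a MAC-validation routine an unexplained "valid" answer is exactly the line a later reader will suspect; I would annotate it, e.g. `// No separate MAC for this cipher mode; nothing to validate here (see isMACRequired).` `isMACRequired` itself is outside the hunk, so which cipher modes take that path cannot be confirmed from here. The `validMAC` temporary is now redundant and `return ct.validateMAC(authKey);` reads more directly. The broad `catch (Exception ex)` stays fail-closed, which is the right direction for this method, and the existing comment already records that `CipherText.toString()` does not print the ciphertext.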
--- a/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java @@ -58,18 +58,14 @@ public Action check(HttpServletRequest request, if ( path.matcher(request.getRequestURI()).matches() ) { - Iterator it = exceptions.iterator(); + for (Object o : exceptions) { - while(it.hasNext()){ - - Object o = it.next(); - - if ( o instanceof String ) { - if ( ((String)o).equalsIgnoreCase(request.getRequestURI()) ) { + if (o instanceof String) { + if (((String) o).equalsIgnoreCase(request.getRequestURI())) { return new DoNothingAction(); } - } else if ( o instanceof Pattern ) { - if ( ((Pattern)o).matcher(request.getRequestURI()).matches() ) { + } else if (o instanceof Pattern) { + if (((Pattern) o).matcher(request.getRequestURI()).matches()) { return new DoNothingAction(); } } From 23e3eb7495ab2470338b82f6ceb571d46fe31fc6 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:40:49 +0200 Subject: [PATCH 167/172] EnforceHTTPSRule: check: refactor --- .../esapi/waf/rules/EnforceHTTPSRule.java | 43 ++++++++----------- 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java b/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java index 69ccde416..b852284c0 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/EnforceHTTPSRule.java 
@@ -54,38 +54,33 @@ public Action check(HttpServletRequest request, InterceptingHTTPServletResponse response, HttpServletResponse httpResponse) { - if ( ! request.isSecure() ) { - - if ( path.matcher(request.getRequestURI()).matches() ) { - - for (Object o : exceptions) { + if (request.isSecure() || !path.matcher(request.getRequestURI()).matches()) { + return new DoNothingAction(); + } - if (o instanceof String) { - if (((String) o).equalsIgnoreCase(request.getRequestURI())) { - return new DoNothingAction(); - } - } else if (o instanceof Pattern) { - if (((Pattern) o).matcher(request.getRequestURI()).matches()) { - return new DoNothingAction(); - } - } + for (Object o : exceptions) { + if (o instanceof String) { + if (((String) o).equalsIgnoreCase(request.getRequestURI())) { + return new DoNothingAction(); } - - log(request,"Insecure request to resource detected in URL: '" + request.getRequestURL() + "'"); - - if ( "redirect".equals(action) ) { - RedirectAction ra = new RedirectAction(); - ra.setRedirectURL(request.getRequestURL().toString().replaceFirst("http", "https")); - return ra; + } else if (o instanceof Pattern) { + if (((Pattern) o).matcher(request.getRequestURI()).matches()) { + return new DoNothingAction(); } + } + + } - return new DefaultAction(); + log(request,"Insecure request to resource detected in URL: '" + request.getRequestURL() + "'"); - } + if ( "redirect".equals(action) ) { + RedirectAction ra = new RedirectAction(); + ra.setRedirectURL(request.getRequestURL().toString().replaceFirst("http", "https")); + return ra; } - return new DoNothingAction(); + return new DefaultAction(); } } From 033e6c36fbaf8674092011590a59ae5dd9795ac2 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:43:53 +0200 Subject: [PATCH 168/172] HTTPMethodRule: check: invert 'if' condition --- .../owasp/esapi/waf/rules/HTTPMethodRule.java | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) 
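Review bot: The redirect target is still built with `replaceFirst("http", "https")` on `getRequestURL()`, which rewrites the first occurrence of the substring rather than the scheme; if the container ever reports a URL whose scheme is already `https` while `isSecure()` is false (a TLS-terminating proxy without the secure flag propagated), the result is `httpss://`. A scheme-aware rewrite is short: `String url = request.getRequestURL().toString();` / `if (url.startsWith("http://")) url = "https://" + url.substring("http://".length());`. Since `getRequestURL()` is usually derived from the Host header, the redirect host is also client-influenced, and a comment noting that the host should be pinned at the container or proxy level belongs next to the `RedirectAction`. The guard-clause rewrite itself preserves the original exception-then-redirect-then-default order.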
diff --git a/src/main/java/org/owasp/esapi/waf/rules/HTTPMethodRule.java b/src/main/java/org/owasp/esapi/waf/rules/HTTPMethodRule.java index 1c8e8e1dd..98f20b74b 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/HTTPMethodRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/HTTPMethodRule.java @@ -53,23 +53,23 @@ public Action check(HttpServletRequest request, String uri = request.getRequestURI(); String method = request.getMethod(); - if ( path == null || path.matcher(uri).matches() ) { - /* - * Order allow, deny. - */ - - if ( allowedMethods != null && allowedMethods.matcher(method).matches() ) { - return new DoNothingAction(); - } else if ( allowedMethods != null ) { - log(request,"Disallowed HTTP method '" + request.getMethod() + "' found for URL: " + request.getRequestURL()); - return new DefaultAction(); - } + if (path != null && !path.matcher(uri).matches()) { + return new DoNothingAction(); + } + /* + * Order allow, deny. + */ - if ( deniedMethods != null && deniedMethods.matcher(method).matches() ) { - log(request,"Disallowed HTTP method '" + request.getMethod() + "' found for URL: " + request.getRequestURL()); - return new DefaultAction(); - } + if ( allowedMethods != null && allowedMethods.matcher(method).matches() ) { + return new DoNothingAction(); + } else if ( allowedMethods != null ) { + log(request,"Disallowed HTTP method '" + request.getMethod() + "' found for URL: " + request.getRequestURL()); + return new DefaultAction(); + } + if ( deniedMethods != null && deniedMethods.matcher(method).matches() ) { + log(request,"Disallowed HTTP method '" + request.getMethod() + "' found for URL: " + request.getRequestURL()); + return new DefaultAction(); } return new DoNothingAction(); From 8e956c10461fcc812c1a123da01edd30a633b182 Mon Sep 17 00:00:00 2001 
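Review bot: With neither `allowedMethods` nor `deniedMethods` configured the rewritten `check` lets every method through silently, and nothing in the method says so; a comment on the final return, e.g. `return new DoNothingAction(); // no allow/deny list configured: every method passes`, would make that fail-open default visible to whoever writes the WAF policy. The two deny branches carry identical log-and-return code that could live in one small private helper so the message stays in a single place. The `Order allow, deny.` comment now sits after the guard with a stray blank line and reads better attached directly to the `allowedMethods` check.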
From: Dario Viva Date: Wed, 7 Aug 2024 20:56:52 +0200 Subject: [PATCH 169/172] MustMatchRule: check: refactor --- .../owasp/esapi/waf/rules/MustMatchRule.java | 388 ++++++++++-------- 1 file changed, 207 insertions(+), 181 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/MustMatchRule.java b/src/main/java/org/owasp/esapi/waf/rules/MustMatchRule.java index 9b0c42ff5..9c5306472 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/MustMatchRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/MustMatchRule.java 
@@ -64,273 +64,299 @@ public Action check(HttpServletRequest req, String uri = request.getRequestURI(); if ( ! path.matcher(uri).matches() ) { - return new DoNothingAction(); + } - } else { + /* + * First check if we're going to be dealing with request parameters + */ + if ( variable.startsWith( REQUEST_PARAMETERS ) ) { - String target = null; + Action x = dealWithRequestParameters(request); + if (x != null) return x; - /* - * First check if we're going to be dealing with request parameters - */ - if ( variable.startsWith( REQUEST_PARAMETERS ) ) { + } else if ( variable.startsWith( REQUEST_HEADERS ) ) { - if ( operator == AppGuardianConfiguration.OPERATOR_EXISTS ) { + Action x = dealWithRequestHeaders(request); + if (x != null) return x; - target = variable.substring(REQUEST_PARAMETERS.length()); + } else if ( variable.startsWith(SESSION_ATTRIBUTES) ) { - if ( request.getParameter(target) != null ) { - return new DoNothingAction(); - } + Action x = dealWithSessionAttributes(request); + if (x != null) return x; - } else if ( operator == AppGuardianConfiguration.OPERATOR_IN_LIST ) { + } else if ( variable.equals( REQUEST_URI ) ) { - /* - * This doesn't make sense. The variable to test is a request parameter - * but the rule is looking for a List. Let the control fall through - * to the bottom where we'll return false. - */ + Action x = dealWithRequestUri(request); + if (x != null) return x; - } else if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { + } else if ( variable.equals( REQUEST_URL ) ) { - /** - * Working with request parameters. If we detect - * simple regex characters, we treat it as a regex. - * Otherwise we treat it as a single parameter. 
- */ - target = variable.substring(REQUEST_PARAMETERS.length()); + Action x = dealWithRequestUrl(request); + if (x != null) return x; + } - if ( target.contains("*") || target.contains("?") ) { + log(request, "MustMatch rule failed close on URL '" + request.getRequestURL() + "'"); + return new DefaultAction(); - target = target.replaceAll("*", ".*"); - Pattern p = Pattern.compile(target); + } - Enumeration e = request.getParameterNames(); + private Action dealWithRequestParameters(InterceptingHTTPServletRequest request) { + String target; + if ( operator == AppGuardianConfiguration.OPERATOR_EXISTS ) { - while(e.hasMoreElements()) { - String param = (String)e.nextElement(); + target = variable.substring(REQUEST_PARAMETERS.length()); - if ( p.matcher(param).matches() ) { - String s = request.getParameter(param); - if ( ! RuleUtil.testValue(s, value, operator) ) { - log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "' parameter='"+param+"'"); - return new DefaultAction(); - } - } - } + if ( request.getParameter(target) != null ) { + return new DoNothingAction(); + } - } else { + } else if ( operator == AppGuardianConfiguration.OPERATOR_IN_LIST ) { - String s = request.getParameter(target); + /* + * This doesn't make sense. The variable to test is a request parameter + * but the rule is looking for a List. Let the control fall through + * to the bottom where we'll return false. + */ + + } else if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { + + /** + * Working with request parameters. If we detect + * simple regex characters, we treat it as a regex. + * Otherwise we treat it as a single parameter. 
+ */ + target = variable.substring(REQUEST_PARAMETERS.length()); + + if ( target.contains("*") || target.contains("?") ) { + target = target.replaceAll("*", ".*"); + Pattern p = Pattern.compile(target); + + Enumeration e = request.getParameterNames(); + + while(e.hasMoreElements()) { + String param = (String)e.nextElement(); + + if ( p.matcher(param).matches() ) { + String s = request.getParameter(param); if ( ! RuleUtil.testValue(s, value, operator) ) { - log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "', parameter='"+target+"'"); + log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "' parameter='"+param+"'"); return new DefaultAction(); } - } } - } else if ( variable.startsWith( REQUEST_HEADERS ) ) { - - /** - * Do the same for request headers. - */ + } else { - if ( operator == AppGuardianConfiguration.OPERATOR_EXISTS ) { + String s = request.getParameter(target); - target = variable.substring(REQUEST_HEADERS.length()); + if ( ! RuleUtil.testValue(s, value, operator) ) { + log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "', parameter='"+target+"'"); + return new DefaultAction(); + } - if ( request.getHeader(target) != null ) { - return new DoNothingAction(); - } + } + } + return null; + } - } else if ( operator == AppGuardianConfiguration.OPERATOR_IN_LIST ) { + private Action dealWithRequestHeaders(InterceptingHTTPServletRequest request) { + String target; + /** + * Do the same for request headers. + */ - /* - * This doesn't make sense. The variable to test is a request header - * but the rule is looking for a List. Let the control fall through - * to the bottom where we'll return false. 
- */ + if ( operator == AppGuardianConfiguration.OPERATOR_EXISTS ) { - } else if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { + target = variable.substring(REQUEST_HEADERS.length()); - target = variable.substring(REQUEST_HEADERS.length()); + if ( request.getHeader(target) != null ) { + return new DoNothingAction(); + } - if ( target.contains("*") || target.contains("?") ) { + } else if ( operator == AppGuardianConfiguration.OPERATOR_IN_LIST ) { - target = target.replaceAll("*", ".*"); - Pattern p = Pattern.compile(target); + /* + * This doesn't make sense. The variable to test is a request header + * but the rule is looking for a List. Let the control fall through + * to the bottom where we'll return false. + */ - Enumeration e = request.getHeaderNames(); + } else if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { - while(e.hasMoreElements()) { - String header = (String)e.nextElement(); - if ( p.matcher(header).matches() ) { - String s = request.getHeader(header); - if ( ! RuleUtil.testValue(s, value, operator) ) { - log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "', header='"+header+"'"); - return new DefaultAction(); - } - } - } + target = variable.substring(REQUEST_HEADERS.length()); - return new DoNothingAction(); + if ( target.contains("*") || target.contains("?") ) { - } else { + target = target.replaceAll("*", ".*"); + Pattern p = Pattern.compile(target); - String s = request.getHeader(target); + Enumeration e = request.getHeaderNames(); - if ( s == null || ! 
RuleUtil.testValue(s, value, operator) ) { - log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "', header='"+target+"'"); + while(e.hasMoreElements()) { + String header = (String)e.nextElement(); + if ( p.matcher(header).matches() ) { + String s = request.getHeader(header); + if ( ! RuleUtil.testValue(s, value, operator) ) { + log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "', header='"+header+"'"); return new DefaultAction(); } - - return new DoNothingAction(); - } - } - } else if ( variable.startsWith(SESSION_ATTRIBUTES) ) { + return new DoNothingAction(); + + } else { + + String s = request.getHeader(target); - /** - * Do the same for session attributes. Can't possibly match - * ANY rule if there is no session object. - */ - if ( request.getSession(false) == null ) { + if ( s == null || ! RuleUtil.testValue(s, value, operator) ) { + log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', input='" + s + "', header='"+target+"'"); return new DefaultAction(); } - target = variable.substring(SESSION_ATTRIBUTES.length()+1); + return new DoNothingAction(); - if ( operator == AppGuardianConfiguration.OPERATOR_IN_LIST ) { + } - /* - * Want to check if the List/Enumeration/whatever stored - * in "target" contains the value in "value". - */ + } + return null; + } - Object o = request.getSession(false).getAttribute(target); + private Action dealWithSessionAttributes(InterceptingHTTPServletRequest request) { + String target; + /** + * Do the same for session attributes. Can't possibly match + * ANY rule if there is no session object. 
+ */ + if ( request.getSession(false) == null ) { + return new DefaultAction(); + } - if ( o instanceof Collection ) { - if ( RuleUtil.isInList((Collection)o, value) ) { - return new DoNothingAction(); - } else { - log(request, "MustMatch rule failed - looking for value='" + value + "', in session Collection attribute '" + target + "']"); - return new DefaultAction(); - } - } else if ( o instanceof Map ) { - if ( RuleUtil.isInList((Map)o, value) ) { - return new DoNothingAction(); - } else { - log(request, "MustMatch rule failed - looking for value='" + value + "', in session Map attribute '" + target + "']"); - return new DefaultAction(); - } - } else if ( o instanceof Enumeration ) { - if ( RuleUtil.isInList((Enumeration)o, value) ) { - return new DoNothingAction(); - } else { - log(request, "MustMatch rule failed - looking for value='" + value + "', in session Enumeration attribute '" + target + "']"); - return new DefaultAction(); - } - } + target = variable.substring(SESSION_ATTRIBUTES.length()+1); - /* - * The attribute was not a common list-type of Java object s - * let the control fall through to the bottom where it will - * fail. - */ + if ( operator == AppGuardianConfiguration.OPERATOR_IN_LIST ) { - } else if ( operator == AppGuardianConfiguration.OPERATOR_EXISTS) { + /* + * Want to check if the List/Enumeration/whatever stored + * in "target" contains the value in "value". 
+ */ - Object o = request.getSession(false).getAttribute(target); + Object o = request.getSession(false).getAttribute(target); - if ( o != null ) { - return new DoNothingAction(); - } else { - log(request, "MustMatch rule failed - couldn't find required session attribute='" + target + "'"); - return new DefaultAction(); - } + if ( o instanceof Collection ) { + if ( RuleUtil.isInList((Collection)o, value) ) { + return new DoNothingAction(); + } else { + log(request, "MustMatch rule failed - looking for value='" + value + "', in session Collection attribute '" + target + "']"); + return new DefaultAction(); + } + } else if ( o instanceof Map ) { + if ( RuleUtil.isInList((Map)o, value) ) { + return new DoNothingAction(); + } else { + log(request, "MustMatch rule failed - looking for value='" + value + "', in session Map attribute '" + target + "']"); + return new DefaultAction(); + } + } else if ( o instanceof Enumeration ) { + if ( RuleUtil.isInList((Enumeration)o, value) ) { + return new DoNothingAction(); + } else { + log(request, "MustMatch rule failed - looking for value='" + value + "', in session Enumeration attribute '" + target + "']"); + return new DefaultAction(); + } + } - } else if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { + /* + * The attribute was not a common list-type of Java object s + * let the control fall through to the bottom where it will + * fail. 
+ */ + + } else if ( operator == AppGuardianConfiguration.OPERATOR_EXISTS) { - if ( target.contains("*") || target.contains("?") ) { + Object o = request.getSession(false).getAttribute(target); - target = target.replaceAll("\\*", ".*"); - Pattern p = Pattern.compile(target); + if ( o != null ) { + return new DoNothingAction(); + } else { + log(request, "MustMatch rule failed - couldn't find required session attribute='" + target + "'"); + return new DefaultAction(); + } - Enumeration e = request.getSession(false).getAttributeNames(); + } else if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { - while(e.hasMoreElements()) { + if ( target.contains("*") || target.contains("?") ) { - String attr = (String)e.nextElement(); + target = target.replaceAll("\\*", ".*"); + Pattern p = Pattern.compile(target); - if (p.matcher(attr).matches() ) { + Enumeration e = request.getSession(false).getAttributeNames(); - Object o = request.getSession(false).getAttribute(attr); + while(e.hasMoreElements()) { - if ( ! RuleUtil.testValue((String)o, value, operator) ) { - log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', session attribute='" + attr + "', attribute value='"+(String)o+"'"); - return new DefaultAction(); - } else { - return new DoNothingAction(); - } - } - } + String attr = (String)e.nextElement(); - } else { + if (p.matcher(attr).matches() ) { - Object o = request.getSession(false).getAttribute(target); + Object o = request.getSession(false).getAttribute(attr); if ( ! 
RuleUtil.testValue((String)o, value, operator) ) { - log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', session attribute='" + target + "', attribute value='"+(String)o+"'"); + log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', session attribute='" + attr + "', attribute value='"+(String)o+"'"); return new DefaultAction(); } else { return new DoNothingAction(); } - - } - - } - - } else if ( variable.equals( REQUEST_URI ) ) { - - if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { - if ( RuleUtil.testValue(request.getRequestURI(), value, operator) ) { - return new DoNothingAction(); - } else { - log(request, "MustMatch rule on request URI failed (operator="+operator+"), requestURI='" + request.getRequestURI() + "', value='" + value+ "'"); - return new DefaultAction(); } } - /* - * Any other operator doesn't make sense. - */ + } else { - } else if ( variable.equals( REQUEST_URL ) ) { + Object o = request.getSession(false).getAttribute(target); - if ( operator == AppGuardianConfiguration.OPERATOR_EQ || operator == AppGuardianConfiguration.OPERATOR_CONTAINS ) { - if ( RuleUtil.testValue(request.getRequestURL().toString(), value, operator) ) { - return new DoNothingAction(); - } else { - log(request, "MustMatch rule on request URL failed (operator="+operator+"), requestURL='" + request.getRequestURL() + "', value='" + value+ "'"); - return new DefaultAction(); - } + if ( ! RuleUtil.testValue((String)o, value, operator) ) { + log(request, "MustMatch rule failed (operator="+operator+"), value='" + value + "', session attribute='" + target + "', attribute value='"+(String)o+"'"); + return new DefaultAction(); + } else { + return new DoNothingAction(); } - /* - * Any other operator doesn't make sense. 
- */ } } + return null; + } - log(request, "MustMatch rule failed close on URL '" + request.getRequestURL() + "'"); - return new DefaultAction(); + private Action dealWithRequestUri(InterceptingHTTPServletRequest request) { + if (operator != AppGuardianConfiguration.OPERATOR_EQ && operator != AppGuardianConfiguration.OPERATOR_CONTAINS) { + /* + * Any other operator doesn't make sense. + */ + return null; + } + if ( RuleUtil.testValue(request.getRequestURI(), value, operator) ) { + return new DoNothingAction(); + } else { + log(request, "MustMatch rule on request URI failed (operator="+operator+"), requestURI='" + request.getRequestURI() + "', value='" + value+ "'"); + return new DefaultAction(); + } } + private Action dealWithRequestUrl(InterceptingHTTPServletRequest request) { + if (operator != AppGuardianConfiguration.OPERATOR_EQ && operator != AppGuardianConfiguration.OPERATOR_CONTAINS) { + /* + * Any other operator doesn't make sense. + */ + return null; + } + + if ( RuleUtil.testValue(request.getRequestURL().toString(), value, operator) ) { + return new DoNothingAction(); + } else { + log(request, "MustMatch rule on request URL failed (operator="+operator+"), requestURL='" + request.getRequestURL() + "', value='" + value+ "'"); + return new DefaultAction(); + } + } } From e88ef178f11d40ec648a8176e36a552efb30539a Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:58:06 +0200 Subject: [PATCH 170/172] RuleUtil: replace for with while --- src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java b/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java index 461ace279..ce09c2c14 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java +++ b/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java 
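Review bot: `target.replaceAll("*", ".*")` in both `dealWithRequestParameters` and `dealWithRequestHeaders` passes a bare `*` as a regex, which `Pattern.compile` rejects with a PatternSyntaxException (dangling meta character), so any wildcard parameter or header rule throws instead of matching; `dealWithSessionAttributes` already uses the correct `target.replaceAll("\\*", ".*")` and the other two should match it. `dealWithRequestParameters` also never returns a `DoNothingAction` for the EQ/CONTAINS cases: after the wildcard loop and after a passing non-wildcard `testValue` it falls to `return null`, so `check` logs "MustMatch rule failed close" and returns `DefaultAction` even when the parameter matched, whereas the header helper returns `new DoNothingAction()` at the same two points. Both look inherited from the old code, but the refactor carries them onto the new side. Using `null` as the sentinel for "fall through to fail-closed" deserves a one-line comment on each helper, and `check` itself starts outside this hunk.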
@@ -90,7 +90,7 @@ public static boolean isInList(Collection c, String s) { */ public static boolean isInList(Enumeration en, String s) { - for(; en.hasMoreElements();) { + while (en.hasMoreElements()) { Object o = en.nextElement(); From 8d0c4eb4747268da79c1592e06c35a94eecd46ee Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 20:59:06 +0200 Subject: [PATCH 171/172] RuleUtil: replace while with for --- .../org/owasp/esapi/waf/rules/RuleUtil.java | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java b/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java index ce09c2c14..7d4d930eb 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java +++ b/src/main/java/org/owasp/esapi/waf/rules/RuleUtil.java 
@@ -43,41 +43,40 @@ public static boolean isInList(Map m, String s) { public static boolean isInList(Collection c, String s) { - Iterator it = c.iterator(); + for (Object o : c) { - while(it.hasNext()) { + if (o instanceof String) { - Object o = it.next(); - - if ( o instanceof String ) { - - if ( s.equals((String)o)) { + if (s.equals((String) o)) { return true; } - } else if ( o instanceof Integer ) { + } else if (o instanceof Integer) { try { - if ( Integer.parseInt(s) == ((Integer)o).intValue() ) { + if (Integer.parseInt(s) == ((Integer) o).intValue()) { return true; } - } catch (Exception e) {} + } catch (Exception e) { + } - } else if ( o instanceof Long ) { + } else if (o instanceof Long) { try { - if ( Long.parseLong(s) == ((Long)o).longValue() ) { + if (Long.parseLong(s) == ((Long) o).longValue()) { return true; } - } catch (Exception e) {} + } catch (Exception e) { + } - } else if ( o instanceof Double ) { + } else if (o instanceof Double) { try { - if ( Double.compare(Double.parseDouble(s), ((Double)o).doubleValue()) == 0 ) { + if (Double.compare(Double.parseDouble(s), ((Double) o).doubleValue()) == 0) { return true; } - } catch (Exception e) {} + } catch (Exception e) { + } } } From 8a95734f3b504c3a5ab77543b3994c55c5e5c1b0 Mon Sep 17 00:00:00 2001 From: Dario Viva Date: Wed, 7 Aug 2024 21:01:02 +0200 Subject: [PATCH 172/172] SimpleVirtualPatchRule: remove redundant else --- .../waf/rules/SimpleVirtualPatchRule.java | 111 +++++++++--------- 1 file changed, 54 insertions(+), 57 deletions(-) diff --git a/src/main/java/org/owasp/esapi/waf/rules/SimpleVirtualPatchRule.java b/src/main/java/org/owasp/esapi/waf/rules/SimpleVirtualPatchRule.java index 44c8e181b..8e6c53854 100644 --- a/src/main/java/org/owasp/esapi/waf/rules/SimpleVirtualPatchRule.java +++ b/src/main/java/org/owasp/esapi/waf/rules/SimpleVirtualPatchRule.java 
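Review bot: The three `catch (Exception e) { }` blocks in the rewritten loop still swallow everything, although the only expected failure is the `NumberFormatException` from `parseInt`/`parseLong`/`parseDouble`; narrowing them to `} catch (NumberFormatException ignored) { // s is not numeric, so it cannot match this element }` keeps the intent and stops hiding unrelated errors. `s` is re-parsed for every numeric element, so a large collection of Integers parses the same string once per entry; parsing once before the loop is the obvious fix. `s.equals((String) o)` also throws NPE when `s` is null, and a null guard at the top of the method would make the helper safe for every caller, which the raw `Collection` signature cannot otherwise promise.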
@@ -61,77 +61,74 @@ public Action check(HttpServletRequest req,
 return new DoNothingAction();
- } else {
-
- /*
- * Decide which parameters/headers to act on.
- */
- String target = null;
- Enumeration en = null;
- boolean parameter = true;
+ }
- if ( variable.startsWith(REQUEST_PARAMETERS)) {
+ /*
+ * Decide which parameters/headers to act on.
+ */
+ String target = null;
+ Enumeration en = null;
+ boolean parameter = true;
- target = variable.substring(REQUEST_PARAMETERS.length());
- en = request.getParameterNames();
+ if ( variable.startsWith(REQUEST_PARAMETERS)) {
- } else if ( variable.startsWith(REQUEST_HEADERS) ) {
+ target = variable.substring(REQUEST_PARAMETERS.length());
+ en = request.getParameterNames();
- parameter = false;
- target = variable.substring(REQUEST_HEADERS.length());
- en = request.getHeaderNames();
+ } else if ( variable.startsWith(REQUEST_HEADERS) ) {
- } else {
- log(request, "Patch failed (improperly configured variable '" + variable + "')");
- return new DefaultAction();
- }
+ parameter = false;
+ target = variable.substring(REQUEST_HEADERS.length());
+ en = request.getHeaderNames();
- /*
- * If it contains a regex character, it's a regex. Loop through elements and grab any matches.
- */
- if ( target.contains("*") || target.contains("?") ) {
-
- target = target.replaceAll("\\*", ".*");
- Pattern p = Pattern.compile(target);
- while (en.hasMoreElements() ) {
- String s = (String)en.nextElement();
- String value = null;
- if ( p.matcher(s).matches() ) {
- if ( parameter ) {
- value = request.getDictionaryParameter(s);
- } else {
- value = request.getHeader(s);
- }
- if ( value != null && ! valid.matcher(value).matches() ) {
- log(request, "Virtual patch tripped on variable '" + variable + "' (specifically '" + s + "'). User input was '" + value + "' and legal pattern was '" + valid.pattern() + "': " + message);
- return new DefaultAction();
- }
- }
- }
-
- return new DoNothingAction();
-
- } else {
+ } else {
+ log(request, "Patch failed (improperly configured variable '" + variable + "')");
+ return new DefaultAction();
+ }
- if ( parameter ) {
- String value = request.getDictionaryParameter(target);
- if ( value == null || valid.matcher(value).matches() ) {
- return new DoNothingAction();
+ /*
+ * If it contains a regex character, it's a regex. Loop through elements and grab any matches.
+ */
+ if ( target.contains("*") || target.contains("?") ) {
+
+ target = target.replaceAll("\\*", ".*");
+ Pattern p = Pattern.compile(target);
+ while (en.hasMoreElements() ) {
+ String s = (String)en.nextElement();
+ String value = null;
+ if ( p.matcher(s).matches() ) {
+ if ( parameter ) {
+ value = request.getDictionaryParameter(s);
 } else {
- log(request, "Virtual patch tripped on parameter '" + target + "'. User input was '" + value + "' and legal pattern was '" + valid.pattern() + "': " + message);
- return new DefaultAction();
+ value = request.getHeader(s);
 }
- } else {
- String value = request.getHeader(target);
- if ( value == null || valid.matcher(value).matches() ) {
- return new DoNothingAction();
- } else {
- log(request, "Virtual patch tripped on header '" + target + "'. User input was '" + value + "' and legal pattern was '" + valid.pattern() + "': " + message);
+ if ( value != null && ! valid.matcher(value).matches() ) {
+ log(request, "Virtual patch tripped on variable '" + variable + "' (specifically '" + s + "'). User input was '" + value + "' and legal pattern was '" + valid.pattern() + "': " + message);
 return new DefaultAction();
 }
 }
 }
+ return new DoNothingAction();
+
+ }
+
+ if ( parameter ) {
+ String value = request.getDictionaryParameter(target);
+ if ( value == null || valid.matcher(value).matches() ) {
+ return new DoNothingAction();
+ } else {
+ log(request, "Virtual patch tripped on parameter '" + target + "'. User input was '" + value + "' and legal pattern was '" + valid.pattern() + "': " + message);
+ return new DefaultAction();
+ }
+ } else {
+ String value = request.getHeader(target);
+ if ( value == null || valid.matcher(value).matches() ) {
+ return new DoNothingAction();
+ } else {
+ log(request, "Virtual patch tripped on header '" + target + "'. User input was '" + value + "' and legal pattern was '" + valid.pattern() + "': " + message);
+ return new DefaultAction();
+ }
 }
 }
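Review bot: In the three `log(request, …)` calls on the new side, `value` (and, in the wildcard branch, `s`, the matched parameter or header name) come straight from the request and are concatenated unmodified into the log message; unless `log(request, …)` neutralizes line breaks further down, request data containing CR/LF can forge additional log records, and a long or sensitive header value is written out in full. Neutralize and bound the untrusted text once before it reaches the message, e.g. `String shown = value.replaceAll("[\\r\\n]", "_");` and log `shown` in place of `value` (the same for `s`), keeping the existing message wording. Separately, `Pattern.compile(target)` runs on every request although `target` is derived only from the configured `variable`, so the pattern could be compiled once when the rule is built. The enclosing `check` method starts before this hunk.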