
ESAPI.properties file not being built / deployed as part of production downloads

Open meg23 opened this issue 11 years ago • 6 comments

From [email protected] on October 22, 2013 13:04:40

The 'configuration/esapi/ESAPI.properties' file and all other files under the 'configuration/esapi' directory are missing from the ESAPI production builds. (E.g., it is missing from the 2.1.0 release.)

This is causing some to use the ESAPI.properties file found in 'src/test/resources/esapi/ESAPI.properties' which has some (intentionally) insecure additional property values (e.g., Encryptor.cipher_modes.additional_allowed=CBC,ECB -- ECB mode is normally not there). It also increases the likelihood that developers are using the test versions of Encryptor.MasterKey and Encryptor.MasterSalt property values.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=309

meg23 avatar Nov 13 '14 18:11 meg23
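The report above describes two ways the test-only ESAPI.properties leaks into production: ECB added to Encryptor.cipher_modes.additional_allowed, and the test Encryptor.MasterKey / Encryptor.MasterSalt values shipped unchanged. The following checker is an added example (not code from the ESAPI project or from the thread); it parses a Java .properties file and reports both problems. The KNOWN_TEST_SECRETS entries and the SAMPLE_* inputs are constructed placeholders, not the real values from src/test/resources, and should be replaced with the strings from the release actually in use.

```python
"""Lint an ESAPI.properties file for settings that belong only to the test configuration.

Added example, not part of ESAPI. Parses the java.util.Properties format well
enough for ESAPI.properties (comments, key=value / key:value, backslash line
continuations) and flags ECB in the allowed cipher modes and a missing or
known-test MasterKey / MasterSalt.
"""
import re
import sys

# Constructed placeholders (assumption): replace with the MasterKey/MasterSalt
# strings found in src/test/resources/esapi/ESAPI.properties of your release.
KNOWN_TEST_SECRETS = {
    "TEST-MASTER-KEY-PLACEHOLDER",
    "TEST-MASTER-SALT-PLACEHOLDER",
}

_KV_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Return {key: value} for a .properties document.

    Handles '#' and '!' comment lines and joins lines ending in a single
    backslash with the next line (leading whitespace of the continuation
    dropped, as java.util.Properties does). Escapes inside keys are not
    handled; ESAPI.properties does not use them.
    """
    logical_lines = []
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        pending = pending + line if pending else line
        # A trailing single backslash continues the logical line; a doubled
        # backslash is an escaped backslash and ends it.
        if pending.endswith("\\") and not pending.endswith("\\\\"):
            pending = pending[:-1]
            continue
        logical_lines.append(pending)
        pending = ""
    if pending:
        logical_lines.append(pending)

    props = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        m = _KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return a list of human-readable findings; empty means nothing test-only was seen."""
    findings = []
    modes = props.get("Encryptor.cipher_modes.additional_allowed", "")
    allowed = [m.strip().upper() for m in modes.split(",") if m.strip()]
    if "ECB" in allowed:
        findings.append(
            "Encryptor.cipher_modes.additional_allowed permits ECB (test-only setting)")
    for key in ("Encryptor.MasterKey", "Encryptor.MasterSalt"):
        value = props.get(key, "")
        if not value:
            findings.append(f"{key} is not set")
        elif value in KNOWN_TEST_SECRETS:
            findings.append(f"{key} matches a known test value; generate a fresh one")
    return findings


# Constructed sample modelled on the test configuration described in the issue.
SAMPLE_TEST_PROPS = """\
# test-style configuration (constructed)
Encryptor.cipher_modes.additional_allowed=CBC,ECB
Encryptor.MasterKey=TEST-MASTER-KEY-PLACEHOLDER
Encryptor.MasterSalt=TEST-MASTER-SALT-PLACEHOLDER
"""

# Constructed sample of a production-style configuration.
SAMPLE_PROD_PROPS = """\
# production-style configuration (constructed)
Encryptor.cipher_modes.additional_allowed=\\
    CBC
Encryptor.MasterKey=c0nstructed/Prod+Key/Value==
Encryptor.MasterSalt=c0nstructed/Prod+Salt/Value==
"""


if __name__ == "__main__":
    # Usage: python esapi_props_lint.py [path/to/ESAPI.properties]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TEST_PROPS
    for finding in audit(parse_properties(text)) or ["no test-only settings found"]:
        print(finding)
```

Run it against the ESAPI.properties that actually ends up on the classpath of the deployed application, not the one in the source tree, since the whole point of the issue is that the two can differ.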

From [email protected] on May 20, 2014 01:43:47

Agreed.

I started using the test properties file, until during setup I realised it definitely needed production tweaks before use.

Are these production files available anywhere else?

Many thanks for the product guys.

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on May 20, 2014 02:17:22

I also can't seem to see the files here:
https://owasp-esapi-java.googlecode.com/svn/tags/esapi-2.1.0/src/main/
https://owasp-esapi-java.googlecode.com/svn/branches/2.1/
Not sure if I am looking in the right area, but it seems that the production files are not even committed to version control?

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on May 20, 2014 21:47:02

You can find the latest configuration files under 'trunk/configuration/esapi'. If you want to use SVN from the command line,

    svn checkout https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi esapi-config-files

should work. If you want to directly browse for them, start here: https://code.google.com/p/owasp-esapi-java/source/browse/#svn%2Ftrunk%2Fconfiguration%2Fesapi

Hope that helps. And if you know how to fix this issue, I'm all ears.
-kevin wall

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on May 20, 2014 22:27:52

Hi Kevin

Many thanks for the reply and info, will go and check it out right now.

Thanks again.

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on July 17, 2014 17:13:33

Pretty sure you can fix this by updating your dist.xml file under src/main/assembly. Currently you're looking for configuration/.esapi instead of configuration/esapi like it is in source.

    <fileSet>
      <directory>configuration</directory>
      <outputDirectory>configuration</outputDirectory>
      <includes>
        <include>.esapi/**/*</include>
        <include>log4j.dtd</include>
        <include>log4j.xml</include>
        <include>properties/**/*</include>
      </includes>
    </fileSet>

meg23 avatar Nov 13 '14 18:11 meg23

As near as I can tell, this seems to be a duplicate of issue #341 and if not, I think commit 068cecb fixes this issue as well.

Short of actually deploying a new production release to Maven Central, is there a way that I can test this via a Maven command line? E.g., some mvn goal that would create these artifacts that I can inspect?

kwwall avatar Dec 27 '18 19:12 kwwall