esapi-java-legacy

Determine way to deal with OS specific path names in ESAPI.properties

Open kwwall opened this issue 7 years ago • 1 comments

There are at least these 2 properties in the ESAPI.properties file that are OS-specific path names:

# Default file upload location (remember to escape backslashes with \\)
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
HttpUtilities.UploadTempDir=C:\\temp

(There are also these specific properties, but their defaults have been removed:

Executor.WorkingDirectory=
Executor.ApprovedExecutables=

as they generally refer to full path names, but must be explicitly set if they need to be used.)

Ideally, ESAPI should determine the OS at runtime using the System property os.name and then use that to construct appropriate path names. That would allow us to choose an ESAPI property for Windows and for *nix / MacOS and choose the appropriate one at runtime.

For example, rather than:

HttpUtilities.UploadTempDir=C:\\temp

we might use:

HttpUtilities.UploadTempDir.windows=C:\\temp
HttpUtilities.UploadTempDir.unix=/tmp

and from that, choose the appropriate HttpUtilities.UploadTempDir at runtime, but it would allow ESAPI to still provide reasonable default settings for each.

kwwall avatar Jan 27 '19 02:01 kwwall

I am concerned about whether this is something we should provide.

It feels like the reason we would make this change would be to allow ESAPI to run a single configuration on multiple OS instances. I believe that this is already provided by the configuration files offered by ESAPI.

I feel this is the reason for configuration.

At most, I would see potentially maintaining separate test-scope ESAPI.properties for each OS and allow the individual running the system to choose the appropriate one.

In the case of the File path references, we can help users identify issues sooner by adding configuration checks in the SecurityConfiguration to fail faster.

    /**
     * {@inheritDoc}
     */
    public File getUploadDirectory() {
        String dir = getESAPIProperty( UPLOAD_DIRECTORY, "UploadDir");
        File uploadDir = new File( dir );
        if (!uploadDir.exists()) {
            //Perhaps make a new property to 'createOnMissing'?
            // Each message has two %s placeholders: the property name and its configured value.
            throw new ConfigurationException(String.format("Upload Directory Location does not exist on the filesystem:  %s = %s", UPLOAD_DIRECTORY, dir));
        } else if (!uploadDir.isDirectory()) {
            throw new ConfigurationException(String.format("Configured Upload Directory is not a directory:  %s = %s", UPLOAD_DIRECTORY, dir));
        }
        return uploadDir;
    }

jeremiahjstacey avatar Jan 27 '19 11:01 jeremiahjstacey
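
The two ideas in this thread combined, as an added example that is not ESAPI code and was not posted by either participant: pick the `.windows` / `.unix` variant of a property from `os.name`, then fail fast if the resolved path is unusable. The class `OsPathProperty` and its methods are hypothetical, the suffixes are the ones proposed in the issue rather than an existing ESAPI feature, and `IllegalStateException` stands in for ESAPI's `ConfigurationException` so the block compiles on its own.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.util.Locale;
import java.util.Properties;

// Hypothetical helper for illustration; not an ESAPI class.
public class OsPathProperty {

    // Map os.name to the suffixes proposed in the issue (".windows" / ".unix").
    static String osSuffix(String osName) {
        return osName.toLowerCase(Locale.ROOT).startsWith("windows") ? "windows" : "unix";
    }

    // Prefer "<key>.<suffix>"; fall back to the plain key so existing files still work.
    static String resolve(Properties props, String key, String osName) {
        String value = props.getProperty(key + "." + osSuffix(osName));
        if (value == null) {
            value = props.getProperty(key);
        }
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("No path configured for " + key);
        }
        return value.trim();
    }

    // Fail fast: reject a path that is missing or is not a directory.
    static File requireDirectory(String key, String path) {
        File dir = new File(path);
        if (!dir.exists()) {
            throw new IllegalStateException(String.format("%s = %s does not exist", key, path));
        }
        if (!dir.isDirectory()) {
            throw new IllegalStateException(String.format("%s = %s is not a directory", key, path));
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample in ESAPI.properties syntax (backslashes escaped).
        String sample = "HttpUtilities.UploadTempDir.windows=C:\\\\temp\n"
                      + "HttpUtilities.UploadTempDir.unix=/tmp\n";
        Properties props = new Properties();
        props.load(new StringReader(sample));
        String key = "HttpUtilities.UploadTempDir";
        String path = resolve(props, key, System.getProperty("os.name"));
        System.out.println(key + " -> " + requireDirectory(key, path));
    }
}
```

On a host where the selected default does not exist (for example a Windows machine without `C:\temp`), the run ends with the exception naming the property and path, which is the early failure the comment above argues for.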