
Need to clean up logging related code in ESAPI's WAF

Open kwwall opened this issue 4 years ago • 0 comments

Way back when (perhaps ESAPI 1.4, but maybe even earlier), it seems as though the ESAPI WAF code (in the package org.owasp.esapi.waf and its sub-packages) was using Apache Log4J 1.x and then later was updated to use ESAPI 2.x's Logger instead. Many of those WAF methods are deprecated and no longer actually used (or, at least, are no longer needed) and probably have been deprecated for over 2 years, so they should be flat out deleted from the ESAPI 2.x code base.

Furthermore, there are still references to org.apache.log4j packages in the following ESAPI WAF classes:

  • org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter
  • org.owasp.esapi.waf.configuration.AppGuardianConfiguration
  • org.owasp.esapi.waf.configuration.ConfigurationParser

Furthermore, the ESAPIWebApplicationFirewallFilter class has references to deprecated AppGuardianConfiguration methods related to logging and that code probably can be eliminated as well. (Lines 146-154.)

The bottom line is that all this obsolete code should be deleted, any documentation (especially Javadoc) cleaned up as needed, and (possibly) new unit tests added or existing ones altered to make sure nothing breaks.

kwwall, Feb 19 '21 22:02