ESAPI log injection


Question

I included ESAPI in project due to possibility of log injection.

The only thing that I am using it for is sth like this:

    message = message.replace("\n", ERROR_MESS)
                .replace("\r", ERROR_MESS)
                .replace("\t", ERROR_MESS);
    message = ESAPI.encoder().encodeForHTML(message);

However, I get plenty of logs displayed such as:

    ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
    ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
    ...

I have two questions:

  1. Is there a possibility to turn off these logs? If there is, how to do it? I found a way to do it by creating a new class, however, I am looking to do it by setting it in the ESAPI.properties file.
  2. Is it really needed to use ESAPI.properties only for that one method? Is there any chance to delete it, and it will still work?
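The snippet in the question neutralizes three characters before handing the message to a logger. The following is an added example, not code from the question or from the ESAPI project, that implements the same defence without any ESAPI dependency and generalizes it: instead of only `\n`, `\r` and `\t`, it replaces every ISO control character (which also covers terminal escape sequences), and it applies HTML escaping only when the logs are going to be rendered in a browser-based viewer. The class name `LogSanitizer`, the marker value `"_"` for `ERROR_MESS`, and the sample username are all assumptions made for the example.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the question or the ESAPI project): a small
 * log-injection guard with the same intent as the question's snippet.
 * It neutralises the characters an attacker would use to forge extra
 * log lines (CR, LF and, more generally, all ISO control characters)
 * before the value reaches the logger. HTML escaping is a separate step,
 * needed only where log lines are displayed in a web UI.
 */
public final class LogSanitizer {

    // Marker substituted for each neutralised character (assumed value);
    // a visible token keeps a forged line break evident to an analyst.
    static final String ERROR_MESS = "_";

    // \p{Cntrl} matches U+0000..U+001F and U+007F, i.e. \r, \n, \t and
    // also ESC, so ANSI escape sequences cannot reach a terminal viewer.
    private static final Pattern CONTROL = Pattern.compile("\\p{Cntrl}");

    private LogSanitizer() {}

    /** Collapses control characters so the message cannot span log lines. */
    public static String neutralizeControlChars(String message) {
        if (message == null) {
            return "null";
        }
        return CONTROL.matcher(message).replaceAll(ERROR_MESS);
    }

    /** Minimal HTML escaping for logs that are viewed through a browser. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Full pipeline: control-character neutralisation, then optional HTML escaping. */
    public static String sanitizeForLog(String message, boolean logsRenderedInBrowser) {
        String cleaned = neutralizeControlChars(message);
        return logsRenderedInBrowser ? escapeHtml(cleaned) : cleaned;
    }

    public static void main(String[] args) {
        // Constructed sample: a user-controlled value that tries to append a
        // second, fake log line after the real one.
        String username = "alice\r\n2020-04-08 23:05:15 INFO  Login succeeded for admin";
        System.out.println("raw     : " + username);
        System.out.println("cleaned : " + sanitizeForLog(username, false));
        // Constructed sample for a log viewer that renders lines as HTML.
        System.out.println("html    : " + sanitizeForLog("<script>x</script>", true));
    }
}
```

Running `main` prints the raw value across two lines and the cleaned value as a single line in which the CR and LF have become `__`. The HTML escaping is kept as a separate step on purpose: it is only relevant when a log viewer interprets markup, and applying it unconditionally makes plain-text logs harder to read.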

Answer 1

Score: 1

  1. Not at present, but you're welcome to come over and help us out at any time. Just submit a PR for whatever features you desire.

  2. ESAPI will not load without validation.properties or esapi.properties. This is by design.

I am the esapi-java project co-lead.

huangapple
  • Posted on 8 April 2020, 23:05:15
  • Please keep this link when reposting: https://go.coder-hub.com/61103865.html