Override ESAPI OWASP methods java - owasp

I am trying to override an existing method in ESAPI OWASP library, by using ESAPI.override(). Somehow it does not work, do you know why?
Here my code:
public class AntiSamyDOMScannerExpansion extends AbstractAntiSamyScanner {
//...
public CleanResults scan(String html, String inputEncoding, String outputEncoding) throws ScanException {
ESAPI.override(new DefaultSecurityConfiguration());
//...

ESAPI.override() is used only to override the configuration. In order to expand other kind of methods, in my case AntiSamy.scan, it is needed to extend every class in the call structure.
This is because of a inflexible implementation. For instance we find in HTMLValidationRule.java:
private String invokeAntiSamy( String context, String input ) throws ValidationException {
// CHECKME should this allow empty Strings? " " us IsBlank instead?
if ( StringUtilities.isEmpty(input) ) {
if (allowNull) {
return null;
}
throw new ValidationException( context + " is required", "AntiSamy validation error: context=" + context + ", input=" + input, context );
}
String canonical = super.getValid( context, input );
try {
AntiSamy as = new AntiSamy();
CleanResults test = as.scan(canonical, antiSamyPolicy);
List<String> errors = test.getErrorMessages();
if ( !errors.isEmpty() ) {
LOGGER.info( Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors );
}
return test.getCleanHTML().trim();
} catch (ScanException e) {
throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context );
} catch (PolicyException e) {
throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context + " error=" + e.getMessage(), e, context );
}
}
Due to AntiSamy as = new AntiSamy(); we can not make it usable in a custom implementation.

Related

Using websockets through the simple websockets for webgl asset in unity3d, can connect but can't transmit messages

Just having a problem on my mac trying to send strings over web sockets using this https://www.assetstore.unity3d.com/en/#!/content/38367
Lots of adapted code below from here mainly http://www.codepool.biz/how-to-implement-a-java-websocket-server-for-image-transmission-with-jetty.html and the web socket sharp echotest example.
I can connect but there is no sign of strings in my Jetty server console window (on a ws server running in java(eclipse)).
Iā€™m basically just trying to send a ā€œ1ā€ to my server over a websocket connection with the unity editor (5) at the moment, to prompt the server to start sending PNG files encoded as byte arrays, so I can put them back together in a C# script and apply them to a texture.
this is the script, I want to attach it to a game object like a plane or a cube and display the updating images sent over the web socket from my Jetty server, but at the moment I'm just stuck trying to send a message and see it pop up in my eclipse console window.
using UnityEngine;
using System.Collections;
using System;
public class socketTexture : MonoBehaviour {
// Use this for initialization
IEnumerator Start () {
WebSocket w = new WebSocket(new Uri("ws://192.168.0.149:8080/"));
yield return StartCoroutine(w.Connect());
Debug.Log ("Connected");
w.SendString("I'm client");
w.SendString("1");
while (true)
{
byte[] reply = w.Recv();
if (reply != null)
{
Debug.Log ("Received: "+reply);
var tex = new Texture2D(300, 300, TextureFormat.PVRTC_RGBA4, false);
// Load data into the texture and upload it to the GPU.
tex.LoadRawTextureData(reply);
tex.Apply();
// Assign texture to renderer's material.
GetComponent<Renderer>().material.mainTexture = tex;
}
if (w.Error != null)
{
Debug.LogError ("Error: "+w.Error);
break;
}
yield return 0;
}
w.Close();
}
}
...And the relevant code from the jetty server, but this works, I've tested it with some javascript and I can load the PNGs back into the browser window, so I'm definitely doing something wrong in Unity
#OnWebSocketMessage //part request from websocket client (remote browser)
public void onMessage( String message) {
System.out.println("message");
if (message.equals("1") || message.equals("2") || message.equals("3") || message.equals("4") ) {
System.out.println("Part " + message + " joined");
System.out.println( UIMain.usersPath + "/" + message + ".png" );
final String testVar = ( UIMain.usersPath + "/" + message + ".png" );
task = new FileWatcher( new File(testVar) ) {
protected void onChange( File file ) {
// here we code the action on a change
System.out.println( "File "+ file.getName() +" has changed!" );
try {
File f = new File(testVar);
BufferedImage bi = ImageIO.read(f);
ByteArrayOutputStream out = new ByteArrayOutputStream();
ImageIO.write(bi, "png", out);
ByteBuffer byteBuffer = ByteBuffer.wrap(out.toByteArray());
mSession.getRemote().sendBytes(byteBuffer);
out.close();
byteBuffer.clear();
}
catch (IOException e) {
e.printStackTrace();
}
}
};
Timer timer1 = new Timer(); {
timer1.schedule(task , new Date(), 40 );
}
}
else if (message.equals( "0")) {
zerocounter = zerocounter + 1;
if (zerocounter >= 2) {
task.cancel();
}
}
else if (message.equals( "Hi there, client here")) {
System.out.println( "Client says: " + message );
}
}
Any help would be really appreciated, been lurking on here for years, hopefully getting to the stage soon where I can help out others a bit too.
Benedict
Edit:
This is my console error message in Unity
FormatException: Invalid length. System.Convert.FromBase64String
(System.String s) (at
/Users/builduser/buildslave/mono-runtime-and-classlibs/build/mcs/class/corlib/System/Convert.cs:146)
EchoTest+c__Iterator0.MoveNext () (at
Assets/Example/EchoTest.cs:11)
I'm pretty sure the problem arises from websocket sharp for webgl. I need to send the message as a byte array.
OK So Joakim Erdfelt was right, the server was not configured to handle Byte[] messages. Here's what I added to fix it:
#OnWebSocketMessage
public void onMessage(byte[] buffer, int offset, int length) throws UnsupportedEncodingException {
System.out.println(buffer);
String sFclientOutStr = new String(buffer, "UTF-8");
sFclientOut = Integer.parseInt(sFclientOutStr);
System.out.println(sFclientOut);
if ((sFclientOut > 0) & (sFclientOut < 500)) {
System.out.println("Part " + sFclientOut + " joined");
System.out.println( UIMain.usersPath + "/" + sFclientOutStr + ".png" );
final String testVar = ( UIMain.usersPath + "/" + sFclientOutStr + ".png" );
task = new FileWatcher( new File(testVar) ) {
protected void onChange( File file ) {
// here we code the action on a change
System.out.println( "File "+ file.getName() +" has changed!" );
try {
File f = new File(testVar);
BufferedImage bi = ImageIO.read(f);
ByteArrayOutputStream out = new ByteArrayOutputStream();
ImageIO.write(bi, "png", out);
ByteBuffer byteBuffer = ByteBuffer.wrap(out.toByteArray());
mSession.getRemote().sendBytes(byteBuffer);
out.close();
byteBuffer.clear();
}
catch (IOException e) {
e.printStackTrace();
}
}
};
Timer timer1 = new Timer(); {
timer1.schedule(task , new Date(), 40 );
}
}
else if (sFclientOutStr.equals("0")) {
zerocounter = zerocounter + 1;
if (zerocounter >= 2) {
task.cancel();
}
}
else if (sFclientOutStr.equals( "I'm client")) {
System.out.println( "Client says: " + sFclientOutStr );
}
}
These links helped explain it for me http://www.programcreek.com/java-api-examples/index.php?api=org.eclipse.jetty.websocket.api.annotations.OnWebSocketMessage
http://www.eclipse.org/jetty/documentation/current/jetty-websocket-api-annotations.html

GWT-RPC method returns empty list on success

I am creating a webpage having CellTable.I need to feed this table with data from hbase table.
I have written a method to retrieve data from hbase table and tested it.
But when I call that method as GWT asynchronous RPC method then rpc call succeeds but it returns nothing.In my case it returns empty list.The alert box show list's size as 0.
Following is the related code.
Please help.
greetingService.getDeviceIDData(new AsyncCallback<List<DeviceDriverBean>>(){
public void onFailure(Throwable caught) {
// Show the RPC error message to the user
System.out.println("RPC Call failed");
Window.alert("Data : RPC call failed");
}
public void onSuccess(List<DeviceDriverBean> result) {
//on success do something
Window.alert("Data : RPC call successful");
//deviceDataList.addAll(result);
Window.alert("Result size: " +result.size());
// Add a text column to show the driver name.
TextColumn<DeviceDriverBean> nameColumn = new TextColumn<DeviceDriverBean>() {
#Override
public String getValue(DeviceDriverBean object) {
Window.alert(object.getName());
return object.getName();
}
};
table.addColumn(nameColumn, "Name");
// Add a text column to show the device id
TextColumn<DeviceDriverBean> deviceidColumn = new TextColumn<DeviceDriverBean>() {
#Override
public String getValue(DeviceDriverBean object) {
return object.getDeviceId();
}
};
table.addColumn(deviceidColumn, "Device ID");
table.setRowCount(result.size(), true);
// more code here to add columns in celltable
// Push the data into the widget.
table.setRowData(0, result);
SimplePager pager = new SimplePager();
pager.setDisplay(table);
VerticalPanel vp = new VerticalPanel();
vp.add(table);
vp.add(pager);
// Add it to the root panel.
RootPanel.get("datagridContainer").add(vp);
}
});
Code to retrieve data from hbase (server side code)
public List<DeviceDriverBean> getDeviceIDData()
throws IllegalArgumentException {
List<DeviceDriverBean> deviceidList = new ArrayList<DeviceDriverBean>();
// Escape data from the client to avoid cross-site script
// vulnerabilities.
/*
* input = escapeHtml(input); userAgent = escapeHtml(userAgent);
*
* return "Hello, " + input + "!<br><br>I am running " + serverInfo +
* ".<br><br>It looks like you are using:<br>" + userAgent;
*/
try {
Configuration config = HbaseConnectionSingleton.getInstance()
.HbaseConnect();
HTable testTable = new HTable(config, "driver_details");
byte[] family = Bytes.toBytes("details");
Scan scan = new Scan();
int cnt = 0;
ResultScanner rs = testTable.getScanner(scan);
for (Result r = rs.next(); r != null; r = rs.next()) {
DeviceDriverBean deviceDriverBean = new DeviceDriverBean();
byte[] rowid = r.getRow(); // Category, Date, Sentiment
NavigableMap<byte[], byte[]> map = r.getFamilyMap(family);
Iterator<Entry<byte[], byte[]>> itrt = map.entrySet()
.iterator();
deviceDriverBean.setDeviceId(Bytes.toString(rowid));
while (itrt.hasNext()) {
Entry<byte[], byte[]> entry = itrt.next();
//cnt++;
//System.out.println("Count : " + cnt);
byte[] qual = entry.getKey();
byte[] val = entry.getValue();
if (Bytes.toString(qual).equalsIgnoreCase("account_number")) {
deviceDriverBean.setAccountNo(Bytes.toString(val));
} else if (Bytes.toString(qual).equalsIgnoreCase("make")) {
deviceDriverBean.setMake(Bytes.toString(val));
} else if (Bytes.toString(qual).equalsIgnoreCase("model")) {
deviceDriverBean.setModel(Bytes.toString(val));
} else if (Bytes.toString(qual).equalsIgnoreCase("driver_name")) {
deviceDriverBean.setName(Bytes.toString(val));
} else if (Bytes.toString(qual).equalsIgnoreCase("premium")) {
deviceDriverBean.setPremium(Bytes.toString(val));
} else if (Bytes.toString(qual).equalsIgnoreCase("year")) {
deviceDriverBean.setYear(Bytes.toString(val));
} else {
System.out.println("No match found");
}
/*
* System.out.println(Bytes.toString(rowid) + " " +
* Bytes.toString(qual) + " " + Bytes.toString(val));
*/
}
deviceidList.add(deviceDriverBean);
}
}
catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
catch (Exception e) {
// System.out.println("Message: "+e.getMessage());
e.printStackTrace();
}
return deviceidList;
}
Could this be lazy fetching on the server side by hbase. This means if you return the list hbase won't get a trigger to actually read the list and you will simple get an empty list. I don't know a correct solution, in the past I've seen a similar problem on GAE. This could by solved by simply asking the size of the list just before returning it to the client.
I don't have the exact answer, but I have an advise. In similar situation I put my own trace to check every step in my program.
On the server side before return put : System.out.println("size of table="+deviceidList.size());
You can put this trace in the loop for deviceidList;

Getting FormPanel's field values

I'm having problems with getting the value of the fields coming from a FormPanel. Theonly thing I get is the image included in the form here is the servlet code, I'm using Apache Commons:
// Create a new file upload handler
ServletFileUpload upload1 = new ServletFileUpload();
// Parse the request
FileItemIterator iter;
try {
iter = upload1.getItemIterator(req);
while (iter.hasNext()) {
FileItemStream item = iter.next();
String name = item.getFieldName();
InputStream stream = item.openStream();
if (item.isFormField()) {
System.out.println("Form field " + name + " with value "
+ Streams.asString(stream) + " detected.");
} else {
System.out.println("File field " + name + " with file name "
+ item.getName() + " detected.");
// Process the input stream
}
}
} catch (FileUploadException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
I have seen this post but it didn't really explain what to do
Like #Colin Alworth said, the name property must be set for each field!
TextBox lastName = new TextBox();
lastName.setName("LastName");

Nokia Forms not showing text

I only wish Nokia documentation was more helpful. Its search on developer documentation totally sucks.
public class UpdateJourney extends Form implements CommandListener, Runnable {
private LocationProvider myLocation;
private Criteria myCriteria;
private Location myCurrentLocation;
private HomeScreen helloScreen;
private Command exitCommand;
private Thread getLocationThread = new Thread(this);;
public UpdateJourney(HomeScreen helloScreen) {
super("Taxeeta");
this.helloScreen = helloScreen;
getLocationThread.start();
}
public void run() {
myCriteria = new Criteria();
myCriteria.setHorizontalAccuracy(500);
try {
myLocation = LocationProvider.getInstance(myCriteria);
myCurrentLocation = myLocation.getLocation(60);
} catch (LocationException e) {
e.printStackTrace();
System.out
.println("Error : Unable to initialize location provider");
return;
} catch (InterruptedException e) {
e.printStackTrace();
System.out.println("Error: Waited enough for location to return");
return;
}
System.out.println("Location returned Lat:"
+ myCurrentLocation.getQualifiedCoordinates().getLatitude()
+ " Lng:"
+ myCurrentLocation.getQualifiedCoordinates().getLongitude());
String helloText = new String("Location returned Lat:"
+ myCurrentLocation.getQualifiedCoordinates().getLatitude()
+ " Lng:"
+ myCurrentLocation.getQualifiedCoordinates().getLongitude());
super.append(helloText);
exitCommand = new Command("Location returned Lat:"
+ myCurrentLocation.getQualifiedCoordinates().getLatitude()
+ " Lng:"
+ myCurrentLocation.getQualifiedCoordinates().getLongitude(),
Command.EXIT, 1);
addCommand(exitCommand);
setCommandListener(this);
}
}
do you mean not showing from this command?:
System.out.println("Location returned Lat:"
+ myCurrentLocation.getQualifiedCoordinates().getLatitude()
+ " Lng:"
+ myCurrentLocation.getQualifiedCoordinates().getLongitude());
It's not showing to phone screen. Instead it will show on console (IDE / debugging).
to showing text on Form.. you need to use somethings like:
form.addComponent(new Label("hi...");
hope it helps.

primefaces (3.2) autocomplete pojo

I am trying to implement PF Autocomplete component (v3.2) with POJO. Things work fine when a user selects an entry from the possible drop down options provided. However, the scenario where a user enters some text into the input field and simply hits enter does not work well for me.
If a user simply enters some text to the autocomplete input box and hits enter, all I have to do is redirect them to a new page with 1 query parameter. I noticed that if I hit enter before AutoComplete has a chance to show suggestions, then the redirect happens just fine. Once drop down suggestions are shown, hitting enter simply clears the input box.
I would expect something like this to work just fine, so I must be doing something silly.
<h:form>
<p:autoComplete id="globalAutoComplete" value="#{autoCompleteBackingBean.selectedResult}" completeMethod="#{autoCompleteBackingBean.globalSearch}" var="aResult" itemValue="#{aResult}" converter="autoCompleteConverter" queryDelay="200" maxResults="6" minQueryLength="3">
<p:column>
#{aResult.label} <br/> #{aResult.desc} <span class='ui-icon #{aResult.icon} autocompleteResultsIcon'/>
</p:column>
</p:autoComplete>
<p:commandButton id="submitAutoComplete" type="submit" icon="ui-icon-suitcase" action="#{autoCompleteBackingBean.doRedirect}"/>
</h:form>
Converter:
public Object getAsObject(FacesContext fc, UIComponent uic, String value) {
if (value == null || value.length() == 0 ) {
return null;
}
Object obj = null;
try {
List<AutoComplete> results = AutoCompleteBackingBean.getResults();
for (AutoComplete aResult : results){
if((aResult.getDreRef()).equals(value))
return aResult;
}
} catch (Exception e) {
System.err.println("AutoCompleteConverter getAsObject Error: " + e);
}
if (obj == null) {
AutoComplete empty = new AutoComplete();
empty.setDreRef(value);
return empty;
}
return obj;
}
public String getAsString(FacesContext fc, UIComponent uic, Object object) {
if (object == null) {
return null;
}
Class entityClass = getEntityClass();
String value = null;
if (entityClass.isInstance(object)) {
try {
value = ((AutoComplete)object).getDreRef();
}catch (Exception e){
System.err.println("AutoCompleteConverter getAsString Error: " + e);
value = "Unable to obtain String from Object";
}
}
else {
value = "AutoCompleteConverter.getAsString(): Object " + object + " is of type "
+ object.getClass().getSimpleName() + "; expected type: "
+ entityClass.getSimpleName();
throw new ConverterException(new FacesMessage(FacesMessage.SEVERITY_ERROR, value, null));
}
return value;
}
Backing bean:
private AutoComplete selectedResult = null;
//getter and setter
public String doRedirect() {
System.out.println("doRedirect()");
return "entities.jsf?query=" + selectedResult.getDreRef() + "&faces-redirect=true";
}