Using ESAPI for spring boot project

Jason Novotny

Feb 2, 2022, 3:53:14 PM2/2/22
to ESAPI Project Users
Hi,

I'm tasked with fixing vulnerabilities found by Veracode and a major issue is
Improper Output Neutralization for Logs (CWE ID 117)

The app is using SLF4J and logback e.g.

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

private final Logger logger = LoggerFactory.getLogger(getClass());
logger.info("Getting transaction fee amount for accountId : {}, programId : {}, transactionType : {} and amount : {}", account.getAccountId(),
program.getProgramId(), transactionType, txnAmount);

Following online resources I added a ESAPI.properties file and replaced the ESAPI.Logger line to be:

ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory

And added the library dependency implementation 'org.owasp.esapi:esapi:2.2.3.1' to build.gradle

However, I can't tell if it is now using ESAPI. I set breakpoints in the
org.owasp.esapi.logging.slf4j.Slf4JLogFactory class in the getLogger methods, but the code doesn't appear to stop.

Any ideas on what I might be doing wrong?

Thanks, Jason

Kevin W. Wall

Feb 2, 2022, 8:11:45 PM2/2/22
to Jason Novotny, ESAPI Project Users
Are you sure it is finding your ESAPI.properties file? There ought to be some output to stdout that shows the progression of ESAPI looking for its properties file. Make sure it is finding the one you want your application to use.

That is the first thing that I would check. 

If that doesn't solve your problem, drop us another email here.

-kevin
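Added example for the two points raised in this thread (the breakpoint in Slf4JLogFactory never being hit, and checking that ESAPI.properties is found); this is editor-added code, not code from either poster or from the ESAPI project, and the class, method and package-free layout are made up for illustration. The ESAPI.Logger property only decides which factory ESAPI's own entry point, ESAPI.getLogger(), uses; it does nothing to loggers obtained from org.slf4j.LoggerFactory, which is why the breakpoints in the original post are never reached and why the SLF4J calls remain reportable as CWE-117. ESAPI.getLogger() is also what triggers the configuration search Kevin refers to: on first use, ESAPI prints to stdout where it is looking for ESAPI.properties (the directory in the org.owasp.esapi.resources system property, then the classpath, including an esapi/ directory such as src/main/resources/esapi in a Spring Boot build). ESAPI 2.2.x expects validation.properties next to ESAPI.properties as well, so that file is worth checking for at the same time.

```java
import java.math.BigDecimal;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;

/**
 * Added example, not code from the thread or from the ESAPI project.
 * The class and method names are invented; the ESAPI calls are the public
 * API of org.owasp.esapi:esapi:2.2.3.1 (the version named in the thread).
 */
public class TransactionFeeService {

    // The SLF4J logger from the original post. Setting ESAPI.Logger in
    // ESAPI.properties does not change what this logger does: SLF4J has no
    // knowledge of ESAPI, so messages sent here are written untouched.
    private final org.slf4j.Logger slf4jLogger =
            org.slf4j.LoggerFactory.getLogger(getClass());

    // The ESAPI logger. ESAPI.getLogger() is what reads ESAPI.properties,
    // instantiates the factory named by ESAPI.Logger (Slf4JLogFactory here)
    // and calls its getLogger(), so this is where a breakpoint inside
    // Slf4JLogFactory is actually reached.
    private final Logger esapiLogger = ESAPI.getLogger(TransactionFeeService.class);

    public void logFeeLookup(String accountId, String programId,
                             String transactionType, BigDecimal txnAmount) {
        // CWE-117 path: if transactionType carries a CR or LF, everything after
        // it becomes a second, forged line in the log output.
        slf4jLogger.info("Getting transaction fee amount for accountId : {}, programId : {}, "
                + "transactionType : {} and amount : {}",
                accountId, programId, transactionType, txnAmount);

        // Mitigated path: the same message through ESAPI. The ESAPI logger
        // replaces CR and LF in the message before handing it to SLF4J, and
        // with Logger.LogEncodingRequired=true in ESAPI.properties it also
        // HTML-encodes the text, so an injected "line" stays on the same line.
        esapiLogger.info(Logger.EVENT_SUCCESS,
                "Getting transaction fee amount for accountId : " + accountId
                + ", programId : " + programId
                + ", transactionType : " + transactionType
                + " and amount : " + txnAmount);
    }

    // Constructed input carrying a log-forging payload. Creating the service
    // calls ESAPI.getLogger(), which prints the ESAPI.properties search to
    // stdout; that output is the first thing to read when the breakpoint is
    // not hit.
    public static void main(String[] args) {
        String forged = "PAYMENT\nINFO  Fee lookup for accountId : admin succeeded";
        new TransactionFeeService().logFeeLookup(
                "acct-1", "prog-7", forged, new BigDecimal("12.50"));
    }
}
```

Run it with -Dorg.owasp.esapi.resources=<dir containing ESAPI.properties and validation.properties> (or with that directory on the classpath as esapi/) and compare the two log lines: the SLF4J one is split across two lines by the payload, the ESAPI one is not. Once the application's own logging goes through ESAPI.getLogger(), the Veracode CWE-117 findings on those call sites should no longer apply.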

To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/1e822621-5d9f-4bd1-a330-1029cf236fa7n%40owasp.org.