Working on new ESAPI release to update to new AntiSamy 1.7.4 release


Kevin W. Wall

Oct 7, 2023, 12:06:30 PM
to esapi-project-users, Matt Seil, Jeremiah J. Stacey
AntiSamy just released a new release 1.7.4 yesterday that addresses some CVEs, one in a dependency (batik-css) and another (CVE-2023-43643) in the AntiSamy code base.

So before anyone starts creating GitHub issues for this or starts "screaming at me" that I need to fix it, I just want to tell you that I'm aware. I have also been working with the AntiSamy team for the past 2 months or so and have confirmed that, because ESAPI's default AntiSamy policy file is much stricter than any that AntiSamy releases with, ESAPI is not affected by this XSS vulnerability, CVE-2023-43643. (I have tested ESAPI 2.5.2.0 with all of the new AntiSamy test cases and then some.)

Unfortunately, as of this moment, CVE-2023-43643 is not yet visible in NVD (nor does AntiSamy 1.7.4 show up in Maven Central searches). I would advise you to read the GitHub Advisory on it:

Again, this does not affect ESAPI users if you are using our default antisamy-esapi.xml AntiSamy policy file.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.

Kevin W. Wall

Oct 9, 2023, 11:41:10 PM
to esapi-project-users, Matt Seil, Jeremiah J. Stacey
This is taking longer than I thought because I am getting a completely unexpected and unrelated failure in a bunch of JUnit tests in EncryptedPropertiesUtilsTest.

For example,

[ERROR] Tests run: 3, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.014 s <<< FAILURE! - in org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest
[ERROR] org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest.testLoadPlaintextAndEncrypt  Time elapsed: 0.005 s  <<< ERROR!
java.lang.UnsupportedOperationException: This method has been removed for security.
        at org.owasp.esapi.reference.crypto.ReferenceEncryptedProperties.entrySet(ReferenceEncryptedProperties.java:244)
        at java.base/java.util.Properties.store0(Properties.java:935)
        at java.base/java.util.Properties.store(Properties.java:921)
        at org.owasp.esapi.reference.crypto.EncryptedPropertiesUtils.storeProperties(EncryptedPropertiesUtils.java:189)
        at org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest.testLoadPlaintextAndEncrypt(EncryptedPropertiesUtilsTest.java:131)
     ...

On top of that, I've felt like I've been coming down with the flu for the past 2 days, so this is running behind. I also have to convert my BSides Columbus slide deck to the official OWASP AppSec DC format with a PPT template that doesn't play nicely with LibreOffice Impress, so I am running a lot behind.

The good news is that the official NVD description https://nvd.nist.gov/vuln/detail/CVE-2023-43643 is now up and it confirms exactly why ESAPI is not susceptible. It's because our AntiSamy policy file, antisamy-esapi.xml, does not have the 'preserveComments' directive enabled.

So, if your management starts complaining because your SCA tools are squawking about this, point them to this email.

-kevin

Jeffrey Walton

Oct 10, 2023, 12:40:26 AM
to Kevin W. Wall, esapi-project-users, Matt Seil, Jeremiah J. Stacey
On Mon, Oct 9, 2023 at 11:41 PM Kevin W. Wall <kevin....@gmail.com> wrote:
>
> This is taking longer than I thought because I am getting a completely unexpected and unrelated failure in a bunch of JUnit tests in EncryptedPropertiesUtilsTest.
>
> For example,
>
> [ERROR] Tests run: 3, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.014 s <<< FAILURE! - in org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest
> [ERROR] org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest.testLoadPlaintextAndEncrypt Time elapsed: 0.005 s <<< ERROR!
> java.lang.UnsupportedOperationException: This method has been removed for security.
> at org.owasp.esapi.reference.crypto.ReferenceEncryptedProperties.entrySet(ReferenceEncryptedProperties.java:244)
> at java.base/java.util.Properties.store0(Properties.java:935)
> at java.base/java.util.Properties.store(Properties.java:921)
> at org.owasp.esapi.reference.crypto.EncryptedPropertiesUtils.storeProperties(EncryptedPropertiesUtils.java:189)
> at org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest.testLoadPlaintextAndEncrypt(EncryptedPropertiesUtilsTest.java:131)
> ...

Also see <https://github.com/ESAPI/esapi-java-legacy/pull/730>. I
don't know why Files Changed is 0. I guess it's another Git
misfeature.

The short of it is, test storeProperties and set a flag. If supported
(no exception), continue with the self tests. Otherwise (caught
UnsupportedOperationException), skip the self tests for
storeProperties.

Jeff
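The probe-and-skip pattern Jeff describes, as an added example (not code from the ESAPI project or from this thread). It assumes JUnit 4 and Java 9+, where Properties.store() walks entrySet() internally, which is why a Properties subclass that disables entrySet() for security fails with UnsupportedOperationException; LockedDownProperties is a hypothetical stand-in for ReferenceEncryptedProperties.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.junit.Test;

public class StorePropertiesProbeTest {

    // Hypothetical stand-in for ReferenceEncryptedProperties: the entrySet()
    // view is disabled so callers cannot enumerate decrypted values in bulk.
    static class LockedDownProperties extends Properties {
        @Override
        public Set<Map.Entry<Object, Object>> entrySet() {
            throw new UnsupportedOperationException("This method has been removed for security.");
        }
    }

    // Swap in the real implementation under test here.
    static Properties newUnderTest() {
        return new LockedDownProperties();
    }

    private static boolean storeSupported;

    // Probe once: on Java 9+ Properties.store() iterates entrySet(), so the
    // locked-down subclass throws UnsupportedOperationException and we record that.
    @BeforeClass
    public static void probeStore() {
        Properties p = newUnderTest();
        p.setProperty("db.password", "constructed-sample-value");
        try {
            p.store(new StringWriter(), "probe");
            storeSupported = true;
        } catch (UnsupportedOperationException e) {
            storeSupported = false;
        } catch (IOException e) {
            throw new AssertionError("unexpected I/O failure during probe", e);
        }
    }

    @Test
    public void testStoreRoundTrip() throws IOException {
        // Reported as skipped, not failed, when storing is unsupported.
        Assume.assumeTrue("store unsupported by this Properties type; skipping", storeSupported);
        Properties p = newUnderTest();
        p.setProperty("k", "v");
        StringWriter out = new StringWriter();
        p.store(out, null);
        Assert.assertTrue(out.toString().contains("k=v"));
    }
}
```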

Kevin W. Wall

Oct 18, 2023, 11:35:02 PM
to esapi-project-users, Matt Seil, Jeremiah J. Stacey
An update:
  • Good news: That one test bizarrely just started working when I re-cloned and then copied the updated files I had to the newly cloned directory.
  • Bad news: I haven't worked on this since last Wed, 10/11, since I came down with the flu, or at least flu-like symptoms. It's not getting better and I can barely concentrate.
Bottom line, it will get done when it does. How soon depends on how soon my health improves.

-kevin