On our server we are getting errors when using ESAPI functions such as encodeforHTML (randomly, more or less once a week; restarting the server helps as a workaround).
The error message is: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
I attached a screenshot of the stack trace, which indicates that there is a problem loading the standard Lucee ESAPI.properties file:
org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
	at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:443)
	at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:226)
	at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:252)
	at org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:67)
	... 58 more
Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
	at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:682)
	at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:440)
	... 61 more
I tried encodeforhtml(), ESAPIEncode() and ESAPIDecode() in Lucee 5.3.1.103 with the ESAPI Extension 2.1.0.16. They all work and don't throw any error. I made this check on Windows 10, and my Java version is 1.8.0_212 (Oracle Corporation) 64-bit. Once I get an issue I'll post it here.
As I wrote, this happens only from time to time, more or less once a week; my Java version is 1.8.0_202 (AdoptOpenJDK) 64-bit, btw. Thanks for keeping an eye on this.
If this runs before an encodeForX() runs, then we get these errors.
Our fix at the moment is that the healthcheck that runs to set the server up specifically calls encodeForHTML() to output something; this then allows our CFC to init and other calls to encodeForHTML() to work.
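The warm-up described above, written out as an added example (not code from the thread or from Lucee): a check that forces ESAPI to initialise by calling encodeForHTML() and verifies the result, so a failed ESAPI.properties load is reported at startup rather than on a random request later. The component name, the probe string and the log name are assumptions.

```cfml
// Added example, not code from the thread. A warm-up check for Lucee that forces
// ESAPI to initialise at startup by calling encodeForHTML() and verifies the result,
// so a failed ESAPI.properties load is reported at deploy time instead of on a random
// request. Component, function and log names are hypothetical.
component {

    // Constructed probe: a string that must come back without raw angle brackets.
    variables.probe = "<img src=x onerror=alert(1)>";

    public struct function run() {
        var result = { "ok": false, "message": "" };
        try {
            // The first encodeForX() call constructs DefaultSecurityConfiguration and
            // loads ESAPI.properties; this is where the thread's error surfaces.
            var encoded = encodeForHTML( variables.probe );

            // Do not trust a call that merely returned: check that it actually encoded.
            if ( find( "<", encoded ) || find( ">", encoded ) || !find( "&lt;", encoded ) ) {
                result.message = "encodeForHTML returned unencoded output: " & encoded;
            } else {
                result.ok = true;
                result.message = "ESAPI encoder initialised";
            }
        }
        catch ( any e ) {
            // cfcatch.stackTrace carries the "Caused by:" chain, so the root cause
            // (e.g. "Failed to load ESAPI.properties as a classloader resource")
            // ends up in the log rather than only the InvocationTargetException wrapper.
            result.message = "ESAPI init failed: " & e.message & " " & e.detail;
            writeLog( type="error", log="application",
                      text=result.message & chr(10) & e.stackTrace );
        }
        return result;
    }
}
```

Call `run()` from onApplicationStart and from the healthcheck endpoint, and have the endpoint answer with HTTP 503 while `ok` is false so the instance stays out of rotation until the encoder works.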
lol, after many restarts, scratching my head, scouring the internet, downgrading the ESAPI extension, re-upping the extension.
Determined that if the error stated that it couldn't read the property files I'd check to see how ACF uses them and where they're stored, and copied them over. Reverted my code to the same state that works in ACF, restarted Tomcat and voila, success; working access to the ESAPI encoder methods.