Using canonicalize throws error

I use the function canonicalize to detect suspicious requests, but using it against a form variable using a simple UUID it throws an error:

form[key] = canonicalize(form[key], true, true);

The stack trace below shows it has casting issues with the logger (Caused by: java.lang.ClassCastException: org.owasp.esapi.reference.Log4JLogger cannot be cast to org.owasp.esapi.Logger at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:88)), although I’m not sure if that is causing it. Any idea?

java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.

StackTrace:

```
lucee.runtime.exp.NativeException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
    at org.lucee.extension.esapi.functions.ESAPIEncode.canonicalize(ESAPIEncode.java:147)
    at org.lucee.extension.esapi.functions.Canonicalize.call(Canonicalize.java:29)
    at sun.reflect.GeneratedMethodAccessor165.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at lucee.runtime.reflection.pairs.MethodInstance.invoke(MethodInstance.java:56)
    at lucee.runtime.reflection.Reflector.callStaticMethod(Reflector.java:951)
    at lucee.runtime.functions.BIFProxy.invoke(BIFProxy.java:41)
    at lucee.runtime.functions.FunctionHandlerPool.invoke(FunctionHandlerPool.java:40)
    at corehandling_cfm$cf$3b.call(/core/coreHandling.cfm:103)
    at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:945)
    at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:837)
    at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:818)
    at application_cfc$cf.udfCall(/core/Application.cfc:57)
    at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:106)
    at lucee.runtime.type.UDFImpl._call(UDFImpl.java:344)
    at lucee.runtime.type.UDFImpl.call(UDFImpl.java:217)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:680)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:568)
    at lucee.runtime.ComponentImpl.call(ComponentImpl.java:1898)
    at lucee.runtime.listener.ModernAppListener.call(ModernAppListener.java:436)
    at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:215)
    at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:42)
    at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2416)
    at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2406)
    at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2381)
    at lucee.runtime.engine.Request.exe(Request.java:43)
    at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1170)
    at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1116)
    at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:102)
    at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:62)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    ... 53 more
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.GeneratedMethodAccessor166.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 52 more
Caused by: java.lang.ClassCastException: org.owasp.esapi.reference.Log4JLogger cannot be cast to org.owasp.esapi.Logger
    at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:88)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:153)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:83)
    at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:67)
```

Which version of Lucee, esapi extension and java are you running?

This is Lucee 5.3.7.48, Java 1.8.0_152 (Oracle Corporation) and esapi 2.2.0.0-SNAPSHOT.

Thanks.

@marceld I checked this locally, and it works fine with the latest OWASP extension. Once I downgraded, it throws the same error as you said. But after a restart, the error was gone. Can you try restarting Lucee?

Some related topics: https://lucee.daemonite.io/t/error-with-esapi-functions-esapi-properties-could-not-be-loaded-by-any-means/5513/5

I can confirm that a restart did the job. Thanks for the suggestion. So it must have been the version of ESAPI.

Updating the extensions is a bit confusing btw in the admin, since the label ‘update me’ also appears when you already have the latest version. And I noticed that it does not appear for postgres, although I was not at the latest version. Maybe this is a bug. At least it is not clear to me.

Yeah, and we already have a ticket for that issue in JIRA: LDEV-3150