3

I've upgraded my log4j from 1.X to 2.3. The logging works fine. However, I'm using ESAPI and it is giving me errors now.

This is my ESAPI import statement:

import org.owasp.esapi.ESAPI;

This is how I'm using ESAPI:

ESAPI.encoder().encodeForHTML(somevalue)

The exception I'm receiving is:

exception org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129) ~[esapi-2.1.0.jar:2.1.0]
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99) ~[esapi-2.1.0.jar:2.1.0]

I'm using Eclipse, and I'm using log4j-api-2.3.jar and log4j-core-2.3.jar.

rajah9
AspUser7724
  • If you take out the log4j, do you still get the esapi error? – rajah9 Jun 28 '16 at 21:23
  • @rajah9 it would be hard for me to check as it is nested deep in an application. Removing log4j would cause a great number of errors. I can tell you, however, that using log4j1.2.9 worked fine. – AspUser7724 Jun 28 '16 at 21:39
  • FYI: Newest version of ESAPI is 2.1.0.1 – avgvstvs Jun 29 '16 at 20:00
  • I tried using ESAPI 2.1.0.1 and I get the following error: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception. – AspUser7724 Jun 29 '16 at 20:27

3 Answers

2

I migrated log4j 1 to 2 and fixed this error by just changing the following line in the ESAPI.properties file: ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory

zerocesar
1

Do you have log4j-1.2-api-2.3.jar? I am suspecting that it isn't finding any bindings for the Log4j 1.2 API it is using.

An alternative would be to create LogFactory and Logger implementations for Log4j 2 for ESAPI to use, but I suspect that is more work than you probably want to do.

rgoers
  • I am using log4j-1.2-api-2.3.jar and log4j-api-2.3.jar and log4j-core-2.3.jar. I've added all these to my project. – AspUser7724 Jun 28 '16 at 22:06
  • OK - that should be all you need. If it was me I would download the ESAPI source and step through ObjFactory.make by placing breakpoints in the DefaultEncoder class so that you can see what is failing when the object is being constructed. This is always a bit tricky as you have to put a breakpoint in the actual class that is getting the exception. DefaultEncoder is just the victim. – rgoers Jun 28 '16 at 22:11
  • Can you point me in the direction of an example for "LogFactory and Logger implementations for Log4j 2"? I'm not sure what you meant by this. – AspUser7724 Jun 29 '16 at 16:18
  • If you go to https://github.com/ESAPI/esapi-java-legacy/tree/develop/src/main/java/org/owasp/esapi/reference you will see 3 classes that implement the ESAPI LogFactory and Logger interfaces. You could create versions of those to bind ESAPI to Log4j 2 by configuring ESAPI to use your implementations. – rgoers Jun 29 '16 at 23:09
1

I was able to get my project working by using the Log4j-2 to SLF4J adapter, and configuring ESAPI to use SLF4J.

https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J

Additionally, I needed to add the ESAPI properties required for SLF4J.

https://github.com/OWASP/owasp-java-encoder/blob/main/esapi/src/test/resources/.esapi/ESAPI.properties

You may also want to explicitly exclude log4j 1.x in your build (depending on your build method) if you're looking to eliminate it from showing up as a vulnerability.

Xtopher
  • The ESAPI Java Legacy wiki link has been updated to refer to log4j-core-2.16.0 instead of the vulnerable log4j-core-2.13.3. – nagu Dec 16 '21 at 11:04
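The dependency layout that Xtopher's answer describes (Log4j 2 API routed to SLF4J, log4j 1.x excluded so it never reaches the classpath), written out as an added example that is not code from any of the answers; it assumes a Maven build, ESAPI 2.2.0.0 or later, and Logback as the SLF4J backend, and the version values are placeholders to fill in.

```xml
<!-- Added example, not from the answers above. Assumes Maven, ESAPI >= 2.2.0.0
     and Logback; the *_VERSION values are placeholders, not real releases. -->
<dependencies>
  <!-- ESAPI, with its transitive log4j 1.x dependency excluded so the
       end-of-life artifact does not show up in the application or in scans. -->
  <dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>ESAPI_VERSION</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Log4j 2 API for the application's own logging calls. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>LOG4J2_VERSION</version>
  </dependency>

  <!-- Log4j 2 -> SLF4J adapter: every Log4j 2 API call is handed to SLF4J.
       Do not combine this with log4j-slf4j-impl (SLF4J -> Log4j 2), since the
       two adapters together form a routing loop. log4j-core is not needed
       here because Logback produces the output. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-to-slf4j</artifactId>
    <version>LOG4J2_VERSION</version>
  </dependency>

  <!-- SLF4J API plus exactly one binding (Logback here). -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>SLF4J_VERSION</version>
  </dependency>
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>LOGBACK_VERSION</version>
  </dependency>
</dependencies>
```

With these on the classpath, ESAPI.properties needs ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory, the SLF4J factory that ships with ESAPI 2.2.0.0 and later; the 2.1.0 build in the question predates it and only offers the log4j 1.x and java.util.logging factories, which is why the JavaLogFactory line in zerocesar's answer is the fix that applies there.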