Does anyone know how to suppress the following noisy messages output by the ESAPI library?

System property [org.owasp.esapi.opsteam] is not set
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.

System property [org.owasp.esapi.devteam] is not set
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.

I added the library to my web application (including embedded Tomcat) and ESAPI validation works, but the noisy messages above are printed to the console.

Java code:

writer.write(ESAPI.encoder().encodeForHTML("<test>"));

Dependency of ESAPI:

<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.1.0.1</version>
</dependency>

ESAPI.properties:

https://github.com/k-tamura/embtest/blob/master/src/main/resources/ESAPI.properties

Steps to reproduce:

(1) Run the commands:

$ git clone https://github.com/k-tamura/embtest.git
$ cd embtest
$ mvn clean install

(2) Access http://localhost:8080/ping -> The above logs are shown on the console.

Environment (my local machine):

$ mvn -version
Apache Maven 3.2.2 (45f7c06d68e745d05611f7fd14efb6594181933e; 2014-06-17T22:51:42+09:00)
Maven home: c:\apache-maven-3.2.2
Java version: 1.8.0_121, vendor: Oracle Corporation
Java home: c:\Program Files\Java\jdk1.8.0_121\jre
Default locale: ja_JP, platform encoding: MS932
OS name: "windows 7", version: "6.1", arch: "amd64", family: "dos"
Kohei TAMURA

3 Answers

3

I can work around this issue by adding the following InitializationListener, based on @avgvstvs's answer:

import java.io.OutputStream;
import java.io.PrintStream;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.owasp.esapi.ESAPI;

@WebListener
public class InitializationListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent event) {

        /* Suppress noisy messages output by the ESAPI library. */
        PrintStream originalOut = System.out;
        PrintStream originalErr = System.err;
        try (PrintStream out = new PrintStream(new OutputStream() {
            @Override
            public void write(int b) {
                // Do nothing: discard everything written while ESAPI initializes
            }
        })) {
            System.setOut(out);
            System.setErr(out);
            ESAPI.encoder(); // first use triggers the ESAPI.properties search
        } catch (Exception e) {
            // Do nothing
        } finally {
            // Restore both streams; stderr was redirected too
            System.setOut(originalOut);
            System.setErr(originalErr);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Do nothing
    }
}
Kohei TAMURA
  • To add to what Matt said, in the next ESAPI release (which we are hoping to release in _at least_ a few months from now, hopefully sooner), you will be able to subclass DefaultSecurityConfiguration, override the (now 'protected') logSpecial() method to not log at all. The reason it can't go to a logger is 1) it can't switch logging types mid-stream (choices are JUL or log4j), and 2) it doesn't know the preferred logger until it finds it in your ESAPI.properties file. You will have to do an additional call too, to ESAPI.initialize() with the name of your subclass though. – Kevin W. Wall Aug 25 '17 at 03:34
  • OTOH, not to make light of this, but most people just redirect stdout and stderr to a file when their Java application server is started, and by comparison to everything that Tomcat / WebSphere / WebLogic Server, etc. emit to stdout and stderr, this is but a drop in the bucket. Most people would prefer too much logging than not enough though. – Kevin W. Wall Aug 25 '17 at 03:37
  • That new ESAPI release is still on its way? – Rüdiger Schulz Jun 22 '18 at 16:01
  • You forgot to set back Err in there! – Jonathan Drapeau May 17 '19 at 14:43
  • @KevinW.Wall In my case everything is logged to the console in JSON format and sent to a centralized log manager. Annoying to wreck part of the logs because of this. – Jonathan Drapeau May 17 '19 at 14:47
  • It works in my project. This Q/A saved my day. – Onic Team Dec 08 '21 at 06:00
  • This is a very heavy handed approach. There may be other classes that are expected to write to the console besides ESAPI. – Charlie Reitzel Jan 18 '22 at 19:21
  • @KevinW.Wall, your solution is not working for me. I'm using ESAPI 2.2.0.0. I'm confused: are those System.setOut(), System.setErr() calls meant to suppress the ESAPI log messages or to print the ESAPI logs? I'm looking for a solution to remove all those noisy ESAPI log messages from my Spring Boot console application. – Ravi Sep 02 '22 at 08:44
  • Ignore the answer about messing with System.setOut() / System.setErr(). Instead set the System property that @avgvstvs mentioned on 2019-01-19, below. I am going to post it as a new answer (even though it is a comment as the second answer) so it is easier to find and not buried in a comment. – Kevin W. Wall Sep 03 '22 at 16:26
  • Correction: the comment from @avgvstvs was made on 2022-01-22, not 2019-01-19. I have posted a "new" answer and noted this there. Sorry for any confusion. – Kevin W. Wall Sep 03 '22 at 16:47
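An added example, not code from the original post or from the ESAPI project, that addresses the two points raised in the comments above: it restores both System.out and System.err in a finally block (so a ConfigurationException during startup cannot leave the JVM writing to the sink), and it keeps what ESAPI printed instead of discarding it, forwarding the text to java.util.logging so the file-hunting trail still reaches a centralized log manager. The class name EsapiBootstrapListener and the choice of java.util.logging are assumptions; the "could not be loaded by any means" string it checks for is the one that appears in the question's output.

```java
import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.owasp.esapi.ESAPI;

/**
 * Forces ESAPI initialization at startup while stdout/stderr are temporarily
 * redirected into a buffer. Both streams are restored in a finally block and
 * the captured text is handed to java.util.logging, so the
 * "Attempting to load ESAPI.properties ..." trail is moved, not lost.
 *
 * Caveat: System.setOut/setErr are process-global. Anything another thread
 * prints during the (short) window is captured too, so run this once, as
 * early as possible, before request threads exist.
 */
@WebListener
public class EsapiBootstrapListener implements ServletContextListener {

    private static final Logger LOG = Logger.getLogger(EsapiBootstrapListener.class.getName());

    @Override
    public void contextInitialized(ServletContextEvent event) {
        String captured = initializeEsapiQuietly();
        if (captured.contains("could not be loaded by any means")) {
            // A configuration file was silently replaced by built-in defaults: worth a WARNING.
            LOG.log(Level.WARNING, "ESAPI fell back to defaults for a configuration file:\n{0}", captured);
        } else if (!captured.isEmpty()) {
            LOG.log(Level.FINE, "ESAPI bootstrap output:\n{0}", captured);
        }
    }

    /** Initializes ESAPI and returns whatever it wrote to stdout/stderr meanwhile. */
    static String initializeEsapiQuietly() {
        PrintStream originalOut = System.out;
        PrintStream originalErr = System.err;
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        PrintStream sink;
        try {
            sink = new PrintStream(buffer, true, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 not available", e);
        }
        System.setOut(sink);
        System.setErr(sink);
        try {
            // First touch of the ESAPI facade triggers the configuration search.
            // Exceptions are NOT swallowed: a broken ESAPI.properties should fail startup loudly.
            ESAPI.encoder();
        } finally {
            // Restore BOTH streams, even if ESAPI threw.
            System.setOut(originalOut);
            System.setErr(originalErr);
            sink.flush();
        }
        return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // nothing to clean up
    }
}
```

Letting a ConfigurationException propagate is deliberate: the mailing-list complaint quoted in the next answer ("My application won't start") is far easier to diagnose when the exception is the first thing in the server log rather than being caught and ignored.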
2

You're getting bitten by a chicken-and-egg scenario. Those statements are coming from a combo of System.out.println() and System.err.println().

The problem is that we need to load the properties files in order to determine what logger to load, but on initialization... we don't have a logger instantiated.

So we default to the only other option, which is console output.

In the past we had removed it, but then the mailing list got inundated by "My application won't start, HEEEEELP!"

So they're back and they're not going anywhere: Feature not a bug.

If you are THAT determined to get rid of the file hunting messages, I suggest redirecting output streams like they do here.

import java.io.FileOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;

// FileOutputStream throws FileNotFoundException if the device is missing; on Windows use "NUL" instead of "/dev/null"
OutputStream output = new FileOutputStream("/dev/null");
PrintStream printOut = new PrintStream(output);

System.setOut(printOut);

Disclaimer: I'm one of the ESAPI-java co-leads.

avgvstvs
  • Thank you for your advice (I voted +1). I can work around this issue (See also my answer). However, I think there is room for improvement on the loading processing of ESAPI. – Kohei TAMURA Aug 25 '17 at 01:59
  • By all means @KoheiTAMURA -- Right now there's only two of us on the project! We can use assistance! – avgvstvs Aug 25 '17 at 02:14
  • @avgvstvs Suggest you adopt SLF4J and defer log configuration and initialization to it. Slf4j has a reasonable solution to the chicken and egg log config problem. I would suggest, also, that ESAPI use DEBUG level to log the use of default properties and document how to get configuration logging turned on for client applications (i.e. the class name(s) to configure with DEBUG logging). That will get rid of all the noise on stdout/stderr while actually improving the ease of use for ESAPI logging for applications. hth – Charlie Reitzel Jan 18 '22 at 19:19
  • @CharlieReitzel Thanks for the advice, but we're not touching this in ESAPI 2.X. If you want it changed before 3.X we accept PRs here: https://github.com/ESAPI/esapi-java-legacy As for "But when 3.X," maybe Q4 2023. – avgvstvs Jan 19 '22 at 20:28
  • @avgvstvs Fair enough. Tbh, it probably won't annoy me enough to actually do anything about it :--) – Charlie Reitzel Jan 20 '22 at 00:06
  • @CharlieReitzel actually I spoke too soon: the property java -Dorg.owasp.esapi.logSpecial.discard=true silences them. I should have remembered that. – avgvstvs Jan 20 '22 at 01:59
  • @avgvstvs Thanks much, I'll give it a go – Charlie Reitzel Jan 20 '22 at 15:00
  • @CharlieReitzel FWIW--> ESAPI has to be the first library loaded: We defer to the chosen log implementation as we boot up. But while we're searching for those configuration files, there's no logger initialized. We are implemented as singletons so we can't do as you suggest. Once a logger is loaded it is locked and can't be swapped. This will be changed in 3.X (no more singletons.) – avgvstvs Jan 21 '22 at 18:23
1

First off, I want to note that @avgvstvs correctly referenced this in a comment made to @CharlieReitzel on 2022-01-20. I am not trying to take credit for his correct answer (we are both ESAPI project co-leads), but rather trying to get his answer unburied. As noted by @ravi-kumar-b yesterday, this buried comment was not found. Hopefully, this will help uncover the proper way to approach it. So shout out to @avgvstvs for mentioning it.

The correct way to suppress ESAPI output to stdout similar to this:

System property [org.owasp.esapi.opsteam] is not set.
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
System property [org.owasp.esapi.devteam] is not set
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
...

is by setting the System property org.owasp.esapi.logSpecial.discard to true when you invoke your application server, Spring Boot, etc. E.g.,

    java -Dorg.owasp.esapi.logSpecial.discard=true ...

That will work as long as you are using ESAPI 2.2.0.0 or later.

However, please note that there are 2 ESAPI vulnerabilities in ESAPI 2.2.0.0 itself (and many others via dependencies) so you are strongly encouraged to upgrade to a later version (ideally release 2.5.0.0).

Kevin W. Wall
  • Thanks for the separate answer. I have upvoted :). This is working for me. Yes, I have upgraded ESAPI from 2.2.0.0 to 2.5.0.0 – Ravi Sep 14 '22 at 05:41
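The -D flag above assumes you control the JVM command line. For a launcher class you do control (a Spring Boot main, the class that starts embedded Tomcat, an IDE run configuration), the following added example, not code from this answer or from the ESAPI project, sets the same property from a static initializer before any ESAPI class loads, without overriding a value given explicitly with -D. QuietEsapiLauncher and esapiVersion() are hypothetical names; the version check relies on Implementation-Version being present in the ESAPI jar manifest, which may not be the case (it then returns null), and the plain string comparison only suits the 2.x.y.z numbering used in this thread.

```java
import org.owasp.esapi.ESAPI;

/**
 * Entry class for an application whose JVM flags you cannot always control
 * (e.g. "mvn spring-boot:run"). The discard property must be set before the
 * first ESAPI class initializes; a static initializer in the entry class
 * guarantees that as long as nothing above it touches ESAPI.
 */
public final class QuietEsapiLauncher {

    /** Honoured by ESAPI 2.2.0.0 and later; older releases print regardless. */
    static final String DISCARD_PROPERTY = "org.owasp.esapi.logSpecial.discard";

    static {
        // Respect an explicit -Dorg.owasp.esapi.logSpecial.discard=... on the command line;
        // only supply the default when the operator said nothing.
        if (System.getProperty(DISCARD_PROPERTY) == null) {
            System.setProperty(DISCARD_PROPERTY, "true");
        }
    }

    /**
     * Returns the ESAPI jar's Implementation-Version from its manifest, or null
     * when the manifest does not carry one (assumption: not every build sets it).
     */
    static String esapiVersion() {
        Package p = ESAPI.class.getPackage();
        return p == null ? null : p.getImplementationVersion();
    }

    /** Crude check for the 2.x.y.z scheme used in this thread; not a general version comparator. */
    static boolean supportsDiscardProperty(String version) {
        return version == null || version.compareTo("2.2.0.0") >= 0;
    }

    public static void main(String[] args) {
        String version = esapiVersion();
        if (!supportsDiscardProperty(version)) {
            System.err.println("WARNING: ESAPI " + version + " ignores " + DISCARD_PROPERTY
                    + "; upgrade to 2.5.0.0 or later.");
        }

        // First use of the facade. With the property set, the
        // "Attempting to load ESAPI.properties ..." lines do not appear.
        String encoded = ESAPI.encoder().encodeForHTML("<test>");

        // ... start embedded Tomcat / SpringApplication.run(...) here and use 'encoded' as usual
        System.out.println(encoded);
    }
}
```

For a stand-alone Tomcat where you do not own the launcher, the same property belongs in CATALINA_OPTS (setenv.sh / setenv.bat); it can also be supplied to any JVM through the JAVA_TOOL_OPTIONS environment variable, at the cost of the JVM announcing that it picked the variable up on stderr.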