I am dealing with the log forging issue for the code :
log.error("Request: " + req.getRequestURL() + " raised " + exception);
This element’s value (req.getRequestURL()) flows through the code without being properly
sanitized or validated, and is eventually used in writing an audit log in handleError
I tried to remove the \n\r characters but with no success.
I have gone through different sites searching for the same but did not find the helpful content.
Can anyone please explain the solution for this or a small guide to fix it.
Thanks
Use ESAPI library to protect log forging attack. Refer to
http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/ for code reference.
String clean = message.replace( '\n', '_' ).replace( '\r', '_' );
if ( ESAPI.securityConfiguration().getLogEncodingRequired() ) {
clean = ESAPI.encoder().encodeForHTML(message);
if (!message.equals(clean)) {
clean += " (Encoded)";
}
}
Related
I'm looking for a way to set status on test steps and then on Scenarios that will be displayed in an HTML report using extent report. I'm using now Cucumber Java TestNG & Extent Reports and I set the status using Assertions:
Assert.fail(msg)
the issue for assert is that he throws Assertion Exceptions and I didn't found a way to suppress exceptions so I would like to set the status using extent like:
extentTest.log(Status.FAIL, msg);
The issue here is that you need to create the feature/scenario/test and I didn't found any documentation on this.
Hope you are looking for some methods which would print messages based on your requirement in HTML Reports generated by Extent. If so, then you would need to customize or write down method as per your need. I am attaching screen shot of HTML also a piece of code to give you vision how shall you proceed.
Like below method would add screen and message as well based on test failure. You can simply change testReport.get().fail to pass or warning based on your need.
public static synchronized void logFailed(String message) {
try {
testReport.get().fail("<details>" + "<summary>" + "<b>" + "<font color=" + "red>" + "Exception Occured : Click on the link to see message"
+ "</font>" + "</b >" + "</summary>" + "<br>" + "<h6>" + "<b>" + BasePage.returnLocator(message) + "</b>"+ "</h6>" + "</br>" + message.replaceAll(",", "<br>")+"</details>"+" \n");
addScreenShotsOnFailure();
}
catch(Exception e) {
}
}
im haveing a problem running a setline command
witch i want to set the line of a sign with..
it isn't doing anything
This is the part of the code that has the setline method in it it will run with a few other things when the player will give the input (the "if (SignEvent.isNumericArray(times))" is true for sure and the code is running i did check that )
if (SignEvent.isNumericArray(times)){
double uses = Double.parseDouble(times);
uses = uses -1;
sign.setLine(2 , uses + "/" + str[1] + parts[1]);
if (uses <= 0){
sign.setLine(0, ChatColor.STRIKETHROUGH + "StartPayment");
}
}
i did check a few things :
no errors in console or eclipse error list
object sign is type Sign imported from import org.bukkit.block.Sign
object sign is the right sign (checked by doing e.getPlayer().sendMessage(sign.getLine(0)); it worked..
no matter what the string is it isn't working
no matter where i put this line of code its not working
the this line is running
i just have no idea what could i do to fix it i tried a lot of things and im pretty sure the problem is in the
sign.setLine(2 , uses + "/" + str[1] + parts[1]); line
any one have any idea for what did i do wrong ?
Note: no matter where in this method i put the setline method or with what string/lineIndex ,it isn't doing anything
I think you have to execute sign.update(); after a modification to apply changes.
So I'm having trouble formulating the correct syntax for selecting this element from a webpage. Here is what the path looks like on the Inspect Element Interface on Firefox
And here's what my current code looks like:
Element prices = doc.select("body[class =en page-type-search page-type-group-shelf og ress] " +
"div#wrap " +
"div#main-wrap " +
"div#jalapeno-template " +
"div[class=zone zone3 wgrid-10of12 wgrid-6of8 wgrid-4of4] " +
"section#shelf-page " +
"div#shelf-thumbs " +
"div.shelf-thumbs " +
"div.price-current " +
"span.product-price-analytics").first();
String priceOne = prices.attr("data-analytics-value");
And just to be incredibly clear, the attribute that I'm wanting is the 'data-analytics-value' because it gives an exact price.
I think that I have all the correct syntax so what am I doing wrong? When I run the program it gives me a nullPointerException. Any help is appreciated!
[Update] I changed princeOne to doc.toString() and its saying the the web browser is not running javascript and that JavaScript is required to view the walmart website, any work arounds?
After trying with no luck using Android's WebView, I accidentally found a solution in setting my userAgent, all I did was change the
Jsoup.connect(url).get();
line to
Jsoup.connect(url).userAgent("YOUR_USER_AGENT_HERE").get();
and it worked like a charm. Thanks for the reply anyway Fred!
I ran appScan on my application. I can see most of the Validation.Required issues for String objects. But, not sure what validation the appscan is expecting here. we have tried with null and empty check still there is no use. Please any one let me know what validation appscan expects on a string object.
String tableName = this.request.getParameter(TABLE_NAME);
session.setAttribute(tableName + "_" + parentTableName + "_editColumnMap", editableColumnsMap);
Please let me know if you need any more information
The major goal of mitigating Validatoin.required finding is to validate against malicious input. Check in your code if any variable can be set to a value that can be controlled by a malicious user. Any input taking from outside of your system should be validated or sanitized using white-listing: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#White_List_Input_Validation
I got a recommendation to use this syntax when logging in java:
if (logger.isLoggable(Log.FINE))
{
logger.fine("bla"+" bla"+" bla");
}
The reason for this is to avoid the redundant construction of the parameter string incase the logging level is lower than "FINE". (in the example above - 5 redundant string object. (" bla"X3, " bla bla" and "bla bla bla").
I'd like to hear what others are doing about this or if you think that this is necessary at all.
Thanks!!
Some newer logging frameworks allow you to specify arguments as parameters, and won't evaluate them if there's no logging.
The example I found is LogBack, the successor to Log4j. Here's the info: http://www.infoq.com/news/2007/08/logback
This gives you the best of both worlds, so to speak. Elegant syntax yet good performance.
Log4j code example:
if( logger.isDebugEnabled() ) {
logger.debug( "User with account " +
user.getAccount() + " failed authentication; " +
"supplied crypted password " + user.crypt(password) +
" does not match." );
}
Equivalent LogBack code:
logger.debug( "User with account {} failed authentication; " +
"supplied crypted password {} does not match.",
user.getAccount(), user.crypt(password) );
This defers the cost of message assembly until LOGBack has ascertained whether or not this message will be viewed. It doesn't defer the cost of retrieving expensive parameters, such as the password crypting in the above example.
String objects are immutable, and repeated concatenation is therefore an expensive operation. It requires repeated memory allocation, object creation and iteration. Considering that some logging calls at the finer log levels can be invoked thousands or millions of times per minute, it might be a considerable performance gain to do as you illustrate. Though, for a smaller application, it might not be worth the extra effort.
As a side note: You can save even more performance, where this is truly critical by using a constant such as this:
public static final boolean DEBUG = false;
If you now wrap the logging code in an if-block such as this, the JVM will be able to completely optimize away the debug calls when running in product mode. This is as close as you get to a C #ifdef.
if (Globals.DEBUG) {
// Logging call
}
Absolutely necessary for debug type logging. It something like 10x quicker to check the log level first than create the string and throw it away.
This is an improvement (good) but it can be improved on a little.
Set up final flags for each logging level (FINE, etc) in a global object used as config, then use a StringBuffer to build up your debugging output -- you can even format numbers into the stream at the same time.
public class MyAppConfig {
public final boolean FINE=true;
// ... other fields
}
public class MyApp {
void someFunction() {
...
int imagesProcessed;
imagesProcessed = processImages();
if (MyAppConfig.FINE) logger.fine(new StringBuffer(35).
append("Count of images processed: ").append(imagesProcessed).toString());
...
}
}
Here the string buffer is set up with an 'initial capacity' of 35 characters. If you know how many characters are going to be generated you can provide hints to StringBuffer.