Issue 536 (#537)

* Variable Scope Increase

Reducing duplication by updating common strings to package-protected.

* SecurityWrapperResponse setHeader updates

Updating implementation to independently test the header and the
value method params.  Additional Logging has been added to identify each
unique case of ValidationException offense.

Tests have been updated and extended to verify the setHeader method.

* SecurityWrapperResponse addHeader updates

Updating addHeader behavior and testing to be inline with setHeader
updates requested in issue.

Tests have been updated and extended to verify the addHeader method.

* SecurityWrapperRepsonse addHeader log update

Copy/Pasta "set" context -- now corrected to "add"

* SecurityWrapperResponse Header Log Improvements

Appending the input header name to log messages when ValidationExceptions
occur.

Author: jeremiahjstacey

src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java

@@ -173,16 +173,28 @@ public void addDateHeader(String name, long date) {
      * @param value
      */
     public void addHeader(String name, String value) {
+        SecurityConfiguration sc = ESAPI.securityConfiguration();
+        String strippedName = StringUtilities.stripControls(name);
+        String strippedValue = StringUtilities.stripControls(value);
+        String safeName = null;
+        String safeValue = null;
         try {
-            // TODO: make stripping a global config
-            SecurityConfiguration sc = ESAPI.securityConfiguration();
-            String strippedName = StringUtilities.stripControls(name);
-            String strippedValue = StringUtilities.stripControls(value);
-            String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false);
-            String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
-            getHttpServletResponse().addHeader(safeName, safeValue);
+            safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false);
         } catch (ValidationException e) {
-            logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
+            logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header NAME denied: HTTPHeaderName:"+ name, e);
+        }
+        
+        try {
+            safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
+        } catch (ValidationException e) {
+            logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header VALUE denied: HTTPHeaderName:"+ name, e);
+        }
+        
+        boolean validName = StringUtilities.notNullOrEmpty(safeName, true);
+        boolean validValue = StringUtilities.notNullOrEmpty(safeValue, true);
+        
+        if (validName && validValue) {
+            getHttpServletResponse().addHeader(safeName, safeValue);
         }
     }
 
@@ -483,15 +495,28 @@ public void setDateHeader(String name, long date) {
      * @param value
      */
     public void setHeader(String name, String value) {
+        SecurityConfiguration sc = ESAPI.securityConfiguration();
+        String strippedName = StringUtilities.stripControls(name);
+        String strippedValue = StringUtilities.stripControls(value);
+        String safeName = null;
+        String safeValue = null;
         try {
-            String strippedName = StringUtilities.stripControls(name);
-            String strippedValue = StringUtilities.stripControls(value);
-            SecurityConfiguration sc = ESAPI.securityConfiguration();
-            String safeName = ESAPI.validator().getValidInput("setHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false);
-            String safeValue = ESAPI.validator().getValidInput("setHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
-            getHttpServletResponse().setHeader(safeName, safeValue);
+            safeName = ESAPI.validator().getValidInput("setHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false);
         } catch (ValidationException e) {
-            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header denied", e);
+            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header NAME denied: HTTPHeaderName:"+ name, e);
+        }
+        
+        try {
+            safeValue = ESAPI.validator().getValidInput("setHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
+        } catch (ValidationException e) {
+            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header VALUE denied: HTTPHeaderName:"+ name, e);
+        }
+        
+        boolean validName = StringUtilities.notNullOrEmpty(safeName, true);
+        boolean validValue = StringUtilities.notNullOrEmpty(safeValue, true);
+        
+        if (validName && validValue) {
+            getHttpServletResponse().setHeader(safeName, safeValue);
         }
     }
 

src/test/java/org/owasp/esapi/filters/SecurityWrapperRequestTest.java

@@ -18,8 +18,8 @@
 import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 // A hack for now; eventually, I plan to move this into a new org.owasp.esapi.PropNames class. -kww
@@ -41,7 +41,6 @@
 import org.mockito.stubbing.Answer;
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.Logger;
-import org.owasp.esapi.Logger.EventType;
 import org.owasp.esapi.SecurityConfiguration;
 import org.owasp.esapi.Validator;
 import org.owasp.esapi.errors.ValidationException;
@@ -61,15 +60,15 @@
 @RunWith(PowerMockRunner.class)
 @PrepareForTest(ESAPI.class)
 public class SecurityWrapperRequestTest {
-	private static final String ESAPI_VALIDATOR_GETTER_METHOD_NAME = "validator";
-	private static final String ESAPI_GET_LOGGER_METHOD_NAME = "getLogger";
-    private static final String ESAPY_SECURITY_CONFIGURATION_GETTER_METHOD_NAME = "securityConfiguration";
-    private static final String SECURITY_CONFIGURATION_QUERY_STRING_LENGTH_KEY_NAME = "HttpUtilities.URILENGTH";
-    private static final String SECURITY_CONFIGURATION_PARAMETER_STRING_LENGTH_KEY_NAME = "HttpUtilities.httpQueryParamValueLength";
+    protected static final String ESAPI_VALIDATOR_GETTER_METHOD_NAME = "validator";
+	protected static final String ESAPI_GET_LOGGER_METHOD_NAME = "getLogger";
+	protected static final String ESAPY_SECURITY_CONFIGURATION_GETTER_METHOD_NAME = "securityConfiguration";
+    protected static final String SECURITY_CONFIGURATION_QUERY_STRING_LENGTH_KEY_NAME = "HttpUtilities.URILENGTH";
+    protected static final String SECURITY_CONFIGURATION_PARAMETER_STRING_LENGTH_KEY_NAME = "HttpUtilities.httpQueryParamValueLength";
     private static final String SECURITY_CONFIGURATION_HEADER_NAME_LENGTH_KEY_NAME = "HttpUtilities.MaxHeaderNameSize";
     private static final String SECURITY_CONFIGURATION_HEADER_VALUE_LENGTH_KEY_NAME = "HttpUtilities.MaxHeaderValueSize";
 
-    private static final int SECURITY_CONFIGURATION_TEST_LENGTH = 255;
+    protected static final int SECURITY_CONFIGURATION_TEST_LENGTH = 255;
 
     private static final String QUERY_STRING_CANONCALIZE_TYPE_KEY = "HTTPQueryString";
     private static final String PARAMETER_STRING_CANONCALIZE_TYPE_KEY = "HTTPParameterValue";