Added deprecations, deprecation warnings, and other Javadoc refinements.

Author: kwwall

src/main/java/org/owasp/esapi/Encoder.java

@@ -490,8 +490,14 @@ public interface Encoder {
      *      the text to encode for SQL
      *
      * @return input encoded for use in SQL
+     * @see <a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf">
+     *              ESAPI Security Bulletin #13</a>
+     * @deprecated  This class is considered dangerous and not easily made safe and thus under strong
+     *              consideration to be removed within 1 years time after the 2.7.0.0 release. Please
+     *              see the referenced ESAPI Security Bulletin #13 for further details.
      */
-    String encodeForSQL(Codec codec, String input);
+     @Deprecated
+     String encodeForSQL(Codec codec, String input);
 
     /**
      * Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec).

src/main/java/org/owasp/esapi/codecs/DB2Codec.java

@@ -26,7 +26,13 @@
  * @author Sivasankar Tanakala ([email protected])
  * @since October 26, 2010
  * @see org.owasp.esapi.Encoder
+ * @see <a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf">
+ *              ESAPI Security Bulletin #13</a>
+ * @deprecated  This class is considered dangerous and not easily made safe and thus under strong
+ *              consideration to be removed within 1 years time after the 2.7.0.0 release. Please
+ *              see the referenced ESAPI Security Bulletin #13 for further details.
  */
+@Deprecated
 public class DB2Codec extends AbstractCharacterCodec {
 
     public String encodeCharacter(char[] immune, Character c) {

src/main/java/org/owasp/esapi/codecs/MySQLCodec.java

@@ -63,7 +63,13 @@
  * <a href= "https://dev.mysql.com/doc/refman/8.0/en/string-literals.html">MySQL 8.0 String Literals</a>
  * <a href= "https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#MySQL_Escaping">OWASP
  *      SQL_Injection_Prevention_Cheat_Sheet#MySQL_Escaping</a>
+ * @see <a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf">
+ *              ESAPI Security Bulletin #13</a>
+ * @deprecated  This class is considered dangerous and not easily made safe and thus under strong
+ *              consideration to be removed within 1 years time after the 2.7.0.0 release. Please
+ *              see the referenced ESAPI Security Bulletin #13 for further details.
  */
+@Deprecated
 public class MySQLCodec extends AbstractCharacterCodec {
     /**
      * Specifies the SQL Mode the target MySQL Server is running with. For details about MySQL Server Modes

src/main/java/org/owasp/esapi/codecs/OracleCodec.java

@@ -20,20 +20,44 @@
 /**
  * Implementation of the {@link org.owasp.esapi.codecs.Codec} interface for Oracle DB strings. 
  * This function will only protect you from SQLi in limited situations.
- * To improve your chances of success, you made also need to do some
+ * To improve your chances of success, you may also need to do some
  * additional canonicalization and input validation first. Before using this class,
- * please be sure to read the "SECURITY WARNING" in
+ * please be sure to read the "<b>SECURITY WARNING</b>" in
  * {@link org.owasp.esapi.Encoder#encodeForSQL}
  * before using this particular {@link org.owasp.esapi.codecs.Codec} and raising your hope of finding
  * a silver bullet to kill all the SQLi werewolves.
- *
- * @see <a href="http://oraqa.com/2006/03/20/how-to-escape-single-quotes-in-strings/">how-to-escape-single-quotes-in-strings</a>
- *
+ * </p><p>
+ * <b>CAUTION:</b> This class has some known issues. During the investigation of
+ * CVE-2025-5878, it was discovered that since this class' inception in
+ * 2007, that Oracle databases also use \ (backslash) as a default escape char.
+ * That was fundamental in the vulnerability, since the escape character itself
+ * was not being escaped. We had originally planned to address this, but while
+ * researching the issue, we discovered that not only was there a new default
+ * escape character for Oracle SQL*Plus, but that developers could actually
+ * override the default to a character of their choosing. (For details see
+ * <a href="https://www.oreilly.com/library/view/oracle-sqlplus-the/0596007469/re62.html">SET ESCAPE</a>
+ * and <a href="https://techjourney.net/how-to-escape-characters-in-oracle-plsql-queries/">
+ * How to Escape Characters in Oracle PL/SQL Queries</a>.) The second instance is
+ * especially scary, since it illustrates how a developer can potentially can
+ * the default escape character as part of an ordinary SQL statement. We
+ * realized that there is no way we can defend against this, so it seemed
+ * pointless to even bother to try to quote default escape character passed in
+ * as input when {@code OracleCodec} is used with the {@code Encoder.encodeForSQL}
+ * interface. Therefore, you really should not use this, but if dead set in
+ * still using this leg canon, it;s on you. You have been warned.
+ * </p>
+ * @see org.owasp.esapi.Encoder
+ * @see <a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf">
+ *              ESAPI Security Bulletin #13</a>
  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
  * @author Jim Manico ([email protected]) <a href="http://www.manico.net">Manico.net</a>
  * @since June 1, 2007
- * @see org.owasp.esapi.Encoder
+ * @see <a href="http://oraqa.com/2006/03/20/how-to-escape-single-quotes-in-strings/">how-to-escape-single-quotes-in-strings</a>
+ * @deprecated  This class is considered dangerous and not easily made safe and thus under strong
+ *              consideration to be removed within 1 years time after the 2.7.0.0 release. Please
+ *              see the referenced ESAPI Security Bulletin #13 for further details.
  */
+@Deprecated
 public class OracleCodec extends AbstractCharacterCodec {
 
 

src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

@@ -43,29 +43,59 @@
 import org.owasp.esapi.errors.ConfigurationException;
 
 /**
- * The reference {@code SecurityConfiguration} manages all the settings used by the ESAPI in a single place. In this reference
- * implementation, resources can be put in several locations, which are searched in the following order:
+ * Thse reference implementation class for {@code SecurityConfiguration} manages all the settings used by the ESAPI
+ * in a single place. In this reference implementation, resources can be put in several locations, which are
+ * searched in the following order:
  * <p>
- * 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
- * <p>
- * 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
+ * <ol>
+ * <li>
+ * Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
+ * </p><p>
+ * <b>CAUTION:</b> Generally this technique should be avoided if you are
+ * using ESAPI in a resusable library, as it makes it very difficult for an
+ * application using your library to use its own version of
+ * <b>ESAPI.properties</b>.
+ * </p><p>
+ * The only exception might be if you are writing a wrapper library for ESAPI
+ * and wish to provide a set of ESAPI properties that the application cannot <i>accidentally</i>
+ * change. However, selecting this option won't intentionally prevent changing <b>ESAPI.properties</b>
+ * unless you are signing the jar * and somehow forcing the verifiction of its digital signature at
+ * runtime. That's because it's easy enough to unjar your library, edit the <b>ESAPI.properties</b>
+ * file and then re-jar the library.
+ * </p><p>
+ * This option was probably more intended for use by web applications by embedding
+ * them as resources in .war or .ear files, possibly with the intent of
+ * dissauding operations staff from making "improvements", a practice which
+ * makes much less--if any--sense in the era of DevOps and DevSecOps.
+ * </p>
+ * </li>
+ * <li>
+ * Inside the {@code System.getProperty( "org.owasp.esapi.resources" )} directory.
  * You can set this on the java command line as follows (for example):
  * <pre>
- *         java -Dorg.owasp.esapi.resources="C:\temp\resources"
+ *
+ *         java -Dorg.owasp.esapi.resources="C:\apps\myApp\resources"
  * </pre>
  * You may have to add this to the start-up script that starts your web server. For example, for Tomcat,
  * in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the {@code -D} string above.
- * <p>
- * 3) Inside the {@code System.getProperty( "user.home" ) + "/.esapi"} directory (supported for backward compatibility) or
+ * </li>
+ * <li>
+ * Inside the {@code System.getProperty( "user.home" ) + "/.esapi"} directory (supported for backward compatibility) or
  * inside the {@code System.getProperty( "user.home" ) + "/esapi"} directory.
- * <p>
- * 4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
- * <p>
- * Once the Configuration is initialized with a resource directory, you can edit it to set things like master
- * keys and passwords, logging locations, error thresholds, and allowed file extensions.
- * <p>
- * WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
- * <p>
+ * </li>
+ * <li>
+ * The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
+ * </li>
+ * </ol>
+ * </p><p>
+ * Once the ESAPI configuration is initialized with a resource directory, you can edit it to set things like master
+ * keys and passwords, logging locations, error thresholds, and allowed file extensions. (But see the above cautionary
+ * note if you are using ESAPI in a reusable library.)
+ * </p><p>
+ * <b>WARNING:</b> Do not forget to update ESAPI.properties to change the master key and other security critical settings
+ * as well as reviewing changes in the <code>esapi-&lt;<i>vers</i>-configuration.jar</code> for differences
+ * with your current version to see if any important properties were added or removed.
+ * </p><p>
  * <b>DEPRECATION WARNING</b>: All of the variables of the type '{@code public static final String}'
  * are now declared and defined in the {@code org.owasp.esapi.PropNames}. These public fields
  * representing property names and values in <i>this</i> class <i>will</i> be eventually deleted and