Prep 2.2.1.0 (#557)

* Delete the release notes that prevents me from doing a 'git pull origin' from my fork.

* Add note referring to minimal Java 7 baseline.

* Close #542 - final release notes for 2.2.1.0.

* Close #556 - Add some final additional 'see also' refs.

* Close #554

* Close #555

* Added issue 521 which should have been closed per PR 535. Issue now closed.

* Close #558

* Update to reflect fix to issue #558

* Find/fix dependency causing java.lang.OutOfMemoryError: PermGen space
that only occurs on Mac with Java 7. Apparently it was the surefire plugin.

Co-authored-by: davewichers <[email protected]>

Author: kwwall

README.md

@@ -17,9 +17,11 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
 # What does Legacy mean?
 <p>This is the legacy branch of ESAPI which means it is an actively maintained branch of the project, however feature development for this branch will not be done. Features that have already been scheduled for the 2.x branch will move forward, but the main focus will be working on the ESAPI 3.x branch. 
 
-<b>IMPORTANT NOTE:</b>
+<b>IMPORTANT NOTES:</b>
 The default branch for ESAPI legacy is now the 'develop' branch (rather than the 'master' branch), where future development, bug fixes, etc. will now be done. The 'master' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.1.0.1 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.
 
+Also, the <i>minimal</i> baseline Java version to use ESAPI is Java 7. (This was changed from Java 6 during the 2.2.0.0 release.)
+
 # Where can I find ESAPI 3.x?
 https://github.com/ESAPI/esapi-java
 

documentation/esapi4java-core-2.2.1.0-release-notes.txt

@@ -135,7 +135,10 @@
         <version.jmh>1.23</version.jmh>
         <version.powermock>2.0.7</version.powermock>
         <version.spotbugs>4.0.4</version.spotbugs>
-        <version.surefire>3.0.0-M5</version.surefire>
+        <!-- Upgrading to 3.0.0-M3+ causes this test case error:
+             org.owasp.esapi.reference.DefaultValidatorInputStringAPITest.getValidInputNullAllowedPassthrough  Time elapsed: 2.057 s  <<< ERROR!
+             java.lang.OutOfMemoryError: PermGen space -->
+        <version.surefire>3.0.0-M2</version.surefire>
     </properties>
 
     <dependencies>

pom.xml

@@ -149,6 +149,9 @@
  * </li>
  * </ul>
  * 
+ * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">OWASP Cross-Site Scripting Prevention Cheat Sheet</a>.
+ * @see <a href="https://owasp.org/www-project-proactive-controls/v3/en/c4-encode-escape-data">OWASP Proactive Controls: C4: Encode and Escape Data</a>
+ * @see <a href="https://www.onwebsecurity.com/security/properly-encoding-and-escaping-for-the-web.html">Properly encoding and escaping for the web.</a>
  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
  *         href="http://www.aspectsecurity.com">Aspect Security</a>
  * @since June 1, 2007

src/main/java/org/owasp/esapi/Encoder.java

@@ -352,7 +352,15 @@ public static void copyByteArray(final byte[] src, byte[] dest)
 	 */
     @Deprecated
 	public static boolean arrayCompare(byte[] b1, byte[] b2) {
-        // Note: See GitHub issue #246
+        // Note: See GitHub issue #246 and #554.
+        // If we make Java 8 the minimal ESAPI baseline before we remove this
+        // method, we can at least remove these next 6 lines. (Issue 554.)
+        if ( b1 == null && b2 == null ) {   // Must test this first!
+            return true;    // Prevent NPE; compatibility with Java 8 and later.
+        }
+        if ( b1 == null || b2 == null ) {
+            return false;    // Prevent NPE; compatibility with Java 8 and later.
+        }
         return java.security.MessageDigest.isEqual(b1, b2);
 	}
 

src/main/java/org/owasp/esapi/crypto/CryptoHelper.java

@@ -131,7 +131,13 @@ public final void testArrayCompare() {
 //        stop = System.nanoTime();
 //        diff = stop - start;
 //        System.out.println("diff: " + diff + " nanosec");
-        
+ 
+//        start = System.nanoTime();
+        assertFalse(CryptoHelper.arrayCompare(null, ba1));
+//        stop = System.nanoTime();
+//        diff = stop - start;
+//        System.out.println("diff: " + diff + " nanosec");
+ 
         ba2 = ba1;
 //        start = System.nanoTime();
         assertTrue(CryptoHelper.arrayCompare(ba1, ba2));
@@ -186,4 +192,4 @@ private boolean checkByteArray(byte[] ba, byte b) {
     public static junit.framework.Test suite() {
         return new JUnit4TestAdapter(CryptoHelperTest.class);
     }
-}
+}

src/test/java/org/owasp/esapi/crypto/CryptoHelperTest.java

@@ -226,7 +226,7 @@ public void testIsAuthorizedForData() {
 			userRW = Class.forName("java.lang.String");
 			anyR = Class.forName("java.io.BufferedReader");
 			userAdminR = Class.forName("java.util.Random");
-			userAdminRW = Class.forName("java.awt.event.MouseWheelEvent");
+			userAdminRW = Class.forName("javax.crypto.Cipher");
 			undefined = Class.forName("java.io.FileWriter");
 
 		}catch(ClassNotFoundException cnf){

src/test/java/org/owasp/esapi/reference/AccessControllerTest.java

@@ -350,7 +350,13 @@ public void testIsValidDirectoryPath() throws IOException {
 
             // Unix specific paths should pass
             assertTrue(instance.isValidDirectoryPath("test", "/", parent, false));         // Root directory
-            assertTrue(instance.isValidDirectoryPath("test", "/etc", parent, false));      // Always exist directory
+                // Unfortunately, on MacOS both "/etc" and "/var" are symlinks
+                // to "/private/etc" and "/private/var" respectively, and "/sbin"
+                // and "/bin" sometimes are symlinks on certain *nix OSs, so we need
+                // to special case MacOS here.
+            boolean isMac = System.getProperty("os.name").toLowerCase().contains("mac");
+            String testDirNotSymLink = isMac ? "/private" : "/etc";
+            assertTrue(instance.isValidDirectoryPath("test", testDirNotSymLink, parent, false));      // Always exist directory
 
             // Unix specific paths that should not exist or work
             assertFalse(instance.isValidDirectoryPath("test", "/bin/sh", parent, false));   // Standard shell, not dir

src/test/java/org/owasp/esapi/reference/ValidatorTest.java

@@ -4,6 +4,6 @@ java.io.BufferedReader             | any         | read        | default deny
 java.lang.String                   | User        | read, write |
 java.lang.Math                     | Admin       | read, write |
 java.util.ArrayList                | Admin       | read        |
-java.awt.event.MouseWheelEvent     | Admin, User | write, read |
+javax.crypto.Cipher                | Admin, User | write, read |
 java.util.Date                     | User        | write       |
-java.util.Random                   | User, Admin | read        |
+java.util.Random                   | User, Admin | read        |