Merge pull request #683 from jeremiahjstacey/java-8

xeno6696 · web-flow · commit fc5558e9426a · 2022-04-23T17:45:41.000-07:00
Java 8 updates
diff --git a/.snyk b/.snyk
@@ -1,7 +1,2 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
 version: v1.14.0
-ignore:
-   SNYK-JAVA-COMMONSIO-1277109:
-     - commons-io:commons-io:
-       reason: ESAPI cannot upgrade past the current commons-io version and still maintain Java 7 compatibility
-       expires: '2025-12-30T00:00:00.000Z'
diff --git a/CONTRIBUTING-TO-ESAPI.txt b/CONTRIBUTING-TO-ESAPI.txt
@@ -46,10 +46,9 @@ Overview:
             autocrlf = input
 
 Required Software:
-    We use Maven for building. Maven 3.1 or later is required. You also need
-    JDK 7 or later. (We generally use JDK 8, but compile ESAPI only to require
-    JDK 7, which means our code can't yet use any features exclusive to Java 8
-    or later.) [Note: If you use JDK 9 or later, there will be multiple
+    We use Maven for building. Maven 3.3.9 or later is required. You also need
+    JDK 8 or later.
+    [Note: If you use JDK 9 or later, there will be multiple
     failures when you try to run 'mvn test' as well as some general warnings.
     See ESAPI GitHub issue #496 for details.]
 
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ You will find that GitHub repository at [https://github.com/ESAPI/esapi-java-leg
 <b>IMPORTANT NOTES:</b>
 The default branch for ESAPI legacy is now the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. will now be done. The 'main' branch is now marked as "protected"; it reflects the latest stable ESAPI release (2.1.0.1 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.
 
-Also, the <i>minimal</i> baseline Java version to use ESAPI is Java 7. (This was changed from Java 6 during the 2.2.0.0 release.)
+Also, the <i>minimal</i> baseline Java version to use ESAPI is Java 8. (This was changed from Java 7 during the 2.4.0.0 release.)
 
 # Where can I find ESAPI 3.x?
 [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java)
diff --git a/pom.xml b/pom.xml
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java
@@ -583,39 +583,40 @@ public void update(long pBytesRead, long pContentLength, int pItems) {
 			upload.setProgressListener(progressListener);
 
 			List<FileItem> items = upload.parseRequest(request);
-         for (FileItem item : items)
-         {
-            if (!item.isFormField() && item.getName() != null && !(item.getName().equals("")))
-            {
+			for (FileItem item : items)
+			{
+				if (!item.isFormField() && item.getName() != null && !(item.getName().equals("")))
+				{
 					String[] fparts = item.getName().split("[\\/\\\\]");
 					String filename = fparts[fparts.length - 1];
 
-               if (!ESAPI.validator().isValidFileName("upload", filename, allowedExtensions, false))
-               {
+					if (!ESAPI.validator().isValidFileName("upload", filename, allowedExtensions, false))
+					{
 						throw new ValidationUploadException("Upload only simple filenames with the following extensions " + allowedExtensions, "Upload failed isValidFileName check");
 					}
 
 					logger.info(Logger.SECURITY_SUCCESS, "File upload requested: " + filename);
 					File f = new File(finalDir, filename);
-               if (f.exists())
-               {
+					if (f.exists())
+					{
 						String[] parts = filename.split("\\/.");
 						String extension = "";
-                  if (parts.length > 1)
-                  {
+						if (parts.length > 1)
+						{
 							extension = parts[parts.length - 1];
 						}
 						String filenm = filename.substring(0, filename.length() - extension.length());
 						f = File.createTempFile(filenm, "." + extension, finalDir);
 					}
+
 					item.write(f);
-               newFiles.add(f);
+					newFiles.add(f);
 					// delete temporary file
 					item.delete();
 					logger.fatal(Logger.SECURITY_SUCCESS, "File successfully uploaded: " + f);
-               if (session != null)
-               {
-					    session.setAttribute("progress", Long.toString(0));
+					if (session != null)
+					{
+						session.setAttribute("progress", Long.toString(0));
 					}
 				}
 			}
diff --git a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletRequest.java b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletRequest.java
@@ -24,6 +24,7 @@
 import java.util.Enumeration;
 import java.util.Vector;
 
+import javax.servlet.ReadListener;
 import javax.servlet.ServletInputStream;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
@@ -171,18 +172,37 @@ public Enumeration getDictionaryParameterNames() {
 	private class RAFInputStream extends ServletInputStream {
 		
 		RandomAccessFile raf;
+		boolean isDone = false;
 		
 		public RAFInputStream(RandomAccessFile raf) throws IOException {
 			this.raf = raf;
 			this.raf.seek(0);
 		}
 
 		public int read() throws IOException {
-			return raf.read();
+			int rval = raf.read();
+			isDone = rval == -1;
+			return rval;
 		}
 		
 		public synchronized void reset() throws IOException {
 			raf.seek(0);
+			isDone=false;
+		}
+
+		@Override
+		public boolean isFinished() {
+			return isDone;
+		}
+
+		@Override
+		public boolean isReady() {
+			return false;
+		}
+
+		@Override
+		public void setReadListener(ReadListener readListener) {
+			//NO-OP.  Unused in this scope
 		}
 	}
 	
diff --git a/src/main/java/org/owasp/esapi/waf/internal/InterceptingServletOutputStream.java b/src/main/java/org/owasp/esapi/waf/internal/InterceptingServletOutputStream.java
@@ -21,6 +21,7 @@
 import java.io.RandomAccessFile;
 
 import javax.servlet.ServletOutputStream;
+import javax.servlet.WriteListener;
 
 /**
  * This class was inspired by ModSecurity for Java by Ivan Ristic. We hook
@@ -161,4 +162,14 @@ public void close() throws IOException {
 
     }
 
+	@Override
+	public boolean isReady() {
+		return os.isReady();
+	}
+
+	@Override
+	public void setWriteListener(WriteListener writeListener) {
+		os.setWriteListener(writeListener);
+	}
+
 }
diff --git a/src/test/java/org/owasp/esapi/http/MockHttpServletRequest.java b/src/test/java/org/owasp/esapi/http/MockHttpServletRequest.java
@@ -46,6 +46,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpUpgradeHandler;
 import javax.servlet.http.Part;
 
 /**
@@ -737,4 +738,19 @@ public DispatcherType getDispatcherType() {
         throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
     }
 
+	@Override
+	public long getContentLengthLong() {
+		throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+	}
+
+	@Override
+	public String changeSessionId() {
+		throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+	}
+
+	@Override
+	public <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException {
+		throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+	}
+
 }
diff --git a/src/test/java/org/owasp/esapi/http/MockHttpServletResponse.java b/src/test/java/org/owasp/esapi/http/MockHttpServletResponse.java
@@ -24,6 +24,7 @@
 import java.util.Locale;
 
 import javax.servlet.ServletOutputStream;
+import javax.servlet.WriteListener;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 
@@ -279,6 +280,16 @@ public ServletOutputStream getOutputStream() throws IOException {
 			public void write(int b) throws IOException {
 				body.append((char)b);
 			}
+
+			@Override
+			public boolean isReady() {
+				return false;
+			}
+
+			@Override
+			public void setWriteListener(WriteListener writeListener) {
+				//NO-OP
+			}
 		};
 	}
 
@@ -369,5 +380,10 @@ public void dump() {
     public Collection<String> getHeaders(String string) {
         throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
     }
+
+	@Override
+	public void setContentLengthLong(long len) {
+		throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+	}
 	
 }
diff --git a/src/test/java/org/owasp/esapi/http/MockServletContext.java b/src/test/java/org/owasp/esapi/http/MockServletContext.java
@@ -693,4 +693,9 @@ public ClassLoader getClassLoader() {
     public void declareRoles(String... strings) {
         throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
     }
+
+	@Override
+	public String getVirtualServerName() {
+		throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+	}
 }
diff --git a/src/test/java/org/owasp/esapi/http/MockServletInputStream.java b/src/test/java/org/owasp/esapi/http/MockServletInputStream.java
@@ -15,6 +15,7 @@
  */
 package org.owasp.esapi.http;
 
+import javax.servlet.ReadListener;
 import javax.servlet.ServletInputStream;
 import java.io.IOException;
 
@@ -28,6 +29,7 @@ public class MockServletInputStream extends ServletInputStream {
 
     private int next;
 
+    private boolean isDone = false;
     /**
      * constructor
      * @param body
@@ -45,7 +47,23 @@ public int read() throws IOException {
         if (next < body.length) {
             return body[next++];
         } else {
+        	isDone = true;
             return -1;
         }
     }
+
+	@Override
+	public boolean isFinished() {
+		return isDone;
+	}
+
+	@Override
+	public boolean isReady() {
+		return false;
+	}
+
+	@Override
+	public void setReadListener(ReadListener readListener) {
+		//NO_OP
+	}
 }
diff --git a/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java b/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java
@@ -206,7 +206,7 @@ public void testChangeSessionIdentifier() throws EnterpriseSecurityException {
 	 * Test of formatHttpRequestForLog method, of class org.owasp.esapi.HTTPUtilities.
 	 * @throws IOException 
 	 */
-	public void testGetFileUploads() throws IOException {
+	public void testGetFileUploads() throws Exception {
 		File home = null;
 
 		try
@@ -227,37 +227,24 @@ public void testGetFileUploads() throws IOException {
 			MockHttpServletRequest request2 = new MockHttpServletRequest("/test", content.getBytes(response.getCharacterEncoding()));
 			request2.setContentType( "multipart/form-data; boundary=ridiculous");
 			ESAPI.httpUtilities().setCurrentHTTP(request2, response);
+			List<File> response2 = new ArrayList<>();
 			try {
-				List<?> list = ESAPI.httpUtilities().getFileUploads(request2, home);
-				Iterator<?> i = list.iterator();
-				while ( i.hasNext() ) {
-					File f = (File)i.next();
-					System.out.println( "  " + f.getAbsolutePath() );
-				}
-				assertTrue( list.size() > 0 );
-			} catch (ValidationException e) {
-				System.out.println("ERROR in testGetFileUploads() request2: " + e.toString());
-				e.printStackTrace();
-				fail();
+				response2 = ESAPI.httpUtilities().getFileUploads(request2, home);
+				assertTrue( response2.size() > 0 );
+			} finally {
+				response2.forEach(file -> file.delete());
 			}
 
 			MockHttpServletRequest request4 = new MockHttpServletRequest("/test", content.getBytes(response.getCharacterEncoding()));
 			request4.setContentType( "multipart/form-data; boundary=ridiculous");
 			ESAPI.httpUtilities().setCurrentHTTP(request4, response);
 			System.err.println("UPLOAD DIRECTORY: " + ESAPI.securityConfiguration().getUploadDirectory());
+			List<File> response4 = new ArrayList<>();
 			try {
-				List<?> list = ESAPI.httpUtilities().getFileUploads(request4, home);
-				Iterator<?> i = list.iterator();
-				while ( i.hasNext() ) {
-					File f = (File)i.next();
-					System.out.println( "  " + f.getAbsolutePath() );
-				}
-				assertTrue( list.size() > 0 );
-			} catch (ValidationException e) {
-				// TODO: This test cases if failing when we upgrade to commons-fileupload;commons-fileupload:1.4 because of a duplicate file error. Need to figure out why.
-				System.out.println("ERROR in testGetFileUploads() request4: " + e.toString());
-				e.printStackTrace();
-				fail();
+			    response4 = ESAPI.httpUtilities().getFileUploads(request4, home);
+			    assertTrue( response4.size() > 0 );
+			} finally {
+			    response4.forEach(file -> file.delete());
 			}
 
 			MockHttpServletRequest request3 = new MockHttpServletRequest("/test", content.replaceAll("txt", "ridiculous").getBytes(response.getCharacterEncoding()));
diff --git a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
diff --git a/suppressions.xml b/suppressions.xml
diff --git a/versionRuleset.xml b/versionRuleset.xml

Original file line number	Diff line number	Diff line change
`@@ -693,4 +693,9 @@ public ClassLoader getClassLoader() {`
`693`	`693`	`public void declareRoles(String... strings) {`
`694`	`694`	`throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools \| Templates.`
`695`	`695`	`}`
	`696`	`+`
	`697`	`+ @Override`
	`698`	`+ public String getVirtualServerName() {`
	`699`	`+ throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools \| Templates.`
	`700`	`+ }`
`696`	`701`	`}`