I am getting the below error when I am running my application:
WARNING: [SECURITY FAILURE Anonymous:null#unknown -> 127.0.0.1:8080/ExampleApplication/SecurityWrapperResponse] Attempt to set invalid header denied
org.owasp.esapi.errors.ValidationException: setHeader: Invalid input. The maximum length of 20 characters was exceeded.
at org.owasp.esapi.reference.validation.StringValidationRule.checkLength(StringValidationRule.java:214)
at org.owasp.esapi.reference.validation.StringValidationRule.checkLength(StringValidationRule.java:229)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:281)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:214)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)
at org.owasp.esapi.filters.SecurityWrapperResponse.setHeader(SecurityWrapperResponse.java:447)
I have tried changing the below property, but it did not work:
Validator.HTTPHeaderName=^[a-zA-Z0-9\-_]{1,32}$
I have changed 32 to 50, but it is still throwing the same error.
My header is response.setHeader("Access-Control-Allow-Origin", "*"); it works when I comment out this line. Can you please help me with how to change the header name length in the esapi.properties file?
The package contained hard-coded length values in the SecurityWrapperResponse class, so I solved the problem by overriding the class and changing the length.
It is working.
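One way to do that override, as an added example that is not the answerer's code: a SecurityWrapperResponse subclass that keeps ESAPI's header validation (linear-whitespace stripping plus the Validator.HTTPHeaderName / HTTPHeaderValue patterns) but replaces the hard-coded name limit of 20 with a configurable one. It assumes the ESAPI 2.0.x API visible in the stack trace, getValidInput(context, input, type, maxLength, allowNull), and the class name LongHeaderSecurityWrapperResponse is my own.

```java
// Added example, not the answerer's or ESAPI's code. Assumes ESAPI 2.0.x, where
// SecurityWrapperResponse.setHeader validates with hard-coded limits (20 for the
// name, 500 for the value) before delegating to the wrapped response.
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.StringUtilities;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.filters.SecurityWrapperResponse;

public class LongHeaderSecurityWrapperResponse extends SecurityWrapperResponse {
    // "Access-Control-Allow-Origin" is 27 characters; 20 was the hard-coded limit.
    private static final int MAX_HEADER_NAME_LENGTH = 50;
    private static final int MAX_HEADER_VALUE_LENGTH = 500;
    private final Logger logger = ESAPI.getLogger(LongHeaderSecurityWrapperResponse.class);

    public LongHeaderSecurityWrapperResponse(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void setHeader(String name, String value) {
        try {
            // Strip CR/LF and other linear whitespace first so a header can never be
            // split into two (response-splitting defence), then validate both parts
            // against the patterns from esapi.properties with our own length limits.
            String strippedName = StringUtilities.replaceLinearWhiteSpace(name);
            String strippedValue = StringUtilities.replaceLinearWhiteSpace(value);
            String safeName = ESAPI.validator().getValidInput(
                    "setHeader", strippedName, "HTTPHeaderName", MAX_HEADER_NAME_LENGTH, false);
            String safeValue = ESAPI.validator().getValidInput(
                    "setHeader", strippedValue, "HTTPHeaderValue", MAX_HEADER_VALUE_LENGTH, false);
            ((HttpServletResponse) getResponse()).setHeader(safeName, safeValue);
        } catch (ValidationException e) {
            // Same failure mode as ESAPI: log and drop the header, never emit it unchecked.
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header denied", e);
        }
    }
}
```

ESAPI's own SecurityWrapper filter instantiates SecurityWrapperResponse directly, so this subclass has to be installed by your own filter that wraps the response before calling the chain. addHeader carries the same hard-coded limits and needs the same override.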
Related
I have a Feign client which I use to get information from SonarQube, and when I'm trying to test a request with a wrong component name I have an issue with apostrophes being displayed as Unicode escapes (\u0027).
Here's the test code:
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;

import feign.FeignException;

void measuresSearchHistoryUnknownTest() {
    assertThatExceptionOfType(FeignException.NotFound.class)
        .isThrownBy(() -> sonarFeignClient.measuresSearchHistory(
            "badProject",
            String.join(",",
                EnumUtils.getJsonValue(SonarMetric.BLOCKER_VIOLATIONS),
                EnumUtils.getJsonValue(SonarMetric.CRITICAL_VIOLATIONS)
            ),
            1,
            10
        )).withMessageContaining("Component key 'badProject' not found");
    // Alternative assertion that matches the JSON-escaped form of the message:
    // )).withMessageContaining("Component key \\u0027badProject\\u0027 not found");
}
This test works only if I use the last line (the commented line with "\u0027badProject\u0027"), but it fails if I use the previous line (with common apostrophes):
Expecting throwable message:
<"[404] during [GET] to [*******/sonar/api/measures/search_history?component=badProject&metrics=blocker_violations%2Ccritical_violations&p=1&ps=10] [SonarFeignClient#measuresSearchHistory(String,String,int,int)]: [{"errors":[{"msg":"Component key \u0027badProject\u0027 not found"}]}]">
to contain:
<"Component key 'badProject' not found">
but did not.
Throwable that failed the check:
feign.FeignException$NotFound: [404] during [GET] to [*******/sonar/api/measures/search_history?component=badProject&metrics=blocker_violations%2Ccritical_violations&p=1&ps=10] [SonarFeignClient#measuresSearchHistory(String,String,int,int)]: [{"errors":[{"msg":"Component key \u0027badProject\u0027 not found"}]}]
If I look at this link in a browser, SonarQube shows me JSON with the error message and common apostrophes (not Unicode), so I think the issue is somewhere in Feign.
I use "spring-cloud-starter-openfeign:3.0.1".
Maybe someone can help me with that? How can I prevent parsing of apostrophes to Unicode?
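The body SonarQube returns is a JSON document, so the \u0027 in it is a JSON string escape; Feign puts the raw body text into the exception message, where no JSON decoding happens. As an added example that is not the asker's code, the test below parses the body and asserts on the decoded message instead. It assumes Jackson on the classpath (spring-cloud-starter-openfeign brings it), FeignException.contentUTF8() from Feign 10+, and the sonarFeignClient bean and measuresSearchHistory signature from the question; the class and helper names are my own.

```java
// Added example, not the asker's code. The constructed body below has the exact
// shape SonarQube returned in the question.
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.catchThrowableOfType;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import feign.FeignException;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;

class SonarErrorMessageTest {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Autowired
    private SonarFeignClient sonarFeignClient; // assumed client type from the question

    // Pull errors[0].msg out of a SonarQube error body. Jackson decodes the JSON
    // escape \u0027 back into an apostrophe here; matching on the raw text never does.
    static String firstErrorMessage(String jsonBody) throws Exception {
        JsonNode root = MAPPER.readTree(jsonBody);
        return root.path("errors").path(0).path("msg").asText();
    }

    @Test
    void jsonEscapeIsDecodedByTheParser() throws Exception {
        String body = "{\"errors\":[{\"msg\":\"Component key \\u0027badProject\\u0027 not found\"}]}";
        assertThat(firstErrorMessage(body)).isEqualTo("Component key 'badProject' not found");
    }

    @Test
    void measuresSearchHistoryUnknownTest() throws Exception {
        FeignException.NotFound notFound = catchThrowableOfType(
                () -> sonarFeignClient.measuresSearchHistory(
                        "badProject", "blocker_violations,critical_violations", 1, 10),
                FeignException.NotFound.class);

        assertThat(notFound).isNotNull();
        // contentUTF8() is the raw response body; parse it instead of matching getMessage().
        assertThat(firstErrorMessage(notFound.contentUTF8()))
                .isEqualTo("Component key 'badProject' not found");
    }
}
```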
When using Tomcat 8, I am getting this error:
java.lang.IllegalArgumentException: An invalid character [44] was present in the Cookie value
at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateCookieValue(Rfc6265CookieProcessor.java:182)
at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:115)
at org.apache.catalina.connector.Response.generateCookieString(Response.java:986)
at org.apache.catalina.connector.Response.addCookie(Response.java:934)
at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
The character 0x44 is the comma character, and it is not allowed in cookies:
This string is a sequence of characters excluding semi-colon, comma and white space.
The reference comes from here.
I also had the same error in my project with Tomcat 8 and 9. The easiest but less optimal solution was to change to Tomcat 7, but when this version of Tomcat is deprecated or updated on the server, I will have to go and find all the commas and replace them in the cookie setting.
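Rather than hunting for commas later, the value can be encoded once at the point where the cookie is set and decoded where it is read, which keeps the RFC 6265 processor and its checks in place. This is an added example, not code from either answer; the cookie name and value are constructed, and the class name SafeCookies is my own.

```java
// Added example, not from the answers above. URLEncoder turns every character the
// Rfc6265CookieProcessor rejects (comma, semicolon, whitespace, double quote,
// backslash) into %XX or '+', all of which are permitted cookie octets.
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class SafeCookies {
    private static final String UTF8 = "UTF-8";

    private SafeCookies() {}

    // "a,b c;d" -> "a%2Cb+c%3Bd": safe for setCookie on Tomcat 8/9.
    public static String encodeValue(String rawValue) {
        try {
            return URLEncoder.encode(rawValue, UTF8);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    public static String decodeValue(String encodedValue) {
        try {
            return URLDecoder.decode(encodedValue, UTF8);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    public static void addEncodedCookie(HttpServletResponse response, String name, String rawValue) {
        Cookie cookie = new Cookie(name, encodeValue(rawValue));
        cookie.setHttpOnly(true); // not readable from page scripts
        cookie.setSecure(true);   // only sent over TLS
        cookie.setPath("/");
        response.addCookie(cookie);
    }

    public static String readDecodedCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return decodeValue(c.getValue());
        }
        return null;
    }
}
```

Tomcat 8.0.15 and later can also be switched back to the old parser with <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"/> in context.xml, but encoding the value avoids depending on that legacy behaviour.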
Schema.xml has all the fields mentioned to be indexed. It was working all this time and I am facing this issue all of a sudden. What is wrong? Please advise.
Error :
Line 2458: WARN - 2016-10-10 19:53:56.757; [ iccCore] org.apache.solr.handler.dataimport.EntityProcessorWrapper; transformer threw error
Line 2459: org.apache.solr.handler.dataimport.DataImportHandlerException: Error invoking script for entity icMetadataProcessed Processing Document # 2594
Line 2472: Caused by: javax.script.ScriptException: TypeError: null has no such function "split" in <eval> at line number 8
Line 2478: Caused by: <eval>:8 TypeError: null has no such function "split"
Looks like a JavaScript error in your custom script. Possibly about the script expecting a string (to split) and getting null. I would fix the JavaScript to ignore that field, or add debug output to see which record is causing that problem, most likely one with a missing value.
I am getting this strange error while executing the following code.
EncoderRequest encoderRequest = new EncoderRequest(sid,appTxnId,pfid,transactionType,"",isUpdatetype9,true);
I have checked that all the parameter values are valid. I am using the Java 7 platform.
Has anyone come across this situation? Please help.
Following is the part of the stack trace I am getting.
Caused by: java.lang.ClassFormatError: Illegal local variable table length 48 in method com.cmc.facts.encoder.EncoderRequest.<init>(JLjava/lang/String;Ljava/lang/Long;Lcom/cmc/facts/enums/TransactionType;Ljava/lang/String;ZZ)V
at com.cmc.facts.nist.NistReaderModel.preprossingOfNistFile(NistReaderModel.java:180)
at com.cmc.facts.action.interstate.InterStateAction.uploadFIIF(InterStateAction.java:645)
... 115 more
There have been previous reports of the same error, on JUnit tests and similar.
For them, adding the JVM arg -XX:-UseSplitVerifier seemed to work.
Have a look at this article.
You can also do this config:
Add -noverify to your JVM args.
For Ant config you can do: <jvmarg value="-noverify"/>
You can follow the link for more details on why we need to do this.
We are using HtmlUnit for our functional tests and it works very well. One of the issues I have seen is that in the build it generates some warning messages:
ERROR [main] (StrictErrorReporter.java:80) - runtimeError: message=[An invalid or illegal selector was specified (selector: '.page-container .order-completed-selector[data-product-number=0022002]' error: Invalid selectors: .page-container .order-completed-selector[data-product-number=0022002]).] sourceName=[http://localhost/resources/scripts/lib/jquery-1.7.2.js] line=[5138] lineSource=[null] lineOffset=[0]
I am not sure what the exact reason is, since it works fine at the browser level and the tests also pass. But it looks to me like it doesn't like the attribute [data-product-number=0022002]. Does anybody know what the reason for this could be?
You need to put the number into quotes:
[data-product-number='0022002']
(I think both " and ' should be correct by the CSS specification.)