java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception

StackOverflow https://stackoverflow.com/questions/13925508

Question

I'm a newbie to ESAPI, and I've been looking for answers for days. I got the following error:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Documents and Settings\Administrator\Desktop\TEM - Workspace\testSecurity\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Found in 'user.home' directory: C:\Documents and Settings\Administrator\esapi\ESAPI.properties
Loaded 'ESAPI.properties' properties file
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Documents and Settings\Administrator\Desktop\TEM - Workspace\testSecurity\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Found in 'user.home' directory: C:\Documents and Settings\Administrator\esapi\validation.properties
Loaded 'validation.properties' properties file
java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception

Hoping to find real answers as soon as possible. This is my code for login using ESAPI:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;

public class SQLInjection
{
    private Connection con;
    private Statement stm;
    private ResultSet rs;

    // connect() is not shown in the original post; the JDBC URL and credentials are placeholders
    private void connect() throws SQLException
    {
        con = DriverManager.getConnection("jdbc:oracle:thin:@//DB_HOST:1521/DB_SERVICE", "DB_USER", "DB_PASSWORD");
    }

    /* throws SQLExceptions */
    public void login(String username, String password)
    {
        try
        {
            if(con == null)
                connect();
            if(con != null)
            {
                Codec ORACLE_CODEC = new OracleCodec();

                // ESAPI.encoder() is where the DefaultEncoder constructor runs (and where the exception above is raised)
                String query = "SELECT * FROM tblmember WHERE username = '" + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, username)
                        + "' AND password = '" + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, password) + "'";

                stm = con.createStatement();
                rs = stm.executeQuery(query);

                if(rs.next())
                {
                    System.out.println(rs.getString("address"));
                    System.out.println(ESAPI.encoder().encodeForSQL(ORACLE_CODEC, "address"));
                }
            }
            else
            {
                System.out.println("Not Connected!");
            }
        }
        catch(Exception ex)
        {
            System.out.println(ex.getMessage() + " login");
        }
    }

    public static void main(String[] args) throws SQLException
    {
        SQLInjection sq = new SQLInjection();
        sq.login("username", "password");
    }
}

Thank you very much for your response :)


Solution

Just to give you a tip on using APIs, always make sure that you read the documentation(s) included. There you may find information that will give you an aid in using the API. I believe this was a dependency issue. You can check it here.

Hope this helps.

Other tips

You are using the wrong API for this. Java already provides for you the correct mechanism to avoid escaping input in your queries using prepared statements. ESAPI is alright for validating the input, but you still don't want to concatenate strings to do this. Frankly I don't like all the libraries ESAPI has to load in order to work.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class SQLInjection {
    private Connection con;
    private PreparedStatement stm;
    private ResultSet rs;

    // connect() is not shown in the original answer; the JDBC URL and credentials are placeholders
    private void connect() throws SQLException {
        con = DriverManager.getConnection("jdbc:oracle:thin:@//DB_HOST:1521/DB_SERVICE", "DB_USER", "DB_PASSWORD");
    }

    public void login(String username, String password) /*throws SQLExceptions*/ {
        try {
            if(con == null)
                connect();
            if(con != null) {

                // '?' placeholders: the driver sends the values separately from the SQL text, so no escaping is needed
                String query = "SELECT * FROM tblmember WHERE username = ? AND password = ?";

                stm = con.prepareStatement(query);
                stm.setString(1, username);
                stm.setString(2, password);
                rs = stm.executeQuery(); // no argument: the SQL was already supplied to prepareStatement()

                if(rs.next()) {
                    System.out.println(rs.getString("address"));
                } else {
                    System.out.println("No user found with that username and password.");
                }
            } else {
                System.out.println("Not Connected!");
            }
        } catch(Exception ex) {
            System.out.println(ex.getMessage() + " login");
        }
    }

    public static void main(String[] args) throws SQLException {
        SQLInjection sq = new SQLInjection();

        sq.login("username", "password");
    }
}

Hiro2K is absolutely right. The OracleCodec and other similar SQL DB codecs are not intended to be a substitute for parameterized types (in Java, using PreparedStatements). Rather, they are intended for those (hopefully very few) niche cases where you may not be able to use a PreparedStatement. One example might be where you have to call some third party API which you know calls an Oracle JDBC driver under the hood but you aren't sure whether that API is using parameterized types.

However, that said, I don't see anything that you did in how you called ESAPI that would have resulted in the DefaultEncoder CTOR throwing an InvocationTargetException. That is something that I've not seen before. It may be related to something in your ESAPI.properties file (for instance, if you tried to use an ESAPI 1.4 ESAPI.properties file with ESAPI 2.0.x).

Could you post your exception stack trace so I can take a look at it? You may have found a bug.

Thanks,

-kevin wall
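The two approaches the answers contrast, side by side, as an added example (not code from the question, the answers, or the ESAPI project). The table and column names (tblmember, username, address) are the ones the question uses; the class name MemberLookup, the method names and the sample input are assumptions. The codec path calls OracleCodec directly rather than through ESAPI.encoder(), which is the part of ESAPI that constructs DefaultEncoder and therefore needs ESAPI.properties to be found; the codec itself needs no configuration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.owasp.esapi.codecs.OracleCodec;

/**
 * Two ways of getting an untrusted username into an Oracle query.
 * Everything except the table/column names is assumed for this example.
 */
public class MemberLookup {

    // 1. Preferred: bind parameters. The SQL text never contains the user's input,
    //    so nothing has to be escaped and a quote in the input is just data.
    public static String addressByUsername(Connection con, String username) throws SQLException {
        String sql = "SELECT address FROM tblmember WHERE username = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("address") : null;
            }
        }
    }

    // 2. Niche case from the answers above: the SQL must be assembled as a string
    //    (for instance to hand to a third-party API that only accepts raw SQL).
    //    OracleCodec doubles single quotes inside a quoted literal; no ESAPI.properties
    //    lookup happens because ESAPI.encoder() is never called.
    private static final OracleCodec ORACLE_CODEC = new OracleCodec();
    private static final char[] NO_IMMUNE_CHARS = new char[0];

    public static String escapeForOracleLiteral(String value) {
        return ORACLE_CODEC.encode(NO_IMMUNE_CHARS, value);
    }

    // Only valid because the escaped value is placed between single quotes.
    public static String buildLiteralQuery(String username) {
        return "SELECT address FROM tblmember WHERE username = '"
                + escapeForOracleLiteral(username) + "'";
    }

    public static void main(String[] args) {
        // Constructed input: a legitimate name that contains a single quote.
        String name = "O'Brien";
        System.out.println(buildLiteralQuery(name));
    }
}
```

Running main shows the quote in O'Brien doubled inside the literal, which is all OracleCodec does. That is why the answers call it a niche tool: the escaping is only meaningful for a value that sits inside single quotes, so numeric values, identifiers, or anything the query builder later wraps in a different context get no protection from it, whereas a PreparedStatement parameter is safe in every position the driver allows a parameter.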

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow