首页

ESAPI - Get NoClassDefFoundError (LoggerFactory) with banned dependency

java maven dependencies esapi
2022-09-05 00:01:57

我正在使用espaiESAPI对字符串值进行编码,以解决跨站点脚本问题,如下所示(代码片段)。

String encodedString = ESAPI.encoder().encodeForHTML(value);

异常跟踪 

org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
<bold>Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/spi/LoggerFactory</bold>
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:190)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
    at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:59)
    ... 71 more
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.spi.LoggerFactory
    at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:297)
    at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:270)
    at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:64)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)

Maven repository pom.xml

<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>${org.owasp.esapi.version}</version>
    <exclusions>
        <exclusion>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
        </exclusion>
        <exclusion>
            <groupId>xercesImpl</groupId>
            <artifactId>xercesImpl</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
        <exclusion>
            <groupId>xml-apis</groupId>
            <artifactId>xml-apis</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-digester</groupId>
            <artifactId>commons-digester</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-codec</groupId>
            <artifactId>commons-codec</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.owasp.antisamy</groupId>
            <artifactId>antisamy</artifactId>
        </exclusion>
        <exclusion>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>

如果我不排除log4j,那么它将引发依赖关系收敛错误,因为log4j是在maven禁止的依赖关系中声明的,如下所示

<executions>
    <execution>
        <id>enforce</id>
        <configuration>
            <rules>
                <requireJavaVersion>
                    <version>${java.version}</version>
                </requireJavaVersion>
                <requireMavenVersion>
                    <version>3.0</version>
                </requireMavenVersion>
                <DependencyConvergence />
                <bannedDependencies>
                    <excludes>
                        <!-- This should not exist as it will force SLF4J calls to be 
                            delegated to log4j -->
                        <exclude>org.slf4j:slf4j-log4j12</exclude>
                        <!-- This should not exist as it will force SLF4J calls to be 
                            delegated to jul -->
                        <exclude>org.slf4j:slf4j-jdk14</exclude>
                        <!-- Ensure only the slf4j binding for logback is on the classpath -->
                        <exclude>log4j:log4j</exclude>
                        <!-- As recommended from the slf4j guide, exclude commons-logging -->
                        <exclude>commons-logging:commons-logging</exclude>
                    </excludes>                                     
                </bannedDependencies>
            </rules>
        </configuration>
        <goals>
            <goal>enforce</goal>
        </goals>
    </execution>
</executions>

如能在这方面提供帮助,将不胜感激。如果您需要更多详细信息,请告诉我。提前致谢!


答案 1

我升级到最新版本,我需要添加两个额外的属性(除了@Carlo指出的属性之外):2.2.1.1ESAPI.properties

ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Logger.UserInfo=false
Logger.ClientInfo=false

答案 2

ESAPI 不支持 SLF4J,即使它反过来支持 log4j。ESAPI 的日志记录选择是 log4j 或 java.util.logging,通过 ESAPI.properties 中的 ESAPI.logger 属性进行控制。如果您决定使用log4j(即ESAPI。Logger=org.owasp.esapi.reference.Log4JLogFactory),然后你需要 log4j.jar以及类路径中的 log4j.xml 或 log4j.properties,具体取决于您使用的 log4j 版本。或者,您可以通过设置 ESAPI 来使用 java.util.logging。Logger=org.owasp.esapi.reference.JavaLogFactory in your ESAPI.properties file.

我看到你似乎在为富国银行做这件事。如果您还有其他问题,请在Teamworks中查找“Kevin W. Wall”,并向我发送电子邮件,因为我是那里的安全代码审查团队的一员以及ESAPI的项目负责人,因此,如果有更多的背景信息,我也许可以提出其他可能性。

-凯文


推荐
更多 »
标签
更多 »
php pass-by-reference optional-parameters default-value javascript arrays dom function string object serialization tostring visibility syntax jslint use-strict operators equality equality-operator identity-operator datetime timestamp date-arithmetic redirect angularjs loops foreach iteration scope variables
推荐
更多 »