1

i am facing trust boundary violation issue in my application for this using below method but applciation is not working!

public static  String[] getValidInput(String[] input) {
        Log4j.log("info", "Enter Into getValidInput() ESAPI"+Arrays.toString(input));
        if(input==null) {
            return input;
            }
        List<String> res = new ArrayList<>();
        try {
        for(String str :input) {
            String output= ESAPI.validator().getValidInput("Validationofinput", str, "SafeString", 1000, false);
            res.add(output);
        }
        return res.toArray(new String[0]);
}

public String getRqst(HttpServletRequest request, String param) {
    String[] reqs = Validate.getValidInput(request.getParameterValues(param)); -> here i amgetting trust boundary violation in session variables for this issue i am using ESAPI

SafeString : ^[.\p{Alnum}\p{Space}_-]{0,1024}$

added two below jars to application not working commons-fileupload-1.4, commons-io-2.4

Prasad
  • 11
  • 4
  • Duplicate of https://stackoverflow.com/questions/34413/why-am-i-getting-a-noclassdeffounderror-in-java – avgvstvs Jun 26 '23 at 14:48
  • Does this answer your question? [Why am I getting a NoClassDefFoundError in Java?](https://stackoverflow.com/questions/34413/why-am-i-getting-a-noclassdeffounderror-in-java) – avgvstvs Jun 26 '23 at 14:48

2 Answers2

0

The default implementation class for ESAPI's Validator interface is DefaultValidator. That in turn eventually pulls in the DefaultHTTPUtilities class which references the Apache Commons FileUpload.

However, without additional information (e.g., details of the dependencies in your pom.xml or build.gradle, etc.), I can't help very much beyond that aside from describing what could cause this. If you want assistance, you will need to supply us with those details. I'd suggest by creating a toy program that uses Apache Commons FileUpload 1.4. Will it compile? Will it run?

Unless you (in your application build file, e.g., pom.xml, build.gradle, etc.) are doing something to exclude Apache Commons FileUpload or your company is blocking Maven Central (many do), it should work. But many companies block Maven Central and they require you to pulling dependencies from something like a local JFrog Artifactory instance. If that is the case, it is possible that FileUpload 1.4 is not present there either. The 1.4 version could be getting blocked because there is a known unpatched vulnerability in FileUpload 1.4 (specifically, CVE-2023-24998; fixed [sort of] in 1.5). So the 1.4 version could be blocked by an SCA "firewall". [Note: If you use ESAPI 2.5.2.0, it will automatically use Apache Commons FileUpload 1.5 unless you did something to change it.]

Anyhow, I need more details before I can help any further.

Kevin W. Wall
  • 1,347
  • 7
  • 7
  • In My Application No Pom.xml or maven It is Old project Developed with Servlets and JSP and HTML java only it is a simple we application using .jar files only i am adding in build path or inputLIB – Prasad Jun 27 '23 at 10:27
  • Oh, wow. Okay. I will post another answer then because I think it will be longer than what are allowed for comments. – Kevin W. Wall Jun 30 '23 at 03:59
0

Okay, well if you are are doing this the hard way and not using something like Maven or Gradle that automagically pulls down all the dependencies for them and configures them for your classpath, unless you want to play whack-a-mole while you are using ESAPI, let me refer you to a list of all the direct and transitive dependencies for the ESAPI 2.5.2.0 release, which you can find here in the 2.5.2.0 release notes. You can ignore those marked 'test' and only need to pull down and include those marked 'compile' into your classpath. (The ones marked as 'provided' should be provided by your startup scripts for your servlet engine such as Tomcat or Jetty, etc.)

Since there are so many, you may wish to dump them in your Java's 'java.ext.dirs' system property (which I think defaults to $JAVA_HOME/jre/lib/ext) or fiddle with the '-extdirs' argument to 'javac' and 'java'. Or if you are hard-code and want to use the minimal set, you try eliminating dependencies and transitive dependencies one at a time until you get to some minimal set. Doing that for build-time wouldn't be a chore as none of the transitive dependencies are needed for compiling. But flushing all that out at runtime is tedious and error prone. That's the whack-a-mole scenario I was describing.

Hopefully, that's enough to get you started. If you are using something like 'ant', there are likely FOSS programs that will allow you to convert that to Maven or Gradle which you will find much easier to use once you get the hang of it. It may require restructuring your code directories a bit, but IMO, it's worth it.

Good luck.

Kevin W. Wall
  • 1,347
  • 7
  • 7