Merge pull request #716 from kwwall/log4j-loose-ends

Log4j loose ends

Author: xeno6696

Diff for: documentation/LoggerDesignAndTesting.md

@@ -22,6 +22,6 @@ The general workflow is:
 
     Logger.info/warn/etc(message) -> forwards to LogBridgelog(logger, esapiLevel, type, message) -> forwards to LogHandler.log(...) -> forwards to slf4j Logger implementation with appropriate level and composed message.
 
-So each of the tests for each of the classes verifies data in -> data out based on the Logging API.  The structure for JUL, Log4J, and SLF4J are almost identical.  There are a few differences in the interaction with the underlying Logger interactions and expectations.  As a result, the tests are also almost full duplications (again accounting for differences in the underlying logging API).
+So each of the tests for each of the classes verifies data in -> data out based on the Logging API.  The structure for JUL and SLF4J are almost identical.  There are a few differences in the interaction with the underlying Logger interactions and expectations.  As a result, the tests are also almost full duplications (again accounting for differences in the underlying logging API).
 
 -J

Diff for: pom.xml

@@ -140,7 +140,7 @@
         <version.powermock>2.0.9</version.powermock>
         <version.spotbugs>4.7.1</version.spotbugs>
         <version.findsecbugs>1.12.0</version.findsecbugs>
-        <version.spotbugs.maven>4.7.0.0</version.spotbugs.maven>
+        <version.spotbugs.maven>4.7.1.0</version.spotbugs.maven>
         <version.surefire>3.0.0-M7</version.surefire>
         <project.java.target>1.8</project.java.target>
             <!-- TODO: Be sure to update. Should be date of previous official release -->
@@ -406,7 +406,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-assembly-plugin</artifactId>
-                    <version>3.4.0</version>
+                    <version>3.4.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -538,7 +538,7 @@
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>
                     <artifactId>extra-enforcer-rules</artifactId>
-                    <version>1.5.1</version>
+                    <version>1.6.0</version>
                   </dependency>
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>

Diff for: scripts/esapi-release.sh

@@ -64,8 +64,8 @@ USAGE="Usage: $PROG esapi_svn_dir"
 tmpdir="/tmp/$PROG.$RANDOM-$$"
 esapi_release_dir="$tmpdir/esapi_release_dir"
 
-    # This is the directory under esapi_svn_dir where the log4j and ESAPI
-    # properties files are located as well as the $esapiConfig/* config files.
+    # This is the directory under esapi_svn_dir where ESAPI configuration files
+    # such as ESAPI.properties are located as well as the $esapiConfig/* config files.
     # Note that formerly used to be under src/main/resources, but it since
     # has been moved because where it was previously was causing problems with
     # Sonatype's Nexus. That particular problem may have been resolved, but it
@@ -141,7 +141,7 @@ mkdir $jartmpdir
 cd $jartmpdir || exit
 jar xf "$jarfile"
 rm -fr ${esapiConfig:?}
-rm -f properties/* log4j.*
+rm -f properties/*
 rm -f settings.xml owasp-esapi-dev.jks
 # TODO: This part would need some work if we sign or seal the ESAPI jar as
 #       that creates a special MANIFEST.MF file and other special files and

Diff for: scripts/esapi4java-core-TEMPLATE-release-notes.txt

@@ -51,7 +51,7 @@ Issue #         GitHub Issue Title
 @@@@ NOTE any special notes here. Probably leave this one, but I would suggest noting additions BEFORE this.
 [If you have already successfully been using ESAPI 2.2.1.0 or later, you probably can skip this section.]
 
-Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we have deprecated the use of Log4J 1.x because we now support SLF4J and Log4J 1.x is way past its end-of-life. We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
+Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we had deprecated the use of Log4J 1.x because was way past its end-of-life. (Note: As of ESAPI 2.5.0.0, we have officially removed all Log4J 1 dependencies, after it had been deprecated for 2 years as per our deprecation policy.) We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
 
 However, if you try to juse the new ESAPI 2.2.1.0 or later logging you will notice that you need to change ESAPI.Logger and also possibly provide some other properties as well to get the logging behavior that you desire.
 
@@ -87,11 +87,6 @@ If you are using JavaLogFactory, you will also want to ensure that you have the
 See GitHub issue #560 for additional details.
 
 
-Related to that aforemented Log4J 1.x CVE and how it affects ESAPI, be sure to read
-   https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf 
-which describes CVE-2019-17571, a deserialization vulnerability in Log4J 1.2.17. ESAPI is *NOT* affected by this (even if you chose to use Log4J 1 as you default ESAPI logger). This security bulletin describes why this CVE is not exploitable as used by ESAPI.
-
-
 Finally, while ESAPI still supports JDK 7 (even though that too is way past end-of-life), the next ESAPI release will move to JDK 8 as the minimal baseline. (We already use Java 8 for development but still to Java 7 source and runtime compatibility.) We need to do this out of necessity because some of our dependencies are no longer doing updates that support Java 7.
 
 -----------------------------------------------------------------------------
@@ -127,11 +122,6 @@ Another problem is if you run 'mvn test' from the 'cmd' prompt (and possibly Pow
 
 We believe these failures is because the maven-surefire-plugin is by default not forking a new JVM process for each test class. We are looking into this. For now, we have only have observed this behavior on Windows 10. If you see this error, please do NOT report it as a GitHub issue unless you know a fix for it. (And yes, we are aware of '<reuseForks>false</reuseForks>' in the pom for the maven-surefire-plugin, but that causes other tests to fail that we haven't had time to fix.)
 
-
-Lastly, some SCA services may continue to flag vulnerabilties in ESAPI ${VERSION} related to log4j 1.2.17 (e.g., CVE-2020-9488). We do not believe the way that ESAPI uses log4j in a manner that leads to any exploitable behavior.  See the security bulletins
-   https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf 
-for additional details.
-
 -----------------------------------------------------------------------------
 
         Other changes in this release, some of which not tracked via GitHub issues

Diff for: src/examples/java/DisplayEncryptedProperties.java

@@ -8,7 +8,7 @@
 //          that were encrypted using ESAPI's EncryptedProperties class.
 //
 // Usage: java -classpath <cp> DisplayEncryptedProperties encryptedPropFileName
-//        where <cp> is proper classpath, which minimally include esapi.jar & log4j.jar
+//        where <cp> is proper classpath, which minimally includes the esapi.jar.
 public class DisplayEncryptedProperties {
 
     public DisplayEncryptedProperties() {

Diff for: src/examples/java/ESAPILogging.java

@@ -4,7 +4,7 @@
 // Purpose: Short code snippet to show how ESAPI logging works.
 //
 // Usage: java -classpath <cp> ESAPILogging
-//        where <cp> is proper classpath, which minimally include esapi.jar & log4j.jar
+//        where <cp> is proper classpath, which minimally includes the esapi.jar.
 public class ESAPILogging {
 
     public static void main(String[] args) {

Diff for: src/examples/scripts/encryptProperties.sh

@@ -49,8 +49,7 @@ cd ../java
 if [[ "$action" == "-display" ]]
 then
     set -x
-    java -Dlog4j.configuration="file:$log4j_properties" \
-         -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+    java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
          -classpath "$esapi_classpath" \
          DisplayEncryptedProperties "$filename"
 else
@@ -65,8 +64,7 @@ else
     echo
     echo "Hit <Enter> to continue..."; read GO
     set -x
-    java -Dlog4j.configuration="file:$log4j_properties" \
-         -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+    java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
          -classpath "$esapi_classpath" \
       org.owasp.esapi.reference.crypto.DefaultEncryptedProperties "$filename" &&
       echo "Output of encrypted properties in file: $filename"

Diff for: src/examples/scripts/persistEncryptedData.sh

@@ -23,7 +23,6 @@ set -x
 # Since this is just an illustration, we will use the test ESAPI.properties in
 # $esapi_resources_test. That way, it won't matter if the user has neglected
 # to run the 'setMasterKey.sh' example before running this one.
-java -Dlog4j.configuration="file:$log4j_properties" \
-    -Dorg.owasp.esapi.resources="$esapi_resources_test" \
-    -ea -classpath "$esapi_classpath" \
-    PersistedEncryptedData "$@"
+java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+     -ea -classpath "$esapi_classpath" \
+     PersistedEncryptedData "$@"

Diff for: src/examples/scripts/runClass.sh

@@ -19,10 +19,8 @@ then echo >2&1 "Can't find class file: ${className}.class"
      exit 1
 fi
 echo "Your ESAPI.properties file: ${esapi_resources_test:?}/ESAPI.properties"
-echo "Your log4j properties file: ${log4j_properties:?}"
 echo
 set -x
-java -Dlog4j.configuration="file:$log4j_properties" \
-     -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
      -classpath "$esapi_classpath" \
      ${className} "$@"

Diff for: src/examples/scripts/setMasterKey.sh

@@ -16,7 +16,6 @@ echo
 # set -x
 # This should use the real ESAPI.properties in $esapi_resources that does
 # not yet have Encryptor.MasterKey and Encryptor.MasterSalt yet set.
-java -Dlog4j.configuration="file:$log4j_properties" \
-     -Dorg.owasp.esapi.resources="$esapi_resources" \
+java -Dorg.owasp.esapi.resources="$esapi_resources" \
      -classpath "$esapi_classpath" \
      org.owasp.esapi.reference.crypto.JavaEncryptor "$@"

Diff for: src/examples/scripts/setenv-svn.sh

@@ -9,23 +9,17 @@
 #           where '$' represents the shell command line prompt.
 ###########################################################################
 
-# IMPORTANT NOTE:  Since you may have multiple (say) log4j jars under
-#                  your Maven2 repository under $HOME/.m2/respository, we
-#                  look for the specific versions that ESAPI was using as of
-#                  ESAPI 2.0_RC10 release on 2010/10/18. If these versions
-#                  changed, they will have to be reflected here.
-#
+# IMPORTANT NOTE:  These dependency versions may need updated. Should match
+#                  what is in ESAPI's pom.xml.
 esapi_classpath=".:\
 ../../../target/classes:\
 $(ls ../../../target/esapi-*.jar 2>&- || echo .):\
-$(./findjar.sh log4j-1.2.17.jar):\
-$(./findjar.sh commons-fileupload-1.3.1.jar):\
-$(./findjar.sh servlet-api-2.5.jar)"
+$(./findjar.sh commons-fileupload-1.4.jar):\
+$(./findjar.sh servlet-api-3.1.0.jar)"
 
 esapi_resources="$(\cd ../../../configuration/esapi >&- 2>&- && pwd)"
 esapi_resources_test="$(\cd ../../../src/test/resources/esapi >&- 2>&- && pwd)"
 
-log4j_properties="../../../src/test/resources/log4j.xml"
 
 if [[ ! -r "$esapi_resources"/ESAPI.properties ]]
 then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources"
@@ -37,16 +31,10 @@ then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources_t
      return 1   # Don't use 'exit' here or it will kill their current shell.
 fi
 
-if [[ ! -r "$log4j_properties" ]]
-then echo 2>&1 "setenv-svn.sh: Can't read log4j.xml: $log4j_properties"
-     return 1   # Don't use 'exit' here or it will kill their current shell.
-fi
-
 echo ############################################################
 echo "esapi_resources=$esapi_resources"
 echo "esapi_resources_test=$esapi_resources_test"
-echo "log4j_properties=$log4j_properties"
 echo "esapi_classpath=$esapi_classpath"
 echo ############################################################
 
-export esapi_classpath esapi_resources esapi_resources_test log4j_properties
+export esapi_classpath esapi_resources esapi_resources_test

Diff for: src/examples/scripts/setenv-zip.sh

@@ -12,18 +12,15 @@
 # Here we don't look for the specific versions of the dependent libraries
 # since the specific version of the library is delivered as part of the
 # ESAPI zip file. In this manner, we do not have to update this if these
-# versions change. For the record, at the time of this writing, these were
-# log4j-1.2.17.jar, commons-fileupload-1.3.1.jar, and servlet-api-2.5.jar.
+# versions change.
 esapi_classpath=".:\
 $(ls ../../../esapi*.jar):\
-$(./findjar.sh -start ../../../libs log4j-*.jar):\
 $(./findjar.sh -start ../../../libs commons-fileupload-*.jar):\
 $(./findjar.sh -start ../../../libs servlet-api-*.jar)"
 
 esapi_resources="$(\cd ../../../configuration/esapi >&- 2>&- && pwd)"
 esapi_resources_test="$(\cd ../../../src/test/resources/esapi >&- 2>&- && pwd)"
 
-log4j_properties="../../../src/test/resources/log4j.xml"
 
 if [[ ! -r "$esapi_resources"/ESAPI.properties ]]
 then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources"
@@ -35,16 +32,11 @@ then echo 2>&1 "setenv-svn.sh: Can't read ESAPI.properties in $esapi_resources_t
      return 1   # Don't use 'exit' here or it will kill their current shell.
 fi
 
-if [[ ! -r "$log4j_properties" ]]
-then echo 2>&1 "setenv-svn.sh: Can't read log4j.xml: $log4j_properties"
-     return 1   # Don't use 'exit' here or it will kill their current shell.
-fi
 
 echo ############################################################
 echo "esapi_resources=$esapi_resources"
 echo "esapi_resources_test=$esapi_resources_test"
-echo "log4j_properties=$log4j_properties"
 echo "esapi_classpath=$esapi_classpath"
 echo ############################################################
 
-export esapi_classpath esapi_resources esapi_resources_test log4j_properties
+export esapi_classpath esapi_resources esapi_resources_test

Diff for: src/main/assembly/dist.xml

@@ -38,8 +38,6 @@
             <outputDirectory>configuration</outputDirectory>
             <includes>
                 <include>esapi/**/*</include>
-                <include>log4j.dtd</include>
-                <include>log4j.xml</include>
                 <include>properties/**/*</include>
             </includes>
         </fileSet>