Error with ESAPI functions - CTOR threw exception - ESAPI.properties could not be loaded by any means

Description

Using ESAPI functions such as encodeForHTML, encodeForHTMLAttribute or ESAPIEncode causes the following error on our system:

java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.

Stack Trace (see attached screenshot) indicates there is a problem loading the standard Lucee ESAPI.properties file:

Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:682)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:440)
    ... 59 more

This might be caused by the following code in Application.cfc (onApplicationStart):

<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>

See also https://dev.lucee.org/t/error-with-esapi-functions-esapi-properties-could-not-be-loaded-by-any-means/5513

Environment

Ubuntu 18.04 LTS
ESAPI Extension 2.1.0.16
Java 1.8.0_202 (AdoptOpenJdk) 64bit


Activity


Harry Klein 23 January 2024 at 15:24

I encountered this issue in Lucee 6.0.0.585 today. After server restart:

Type: org.owasp.esapi.errors.ConfigurationException
Message: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
Detail: (ID:FA1C41F9-8B7B-422C-927ABE3CBD3E32DB)
Extended Info:
Tag Context: ...\loginform.cfm:145

Stopped/restarted the server and it magically worked again.

Also one of our customers reported this issue on Lucee 5.4.3.16, same code but other error message:

Pothys - MitrahSoft 12 December 2023 at 05:27

Thanks for your test, we have a ticket related to this canonicalize issue on esapi: https://luceeserver.atlassian.net/browse/LDEV-4743

Scott O'Connell 11 December 2023 at 23:22

I will chime in that we have just seen this error for the first time. We were having trouble with upgrading our Lucee version to 5.4.4.38. There seemed to be a bug in the latest ESAPI extension 2.2.4.15, and so we downgraded that to 2.2.4.13 but we see this error in both.

Not all strings throw it; however, this reliably reproduces the error for us.

v = 'Versioning Test ~!@$%^&*()_+ =-` {}|:"<>? ,./;[]\ Test 1'; x = ESAPIDecode('url', v);

I know that v is not a URL in this test, and when using ESAPIDecode('html', v) it works. Also using URLDecode(v) works, which is the solution we have.

Perhaps this will help you track down the error, even though I may be “using it wrong” in the above example.

PS: I don’t know if this is related or not, but the problem that caused us to downgrade the ESAPI extension was something else. It was that the canonicalize function was erroring. I haven’t found a ticket for this yet. With ESAPI extension version 2.2.4.15 this throws the error “URLDecoder: Incomplete trailing escape (%) pattern":

canonicalize("hello%",true,true)

You can see this error in the lucee docs script runner as well but only engine 5
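As an added diagnostic (not code from the ticket, Lucee or the ESAPI project), the following CFScript performs the two checks a practitioner would want when this error appears: whether ESAPI.properties is resolvable as a classloader resource, which is the step that fails in the stack trace in the description, and whether decoding the sample string from the comment above raises the ConfigurationException. It assumes Lucee with the ESAPI extension installed; the thread context classloader is only one of the loaders ESAPI tries, so an empty URL is a strong hint rather than proof.

```cfml
<cfscript>
// Added diagnostic, not part of the original ticket or of Lucee/ESAPI.
// Returns a struct that can be dumped or logged when reporting the issue.
function esapiDiagnostic() {
    var report = {
        "propertiesUrl": "",   // where ESAPI.properties was found, or empty
        "decodeOk": false,     // did ESAPIDecode("url", ...) succeed
        "errorType": "",       // e.g. org.owasp.esapi.errors.ConfigurationException
        "errorMessage": ""
    };

    // 1. Can the thread's context classloader resolve ESAPI.properties?
    //    Assumption: this is one of the classloaders ESAPI consults, so an
    //    empty result points at the classpath problem from the stack trace.
    var loader = createObject("java", "java.lang.Thread")
                    .currentThread()
                    .getContextClassLoader();
    var url = loader.getResource("ESAPI.properties");
    if (!isNull(url)) {
        report.propertiesUrl = url.toString();
    }

    // 2. The string from Scott's comment, which reliably triggered the error there.
    var sample = 'Versioning Test ~!@$%^&*()_+ =-` {}|:"<>? ,./;[]\ Test 1';
    try {
        var decoded = ESAPIDecode("url", sample);
        report.decodeOk = true;
    } catch (any e) {
        // On an affected system this is the CTOR / ESAPI.properties failure.
        report.errorType = e.type;
        report.errorMessage = e.message;
    }
    return report;
}

writeDump(esapiDiagnostic());
</cfscript>
```

Run it once after a server restart, when the error tends to surface, and again after the restart that "magically" fixes it, to see whether the properties URL differs between the two runs.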

Chris Duehrsen 17 August 2022 at 00:00

Thanks! I’ll give that a go

Steven Gauthier 16 August 2022 at 13:38

Correct, I simply overwrote the files I had previously placed into “/lucee/tomcat/lib/” with those from the ESAPI extension GitHub. Your mileage may vary. Just note this was done on a Development server that was rolled to test 5.3.9.141 against our services, and I cannot speak to whether those properties files are production-ready - only that by using them in my case they resolved those specific errors and allowed Lucee to function.


Created 23 May 2019 at 06:30
Updated last month
