Merge pull request #1 from ESAPI/master

Merge of ESAPI/esapi-java-legacy into demkada/esapi-java-legacy

Author: Kad DEMBELE

src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java

@@ -811,7 +811,7 @@ public void sendForward( String location )  throws AccessControlException,Servle
     public void sendRedirect(HttpServletResponse response, String location) throws AccessControlException, IOException {
         if (!ESAPI.validator().isValidRedirectLocation("Redirect", location, false)) {
             logger.fatal(Logger.SECURITY_FAILURE, "Bad redirect location: " + location);
-            throw new IOException("Redirect failed");
+            throw new AccessControlException("Redirect failed");
         }
         response.sendRedirect(location);
     }

src/main/java/org/owasp/esapi/reference/Log4JLogger.java

@@ -447,7 +447,9 @@ private void log(Level level, EventType type, String message, Throwable throwabl
 		}
 
 		// log the message
-		log(level, "[" + typeInfo + getUserInfo() + " -> " + appInfo + "] " + clean, throwable);
+		// Fix for https://code.google.com/p/owasp-esapi-java/issues/detail?id=268
+		// need to pass callerFQCN so the log is not generated as if it were always generated from this wrapper class
+		log(Log4JLogger.class.getName(), level, "[" + typeInfo + getUserInfo() + " -> " + appInfo + "] " + clean, throwable);
 	}
 
 	/**

src/main/java/org/owasp/esapi/reference/validation/BaseValidationRule.java

@@ -89,7 +89,7 @@ public final void setEncoder( Encoder encoder ) {
      * {@inheritDoc}
 	 */
 	public void assertValid( String context, String input ) throws ValidationException {
-		getValid( context, input, null );
+		getValid( context, input );
 	}
 
     /**
@@ -100,7 +100,11 @@ public Object getValid( String context, String input, ValidationErrorList errorL
 		try {
 			valid = getValid( context, input );
 		} catch (ValidationException e) {
-			errorList.addError(context, e);
+			if( errorList == null) { 
+				throw e;
+			} else {
+				errorList.addError(context, e);
+			}
 		}
 		return valid;
 	}

src/test/java/org/owasp/esapi/reference/Log4JLoggerTest.java

@@ -15,20 +15,24 @@
  */
 package org.owasp.esapi.reference;
 
-import java.io.IOException;
-import java.util.Arrays;
-
 import junit.framework.Test;
 import junit.framework.TestCase;
 import junit.framework.TestSuite;
-
+import org.apache.log4j.Appender;
+import org.apache.log4j.Layout;
+import org.apache.log4j.WriterAppender;
+import org.apache.log4j.spi.LoggingEvent;
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.Logger;
 import org.owasp.esapi.errors.AuthenticationException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.http.MockHttpServletRequest;
 import org.owasp.esapi.http.MockHttpServletResponse;
 
+import java.io.IOException;
+import java.io.StringWriter;
+import java.util.Arrays;
+
 /**
  * The Class LoggerTest.
  * 
@@ -460,4 +464,37 @@ public void testAlways() {
         }
 	}
 
+	/**
+	 * Validation for issue: https://code.google.com/p/owasp-esapi-java/issues/detail?id=268
+	 * Line number must be the line of the caller and not of the wrapper.
+	 */
+	public void testLine() {
+		final String message = "testing only";
+		StringWriter sw = new StringWriter();
+		Layout layout = new Layout() {
+			@Override
+			public String format(LoggingEvent event) {
+				assertEquals("the calling class is this test class", Log4JLoggerTest.class.getName(),event.getLocationInformation().getClassName());
+				return message;
+			}
+
+			@Override
+			public boolean ignoresThrowable() {
+				return false;
+			}
+
+			@Override
+			public void activateOptions() {
+
+			}
+		};
+		Appender appender = new WriterAppender(layout, sw);
+		log4JLogger.addAppender(appender);
+		try {
+			log4JLogger.fatal("testLine");
+			assertEquals("message not generated as expected", message, sw.toString());
+		} finally {
+			log4JLogger.removeAppender(appender);
+		}
+	}
 }

src/test/java/org/owasp/esapi/reference/ValidatorTest.java

@@ -323,7 +323,7 @@ public void testIsInvalidFilename() {
     public void testIsValidDate() {
         System.out.println("isValidDate");
         Validator instance = ESAPI.validator();
-        DateFormat format = SimpleDateFormat.getDateInstance();
+        DateFormat format = SimpleDateFormat.getDateInstance(SimpleDateFormat.MEDIUM, Locale.US);
         assertTrue(instance.isValidDate("datetest1", "September 11, 2001", format, true));
         assertFalse(instance.isValidDate("datetest2", null, format, false));
         assertFalse(instance.isValidDate("datetest3", "", format, false));

src/test/java/org/owasp/esapi/reference/validation/BaseValidationRuleTest.java

@@ -0,0 +1,101 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @author Ben Sleek <a href="http://www.spartasystems.com">Sparta Systems</a>
+ * @created 2015
+ */
+package org.owasp.esapi.reference.validation;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+import org.owasp.esapi.Encoder;
+import org.owasp.esapi.errors.ValidationException;
+
+public class BaseValidationRuleTest extends TestCase {
+
+	/**
+	 * Instantiates a new base validation rule test.
+	 * 
+	 * @param testName
+	 *            the test name
+	 */
+	public BaseValidationRuleTest(String testName) {
+		super(testName);
+	}
+
+	/**
+	 * {@inheritDoc}
+	 * 
+	 * @throws Exception
+	 */
+	protected void setUp() throws Exception {
+		// none
+	}
+
+	/**
+	 * {@inheritDoc}
+	 * 
+	 * @throws Exception
+	 */
+	protected void tearDown() throws Exception {
+		// none
+	}
+
+	/**
+	 * Suite.
+	 * 
+	 * @return the test
+	 */
+	public static Test suite() {
+		TestSuite suite = new TestSuite(BaseValidationRuleTest.class);
+		return suite;
+	}
+
+	/**
+	 * Verifies assertValid throws ValidationException on invalid input
+	 * Validates fix for Google issue #195
+	 * 
+	 * @throws ValidationException
+	 */
+	public void testAssertValid() throws ValidationException {
+		SampleValidationRule rule = new SampleValidationRule("UnitTest");
+		try {
+			rule.assertValid("testcontext", "badinput");
+			fail();
+		} catch (ValidationException e) {
+			// success
+		}
+	}
+
+	public class SampleValidationRule extends BaseValidationRule {
+
+		public SampleValidationRule(String typeName, Encoder encoder) {
+			super(typeName, encoder);
+		}
+
+		public SampleValidationRule(String typeName) {
+			super(typeName);
+		}
+
+		@Override
+		protected Object sanitize(String context, String input) {
+			return null;
+		}
+
+		public Object getValid(String context, String input) throws ValidationException {
+			throw new ValidationException("Demonstration Exception", "Demonstration Exception");
+		}
+
+	}
+}