Tags: java, spring-boot, log4j, esapi

ESAPI Logger throwing org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type


Using the below code in my application for generating an Excel file as an attachment via the API response header.

App Code:

ESAPI.httpUtilities().setHeader(response,"Content-Disposition", "attachment;filename=" + fileName + "");

After changing to ESAPI 2.2.3.1, excluding Log4j due to the vulnerability issues, and adding the below lines in ESAPI.properties:

    ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
    Logger.UserInfo=false
    Logger.ClientInfo=false

I'm getting the below error in my app. I have the same ESAPI.properties with ESAPI version 2.0.1, which is working fine for the above app code.

Error Message:

org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type] with root cause
org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.getIntProp(DefaultSecurityConfiguration.java:1265)
    at org.owasp.esapi.reference.DefaultHTTPUtilities.setHeader(DefaultHTTPUtilities.java:890)
    at com.caremore.togetherness.controller.ExportDataController.getMemberReferralData(ExportDataController.java:93)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)

Solution

  • I think you have missed a property in your esapi.properties file in your project which is required by the latest org.owasp.esapi 2.2.3.1 library/jar. Once you update the esapi.properties file to include the missing entry

    HttpUtilities.MaxHeaderNameSize=256
    

    which I have noticed in this link, it might work out as expected.
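As an added example (not code from the question, the answer or ESAPI itself), here is a small startup check in Java that mirrors the failure: it loads an ESAPI.properties file with java.util.Properties and reports any required integer key, here HttpUtilities.MaxHeaderNameSize, that is missing or not parseable as an int. It assumes that a missing or non-numeric value for that key is what ESAPI 2.2.3.1 rejects with the ConfigurationException shown above; the class name, the helper methods and the sample property texts are constructed for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

/**
 * Pre-flight check for ESAPI.properties: every integer-valued key the application
 * depends on must be present and parse as an int. Catching this at startup is
 * preferable to discovering it as a ConfigurationException on a live request,
 * as happened in the question. Added example; not ESAPI's own code.
 */
public final class EsapiPropertiesCheck {

    /** The key that the question's 2.2.3.1 file was missing. */
    static final String MAX_HEADER_NAME_SIZE = "HttpUtilities.MaxHeaderNameSize";

    /** Returns one human-readable problem per bad key; an empty list means the file passed. */
    static List<String> findProblems(Properties props, List<String> requiredIntKeys) {
        List<String> problems = new ArrayList<>();
        for (String key : requiredIntKeys) {
            String raw = props.getProperty(key);
            if (raw == null) {
                problems.add(key + ": missing");
                continue;
            }
            try {
                int value = Integer.parseInt(raw.trim());
                if (value <= 0) {
                    problems.add(key + ": must be a positive size, got " + value);
                }
            } catch (NumberFormatException e) {
                problems.add(key + ": not an integer: '" + raw + "'");
            }
        }
        return problems;
    }

    /** Loads a properties file from disk; the path is supplied by the caller. */
    static Properties load(String path) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            props.load(in);
        }
        return props;
    }

    /** Parses properties from an in-memory string (used for the constructed samples below). */
    static Properties parse(String text) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(text));
        return props;
    }

    public static void main(String[] args) throws IOException {
        List<String> required = Collections.singletonList(MAX_HEADER_NAME_SIZE);

        // Constructed sample: the question's file, logger switched to SLF4J
        // but the header-size key not yet added.
        String before = "ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory\n"
                + "Logger.UserInfo=false\n"
                + "Logger.ClientInfo=false\n";
        // Constructed sample: the same file with the answer's fix applied.
        String after = before + "HttpUtilities.MaxHeaderNameSize=256\n";
        // Constructed sample: key present but with a non-numeric value.
        String wrongType = before + "HttpUtilities.MaxHeaderNameSize=large\n";

        report("before fix", findProblems(parse(before), required));
        report("after fix", findProblems(parse(after), required));
        report("wrong type", findProblems(parse(wrongType), required));

        // Optional: check a real file given on the command line, for instance the
        // copy your Spring Boot app ships on its classpath (path is yours to supply).
        if (args.length == 1) {
            List<String> problems = findProblems(load(args[0]), required);
            report(args[0], problems);
            if (!problems.isEmpty()) {
                System.exit(1); // fail the build or startup rather than a user's request
            }
        }
    }

    private static void report(String label, List<String> problems) {
        if (problems.isEmpty()) {
            System.out.println(label + ": OK");
        } else {
            problems.forEach(p -> System.out.println(label + ": " + p));
        }
    }
}
```

With no argument it exercises the three constructed samples, flagging the first as missing the key, passing the second, and flagging the third as having the wrong type. Pointing it at the ESAPI.properties that your deployment actually loads turns the request-time ConfigurationException into a build or startup failure, which is where a configuration error belongs.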