    def __init__(self, codecs=None):
        """
        Instantiates a new DefaultEncoder.

        @param codecs: a list of codec instances to use for canonicalization.
            When None, the HTML entity, percent and JavaScript codecs are used.
            Every element must be an instance of a Codec subclass.
        @raise TypeError: if an element of codecs is not a Codec instance
        """
        Encoder.__init__(self)

        # One instance of each supported codec is kept as an attribute.
        self.html_codec = HTMLEntityCodec()
        self.percent_codec = PercentCodec()
        self.javascript_codec = JavascriptCodec()
        self.vbscript_codec = VBScriptCodec()
        self.css_codec = CSSCodec()
        self.ldap_codec = LDAPCodec()
        self.ldap_dn_codec = LDAPDNCodec()

        self.logger = ESAPI.logger("Encoder")

        # Codecs applied during canonicalization, in list order.
        if codecs is None:
            # css_codec is left out because it eats / characters and
            # vbscript_codec because it eats " characters.
            self.codecs = [
                self.html_codec,
                self.percent_codec,
                self.javascript_codec,
            ]
        else:
            self.codecs = []
            for candidate in codecs:
                if not isinstance(candidate, Codec):
                    raise TypeError(
                        _("Codecs in list must be instances of children of Codec"
                          ))
                self.codecs.append(candidate)
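 def __init__(self):
     """
     Instantiates a new DefaultEncryptor from the ESAPI security configuration.

     Reads the hashing, symmetric encryption and digital signature settings
     and the key directory from ESAPI.security_configuration().

     @raise EncryptionException: if the configured encryption or signing
         algorithm is not listed in VALID_ENCRYPTION_ALGOS or
         VALID_SIGNING_ALGOS respectively
     """
     Encryptor.__init__(self)
     self.logger = ESAPI.logger("DefaultEncryptor")

     # Fetch the configuration once rather than on every attribute read.
     config = ESAPI.security_configuration()

     # Hashing
     self.hash_algorithm = config.get_hash_algorithm()
     self.hash_iterations = config.get_hash_iterations()

     # Encryption
     self.encrypt_algorithm = config.get_encryption_algorithm()
     if self.encrypt_algorithm not in self.VALID_ENCRYPTION_ALGOS:
         # Same (user_message, log_message) form as the signing check below:
         # the generic text is shown to the user, the algorithm name only
         # reaches the log.
         raise EncryptionException(
             _("Failure to encrypt"),
             _("Encryption Failure - Unknown algorithm for encryption: %(algorithm)s") %
             {'algorithm' : self.encrypt_algorithm} )

     self.encryption_key_length = config.get_encryption_key_length()
     self.master_salt = config.get_master_salt()

     # Public key crypto
     self.signing_algorithm = config.get_digital_signature_algorithm()
     if self.signing_algorithm not in self.VALID_SIGNING_ALGOS:
         raise EncryptionException(
             _("Failure to encrypt"),
             _("Encryption Failure - Unknown algorithm for signing: %(algorithm)s") %
             {'algorithm' : self.signing_algorithm} )
     self.signing_key_length = config.get_digital_signature_key_length()

     # Key locations: the base directory always carries a trailing '/' so the
     # sub-directory names below can be appended directly.
     self.keys_location = os.path.realpath(config.get_encryption_keys_location()) + '/'
     self.keys_symmetric_location = self.keys_location + "symmetric"
     self.keys_asymmetric_private_location = self.keys_location + "asymmetric-private"
     self.keys_asymmetric_public_location = self.keys_location + "asymmetric-public"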
 def __init__(self):
     """
     Instantiates a new AccessController with empty rule maps.

     One map per resource kind (URL, function, data, file, service); all
     start empty. ``deny`` is a fresh Rule — presumably the fallback when
     no map entry matches; verify against the lookup methods.
     """
     self.url_map, self.function_map, self.data_map = {}, {}, {}
     self.file_map, self.service_map = {}, {}

     self.deny = Rule()
     self.logger = ESAPI.logger("AccessController")
    def __init__(self):
        """
        Instantiates a new AccessController with empty rule maps.

        One map per resource kind (URL, function, data, file, service); all
        start empty. ``deny`` is a fresh Rule — presumably the fallback when
        no map entry matches; verify against the lookup methods.
        """
        self.url_map, self.function_map, self.data_map = {}, {}, {}
        self.file_map, self.service_map = {}, {}

        self.deny = Rule()
        self.logger = ESAPI.logger("AccessController")
 def __init__(self):
     """
     Instantiates a new Executor from the ESAPI security configuration.

     The working directory and maximum running time come from
     ESAPI.security_configuration(). The command codec is picked from
     os.name (WindowsCodec on "nt", UnixCodec otherwise); the choice is
     logged as a warning because a codec that does not match the real
     platform could allow injection.
     """
     self.logger = ESAPI.logger("Executor")
     self.working_dir = ESAPI.security_configuration().get_working_directory()
     self.max_running_time = ESAPI.security_configuration().get_max_running_time()

     on_windows = os.name == "nt"
     if on_windows:
         notice = _("Using WindowsCodec for Executor. If this is not running on Windows, this could allow for injection")
     else:
         notice = _("Using UnixCodec for Executor. If this is not running on Unix, this could allow injection")
     self.logger.warning(Logger.SECURITY_SUCCESS, notice)
     self.codec = WindowsCodec() if on_windows else UnixCodec()
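 def __init__(self, user_message, log_message, cause=None):
     """
     Creates a new instance of IntrusionException.

     Creating the exception logs it at SECURITY_FAILURE and registers it
     with the ESAPI intrusion detector, so merely instantiating it counts
     as a security event.

     @param user_message: the message displayed to the user
     @param log_message: the message logged
     @param cause: the Exception that caused this one
     """
     Exception.__init__(self, user_message)

     self.user_message = user_message
     self.log_message = log_message
     self.cause = cause

     self.logger = ESAPI.logger("IntrusionException")
     # %-formatting instead of '+' so a non-string log_message (e.g. None)
     # cannot raise TypeError here and silently drop the event from both the
     # log and the intrusion detector.
     self.logger.error(Logger.SECURITY_FAILURE,
                       "%s - %s" % (_("INTRUSION"), self.log_message))

     ESAPI.intrusion_detector().add_exception(self)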
 def __init__(self):
     """
     Instantiates a new Executor from the ESAPI security configuration.

     The working directory and maximum running time come from
     ESAPI.security_configuration(). The command codec is picked from
     os.name (WindowsCodec on 'nt', UnixCodec otherwise); the choice is
     logged as a warning because a codec that does not match the real
     platform could allow injection.
     """
     self.logger = ESAPI.logger("Executor")
     self.working_dir = ESAPI.security_configuration(
     ).get_working_directory()
     self.max_running_time = ESAPI.security_configuration(
     ).get_max_running_time()

     on_windows = os.name == 'nt'
     if on_windows:
         notice = _("Using WindowsCodec for Executor. If this is not running on Windows, this could allow for injection"
                    )
     else:
         notice = _("Using UnixCodec for Executor. If this is not running on Unix, this could allow injection"
                    )
     self.logger.warning(Logger.SECURITY_SUCCESS, notice)
     self.codec = WindowsCodec() if on_windows else UnixCodec()
 def __init__(self, user_message, log_message, cause=None):
     """
     Creates a new instance of EnterpriseSecurityException.

     Instantiating the exception registers it with the ESAPI
     IntrusionDetector, which also performs the logging, so every use of
     this API contributes to the security log and to quota checks.

     @param user_message: the message displayed to the user
     @param log_message: the message logged
     @param cause: the Exception that caused this one
     """
     Exception.__init__(self, user_message)

     self.user_message, self.log_message, self.cause = (
         user_message, log_message, cause)

     self.logger = ESAPI.logger("EnterpriseSecurityException")

     # add_exception() takes care of logging this exception.
     ESAPI.intrusion_detector().add_exception(self)
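    def __init__(self):
        """
        Instantiates a new DefaultEncryptor from the ESAPI security configuration.

        Reads the hashing, symmetric encryption and digital signature settings
        and the key directory from ESAPI.security_configuration().

        @raise EncryptionException: if the configured encryption or signing
            algorithm is not listed in VALID_ENCRYPTION_ALGOS or
            VALID_SIGNING_ALGOS respectively
        """
        Encryptor.__init__(self)
        self.logger = ESAPI.logger("DefaultEncryptor")

        # Fetch the configuration once rather than on every attribute read.
        config = ESAPI.security_configuration()

        # Hashing
        self.hash_algorithm = config.get_hash_algorithm()
        self.hash_iterations = config.get_hash_iterations()

        # Encryption
        self.encrypt_algorithm = config.get_encryption_algorithm()
        if self.encrypt_algorithm not in self.VALID_ENCRYPTION_ALGOS:
            # Same (user_message, log_message) form as the signing check below:
            # the generic text is shown to the user, the algorithm name only
            # reaches the log.
            raise EncryptionException(
                _("Failure to encrypt"),
                _("Encryption Failure - Unknown algorithm for encryption: %(algorithm)s"
                  ) % {'algorithm': self.encrypt_algorithm})

        self.encryption_key_length = config.get_encryption_key_length()
        self.master_salt = config.get_master_salt()

        # Public key crypto
        self.signing_algorithm = config.get_digital_signature_algorithm()
        if self.signing_algorithm not in self.VALID_SIGNING_ALGOS:
            raise EncryptionException(
                _("Failure to encrypt"),
                _("Encryption Failure - Unknown algorithm for signing: %(algorithm)s"
                  ) % {'algorithm': self.signing_algorithm})
        self.signing_key_length = config.get_digital_signature_key_length()

        # Key locations: the base directory always carries a trailing '/' so the
        # sub-directory names below can be appended directly.
        self.keys_location = os.path.realpath(
            config.get_encryption_keys_location()) + '/'
        self.keys_symmetric_location = self.keys_location + "symmetric"
        self.keys_asymmetric_private_location = self.keys_location + "asymmetric-private"
        self.keys_asymmetric_public_location = self.keys_location + "asymmetric-public"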
    def __init__(self, account_name):
        """
        Instantiates a new user.

        An unused, non-zero account id is drawn from ESAPI.randomizer();
        the remaining state (roles, lock/enable flags, timestamps, sessions,
        security events) starts out empty.

        @param account_name: The name of this user's account.
        """
        User.__init__(self)

        self._account_name = None
        self._set_account_name(account_name)

        # Draw random account numbers until one is unused; 0 is never accepted.
        # WARNING: this loops forever once every id in the randomizer's range
        # is already taken.
        candidate = ESAPI.randomizer().get_random_integer(1)
        while candidate == 0 or ESAPI.authenticator().exists(account_id=candidate):
            candidate = ESAPI.randomizer().get_random_integer(1)
        self._account_id = candidate

        self.logger = ESAPI.logger("DefaultUser")
        self._screen_name = None
        self._csrf_token = self.reset_csrf_token()
        self._roles = []
        self._locked = False
        self._logged_in = False
        self._enabled = False
        self._last_host_address = None
        self._last_password_change_time = None
        # Naive datetime sentinels: "never logged in" / "never expires".
        self._last_login_time = datetime.min
        self._last_failed_login_time = datetime.min
        self._expiration_time = datetime.max
        self._sessions = []

        # Security event dictionary, used by the IntrusionDetector
        self.event_map = {}

        self._failed_login_count = 0
        self._locale = None
 def __init__(self, account_name):
     """
     Instantiates a new user.

     An unused, non-zero account id is drawn from ESAPI.randomizer();
     the remaining state (roles, lock/enable flags, timestamps, sessions,
     security events) starts out empty.

     @param account_name: The name of this user's account.
     """
     User.__init__(self)

     self._account_name = None
     self._set_account_name(account_name)

     # Draw random account numbers until one is unused; 0 is never accepted.
     # WARNING: this loops forever once every id in the randomizer's range
     # is already taken.
     candidate = ESAPI.randomizer().get_random_integer(1)
     while candidate == 0 or ESAPI.authenticator().exists(account_id=candidate):
         candidate = ESAPI.randomizer().get_random_integer(1)
     self._account_id = candidate

     self.logger = ESAPI.logger("DefaultUser")
     self._screen_name = None
     self._csrf_token = self.reset_csrf_token()
     self._roles = []
     self._locked = False
     self._logged_in = False
     self._enabled = False
     self._last_host_address = None
     self._last_password_change_time = None
     # Naive datetime sentinels: "never logged in" / "never expires".
     self._last_login_time = datetime.min
     self._last_failed_login_time = datetime.min
     self._expiration_time = datetime.max
     self._sessions = []

     # Security event dictionary, used by the IntrusionDetector
     self.event_map = {}

     self._failed_login_count = 0
     self._locale = None
    def setUp(self):
        """
        Create a uniquely named test logger for each test.

        The class-level counter LoggerTest.test_count is appended to the
        logger name and then incremented, so successive tests never share
        a logger.
        """
        logger_name = "test" + str(LoggerTest.test_count)
        self.test_logger = ESAPI.logger(logger_name)
        LoggerTest.test_count += 1

        print("Test Logger: " + str(self.test_logger))
 def __init__(self):
     """
     Instantiates a new IntrusionDetector with its own ESAPI logger.
     """
     logger_name = "IntrusionDetector"
     self.logger = ESAPI.logger(logger_name)
 def __setstate__(self, state):
     """
     Restore unpickleable instance attributes like logger.

     @param state: the unpickled instance dictionary; it is merged into
         this object's attributes and a fresh "DefaultUser" logger is then
         attached, replacing any logger entry the state may hold.
     """
     # NOTE(review): this runs on unpickling; only load state that came
     # from a trusted source.
     vars(self).update(state)
     self.logger = ESAPI.logger("DefaultUser")
 def __init__(self):
     """
     Instantiates a new IntrusionDetector with its own ESAPI logger.
     """
     logger_name = "IntrusionDetector"
     self.logger = ESAPI.logger(logger_name)
 def __init__(self):
     """
     Instantiates a new HTTPUtilities with no current request or response.
     """
     self.logger = ESAPI.logger("HTTPUtilities")
     # Both stay None until assigned elsewhere.
     self.current_request = self.current_response = None
 def __init__(self):
     """
     Instantiates a new Randomizer.

     Random values come from random.SystemRandom, i.e. the operating
     system's randomness source rather than the default Mersenne Twister.
     """
     Randomizer.__init__(self)
     self.logger = ESAPI.logger("Randomizer")
     self.secure_random = SystemRandom()
 def __init__(self):
     """
     Instantiates a new HTTPUtilities with no current request or response.
     """
     self.logger = ESAPI.logger("HTTPUtilities")
     # Both stay None until assigned elsewhere.
     self.current_request = self.current_response = None
 def __init__(self):
     """
     Instantiates a new Randomizer.

     Random values come from random.SystemRandom, i.e. the operating
     system's randomness source rather than the default Mersenne Twister.
     """
     Randomizer.__init__(self)
     self.logger = ESAPI.logger("Randomizer")
     self.secure_random = SystemRandom()
    def test_set_level(self):
        """
        Test of set_level method of the inner class
        esapi.reference.PythonLogger that is defined in
        esapi.reference.PythonLogFactory.

        For every level the six is_*_enabled() predicates are compared with
        a table of expected values; then a second logger confirms that a
        level set on one logger does not leak into another.
        """
        T, F = True, False

        def check_enabled(logger, *expected):
            # expected is (fatal, error, warning, info, debug, trace);
            # assertTrue/assertFalse keep the original truthiness checks.
            predicates = (
                logger.is_fatal_enabled,
                logger.is_error_enabled,
                logger.is_warning_enabled,
                logger.is_info_enabled,
                logger.is_debug_enabled,
                logger.is_trace_enabled,
            )
            for predicate, should_be_enabled in zip(predicates, expected):
                if should_be_enabled:
                    self.assertTrue(predicate())
                else:
                    self.assertFalse(predicate())

        # First, test all the different logging levels, most to least verbose.
        expectations = [
            (Logger.ALL,     (T, T, T, T, T, T)),
            (Logger.TRACE,   (T, T, T, T, T, T)),
            (Logger.DEBUG,   (T, T, T, T, T, F)),
            (Logger.INFO,    (T, T, T, T, F, F)),
            (Logger.WARNING, (T, T, T, F, F, F)),
            (Logger.ERROR,   (T, T, F, F, F, F)),
            (Logger.FATAL,   (T, F, F, F, F, F)),
            (Logger.OFF,     (F, F, F, F, F, F)),
        ]
        for level, expected in expectations:
            self.test_logger.set_level(level)
            check_enabled(self.test_logger, *expected)

        # Now test to see if a change to the logging level in one log affects other logs
        new_logger = ESAPI.logger("test_num2")
        self.test_logger.set_level(Logger.OFF)
        new_logger.set_level(Logger.INFO)
        check_enabled(self.test_logger, F, F, F, F, F, F)
        check_enabled(new_logger, T, T, T, T, F, F)
    def setUp(self):
        """
        Create a uniquely named test logger for each test.

        The class-level counter LoggerTest.test_count is appended to the
        logger name and then incremented, so successive tests never share
        a logger.
        """
        logger_name = "test" + str(LoggerTest.test_count)
        self.test_logger = ESAPI.logger(logger_name)
        LoggerTest.test_count += 1

        print("Test Logger: " + str(self.test_logger))
 def __setstate__(self, state):
     """
     Restore unpickleable instance attributes like logger.

     @param state: the unpickled instance dictionary; it is merged into
         this object's attributes and a fresh "DefaultUser" logger is then
         attached, replacing any logger entry the state may hold.
     """
     # NOTE(review): this runs on unpickling; only load state that came
     # from a trusted source.
     vars(self).update(state)
     self.logger = ESAPI.logger("DefaultUser")
    def test_set_level(self):
        """
        Test of set_level method of the inner class
        esapi.reference.PythonLogger that is defined in
        esapi.reference.PythonLogFactory.

        For every level the six is_*_enabled() predicates are compared with
        a table of expected values; then a second logger confirms that a
        level set on one logger does not leak into another.
        """
        T, F = True, False

        def check_enabled(logger, *expected):
            # expected is (fatal, error, warning, info, debug, trace);
            # assertTrue/assertFalse keep the original truthiness checks.
            predicates = (
                logger.is_fatal_enabled,
                logger.is_error_enabled,
                logger.is_warning_enabled,
                logger.is_info_enabled,
                logger.is_debug_enabled,
                logger.is_trace_enabled,
            )
            for predicate, should_be_enabled in zip(predicates, expected):
                if should_be_enabled:
                    self.assertTrue(predicate())
                else:
                    self.assertFalse(predicate())

        # First, test all the different logging levels, most to least verbose.
        expectations = [
            (Logger.ALL,     (T, T, T, T, T, T)),
            (Logger.TRACE,   (T, T, T, T, T, T)),
            (Logger.DEBUG,   (T, T, T, T, T, F)),
            (Logger.INFO,    (T, T, T, T, F, F)),
            (Logger.WARNING, (T, T, T, F, F, F)),
            (Logger.ERROR,   (T, T, F, F, F, F)),
            (Logger.FATAL,   (T, F, F, F, F, F)),
            (Logger.OFF,     (F, F, F, F, F, F)),
        ]
        for level, expected in expectations:
            self.test_logger.set_level(level)
            check_enabled(self.test_logger, *expected)

        # Now test to see if a change to the logging level in one log affects other logs
        new_logger = ESAPI.logger("test_num2")
        self.test_logger.set_level(Logger.OFF)
        new_logger.set_level(Logger.INFO)
        check_enabled(self.test_logger, F, F, F, F, F, F)
        check_enabled(new_logger, T, T, T, T, F, F)