Invalid version attribute in esapi.tld within esapi-2.6.0.0.jar causes deployment failure. #866

Open
Afridi76320 opened this issue Jan 8, 2025 · 9 comments
@Afridi76320

Description

While deploying a web application using esapi-2.6.0.0.jar, the following error is encountered:

Steps to Reproduce

  1. Deploy a web application that includes esapi-2.6.0.0.jar in the WEB-INF/lib folder.
  2. Start the Tomcat server.
  3. Observe the deployment logs.

Expected Behavior

The application should deploy successfully without errors.

Actual Behavior

Deployment fails due to an invalid version attribute value in esapi.tld. The value 2.x is not a valid decimal format.

Suggested Fix

Update the esapi.tld file within esapi-2.6.0.0.jar to use a valid decimal value for the version attribute. For example, replace 2.x with 2.0.

Environment

  • Tomcat Version: 10.1.34
  • ESAPI Version: 2.6.0.0
  • Java Version: Java 17
  • Operating System: macOS

Impact

This issue prevents the deployment of applications that depend on the ESAPI library, making the library unusable in its current state.

Additional Information

This issue is reproducible on multiple environments. A quick workaround involves extracting the JAR, editing the esapi.tld file, and re-packaging the JAR. However, an official fix is preferred.

@Afridi76320 Afridi76320 added the bug label Jan 8, 2025
@xeno6696
Collaborator

xeno6696 commented Jan 8, 2025

So I just spun up a demo project and it ran just fine. From scratch, the only thing I needed to add was ESAPI.properties and validation.properties into src/main/resources/esapi into the main project structure before running.

Can you share a demo project that reproduces the result you're getting?

@xeno6696
Collaborator

xeno6696 commented Jan 8, 2025

@kwwall validated that the esapi.tld we have checked in doesn't have the "2.x" marking.

But the one packaged at maven central clearly has this:
image

@kwwall
Contributor

kwwall commented Jan 8, 2025

Wouldn't the esapi-2.6.0.0-jakarta.jar need to be used with Tomcat 10, since I thought that Tomcat 10 used the new Jarkata Servlet API rather than the older Java EE Servlet API? That may not be the root cause of this problem, but I think that would surely cause the tag library to fail if the regular ESAPI jar were used with Tomcat 10.

@kwwall
Contributor

kwwall commented Jan 8, 2025

Also

@kwwall validated that the esapi.tld we have checked in doesn't have the "2.x" marking.

Actually, it apparently does:

So the question is, what SHOULD this be set to? And does it need to be different for Java EE vs Jakarta?

@xeno6696
Collaborator

xeno6696 commented Jan 8, 2025

I don't see how that's possible, here's the copy I have pulled down:
image

@xeno6696
Collaborator

xeno6696 commented Jan 8, 2025

I was the last person to touch that file back in '17. But that was simply moving it from an old location to the current one in META-INF/

@xeno6696
Collaborator

xeno6696 commented Jan 8, 2025

Just to make sure I'm not insane, I'm up to date with commit history. Last commit was 11-30-2024 with

Author: Kevin W. Wall <[email protected]>  2024-11-30 14:36:35
Committer: GitHub <[email protected]>  2024-11-30 14:36:35
Parent: aa0670ef2f590367e8598d0b62ce075be3618f58 (Modifying pom.xml for next planned release.)
Branch: remotes/upstream/develop
Follows: esapi-2.6.0.0
Precedes: 

    Update SECURITY.md
    
    Note 2.6.0.0 as the current release.

--------------------------------- SECURITY.md ---------------------------------
index a8d99638..4945f733 100644
@@ -12,8 +12,8 @@ but if it is anything but trivial, we would charge a TBD consulting fee.
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.5.5.0 (latest) | :white_check_mark: |
-| 2.1.0.1-2.5.4.0 | :x:, upgrade to latest release |
+| 2.6.0.0 (latest) | :white_check_mark: |
+| 2.1.0.1-2.5.5.0 | :x:, upgrade to latest release |
 | <= 1.4.x  | :x:, no longer supported AT ALL |
 
 ## Reporting a Vulnerability
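Review bot: the two edited rows hard-code the release number twice, once in the "(latest)" row and once as the upper bound of the unsupported range, so every release needs both lines changed in lockstep (here 2.5.5.0 moves from the supported row to the end of the `2.1.0.1-2.5.5.0` range). Consider a single row such as `| latest release (2.6.0.0) | :white_check_mark: |` with the unsupported range phrased as "all earlier 2.x releases", so only one cell changes per release. The hunk is otherwise consistent: the `<= 1.4.x` row and the surrounding table syntax are untouched.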


@Afridi76320
Author

Afridi76320 commented Jan 9, 2025

Yes, so what do we have to change this to? Decimal? Because we get SEVERE entries in catalina.logs. Please help us to resolve this. Attaching the logs ...

org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/mware/jwsAppDetails/vdcs-api/webapps/vdcs-api.war]
07-Jan-2025 16:20:47.118 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Context] failed to set property [allowLinking] to [false]
07-Jan-2025 16:20:58.254 SEVERE [main] org.apache.tomcat.util.digester.Digester.error Parse error at line [25] column [16]
org.xml.sax.SAXParseException; systemId: jar:file:/usr/mware/jwsAppDetails/vdcs-api/webapps/vdcs-api/WEB-INF/lib/esapi-2.6.0.0.jar!/META-INF/esapi.tld;
lineNumber: 25; columnNumber: 16; cvc-datatype-valid.1.2.1: '2.x' is not a valid value for 'decimal'.
07-Jan-2025 16:20:58.257 SEVERE [main] org.apache.tomcat.util.digester.Digester.error Parse error at line [25] column [16]
org.xml.sax.SAXParseException; systemId: jar:file:/usr/mware/jwsAppDetails/vdcs-api/webapps/vdcs-api/WEB-INF/lib/esapi-2.6.0.0.jar!/META-INF/esapi.tld;
lineNumber: 25; columnNumber: 16; cvc-attribute.3: The value '2.x' of attribute 'version' on element 'taglib' is not valid with respect to its type, 'dewey-versionType'.

@kwwall
Contributor

kwwall commented Jan 12, 2025

@Afridi76320 - We can change it, but:

  • What is the exact format for this? (Is it just something like 2.0, 2.0.1, 2.0.1.3, etc.?) If you know where this attribute is documented, that would be helpful.
  • Does it have to match something else, such as the jar version? Because I'd like to set it once and forget it rather than needing to update it every time we release a new version of ESAPI.

In the meantime, I'd recommend just unjaring it, updating the tld yourself, and rejarring it, as our next release probably is still a few months away. (It's a minor PITA to do a release.)
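An added check for the attribute discussed in this thread, not code from the ESAPI project: it assumes the `dewey-versionType` pattern `\.?[0-9]+(\.[0-9]+)*` from the JSP tag library XML schema (the type named in the SAXParseException above), builds a constructed in-memory jar holding a minimal TLD with `version="2.x"` (not the real esapi.tld), reports whether that value would pass, and rewrites it in a copy of the jar the way the unjar/edit/rejar workaround does by hand.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: the dewey-versionType pattern from the JSP taglib schema, which is
# what Tomcat's digester validates <taglib version="..."> against.
DEWEY_VERSION = re.compile(r"\.?[0-9]+(\.[0-9]+)*")
TLD_PATH = "META-INF/esapi.tld"

# Constructed minimal TLD carrying the bad attribute; not the real esapi.tld.
BAD_TLD = """<?xml version="1.0" encoding="UTF-8"?>
<taglib xmlns="http://java.sun.com/xml/ns/javaee" version="2.x">
  <tlib-version>2.0</tlib-version>
  <short-name>esapi</short-name>
</taglib>
"""

def is_valid_dewey(value: str) -> bool:
    """True for dotted-decimal versions such as 2.0 or 2.0.1.3; False for 2.x."""
    return DEWEY_VERSION.fullmatch(value) is not None

def taglib_version(tld_xml: bytes) -> str:
    """Read the version attribute of the root <taglib> element."""
    return ET.fromstring(tld_xml).get("version", "")

def build_jar(tld_xml: str) -> bytes:
    # Constructed stand-in for esapi-2.6.0.0.jar containing only the TLD.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(TLD_PATH, tld_xml)
    return buf.getvalue()

def check_jar(jar_bytes: bytes) -> tuple[str, bool]:
    """Return (version attribute, whether the schema check would accept it)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = taglib_version(zf.read(TLD_PATH))
    return version, is_valid_dewey(version)

def fix_jar(jar_bytes: bytes, new_version: str = "2.0") -> bytes:
    """Copy the jar, replacing only the version attribute on the <taglib> start tag."""
    if not is_valid_dewey(new_version):
        raise ValueError(f"{new_version!r} is not a valid dewey version")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == TLD_PATH:
                data = re.sub(rb'(<taglib\b[^>]*\bversion=")[^"]*(")',
                              rb"\g<1>" + new_version.encode() + rb"\g<2>", data, count=1)
            dst.writestr(item, data)
    return out.getvalue()
```

Running `check_jar(fix_jar(build_jar(BAD_TLD)))` yields `("2.0", True)`, i.e. the rewritten copy carries a value the schema accepts.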
