How to suppress messages output by ESAPI library


Does anyone know how to suppress the following noisy messages output by the ESAPI library?

System property [org.owasp.esapi.opsteam] is not set
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.

System property [org.owasp.esapi.devteam] is not set
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.

I added the library to my web application (with embedded Tomcat); ESAPI validation works, but these noisy messages are output.

Java code:

writer.write(ESAPI.encoder().encodeForHTML("<test>"));

Dependency of ESAPI:

<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.1.0.1</version>
</dependency>

ESAPI.properties:

https://github.com/k-tamura/embtest/blob/master/src/main/resources/ESAPI.properties

Steps to reproduce:

(1) Run the commands:

$ git clone https://github.com/k-tamura/embtest.git
$ cd embtest
$ mvn clean install

(2) Access http://localhost:8080/ping -> the above logs are shown on the console.

Environment (my local machine):

$ mvn -version
Apache Maven 3.2.2 (45f7c06d68e745d05611f7fd14efb6594181933e; 2014-06-17T22:51:42+09:00)
Maven home: c:\apache-maven-3.2.2
Java version: 1.8.0_121, vendor: Oracle Corporation
Java home: c:\Program Files\Java\jdk1.8.0_121\jre
Default locale: ja_JP, platform encoding: MS932
OS name: "windows 7", version: "6.1", arch: "amd64", family: "dos"


Kohei TAMURA On BEST ANSWER

I can work around this issue by adding an InitializationListener, referring to @avgvstvs's answer:

import java.io.OutputStream;
import java.io.PrintStream;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.owasp.esapi.ESAPI;

@WebListener
public class InitializationListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent event) {

        /* Suppress noisy messages output by the ESAPI library. Both System.out and
           System.err are silenced only for ESAPI's one-time initialization and then
           restored; anything other threads print during that window is lost as well. */
        PrintStream originalOut = System.out;
        PrintStream originalErr = System.err;
        try (PrintStream out = new PrintStream(new OutputStream() {
            @Override
            public void write(int b) {
                // Discard everything
            }
        })) {
            System.setOut(out);
            System.setErr(out);
            ESAPI.encoder(); // triggers the loading of ESAPI.properties / validation.properties
        } catch (Exception e) {
            // Do nothing
        } finally {
            System.setOut(originalOut);
            // Restore stderr too; otherwise it stays pointed at the closed, silent sink.
            System.setErr(originalErr);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Do nothing
    }
}
avgvstvs On

You're getting bit by a chicken-and-egg scenario. Those statements are coming from a combo of System.out.println() and System.err.println().

The problem is that we need to load the properties files in order to determine what logger to load, but on initialization... we don't have a logger instantiated.

So we default to the only other option, which is console output.

In the past we had removed it, but then the mailing list got inundated by "My application won't start, HEEEEELP!"

So they're back and they're not going anywhere: Feature not a bug.

If you are THAT determined to get rid of the file hunting messages, I suggest redirecting output streams like they do here.

import java.io.FileOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;

// Discard stdout (use "NUL" on Windows); throws FileNotFoundException if the device cannot be opened.
OutputStream output = new FileOutputStream("/dev/null");
PrintStream printOut = new PrintStream(output);
System.setOut(printOut); // some of the messages go to System.err, which this does not cover

Disclaimer: I'm one of the ESAPI-java co-leads.

Kevin W. Wall On

First off, I want to note that @avgvstvs correctly referenced this in a comment made to @CharlieReitzel on 2022-01-20. I am not trying to take credit for his correct answer (we are both ESAPI project co-leads), but rather trying to get his answer unburied. As noted by @ravi-kumar-b yesterday, this buried comment was not found. Hopefully, this will help uncover the proper way to approach it. So shout out to @avgvstvs for mentioning it.

The correct way to suppress ESAPI output to stdout similar to this

System property [org.owasp.esapi.opsteam] is not set.
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
System property [org.owasp.esapi.devteam] is not set
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
...

is by setting the System property, org.owasp.esapi.logSpecial.discard to true when you invoke your application server, Spring Boot, etc. E.g.,

    java -Dorg.owasp.esapi.logSpecial.discard=true ...

That will work as long as you are using ESAPI 2.2.0.0 or later.

However, please note that there are 2 ESAPI vulnerabilities in ESAPI 2.2.0.0 itself (and many others via dependencies) so you are strongly encouraged to upgrade to a later version (ideally release 2.5.0.0).
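The same property can be set from inside the web application when you do not control the JVM command line. The listener below is an added example and is not code from the question, the answers, or the ESAPI project; the class name and the guard against overriding an operator-supplied -D value are illustrative choices. It assumes, as the answer above states, an ESAPI release of 2.2.0.0 or later, and that the property is consulted when ESAPI first loads its configuration, which is why the property is set before the first call into ESAPI.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.owasp.esapi.ESAPI;

/**
 * Sets org.owasp.esapi.logSpecial.discard before ESAPI's one-time configuration
 * load runs, so the "Attempting to load ESAPI.properties ..." messages are
 * discarded without redirecting System.out/System.err. Requires ESAPI >= 2.2.0.0.
 * (Illustrative class name; not part of ESAPI.)
 */
@WebListener
public class EsapiQuietStartupListener implements ServletContextListener {

    static final String DISCARD_PROPERTY = "org.owasp.esapi.logSpecial.discard";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        // Respect an explicit -Dorg.owasp.esapi.logSpecial.discard=... given to the JVM;
        // only fill in the default when the operator has not decided.
        if (System.getProperty(DISCARD_PROPERTY) == null) {
            System.setProperty(DISCARD_PROPERTY, "true");
        }

        // Force ESAPI's configuration load here, after the property is in place, rather
        // than on the first request. If some other code touched ESAPI earlier (for
        // example a static initializer in another listener), the messages will already
        // have been printed and this property has no effect on them.
        ESAPI.encoder();
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to clean up; the property is harmless to leave set.
    }
}
```

Setting the property from a listener only helps when no other component initializes ESAPI first; if you cannot guarantee that ordering, the JVM flag from the answer above (`-Dorg.owasp.esapi.logSpecial.discard=true`) is the reliable option. Remember to also bump the `esapi` dependency in your pom.xml to a current release before relying on this property, since the 2.1.0.1 version shown in the question predates it.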