Printing the CsrfGuard's config leads to java.lang.reflect.InaccessibleObjectException in Java 17 #178

rzanner · 2023-02-14T11:11:36Z

rzanner
Feb 14, 2023

When using the print feature of the CsrfGuard, either by activating it in csrfguard.properties (org.owasp.csrfguard.Config.Print = true) or in web.xml (set context parameter "Owasp.CsrfGuard.Config.Print" to true), you get the following stacktrace, complaining that the "java.util.regex" package is not accessible via reflection:

java.lang.reflect.InaccessibleObjectException: Unable to make field static final boolean java.util.regex.Pattern.$assertionsDisabled accessible: module java.base does not "opens java.util.regex" to unnamed module @45ed3a9b
	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
	at java.base/java.lang.reflect.Field.checkCanSetAccessible(Field.java:178)
	at java.base/java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:130)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.appendFieldsIn(ReflectionToStringBuilder.java:645)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:840)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:313)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:166)
	at org.apache.commons.lang3.builder.RecursiveToStringStyle.appendDetail(RecursiveToStringStyle.java:73)
	at org.apache.commons.lang3.builder.ToStringStyle.appendInternal(ToStringStyle.java:579)
	at org.apache.commons.lang3.builder.ToStringStyle.append(ToStringStyle.java:466)
	at org.apache.commons.lang3.builder.ToStringBuilder.append(ToStringBuilder.java:860)
	at org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder.append(CsrfGuardPropertiesToStringBuilder.java:186)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.appendFieldsIn(ReflectionToStringBuilder.java:654)
	at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:840)
	at org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder.toString(CsrfGuardPropertiesToStringBuilder.java:68)
	at org.owasp.csrfguard.CsrfGuard.toString(CsrfGuard.java:281)
	at java.base/java.lang.String.valueOf(String.java:4218)
	at java.base/java.lang.StringBuilder.append(StringBuilder.java:173)
	at org.owasp.csrfguard.CsrfGuardServletContextListener.printConfigIfConfigured(CsrfGuardServletContextListener.java:131)
	at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:155)
	...

Currently the only work-around is to not log the config, which should be fixed, I believe.

I think the field "javascriptRefererPattern" of the org.owasp.csrfguard.config.PropertiesConfigurationProvider needs to be added to the "FIELDS_TO_EXCLUDE" constant array in org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder to prevent at least this error.

Probably other fields of the PropertiesConfigurationProvider are also affected, like "pageTokenSynchronizationTolerance" (java.time.Duration) or "prng" (java.security.SecureRandom).

How can I get this fixed ? :-)

Answered by forgedhallpass

May 5, 2023

Related ticket: #179

View full answer

forgedhallpass · 2023-05-05T20:53:15Z

forgedhallpass
May 5, 2023
Maintainer

Related ticket: #179

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Printing the CsrfGuard's config leads to java.lang.reflect.InaccessibleObjectException in Java 17 #178

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Printing the CsrfGuard's config leads to java.lang.reflect.InaccessibleObjectException in Java 17 #178

rzanner Feb 14, 2023

Replies: 1 comment

forgedhallpass May 5, 2023 Maintainer

rzanner
Feb 14, 2023

forgedhallpass
May 5, 2023
Maintainer