From a38b4b8eebc8423578ce27de182036539f4948bc Mon Sep 17 00:00:00 2001 From: Steve Abbott Date: Tue, 15 Jul 2025 22:07:50 -0400 Subject: [PATCH] Fixes #894. Remove outdated commons-lang and commons-configuration dependencies with problematic CVEs. --- pom.xml | 32 +++++++++++++++---- .../DefaultSecurityConfiguration.java | 5 ++- .../policyloader/ACRParameterLoader.java | 2 +- .../ACRParameterLoaderHelper.java | 2 +- .../policyloader/ACRPolicyFileLoader.java | 21 +++++++++--- .../DynaBeanACRParameterLoader.java | 2 +- 6 files changed, 46 insertions(+), 18 deletions(-) diff --git a/pom.xml b/pom.xml index f0bc96e7b..c0b9b3402 100644 --- a/pom.xml +++ b/pom.xml @@ -194,15 +194,19 @@ --> - commons-configuration - commons-configuration - 1.10 + org.apache.commons + commons-configuration2 + 2.12.0 - + commons-logging commons-logging + + org.apache.commons + commons-lang3 + + + org.apache.commons + commons-lang3 + + commons-fileupload diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java index 7b622c32d..f7f7ec8c3 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java @@ -33,9 +33,8 @@ import java.util.regex.Pattern; import java.util.regex.PatternSyntaxException; -import org.apache.commons.lang.text.StrTokenizer; +import org.apache.commons.text.StringTokenizer; import org.owasp.esapi.ESAPI; -import org.owasp.esapi.Logger; import org.owasp.esapi.PropNames; // <== Actual property names moved to here. Eventually we'll do static import. import org.owasp.esapi.PropNames.DefaultSearchPath; import org.owasp.esapi.SecurityConfiguration; 
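Review bot: `org.apache.commons.text.StringTokenizer` is now imported directly by DefaultSecurityConfiguration, yet no `commons-text` dependency appears in this hunk, so that class is compiled against whatever commons-text version `commons-configuration2` 2.12.0 happens to pull in transitively — the same unpinned-transitive situation this commit is trying to leave behind. Declare it explicitly (an `org.apache.commons:commons-text` entry with a pinned version next to the `commons-lang3` one) so the version is owned by this POM and `mvn dependency:analyze` stops reporting a used-undeclared dependency; commons-text has its own CVE history (the `StringSubstitutor` fix shipped in 1.10.0), so the pin should be at or above that. Excluding `commons-lang3` from `commons-configuration2` and then depending on it directly is a reasonable way to pin lang3, but the XML tags were lost in this rendering, so I cannot confirm which element the second `commons-lang3` block sits in or whether it carries a `<version>`; please verify it is versioned here or in `dependencyManagement`.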
@@ -651,7 +650,7 @@ protected void loadConfiguration() throws IOException { if(multivalued){ // the following cast warning goes away if the apache commons lib is updated to current version - validationPropFileNames = StrTokenizer.getCSVInstance(validationPropValue); + validationPropFileNames = StringTokenizer.getCSVInstance(validationPropValue); } else { validationPropFileNames = Collections.singletonList(validationPropValue).iterator(); } diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoader.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoader.java index a0ae77f95..e6c679a5c 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoader.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoader.java @@ -1,6 +1,6 @@ package org.owasp.esapi.reference.accesscontrol.policyloader; -import org.apache.commons.configuration.XMLConfiguration; +import org.apache.commons.configuration2.XMLConfiguration; public interface ACRParameterLoader { diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoaderHelper.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoaderHelper.java index d0846fc2a..816730d57 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoaderHelper.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRParameterLoaderHelper.java @@ -1,6 +1,6 @@ package org.owasp.esapi.reference.accesscontrol.policyloader; -import org.apache.commons.configuration.XMLConfiguration; +import org.apache.commons.configuration2.XMLConfiguration; final public class ACRParameterLoaderHelper { 
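Review bot: The context comment `// the following cast warning goes away if the apache commons lib is updated to current version` is now stale — the replacement line assigns `StringTokenizer.getCSVInstance(validationPropValue)` to `validationPropFileNames` with no cast, which is presumably because commons-text's `StringTokenizer` is generic over `String`, so the comment should be deleted rather than left describing a warning that no longer exists. Since these tokens become the names of validation property files that are subsequently loaded, the migration deserves a test asserting that the multivalued path still splits a quoted, whitespace-padded CSV value (e.g. `a.properties, "b.properties"`) into the same tokens the commons-lang `StrTokenizer` produced; the two implementations are meant to be equivalent, but that is an assumption worth pinning rather than trusting. `loadConfiguration()` starts and ends outside this hunk.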
diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRPolicyFileLoader.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRPolicyFileLoader.java index 9a7f5955b..30f08c471 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRPolicyFileLoader.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/ACRPolicyFileLoader.java @@ -3,8 +3,12 @@ import java.io.File; import java.util.Collection; -import org.apache.commons.configuration.ConfigurationException; -import org.apache.commons.configuration.XMLConfiguration; +import org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder; +import org.apache.commons.configuration2.builder.fluent.Parameters; +import org.apache.commons.configuration2.convert.DefaultConversionHandler; +import org.apache.commons.configuration2.convert.LegacyListDelimiterHandler; +import org.apache.commons.configuration2.ex.ConfigurationException; +import org.apache.commons.configuration2.XMLConfiguration; import org.owasp.esapi.ESAPI; import org.owasp.esapi.Logger; import org.owasp.esapi.errors.AccessControlException; 
@@ -15,15 +19,22 @@ final public class ACRPolicyFileLoader { public PolicyDTO load() throws AccessControlException { PolicyDTO policyDTO = new PolicyDTO(); XMLConfiguration config; - File file = ESAPI.securityConfiguration().getResourceFile("ESAPI-AccessControlPolicy.xml"); + final String configFileName = "ESAPI-AccessControlPolicy.xml"; + File file = ESAPI.securityConfiguration().getResourceFile(configFileName); try { - config = new XMLConfiguration(file); + final DefaultConversionHandler conversionHandler = new DefaultConversionHandler(); + conversionHandler.setListDelimiterHandler(new LegacyListDelimiterHandler(',')); + config = new FileBasedConfigurationBuilder<>(XMLConfiguration.class) + .configure(new Parameters().xml() + .setConversionHandler(conversionHandler) + .setFile(file) + .setFileName(configFileName)).getConfiguration(); } catch(ConfigurationException cex) { if(file == null) { - throw new AccessControlException("Unable to load configuration file for the following: " + "ESAPI-AccessControlPolicy.xml", "", cex); + throw new AccessControlException("Unable to load configuration file for the following: " + configFileName, "", cex); } throw new AccessControlException("Unable to load configuration file from the following location: " + file.getAbsolutePath(), "", cex); } diff --git a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/DynaBeanACRParameterLoader.java b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/DynaBeanACRParameterLoader.java index 14174625d..84866c464 100644 --- a/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/DynaBeanACRParameterLoader.java +++ b/src/main/java/org/owasp/esapi/reference/accesscontrol/policyloader/DynaBeanACRParameterLoader.java 
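Review bot: The `if(file == null)` branch inside the catch is most likely unreachable, because `.setFile(file)` is evaluated before `getConfiguration()` and, as far as I recall, configuration2's `FileHandler.setFile` dereferences the `File` immediately, so a missing `ESAPI-AccessControlPolicy.xml` would surface as a NullPointerException escaping `load()` rather than the intended AccessControlException; guard before the try instead: `if (file == null) { throw new AccessControlException("Unable to load configuration file for the following: " + configFileName, ""); }` (confirm the two-argument constructor is available in this ESAPI version). Installing `LegacyListDelimiterHandler(',')` only on the `DefaultConversionHandler` restores 1.x comma splitting for typed conversions, but the XML loader splits values using the configuration's own list-delimiter handler, which in configuration2 is disabled by default — because these values feed access-control decisions, a test reading a comma-separated policy parameter should pin the behaviour, and `.setListDelimiterHandler(new LegacyListDelimiterHandler(','))` on the same `Parameters` may also be required. `.setFile(file)` followed by `.setFileName(configFileName)` is redundant: the second call overwrites the name already taken from the `File` with the same string, so keep `setFile(file)` alone. Nothing here hardens the XML parse against DTDs or external entities (`XMLBuilderParameters` accepts a pre-configured `DocumentBuilder` via `setDocumentBuilder`); the policy file is a local resource, so this is a pre-existing caveat rather than a regression, but the rewrite is the natural place to add it. `load()` continues past the end of this hunk.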
@@ -1,6 +1,6 @@ package org.owasp.esapi.reference.accesscontrol.policyloader; -import org.apache.commons.configuration.XMLConfiguration; +import org.apache.commons.configuration2.XMLConfiguration; import org.owasp.esapi.ESAPI; import org.owasp.esapi.Logger; import org.owasp.esapi.reference.accesscontrol.DynaBeanACRParameter;