esapi-java-legacy

Four tests failing with "UnsupportedOperation This method has been removed for security."

Open wilx opened this issue 5 months ago • 2 comments

I have been looking at 2.4.0.0 that we use in our old product and I have tried running tests. Four tests are failing:

[ERROR]   EncryptedPropertiesUtilsTest.testCreateNew:93 » UnsupportedOperation This method has been removed for security.
[ERROR]   EncryptedPropertiesUtilsTest.testLoadEncryptedAndAdd:165 » UnsupportedOperation This method has been removed for security.
[ERROR]   EncryptedPropertiesUtilsTest.testLoadPlaintextAndEncrypt:131 » UnsupportedOperation This method has been removed for security.
[ERROR]   ReferenceEncryptedPropertiesTest.testStoreLoad:160 » UnsupportedOperation This method has been removed for security.

The exception for one of the tests is always about entrySet:

java.lang.UnsupportedOperationException: This method has been removed for security.

	at org.owasp.esapi.reference.crypto.ReferenceEncryptedProperties.entrySet(ReferenceEncryptedProperties.java:244)
	at java.base/java.util.Properties.store0(Properties.java:935)
	at java.base/java.util.Properties.store(Properties.java:921)
	at org.owasp.esapi.reference.crypto.ReferenceEncryptedPropertiesTest.testStoreLoad(ReferenceEncryptedPropertiesTest.java:160)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:54)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
	at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
	at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
	at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
	at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:231)
	at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:55)

The entrySet is overridden in org.owasp.esapi.reference.crypto.ReferenceEncryptedProperties but the Properties.store() is using it.

Should the tests be removed if they are expected to fail?

wilx, Jul 09 '25 08:07

#721 is related.

wilx, Jul 09 '25 08:07

This happens when you use something later than Java 8 to run the tests. For instance, if you run the tests with OpenJDK 8, they all pass. If you were to use OpenJDK 11, you get the failures that you mentioned. I looked at this back when #721 was first reported and concluded that it's failing because in (at least) Java 11 and later, Java's Properties.store method has apparently been removed:

...
[ERROR] Tests run: 3, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.005 s <<< FAILURE! -- in org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest
[ERROR] org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest.testLoadPlaintextAndEncrypt -- Time elapsed: 0.002 s <<< ERROR!
java.lang.UnsupportedOperationException: This method has been removed for security.
	at org.owasp.esapi.reference.crypto.ReferenceEncryptedProperties.entrySet(ReferenceEncryptedProperties.java:244)
	at java.base/java.util.Properties.store0(Properties.java:938)
	at java.base/java.util.Properties.store(Properties.java:924)
	at org.owasp.esapi.reference.crypto.EncryptedPropertiesUtils.storeProperties(EncryptedPropertiesUtils.java:189)
	at org.owasp.esapi.reference.crypto.EncryptedPropertiesUtilsTest.testLoadPlaintextAndEncrypt(EncryptedPropertiesUtilsTest.java:131)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
...

Which seems odd since Oracle's Javadoc for Properties.store(OutputStream,String) still shows it and it isn't even deprecated there.

Until then, we run our unit tests using Java 8 (where there is no problem) since that is the minimally supported JDK that ESAPI has said we would support. (At some point soon, in the not too distant future--although no date has been set--we will move the minimal JDK to whatever is the oldest LTS JDK version.)

The root cause though may go deeper than that. On the surface at least, it appears it may be related to what is described in this 'Fixing "UnsupportedOperationException": A Comprehensive Guide with Examples' article. I also noticed that java.util.Dictionary, which is a superclass of java.util.Hashtable, from which java.util.Properties is derived, has this note: "NOTE: This class is obsolete. New implementations should implement the Map interface, rather than extending this class."

Regardless, I suppose that it bears further investigation and that we should either rewrite some of those methods or deprecate them. However, I still think between that notice in java.util.Dictionary and this behavior, they would either deprecate the Properties.store methods or rewrite them to fix this.

kwwall, Jul 09 '25 15:07
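
A minimal reproduction of the mechanism visible in the stack traces above, added here as an example and not taken from ESAPI or from either commenter. `LockedProperties` is a hypothetical stand-in that blocks `entrySet()` the way the trace shows for `ReferenceEncryptedProperties`; JDK 8's `Properties.store0` walks `keys()`, while the `store0` frame in the JDK 11 trace calls `entrySet()`, so the direct store succeeds on 8 and fails on later JDKs. The `copyForStore` helper is one possible workaround under that assumption, not the project's fix.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

public class EntrySetStoreDemo {

    // Hypothetical stand-in for a Properties subclass that blocks entrySet(),
    // as the stack trace shows ReferenceEncryptedProperties doing.
    static class LockedProperties extends Properties {
        @Override
        public Set<Map.Entry<Object, Object>> entrySet() {
            throw new UnsupportedOperationException("This method has been removed for security.");
        }
    }

    // Returns true if store() completes, false if it reaches the blocked entrySet().
    static boolean storeWorks(Properties props) throws IOException {
        try {
            props.store(new ByteArrayOutputStream(), "demo");
            return true;
        } catch (UnsupportedOperationException e) {
            return false;
        }
    }

    // Copies the raw stored values through keys()/get(), which are not blocked,
    // into a plain Properties object whose own store() works on any JDK.
    static Properties copyForStore(Properties source) {
        Properties plain = new Properties();
        for (Enumeration<?> e = source.keys(); e.hasMoreElements();) {
            Object key = e.nextElement();
            plain.put(key, source.get(key));
        }
        return plain;
    }

    public static void main(String[] args) throws IOException {
        LockedProperties locked = new LockedProperties();
        locked.setProperty("db.password", "constructed-sample-value"); // constructed sample

        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("direct store()   = " + storeWorks(locked));
        System.out.println("store() via copy = " + storeWorks(copyForStore(locked)));
    }
}
```

Run it once under Java 8 and once under Java 11 or later to compare the `direct store()` line. The copy holds whatever values the subclass actually keeps internally, so confirm those are the protected values before writing the copy anywhere.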