Description
First opened as a discussion in #178
Describe the bug
When using the print feature of the CsrfGuard, either by activating it in csrfguard.properties (org.owasp.csrfguard.Config.Print = true) or in web.xml (set context parameter "Owasp.CsrfGuard.Config.Print" to true), you get the following stacktrace, complaining that the "java.util.regex" package is not accessible via reflection:
java.lang.reflect.InaccessibleObjectException: Unable to make field static final boolean java.util.regex.Pattern.$assertionsDisabled accessible: module java.base does not "opens java.util.regex" to unnamed module @45ed3a9b
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
at java.base/java.lang.reflect.Field.checkCanSetAccessible(Field.java:178)
at java.base/java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:130)
at org.apache.commons.lang3.builder.ReflectionToStringBuilder.appendFieldsIn(ReflectionToStringBuilder.java:645)
at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:840)
at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:313)
at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:166)
at org.apache.commons.lang3.builder.RecursiveToStringStyle.appendDetail(RecursiveToStringStyle.java:73)
at org.apache.commons.lang3.builder.ToStringStyle.appendInternal(ToStringStyle.java:579)
at org.apache.commons.lang3.builder.ToStringStyle.append(ToStringStyle.java:466)
at org.apache.commons.lang3.builder.ToStringBuilder.append(ToStringBuilder.java:860)
at org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder.append(CsrfGuardPropertiesToStringBuilder.java:186)
at org.apache.commons.lang3.builder.ReflectionToStringBuilder.appendFieldsIn(ReflectionToStringBuilder.java:654)
at org.apache.commons.lang3.builder.ReflectionToStringBuilder.toString(ReflectionToStringBuilder.java:840)
at org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder.toString(CsrfGuardPropertiesToStringBuilder.java:68)
at org.owasp.csrfguard.CsrfGuard.toString(CsrfGuard.java:281)
at java.base/java.lang.String.valueOf(String.java:4218)
at java.base/java.lang.StringBuilder.append(StringBuilder.java:173)
at org.owasp.csrfguard.CsrfGuardServletContextListener.printConfigIfConfigured(CsrfGuardServletContextListener.java:131)
at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:155)
...
Currently the only work-around is to not log the config. :-(
To Reproduce
Steps to reproduce the behavior:
- Enable printing the configuration via csrfguard.properties (org.owasp.csrfguard.Config.Print = true)
- Start the application
- See error
Expected behavior
Normal logging of the app, no stacktrace.
Additional context
I think the field "javascriptRefererPattern" of the org.owasp.csrfguard.config.PropertiesConfigurationProvider needs to be added to the "FIELDS_TO_EXCLUDE" constant array in org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder to prevent at least this error.
Probably other fields of the PropertiesConfigurationProvider are also affected, like "pageTokenSynchronizationTolerance" (java.time.Duration) or "prng" (java.security.SecureRandom).
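An added example (not CsrfGuard's or commons-lang3's own code) showing the failure mode from the stack trace next to one way to harden a reflective configuration dump: a RecursiveToStringStyle that refuses to descend into JDK classes, plus exclusion of the PRNG field by name. SampleConfig and its values are constructed stand-ins for the provider fields named above, and the commons-lang3 dependency is assumed to be on the classpath.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.util.regex.Pattern;
import org.apache.commons.lang3.builder.RecursiveToStringStyle;
import org.apache.commons.lang3.builder.ReflectionToStringBuilder;

public class ConfigPrintDemo {
    // Constructed stand-in for the provider fields named in the report (not CsrfGuard's class).
    static final class SampleConfig {
        final Pattern javascriptRefererPattern = Pattern.compile("https://example\\.test/.*");
        final Duration pageTokenSynchronizationTolerance = Duration.ofSeconds(2);
        final SecureRandom prng = new SecureRandom();
        final boolean rotate = true;
    }

    // Recursive style that stops at JDK types: a java.*/javax.*/jdk.* value is rendered via its
    // own toString() instead of field-by-field reflection, so setAccessible() is never called on
    // java.base internals (which Java 16+ denies by default unless --add-opens is passed).
    static final class AppOnlyRecursiveStyle extends RecursiveToStringStyle {
        @Override
        protected boolean accept(Class<?> clazz) {
            String n = clazz.getName();
            return !(n.startsWith("java.") || n.startsWith("javax.") || n.startsWith("jdk."));
        }
    }

    // Failing pattern from the stack trace: the default style descends into Pattern's private fields.
    static String unsafeDump(Object config) {
        return ReflectionToStringBuilder.toString(config, new RecursiveToStringStyle());
    }

    // Hardened dump: no recursion into JDK internals, and the PRNG is excluded by name so its
    // internal state is never written to a log at all.
    static String safeDump(Object config) {
        return new ReflectionToStringBuilder(config, new AppOnlyRecursiveStyle())
                .setExcludeFieldNames("prng")
                .toString();
    }

    public static void main(String[] args) {
        SampleConfig cfg = new SampleConfig();
        System.out.println(safeDump(cfg));
        try {
            System.out.println(unsafeDump(cfg));
        } catch (RuntimeException e) { // java.lang.reflect.InaccessibleObjectException on Java 16+
            System.out.println("reflective dump failed: " + e);
        }
    }
}
```

Adding a field name to an exclusion list fixes one field at a time; overriding accept() covers every present and future JDK-typed field (Duration, SecureRandom, Pattern) in one place.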