How to suppress messages output by ESAPI library

Does anyone know how to suppress the following noisy messages output by the ESAPI library?

System property [org.owasp.esapi.opsteam] is not set
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.

System property [org.owasp.esapi.devteam] is not set
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.

I added the library to my web application (including embedded Tomcat) and ESAPI validation works, but noisy messages are output.

Java code:

writer.write(ESAPI.encoder().encodeForHTML("<test>"));

Dependency of ESAPI:

<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.1.0.1</version>
</dependency>

ESAPI.properties:

https://github.com/k-tamura/embtest/blob/master/src/main/resources/ESAPI.properties

Steps to reproduce:

(1) Run the commands:

$ git clone https://github.com/k-tamura/embtest.git
$ cd embtest
$ mvn clean install

(2) Access http://localhost:8080/ping -> the above logs are shown on the console.

Environment (my local machine):

$ mvn -version
Apache Maven 3.2.2 (45f7c06d68e745d05611f7fd14efb6594181933e; 2014-06-17T22:51:42+09:00)
Maven home: c:\apache-maven-3.2.2
Java version: 1.8.0_121, vendor: Oracle Corporation
Java home: c:\Program Files\Java\jdk1.8.0_121\jre
Default locale: ja_JP, platform encoding: MS932
OS name: "windows 7", version: "6.1", arch: "amd64", family: "dos"
Kohei TAMURA asked Oct 12 '25 14:10


2 Answers

I can work around this issue by adding the following InitializationListener, referring to @avgvstvs's answer:

import java.io.OutputStream;
import java.io.PrintStream;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.owasp.esapi.ESAPI;

@WebListener
public class InitializationListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent event) {

        /* Suppress noisy messages output by the ESAPI library. */
        PrintStream originalOut = System.out;
        PrintStream originalErr = System.err;
        try (PrintStream out = new PrintStream(new OutputStream() {
            @Override
            public void write(int b) {
                // Do nothing
            }
        })) {
            System.setOut(out);
            System.setErr(out);
            // The first call loads ESAPI.properties / validation.properties,
            // which is when the messages are printed.
            ESAPI.encoder();
        } catch (Exception e) {
            // Do nothing
        } finally {
            // Restore both streams, not only System.out; otherwise System.err
            // stays pointed at the closed discarding stream for the rest of
            // the application's life and later error output is lost.
            System.setOut(originalOut);
            System.setErr(originalErr);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Do nothing
    }
}
Kohei TAMURA answered Oct 14 '25 03:10


First off, I want to note that @avgvstvs correctly referenced this in a comment made to @CharlieReitzel on 2022-01-20. I am not trying to take credit for his correct answer (we are both ESAPI project co-leads), but rather trying to get his answer unburied. As noted by @ravi-kumar-b yesterday, this buried comment was not found. Hopefully, this will help uncover the proper way to approach it. So shout out to @avgvstvs for mentioning it.

The correct way to suppress ESAPI output to stdout similar to this

System property [org.owasp.esapi.opsteam] is not set.
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
System property [org.owasp.esapi.devteam] is not set
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\Desktop\embtest-master\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
...

is by setting the System property org.owasp.esapi.logSpecial.discard to true when you invoke your application server, Spring Boot, etc. E.g.,

    java -Dorg.owasp.esapi.logSpecial.discard=true ...

That will work as long as you are using ESAPI 2.2.0.0 or later.

However, please note that there are 2 ESAPI vulnerabilities in ESAPI 2.2.0.0 itself (and many others via dependencies) so you are strongly encouraged to upgrade to a later version (ideally release 2.5.0.0).

Kevin W. Wall answered Oct 14 '25 04:10


