update for missing a couple of possibly unsafe XML parsers #902
msridhar merged 6 commits into uber:master from Crispy-fried-chicken:master
Conversation
| } catch (ParserConfigurationException e) { | ||
| log.warn(e); | ||
| } |
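Review bot: `log.warn(e)` followed by falling through the catch block means the method still returns the factory with only the features that were set before the failing `setFeature` call, so a JAXP implementation that lacks one feature hands callers a parser that still accepts DOCTYPEs and expands entities. Fail closed instead: declare `throws ParserConfigurationException` on the method, or rethrow unchecked, e.g. `throw new IllegalStateException("cannot harden XML parser", e);`.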
Note that catching and swallowing the exception makes it possible to return a document builder factory which is still vulnerable!
I've already deleted this block, please check it again, thank you!
msridhar left a comment
Thanks for this contribution! I have a couple of comments that should be easy to address. Also you will need to agree to the CLA before we can merge this contribution (see the comment on the PR by the bot).
| return new DefaultXMLValueProvider<>(null, klass); | ||
| } | ||
|
|
||
| public DocumentBuilderFactory safeDocumentBuilderFactory() { |
This method should be static. Also can we add a bit of Javadoc as to its purpose?
Of course! Thanks for your comment.
| public DocumentBuilderFactory safeDocumentBuilderFactory() { | ||
| DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); | ||
| dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); | ||
| dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); | ||
| dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); | ||
| dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); | ||
| dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false); | ||
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); | ||
| return dbf; | ||
| } | ||
|
|
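Review bot: `DocumentBuilderFactory.setFeature` declares the checked `ParserConfigurationException`, and `safeDocumentBuilderFactory()` as shown neither catches it nor carries a throws clause, so this version cannot compile; add `throws ParserConfigurationException` to the signature or wrap the calls and rethrow unchecked. Consider also adding `dbf.setXIncludeAware(false);` and `dbf.setExpandEntityReferences(false);`, which OWASP's XXE prevention guidance lists alongside these features; with `disallow-doctype-decl` set to true the external-entity features are defence in depth for a parser that does not honour that Xerces-specific feature.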
Once we make the XMLUtil#safeDocumentBuilderFactory method static, we can get rid of this method, and just call XMLUtil.safeDocumentBuilderFactory() below.
Sure, I've already made the XMLUtil#safeDocumentBuilderFactory method static. Please check it again, thank you!
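As an added example (not code from this PR or from the NullAway project), the following stand-alone Java program shows why the two review points above matter. It builds the hardened factory fail-closed, so an unsupported feature throws instead of a half-configured factory being returned, and then parses a constructed DOCTYPE payload with both the default factory and the hardened one. It uses the feature list from the PR plus setXIncludeAware(false) and setExpandEntityReferences(false), which OWASP's XXE prevention guidance also recommends; the class name, method names and the payload are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeXmlDemo {

  // Constructed sample input: a DOCTYPE that declares an entity and references it.
  // An internal entity is used so the demo runs offline; the classic XXE payload
  // declares the same entity as SYSTEM "file:///etc/passwd" or an http:// URL.
  static final String DOCTYPE_PAYLOAD =
      "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE root [ <!ENTITY secret \"leaked\"> ]>\n"
          + "<root>&secret;</root>";

  /**
   * Returns a DocumentBuilderFactory that refuses DOCTYPE declarations and external
   * entities. Fails closed: if the underlying parser does not support a feature, an
   * exception is thrown instead of a partially hardened factory being returned.
   */
  static DocumentBuilderFactory safeDocumentBuilderFactory() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    try {
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
      dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
      dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
      // Do not log-and-continue: the caller would receive a factory that still expands entities.
      throw new IllegalStateException("XML parser does not support required hardening features", e);
    }
    // Additional settings from the OWASP XXE prevention guidance (assumption: belt-and-braces
    // for parsers that do not honour the Xerces-specific disallow-doctype-decl feature).
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    return dbf;
  }

  /**
   * Parses the XML with the given factory and returns the text content of the root element,
   * or null when the parser rejected the document (e.g. because the DOCTYPE is disallowed).
   */
  static String parseRoot(DocumentBuilderFactory dbf, String xml) throws Exception {
    try {
      Document doc =
          dbf.newDocumentBuilder()
              .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      return doc.getDocumentElement().getTextContent();
    } catch (SAXParseException e) {
      return null;
    }
  }

  public static void main(String[] args) throws Exception {
    // Default factory: the DOCTYPE is accepted and the entity is expanded into the document.
    System.out.println("default  -> " + parseRoot(DocumentBuilderFactory.newInstance(), DOCTYPE_PAYLOAD));
    // Hardened factory: the DOCTYPE itself is rejected, so no entity, internal or external,
    // can be declared, and parseRoot reports the rejection as null.
    System.out.println("hardened -> " + parseRoot(safeDocumentBuilderFactory(), DOCTYPE_PAYLOAD));
  }
}
```

With a stock JDK the default factory returns the expanded entity text, while the hardened factory stops at the DOCTYPE declaration and parseRoot returns null; that difference is what a regression test for the fix should assert on. Because disallow-doctype-decl rejects the declaration outright, it blocks the external SYSTEM entity form of the payload as well as the internal one used here.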
| * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | ||
| * OUT OF OR IN CONNECTION WITH com.uber.nullaway.fixserializationTHE SOFTWARE OR THE USE OR OTHER DEALINGS IN |
Can we revert this change? We shouldn't modify license headers unless there's a reason.
|
|
||
|
|
Can you run our configured formatter (./gradlew spotlessApply) on this PR?
We try to be consistent in formatting and these two blank lines don't seem right.
msridhar left a comment
In addition to the comment, based on the CI run it looks like there are compile errors. You can run ./gradlew compileJava to ensure that all the code compiles.
| return new DefaultXMLValueProvider<>(null, klass); | ||
| } | ||
|
|
||
| public static DocumentBuilderFactory safeDocumentBuilderFactory() { |
Please add Javadoc describing what this method does
Does your project use JDK 21?
JDK 21 is required in order to run certain tests. Sorry for the hassle.
I've already pushed, and ./gradlew spotlessApply runs successfully.
But the CI ./gradlew compileJava failed because it needs to use JDK 8? I don't know why, but I think it's not caused by the code I've added. Please check it again, and I will try to fix it if you find any error again. Sorry to trouble you again.
msridhar left a comment
Thanks for the contribution!
Codecov Report
Coverage Diff: master vs #902
Coverage    86.99% -> 86.98%  (-0.01%)
Complexity  1958   -> 1959    (+1)
Files       77     -> 77
Lines       6319   -> 6330    (+11)
Branches    1223   -> 1223
Hits        5497   -> 5506    (+9)
Misses      418    -> 420     (+2)
Partials    404    -> 404
Thank you for your merge! Considering the possible information leakage consequences of this vulnerability, maybe we can request a CVE ID?

Sorry no, I do not believe this deserves a CVE. See my previous comments.
Fixes #901