summaryrefslogtreecommitdiff
path: root/eaaf_core/src
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-12-09 18:20:56 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-12-09 18:20:56 +0100
commitc4f117e74b8ade8b420f0443955ec6b94f88cee4 (patch)
tree5d8aabd71d2df048bf2a1897a97a7cf13061b29c /eaaf_core/src
parent9e7812cb52bfe64e72855eecbd28a756718ce1e1 (diff)
downloadEAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.gz
EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.bz2
EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.zip
add findSecBugs extension into spotbugs plug-in
Diffstat (limited to 'eaaf_core/src')
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java35
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java1
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java7
3 files changed, 15 insertions, 28 deletions
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index 50bf76db..4410267e 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -20,8 +20,6 @@
package at.gv.egiz.eaaf.core.impl.idp.auth.services;
import java.io.IOException;
-import java.io.PrintWriter;
-import java.io.StringWriter;
import java.util.HashSet;
import javax.annotation.PostConstruct;
@@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
// write generic message for general exceptions
final String msg =
statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null);
- writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable);
+ writeHtmlErrorResponse(req, resp, msg, "9199", null);
}
@@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq,
@NonNull final HttpServletResponse httpResp, @NonNull final String msg,
- @NonNull final String errorCode, @Nullable final Object[] params,
- @NonNull final Exception error) throws EaafException {
+ @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException {
try {
final IGuiBuilderConfiguration config =
@@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS,
ArrayUtils.toString(errorCodeParams));
- // add stacktrace if debug is enabled
- if (log.isTraceEnabled()) {
- ((ModifyableGuiBuilderConfiguration) config).putCustomParameter(
- AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE,
- getStacktraceFromException(error));
-
- }
-
} else {
log.info(
"Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable ");
@@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
}
- private String getStacktraceFromException(final Exception ex) {
- final StringWriter errors = new StringWriter();
- ex.printStackTrace(new PrintWriter(errors));
- return errors.toString();
-
- }
-
private void internalMoaidExceptionHandler(final HttpServletRequest req,
final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog)
throws IOException, EaafException {
if (e instanceof ProtocolNotActiveException) {
- resp.getWriter().write(e.getMessage());
+ resp.getWriter().write(Encode.forHtml(e.getMessage()));
resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8);
resp.sendError(HttpServletResponse.SC_FORBIDDEN,
StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage())));
@@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
// write error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
} else if (e instanceof InvalidProtocolRequestException) {
// send error response
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
} else if (e instanceof ConfigurationException) {
// send HTML formated error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
} else if (e instanceof EaafException) {
// send HTML formated error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- ((EaafException) e).getParams(), e);
+ ((EaafException) e).getParams());
} else if (e instanceof ProcessExecutionException) {
// send HTML formated error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
}
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
index 14537d44..edca0fba 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
@@ -101,6 +101,7 @@ public class ProcessDefinitionParser {
// Standard implementation of XMLInputFactory seems not to be thread-safe
final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+ inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
reader = inputFactory.createXMLEventReader(processDefinitionInputStream);
final List<StartElement> transitionElements = new ArrayList<>();
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
index e8d5c294..4b8a7a04 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
@@ -33,6 +33,7 @@ import java.util.Map.Entry;
import java.util.Set;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
-import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
-
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.xerces.parsers.DOMParser;
@@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
+import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
+
/**
* Various utility functions for handling XML DOM trees.
*
@@ -785,6 +786,7 @@ public class DomUtils {
throws TransformerException, IOException {
final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
final Transformer transformer = transformerFactory.newTransformer();
final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384);
@@ -1211,6 +1213,7 @@ public class DomUtils {
// StringWriter stringWriter = new StringWriter();
final Result result = new StreamResult(out);
final TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
final Transformer transformer = factory.newTransformer();
transformer.transform(source, result);
return out.toByteArray();