add findSecBugs extension into spotbugs plug-in

3 files changed, 15 insertions, 28 deletions

diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index 50bf76db..4410267e 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -20,8 +20,6 @@
 package at.gv.egiz.eaaf.core.impl.idp.auth.services;
 
 import java.io.IOException;
-import java.io.PrintWriter;
-import java.io.StringWriter;
 import java.util.HashSet;
 
 import javax.annotation.PostConstruct;
@@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
       // write generic message for general exceptions
       final String msg =
           statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null);
-      writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable);
+      writeHtmlErrorResponse(req, resp, msg, "9199", null);
 
     }
 
@@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq,
       @NonNull final HttpServletResponse httpResp, @NonNull final String msg,
-      @NonNull final String errorCode, @Nullable final Object[] params,
-      @NonNull final Exception error) throws EaafException {
+      @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException {
 
     try {
       final IGuiBuilderConfiguration config =
@@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
             AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS,
             ArrayUtils.toString(errorCodeParams));
 
-        // add stacktrace if debug is enabled
-        if (log.isTraceEnabled()) {
-          ((ModifyableGuiBuilderConfiguration) config).putCustomParameter(
-              AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE,
-              getStacktraceFromException(error));
-
-        }
-
       } else {
         log.info(
             "Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable ");
@@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   }
 
-  private String getStacktraceFromException(final Exception ex) {
-    final StringWriter errors = new StringWriter();
-    ex.printStackTrace(new PrintWriter(errors));
-    return errors.toString();
-
-  }
-
   private void internalMoaidExceptionHandler(final HttpServletRequest req,
       final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog)
       throws IOException, EaafException {
     if (e instanceof ProtocolNotActiveException) {
-      resp.getWriter().write(e.getMessage());
+      resp.getWriter().write(Encode.forHtml(e.getMessage()));
       resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8);
       resp.sendError(HttpServletResponse.SC_FORBIDDEN,
           StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage())));
@@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
       // write error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof InvalidProtocolRequestException) {
       // send error response
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof ConfigurationException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof EaafException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          ((EaafException) e).getParams(), e);
+          ((EaafException) e).getParams());
 
     } else if (e instanceof ProcessExecutionException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     }
 
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
index 14537d44..edca0fba 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
@@ -101,6 +101,7 @@ public class ProcessDefinitionParser {
 
       // Standard implementation of XMLInputFactory seems not to be thread-safe
       final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+      inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
       reader = inputFactory.createXMLEventReader(processDefinitionInputStream);
 
       final List<StartElement> transitionElements = new ArrayList<>();
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
index e8d5c294..4b8a7a04 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
@@ -33,6 +33,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.Vector;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
-import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
-
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.xerces.parsers.DOMParser;
@@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
+
 /**
  * Various utility functions for handling XML DOM trees.
  *
@@ -785,6 +786,7 @@ public class DomUtils {
       throws TransformerException, IOException {
 
     final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = transformerFactory.newTransformer();
     final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384);
 
@@ -1211,6 +1213,7 @@ public class DomUtils {
     // StringWriter stringWriter = new StringWriter();
     final Result result = new StreamResult(out);
     final TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = factory.newTransformer();
     transformer.transform(source, result);
     return out.toByteArray();