| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-10 15:01:14 +0100 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-10 15:01:14 +0100 | 
| commit | 6cebc7aa1aecb1bc8f87443887a90fe851893954 (patch) | |
| tree | 90f9b8b0187a4bb4d033ccd57cc15e72b27791ae /eaaf_core | |
| parent | a126c249b8ed83dce4386331a49d04a42b53e448 (diff) | |
| parent | 360df2054cdc5a8bc194f7701b2bfa5a9c39dd0d (diff) | |
Merge branch 'feature/someSmallUpdates' into 'nightlyBuild'
Feature/some small updates
See merge request egiz/eaaf_components!6
Diffstat (limited to 'eaaf_core')
5 files changed, 208 insertions, 157 deletions
diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..aa11a955
--- /dev/null
+++ b/eaaf_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- bPK requires SHA1 from specification -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" />
+      <OR>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/>
+      <Method name="performRedirectToItself" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/>
+      <Method name="forwardToErrorHandler" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- the ErrorToken is only single-used as same as a CSRF token -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+      <Method name="errorHandling" />
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+    </Match>
+    <Match>
+      <!-- Only used to evaluate expressions from pre-compiled process-flows -->
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/>
+      </OR>
+      <Bug pattern="SPEL_INJECTION" />
+    </Match>
+    <Match>
+      <!-- URL will be only generated from configuration path-->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/>
+      <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+      <!-- Logging of request parameters is allowed for this classes -->   
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/>
+      </OR>
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_core/pom.xml b/eaaf_core/pom.xml
index a1eee06e..178b53a3 100644
--- a/eaaf_core/pom.xml
+++ b/eaaf_core/pom.xml
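Review bot: The PATH_TRAVERSAL_IN match for AbstractConfigurationImpl is the only suppression in this file without a `<Method>` element, so it silences that detector for every present and future method of the class rather than just the configuration-path lookup the comment describes; the CRLF_INJECTION_LOGS match has the same class-wide scope across three controllers. Narrowing each with `<Method name="METHOD_NAME_PLACEHOLDER" />`, as the redirect and CSRF entries already do, keeps the filter as tight as the rest of the file and makes a new finding in those classes visible instead of pre-excluded. The `<OR>` wrapper around the single WEAK_MESSAGE_DIGEST_SHA1 pattern is redundant and can be dropped.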
@@ -1,108 +1,112 @@  <?xml version="1.0" encoding="UTF-8"?> -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> +<project xmlns="http://maven.apache.org/POM/4.0.0" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">    <modelVersion>4.0.0</modelVersion>    <parent> -	<groupId>at.gv.egiz</groupId> -	<artifactId>eaaf</artifactId> -	<version>1.1.11-SNAPSHOT</version> +    <groupId>at.gv.egiz</groupId> +    <artifactId>eaaf</artifactId> +    <version>1.1.11-SNAPSHOT</version>    </parent>    <groupId>at.gv.egiz.eaaf</groupId>    <artifactId>eaaf-core</artifactId>    <name>EAAF core components</name>    <description>Core components for identity managment implementations</description> -      +    <dependencies> -  	<dependency> -  		<groupId>at.gv.egiz.eaaf</groupId> -  		<artifactId>eaaf_core_api</artifactId> -  	</dependency> -  	<dependency> -		<groupId>at.gv.egiz.eaaf</groupId> -  		<artifactId>eaaf_core_utils</artifactId> -  	</dependency> -   -  	<dependency> -  		<groupId>at.gv.egiz.components</groupId> -    	<artifactId>eventlog-api</artifactId> -  	</dependency> -  	<dependency> -  		<groupId>at.gv.egiz.components</groupId> -    	<artifactId>egiz-spring-api</artifactId> -  	</dependency> -  	<dependency> -  		<groupId>javax.annotation</groupId> -    	<artifactId>javax.annotation-api</artifactId> -  	</dependency> -  	<dependency> -  		<groupId>org.springframework</groupId> -		<artifactId>spring-webmvc</artifactId> -        <scope>provided</scope> -  	</dependency> -  	<dependency> -    	<groupId>org.slf4j</groupId> -    	<artifactId>slf4j-api</artifactId> -	</dependency> -	<!-- dependency> -    	<groupId>org.slf4j</groupId> -    	<artifactId>slf4j-log4j12</artifactId> -	</dependency--> -	<dependency> -		
<groupId>commons-codec</groupId> -    	<artifactId>commons-codec</artifactId> -	</dependency> -	<dependency> -		<groupId>org.apache.commons</groupId> -    	<artifactId>commons-lang3</artifactId> -	</dependency>	 -    <dependency> -		<groupId>org.apache.commons</groupId> -    	<artifactId>commons-collections4</artifactId> -	</dependency> -	<dependency> -		<groupId>org.apache.commons</groupId> -    	<artifactId>commons-text</artifactId> -	</dependency> -	<dependency> -		<groupId>commons-fileupload</groupId> -    	<artifactId>commons-fileupload</artifactId> -	</dependency> -	<dependency> -		<groupId>javax.servlet</groupId> -		<artifactId>javax.servlet-api</artifactId> -	</dependency> -	<dependency> -		<groupId>org.apache.velocity</groupId> -		<artifactId>velocity</artifactId> -	</dependency> +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_core_api</artifactId> +    </dependency> +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_core_utils</artifactId> +    </dependency> + +    <dependency> +      <groupId>at.gv.egiz.components</groupId> +      <artifactId>eventlog-api</artifactId> +    </dependency> +    <dependency> +      <groupId>at.gv.egiz.components</groupId> +      <artifactId>egiz-spring-api</artifactId> +    </dependency> +    <dependency> +      <groupId>javax.annotation</groupId> +      <artifactId>javax.annotation-api</artifactId> +    </dependency> +    <dependency> +      <groupId>org.springframework</groupId> +      <artifactId>spring-webmvc</artifactId> +      <scope>provided</scope> +    </dependency> +    <dependency> +      <groupId>org.slf4j</groupId> +      <artifactId>slf4j-api</artifactId> +    </dependency> +    <!-- dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId>  +      </dependency --> +    <dependency> +      <groupId>commons-codec</groupId> +      <artifactId>commons-codec</artifactId> +    </dependency> +    <dependency> +      
<groupId>org.apache.commons</groupId> +      <artifactId>commons-lang3</artifactId> +    </dependency> +    <dependency> +      <groupId>org.apache.commons</groupId> +      <artifactId>commons-collections4</artifactId> +    </dependency> +    <dependency> +      <groupId>org.apache.commons</groupId> +      <artifactId>commons-text</artifactId> +    </dependency> +    <dependency> +      <groupId>commons-fileupload</groupId> +      <artifactId>commons-fileupload</artifactId> +    </dependency> +    <dependency> +      <groupId>javax.servlet</groupId> +      <artifactId>javax.servlet-api</artifactId> +    </dependency> +    <dependency> +      <groupId>org.apache.velocity</groupId> +      <artifactId>velocity</artifactId> +    </dependency>      <dependency>        <groupId>commons-collections</groupId> -      <artifactId>commons-collections</artifactId> -    </dependency> - 	<dependency> -		<groupId>jaxen</groupId> -    	<artifactId>jaxen</artifactId> -	</dependency> -	<dependency> -		<groupId>xerces</groupId> -    	<artifactId>xercesImpl</artifactId> -	</dependency> -	<dependency> -		<groupId>xalan</groupId> -	    <artifactId>xalan</artifactId> -	</dependency> -		 +      <artifactId>commons-collections</artifactId>       +    </dependency> +    <dependency> +      <groupId>org.owasp.encoder</groupId> +      <artifactId>encoder</artifactId> +    </dependency> +    <dependency> +      <groupId>jaxen</groupId> +      <artifactId>jaxen</artifactId> +    </dependency> +    <dependency> +      <groupId>xerces</groupId> +      <artifactId>xercesImpl</artifactId> +    </dependency> +    <dependency> +      <groupId>xalan</groupId> +      <artifactId>xalan</artifactId> +    </dependency> +      <!-- For testing --> -	<dependency> -		<groupId>junit</groupId> -      	<artifactId>junit</artifactId> -      	<scope>test</scope> -	</dependency> -	<dependency> -		<groupId>org.springframework</groupId> -		<artifactId>spring-test</artifactId> -		<scope>test</scope> -	</dependency> + 
   <dependency> +      <groupId>junit</groupId> +      <artifactId>junit</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.springframework</groupId> +      <artifactId>spring-test</artifactId> +      <scope>test</scope> +    </dependency>      <dependency>        <groupId>at.gv.egiz.eaaf</groupId>        <artifactId>eaaf_core_utils</artifactId> @@ -110,10 +114,10 @@        <type>test-jar</type>      </dependency>    </dependencies> -   -   <build> + +  <build>      <finalName>eaaf_core</finalName> -     +      <plugins>        <plugin>          <groupId>org.apache.maven.plugins</groupId> 
@@ -124,44 +128,54 @@            <target>1.8</target>          </configuration>          <executions> -        	<execution> -        		<goals> -        			<goal>compile</goal> -        			<goal>testCompile</goal> -        		</goals> -        	</execution> +          <execution> +            <goals> +              <goal>compile</goal> +              <goal>testCompile</goal> +            </goals> +          </execution>          </executions>        </plugin>        <plugin> -    	<groupId>org.apache.maven.plugins</groupId> -    	<artifactId>maven-jar-plugin</artifactId> -    	<version>3.1.0</version> -    	<executions> -        	<execution> -            	<goals> -                	<goal>test-jar</goal> -            	</goals> -        	</execution> -    	</executions> -	  </plugin> -       +        <groupId>org.apache.maven.plugins</groupId> +        <artifactId>maven-jar-plugin</artifactId> +        <version>3.1.0</version> +        <executions> +          <execution> +            <goals> +              <goal>test-jar</goal> +            </goals> +          </execution> +        </executions> +      </plugin> +        <!-- enable co-existence of testng and junit --> -			<plugin> -				<artifactId>maven-surefire-plugin</artifactId> -				<version>${surefire.version}</version> -				<configuration> -					<threadCount>1</threadCount> -				</configuration> -				<dependencies> -					<dependency> -						<groupId>org.apache.maven.surefire</groupId> -						<artifactId>surefire-junit47</artifactId> -						<version>${surefire.version}</version> -					</dependency> -				</dependencies> -			</plugin> -       +      <plugin> +        <artifactId>maven-surefire-plugin</artifactId> +        <version>${surefire.version}</version> +        <configuration> +          <threadCount>1</threadCount> +        </configuration> +        <dependencies> +          <dependency> +            <groupId>org.apache.maven.surefire</groupId> +            <artifactId>surefire-junit47</artifactId> +        
    <version>${surefire.version}</version> +          </dependency> +        </dependencies> +      </plugin> + +      <plugin> +        <groupId>com.github.spotbugs</groupId> +        <artifactId>spotbugs-maven-plugin</artifactId> +        <version>${spotbugs-maven-plugin.version}</version> +        <configuration> +          <failOnError>true</failOnError> +          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> +        </configuration> +      </plugin> +      </plugins>    </build> -   +  </project> diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java index 50bf76db..4410267e 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java @@ -20,8 +20,6 @@  package at.gv.egiz.eaaf.core.impl.idp.auth.services;  import java.io.IOException; -import java.io.PrintWriter; -import java.io.StringWriter;  import java.util.HashSet;  import javax.annotation.PostConstruct; @@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse;  import org.apache.commons.lang3.ArrayUtils;  import org.apache.commons.lang3.StringUtils;  import org.apache.commons.text.StringEscapeUtils; +import org.owasp.encoder.Encode;  import org.slf4j.Logger;  import org.slf4j.LoggerFactory;  import org.springframework.beans.factory.annotation.Autowired; 
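Review bot: The spotbugs-maven-plugin declaration added at the end of the `<plugins>` block sets `failOnError` but has no `<executions>` binding the `check` goal to a phase, so unless the parent POM's pluginManagement supplies one, the analysis runs only when `spotbugs:check` is invoked by hand and the new exclude file never gates a build. The patterns listed in checks/spotbugs-exclude.xml (SPEL_INJECTION, PATH_TRAVERSAL_IN, UNVALIDATED_REDIRECT, CRLF_INJECTION_LOGS, SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING) belong to the find-sec-bugs detector set, which SpotBugs does not ship; if the parent does not add the `findsecbugs-plugin` artifact under the plugin's `<dependencies>`, those suppressions are inert because the detectors never run. `${spotbugs-maven-plugin.version}` is not defined in this file either, so it must resolve from the parent.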
@@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
       // write generic message for general exceptions
       final String msg =
           statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null);
-      writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable);
+      writeHtmlErrorResponse(req, resp, msg, "9199", null);
     }
@@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
   private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq,
       @NonNull final HttpServletResponse httpResp, @NonNull final String msg,
-      @NonNull final String errorCode, @Nullable final Object[] params,
-      @NonNull final Exception error) throws EaafException {
+      @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException {
     try {
       final IGuiBuilderConfiguration config =
@@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
             AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS,
             ArrayUtils.toString(errorCodeParams));
-        // add stacktrace if debug is enabled
-        if (log.isTraceEnabled()) {
-          ((ModifyableGuiBuilderConfiguration) config).putCustomParameter(
-              AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE,
-              getStacktraceFromException(error));
-
-        }
-
       } else {
         log.info(
             "Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable ");
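Review bot: With the `error` parameter gone from writeHtmlErrorResponse (hunk at -460) and the TRACE-gated block removed (hunk at -492), nothing feeds PARAM_GUI_ERRORSTACKTRACE any more; if that constant has no other use it should go with this change, and any GUI template that still references the parameter will now render it empty. Taking the stack trace out of the HTML response is the right direction, since it exposed internal class and line information to the client whenever TRACE logging happened to be on. Nothing in these hunks logs the exception server-side, so please confirm the callers still record it (the `writeExceptionToStatisicLog` flag in internalMoaidExceptionHandler suggests they do); writeHtmlErrorResponse starts and ends outside the hunks shown here.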
@@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
   }
-  private String getStacktraceFromException(final Exception ex) {
-    final StringWriter errors = new StringWriter();
-    ex.printStackTrace(new PrintWriter(errors));
-    return errors.toString();
-
-  }
-
   private void internalMoaidExceptionHandler(final HttpServletRequest req,
       final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog)
       throws IOException, EaafException {
     if (e instanceof ProtocolNotActiveException) {
-      resp.getWriter().write(e.getMessage());
+      resp.getWriter().write(Encode.forHtml(e.getMessage()));
       resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8);
       resp.sendError(HttpServletResponse.SC_FORBIDDEN,
           StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage())));
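Review bot: The newly encoded `resp.getWriter().write(...)` is followed two lines later by `resp.sendError(...)`, which by the HttpServletResponse contract clears the buffer when the response is not yet committed and throws IllegalStateException when it is, so the encoded write is either discarded or a fault; keep one mechanism, most simply by deleting the write line and the setContentType call that only exists for it. The same message is then escaped two different ways within four lines (`Encode.forHtml` here, `escapeHtml4(escapeEcmaScript(...))` in sendError), and the ECMAScript-then-HTML double escaping garbles quotes and non-ASCII in an HTML body; `Encode.forHtml(e.getMessage())` for the sendError argument as well would make the handling consistent, unless the container's error page really embeds the message in a script context. The body of internalMoaidExceptionHandler continues outside this hunk.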
@@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
       // write error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
     } else if (e instanceof InvalidProtocolRequestException) {
       // send error response
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
     } else if (e instanceof ConfigurationException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
     } else if (e instanceof EaafException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          ((EaafException) e).getParams(), e);
+          ((EaafException) e).getParams());
     } else if (e instanceof ProcessExecutionException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
     }
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
index 14537d44..edca0fba 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
@@ -101,6 +101,7 @@ public class ProcessDefinitionParser {
       // Standard implementation of XMLInputFactory seems not to be thread-safe
       final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+      inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
       reader = inputFactory.createXMLEventReader(processDefinitionInputStream);
       final List<StartElement> transitionElements = new ArrayList<>();
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
index e8d5c294..4b8a7a04 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
@@ -33,6 +33,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.Vector;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
-import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
-
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.xerces.parsers.DOMParser;
@@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
+
 /**
  * Various utility functions for handling XML DOM trees.
  *
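Review bot: Disabling SUPPORT_DTD on the added line stops DOCTYPE processing, but the StAX hardening guidance pairs it with the external-entity switch, and some factory implementations honour the two independently; add `inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);` directly below it so that external entities stay off even if DTD support is later re-enabled or the provider differs. A short why-comment on the new line, `// process definitions are trusted files, but never resolve DTDs or external entities while parsing them`, would keep the next maintainer from removing it as an apparent no-op. The enclosing method begins and ends outside this hunk.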
@@ -785,6 +786,7 @@ public class DomUtils {
       throws TransformerException, IOException {
     final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = transformerFactory.newTransformer();
     final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384);
@@ -1211,6 +1213,7 @@ public class DomUtils {
     // StringWriter stringWriter = new StringWriter();
     final Result result = new StreamResult(out);
     final TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = factory.newTransformer();
     transformer.transform(source, result);
     return out.toByteArray();
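Review bot: FEATURE_SECURE_PROCESSING on the two added lines (hunks at -785 and -1211) limits extension functions and resource use, but it does not by itself stop a TransformerFactory from fetching external DTDs or stylesheets; the JAXP 1.5 attributes `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` set to `""` close that, and because the pom now puts xalan on the classpath the provider may be one that rejects those attributes, so the calls need an IllegalArgumentException guard. Both hunks create and configure the factory identically, which argues for one private helper used by both methods instead of a second copy to keep in sync; the enclosing methods start and end outside the hunks shown.
```java
  /** Creates a TransformerFactory with secure processing on and external DTD/stylesheet access off. */
  private static TransformerFactory newSecureTransformerFactory() throws TransformerConfigurationException {
    final TransformerFactory factory = TransformerFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    try {
      factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
      factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    } catch (final IllegalArgumentException ignored) {
      // provider predates JAXP 1.5 and does not know these attributes; secure processing still applies
    }
    return factory;
  }

  // … unchanged: method at -785 now calls newSecureTransformerFactory() instead of TransformerFactory.newInstance() …
  // … unchanged: method at -1211 now calls newSecureTransformerFactory() instead of TransformerFactory.newInstance() …
```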
