diff options
| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-09 18:20:56 +0100 |
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-09 18:20:56 +0100 |
| commit | c4f117e74b8ade8b420f0443955ec6b94f88cee4 (patch) | |
| tree | 5d8aabd71d2df048bf2a1897a97a7cf13061b29c /eaaf_core_utils | |
| parent | 9e7812cb52bfe64e72855eecbd28a756718ce1e1 (diff) | |
| download | EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.gz EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.tar.bz2 EAAF-Components-c4f117e74b8ade8b420f0443955ec6b94f88cee4.zip | |
add findSecBugs extension into spotbugs plug-in
Diffstat (limited to 'eaaf_core_utils')
3 files changed, 38 insertions, 2 deletions
diff --git a/eaaf_core_utils/checks/spotbugs-exclude.xml b/eaaf_core_utils/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..b42f34c2 --- /dev/null +++ b/eaaf_core_utils/checks/spotbugs-exclude.xml @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <Class name="at.gv.egiz.eaaf.core.impl.utils.EaafSerializationUtils" /> + <OR> + <Bug pattern="OBJECT_DESERIALIZATION" /> + </OR> + </Match> + <Match> + <!-- Paths and URLs only loaded from configuration --> + <Class name="at.gv.egiz.eaaf.core.impl.utils.FileUtils" /> + <OR> + <Bug pattern="URLCONNECTION_SSRF_FD" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </OR> + </Match> + <Match> + <!-- Paths and URLs only loaded from configuration --> + <Class name="at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils" /> + <OR> + <Bug pattern="URLCONNECTION_SSRF_FD" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </OR> + </Match> +</FindBugsFilter>
\ No newline at end of file diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml index 947faf4b..c7cefa8d 100644 --- a/eaaf_core_utils/pom.xml +++ b/eaaf_core_utils/pom.xml @@ -181,6 +181,16 @@ </dependencies> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java index 8ec5f3a8..cfb4ed88 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java @@ -2,8 +2,8 @@ package at.gv.egiz.eaaf.core.impl.utils; import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; +import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.util.Arrays; import java.util.Base64; import javax.annotation.PostConstruct; @@ -109,7 +109,8 @@ public class SecurePendingRequestIdGenerationStrategy log.trace("Checking HMAC from externalPendingReqId ... "); final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]); final byte[] refDigist = calculateHmac(buildInternalToken(internalPendingReqId, timeStamp)); - if (!Arrays.equals(tokenDigest, refDigist)) { + + if (!MessageDigest.isEqual(refDigist,tokenDigest)) { log.warn("Digest of Token does NOT match"); log.debug("Token: {} | Ref: {}", tokenDigest, refDigist); throw new PendingReqIdValidationException(null, "internal.pendingreqid.04"); |