diff options
16 files changed, 339 insertions, 219 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 37ca635e..ef026155 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -13,7 +13,6 @@ variables: include: - template: Dependency-Scanning.gitlab-ci.yml - - template: Security/SAST.gitlab-ci.yml - template: Secret-Detection.gitlab-ci.yml - template: Code-Quality.gitlab-ci.yml diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..aa11a955 --- /dev/null +++ b/eaaf_core/checks/spotbugs-exclude.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- bPK requires SHA1 from specification --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" /> + <OR> + <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" /> + </OR> + </Match> + <Match> + <!-- only redirects to internal addresses --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/> + <Method name="performRedirectToItself" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> + <Match> + <!-- only redirects to internal addresses --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/> + <Method name="forwardToErrorHandler" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> + <Match> + <!-- the ErrorToken is only single-used as same as a CSRF token --> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> + <Method name="errorHandling" /> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> + <Match> + <!-- Only used to evaluate expressions from pre-compiled process-flows --> + <OR> + <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/> + </OR> + <Bug pattern="SPEL_INJECTION" /> + </Match> + <Match> + <!-- URL will be only generated from configuration path--> + <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </Match> + <Match> + <!-- Logging of request parameters is allowed for this classes --> + <OR> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> + <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/> + </OR> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> +</FindBugsFilter> diff --git a/eaaf_core/pom.xml b/eaaf_core/pom.xml index a1eee06e..178b53a3 100644 --- a/eaaf_core/pom.xml +++ b/eaaf_core/pom.xml @@ -1,108 +1,112 @@ <?xml version="1.0" encoding="UTF-8"?> -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <parent> - <groupId>at.gv.egiz</groupId> - <artifactId>eaaf</artifactId> - <version>1.1.11-SNAPSHOT</version> + <groupId>at.gv.egiz</groupId> + <artifactId>eaaf</artifactId> + <version>1.1.11-SNAPSHOT</version> </parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf-core</artifactId> <name>EAAF core components</name> <description>Core components for identity managment implementations</description> - + <dependencies> - <dependency> - <groupId>at.gv.egiz.eaaf</groupId> - <artifactId>eaaf_core_api</artifactId> - </dependency> - <dependency> - <groupId>at.gv.egiz.eaaf</groupId> - <artifactId>eaaf_core_utils</artifactId> - </dependency> - - <dependency> - <groupId>at.gv.egiz.components</groupId> - <artifactId>eventlog-api</artifactId> - </dependency> - <dependency> - <groupId>at.gv.egiz.components</groupId> - <artifactId>egiz-spring-api</artifactId> - </dependency> - <dependency> - <groupId>javax.annotation</groupId> - <artifactId>javax.annotation-api</artifactId> - </dependency> - <dependency> - <groupId>org.springframework</groupId> - <artifactId>spring-webmvc</artifactId> - <scope>provided</scope> - </dependency> - <dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-api</artifactId> - </dependency> - <!-- dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-log4j12</artifactId> - </dependency--> - <dependency> - <groupId>commons-codec</groupId> - <artifactId>commons-codec</artifactId> - </dependency> - <dependency> - <groupId>org.apache.commons</groupId> - <artifactId>commons-lang3</artifactId> - </dependency> - <dependency> - <groupId>org.apache.commons</groupId> - <artifactId>commons-collections4</artifactId> - </dependency> - <dependency> - <groupId>org.apache.commons</groupId> - <artifactId>commons-text</artifactId> - </dependency> - <dependency> - <groupId>commons-fileupload</groupId> - <artifactId>commons-fileupload</artifactId> - </dependency> - <dependency> - <groupId>javax.servlet</groupId> - <artifactId>javax.servlet-api</artifactId> - </dependency> - <dependency> - <groupId>org.apache.velocity</groupId> - <artifactId>velocity</artifactId> - </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_api</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_utils</artifactId> + </dependency> + + <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>eventlog-api</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>egiz-spring-api</artifactId> + </dependency> + <dependency> + <groupId>javax.annotation</groupId> + <artifactId>javax.annotation-api</artifactId> + </dependency> + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-webmvc</artifactId> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-api</artifactId> + </dependency> + <!-- dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> + </dependency --> + <dependency> + <groupId>commons-codec</groupId> + <artifactId>commons-codec</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-lang3</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-collections4</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-text</artifactId> + </dependency> + <dependency> + <groupId>commons-fileupload</groupId> + <artifactId>commons-fileupload</artifactId> + </dependency> + <dependency> + <groupId>javax.servlet</groupId> + <artifactId>javax.servlet-api</artifactId> + </dependency> + <dependency> + <groupId>org.apache.velocity</groupId> + <artifactId>velocity</artifactId> + </dependency> <dependency> <groupId>commons-collections</groupId> - <artifactId>commons-collections</artifactId> - </dependency> - <dependency> - <groupId>jaxen</groupId> - <artifactId>jaxen</artifactId> - </dependency> - <dependency> - <groupId>xerces</groupId> - <artifactId>xercesImpl</artifactId> - </dependency> - <dependency> - <groupId>xalan</groupId> - <artifactId>xalan</artifactId> - </dependency> - + <artifactId>commons-collections</artifactId> + </dependency> + <dependency> + <groupId>org.owasp.encoder</groupId> + <artifactId>encoder</artifactId> + </dependency> + <dependency> + <groupId>jaxen</groupId> + <artifactId>jaxen</artifactId> + </dependency> + <dependency> + <groupId>xerces</groupId> + <artifactId>xercesImpl</artifactId> + </dependency> + <dependency> + <groupId>xalan</groupId> + <artifactId>xalan</artifactId> + </dependency> + <!-- For testing --> - <dependency> - <groupId>junit</groupId> - <artifactId>junit</artifactId> - <scope>test</scope> - </dependency> - <dependency> - <groupId>org.springframework</groupId> - <artifactId>spring-test</artifactId> - <scope>test</scope> - </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-test</artifactId> + <scope>test</scope> + </dependency> <dependency> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_core_utils</artifactId> @@ -110,10 +114,10 @@ <type>test-jar</type> </dependency> </dependencies> - - <build> + + <build> <finalName>eaaf_core</finalName> - + <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> @@ -124,44 +128,54 @@ <target>1.8</target> </configuration> <executions> - <execution> - <goals> - <goal>compile</goal> - <goal>testCompile</goal> - </goals> - </execution> + <execution> + <goals> + <goal>compile</goal> + <goal>testCompile</goal> + </goals> + </execution> </executions> </plugin> <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-jar-plugin</artifactId> - <version>3.1.0</version> - <executions> - <execution> - <goals> - <goal>test-jar</goal> - </goals> - </execution> - </executions> - </plugin> - + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-jar-plugin</artifactId> + <version>3.1.0</version> + <executions> + <execution> + <goals> + <goal>test-jar</goal> + </goals> + </execution> + </executions> + </plugin> + <!-- enable co-existence of testng and junit --> - <plugin> - <artifactId>maven-surefire-plugin</artifactId> - <version>${surefire.version}</version> - <configuration> - <threadCount>1</threadCount> - </configuration> - <dependencies> - <dependency> - <groupId>org.apache.maven.surefire</groupId> - <artifactId>surefire-junit47</artifactId> - <version>${surefire.version}</version> - </dependency> - </dependencies> - </plugin> - + <plugin> + <artifactId>maven-surefire-plugin</artifactId> + <version>${surefire.version}</version> + <configuration> + <threadCount>1</threadCount> + </configuration> + <dependencies> + <dependency> + <groupId>org.apache.maven.surefire</groupId> + <artifactId>surefire-junit47</artifactId> + <version>${surefire.version}</version> + </dependency> + </dependencies> + </plugin> + + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> - + </project> diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java index 50bf76db..4410267e 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java @@ -20,8 +20,6 @@ package at.gv.egiz.eaaf.core.impl.idp.auth.services; import java.io.IOException; -import java.io.PrintWriter; -import java.io.StringWriter; import java.util.HashSet; import javax.annotation.PostConstruct; @@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.lang3.StringUtils; import org.apache.commons.text.StringEscapeUtils; +import org.owasp.encoder.Encode; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer // write generic message for general exceptions final String msg = statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null); - writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable); + writeHtmlErrorResponse(req, resp, msg, "9199", null); } @@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq, @NonNull final HttpServletResponse httpResp, @NonNull final String msg, - @NonNull final String errorCode, @Nullable final Object[] params, - @NonNull final Exception error) throws EaafException { + @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException { try { final IGuiBuilderConfiguration config = @@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS, ArrayUtils.toString(errorCodeParams)); - // add stacktrace if debug is enabled - if (log.isTraceEnabled()) { - ((ModifyableGuiBuilderConfiguration) config).putCustomParameter( - AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE, - getStacktraceFromException(error)); - - } - } else { log.info( "Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable "); @@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer } - private String getStacktraceFromException(final Exception ex) { - final StringWriter errors = new StringWriter(); - ex.printStackTrace(new PrintWriter(errors)); - return errors.toString(); - - } - private void internalMoaidExceptionHandler(final HttpServletRequest req, final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog) throws IOException, EaafException { if (e instanceof ProtocolNotActiveException) { - resp.getWriter().write(e.getMessage()); + resp.getWriter().write(Encode.forHtml(e.getMessage())); resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8); resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage()))); @@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer // write error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } else if (e instanceof InvalidProtocolRequestException) { // send error response writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } else if (e instanceof ConfigurationException) { // send HTML formated error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } else if (e instanceof EaafException) { // send HTML formated error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - ((EaafException) e).getParams(), e); + ((EaafException) e).getParams()); } else if (e instanceof ProcessExecutionException) { // send HTML formated error message writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e), - null, e); + null); } diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java index 14537d44..edca0fba 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java @@ -101,6 +101,7 @@ public class ProcessDefinitionParser { // Standard implementation of XMLInputFactory seems not to be thread-safe final XMLInputFactory inputFactory = XMLInputFactory.newInstance(); + inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); reader = inputFactory.createXMLEventReader(processDefinitionInputStream); final List<StartElement> transitionElements = new ArrayList<>(); diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java index e8d5c294..4b8a7a04 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java @@ -33,6 +33,7 @@ import java.util.Map.Entry; import java.util.Set; import java.util.Vector; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory; import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; -import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; - import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.StringUtils; import org.apache.xerces.parsers.DOMParser; @@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler; import org.xml.sax.InputSource; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; + /** * Various utility functions for handling XML DOM trees. * @@ -785,6 +786,7 @@ public class DomUtils { throws TransformerException, IOException { final TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Transformer transformer = transformerFactory.newTransformer(); final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384); @@ -1211,6 +1213,7 @@ public class DomUtils { // StringWriter stringWriter = new StringWriter(); final Result result = new StreamResult(out); final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Transformer transformer = factory.newTransformer(); transformer.transform(source, result); return out.toByteArray(); diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java index b20efe3d..3343a089 100644 --- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java +++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java @@ -19,9 +19,6 @@ package at.gv.egiz.eaaf.core.exceptions; -import java.io.PrintStream; -import java.io.PrintWriter; - /** * An exception occurred evaluating an XPath. * @@ -56,32 +53,4 @@ public class XPathException extends RuntimeException { return wrapped; } - /** - * Print error message. - * - * @see java.lang.Throwable#printStackTrace(java.io.PrintStream) - */ - @Override - public void printStackTrace(final PrintStream s) { - super.printStackTrace(s); - if (getWrapped() != null) { - s.print("Caused by: "); - getWrapped().printStackTrace(s); - } - } - - /** - * Print error message. - * - * @see java.lang.Throwable#printStackTrace(java.io.PrintWriter) - */ - @Override - public void printStackTrace(final PrintWriter s) { - super.printStackTrace(s); - if (getWrapped() != null) { - s.print("Caused by: "); - getWrapped().printStackTrace(s); - } - } - } diff --git a/eaaf_core_utils/checks/spotbugs-exclude.xml b/eaaf_core_utils/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..b42f34c2 --- /dev/null +++ b/eaaf_core_utils/checks/spotbugs-exclude.xml @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <Class name="at.gv.egiz.eaaf.core.impl.utils.EaafSerializationUtils" /> + <OR> + <Bug pattern="OBJECT_DESERIALIZATION" /> + </OR> + </Match> + <Match> + <!-- Paths and URLs only loaded from configuration --> + <Class name="at.gv.egiz.eaaf.core.impl.utils.FileUtils" /> + <OR> + <Bug pattern="URLCONNECTION_SSRF_FD" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </OR> + </Match> + <Match> + <!-- Paths and URLs only loaded from configuration --> + <Class name="at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils" /> + <OR> + <Bug pattern="URLCONNECTION_SSRF_FD" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </OR> + </Match> +</FindBugsFilter>
\ No newline at end of file diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml index 947faf4b..c7cefa8d 100644 --- a/eaaf_core_utils/pom.xml +++ b/eaaf_core_utils/pom.xml @@ -181,6 +181,16 @@ </dependencies> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java index 8ec5f3a8..cfb4ed88 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java @@ -2,8 +2,8 @@ package at.gv.egiz.eaaf.core.impl.utils; import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; +import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.util.Arrays; import java.util.Base64; import javax.annotation.PostConstruct; @@ -109,7 +109,8 @@ public class SecurePendingRequestIdGenerationStrategy log.trace("Checking HMAC from externalPendingReqId ... "); final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]); final byte[] refDigist = calculateHmac(buildInternalToken(internalPendingReqId, timeStamp)); - if (!Arrays.equals(tokenDigest, refDigist)) { + + if (!MessageDigest.isEqual(refDigist,tokenDigest)) { log.warn("Digest of Token does NOT match"); log.debug("Token: {} | Ref: {}", tokenDigest, refDigist); throw new PendingReqIdValidationException(null, "internal.pendingreqid.04"); diff --git a/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..b1d216dc --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- allow logging of SAML2 message on trace level --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder"/> + <Method name="getBase64DecodedMessage" /> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> + <Match> + <!-- allow logging of SAML2 relaystate on debug level --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder"/> + <Method name="doDecode" /> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> +</FindBugsFilter> diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml index a0eee0e6..45819787 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml @@ -172,6 +172,16 @@ </dependencies> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> </project> diff --git a/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..855f39bd --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml @@ -0,0 +1,14 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- allow SHA-1, because transient SubjectNameIDs should have the same pattern as bPKs --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.Pvp2AssertionBuilder"/> + <Method name="buildAssertion" /> + <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" /> + </Match> + <Match> + <!-- allow logging of SAML2 request parameters --> + <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AbstractPvp2XProtocol"/> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> +</FindBugsFilter> diff --git a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml index 3840c8d9..b92d0f56 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml @@ -91,6 +91,16 @@ </dependencies> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <failOnError>true</failOnError> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> </project> diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java index b7b18f0f..d2ed2c11 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java @@ -26,26 +26,6 @@ import java.util.List; import javax.naming.ConfigurationException; -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; -import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; -import at.gv.egiz.eaaf.core.impl.utils.Random; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException; -import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException; -import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.saml.common.xml.SAMLConstants; @@ -79,6 +59,26 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.springframework.util.Base64Utils; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException; +import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; + @Service("PVP2AssertionBuilder") public class Pvp2AssertionBuilder implements PvpConstants { @@ -11,7 +11,7 @@ <name>EGIZ EAAF components</name> - <properties> + <properties> <!-- General project properties --> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <java.version>1.8</java.version> @@ -68,6 +68,7 @@ <joda-time.version>2.10.8</joda-time.version> <jsr305.version>3.0.2</jsr305.version> <com.google.guava.version>30.0-jre</com.google.guava.version> + <org.owasp.encoder.version>1.2.3</org.owasp.encoder.version> <httpclient.version>4.5.13</httpclient.version> <httpcore.version>4.4.14</httpcore.version> @@ -92,6 +93,7 @@ <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version> <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version> <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version> + <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version> <dependency-check-maven.version>6.0.3</dependency-check-maven.version> <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory> @@ -107,7 +109,7 @@ <repository> <id>gitlab-localbuild</id> <url>https://gitlab.iaik.tugraz.at/api/v4/groups/119/-/packages/maven</url> - </repository> + </repository> <repository> <id>egiz-commons</id> <url>https://apps.egiz.gv.at/maven/</url> @@ -197,7 +199,7 @@ </plugin> </plugins> </build> - </profile> + </profile> </profiles> <modules> @@ -356,7 +358,7 @@ <groupId>javax.annotation</groupId> <artifactId>javax.annotation-api</artifactId> <version>${javax.annotation-api}</version> - </dependency> + </dependency> <dependency> <groupId>commons-collections</groupId> <artifactId>commons-collections</artifactId> @@ -433,11 +435,12 @@ <version>${org.apache.santuario.xmlsec.version}</version> </dependency> <dependency> - <!-- Set newer version, because 1.1.3 from openSAML dependency has an CVE-2020-7226 --> + <!-- Set newer version, because 1.1.3 from openSAML dependency has + an CVE-2020-7226 --> <groupId>org.cryptacular</groupId> <artifactId>cryptacular</artifactId> <version>${org.cryptacular.version}</version> - </dependency> + </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15to18</artifactId> @@ -446,7 +449,7 @@ <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bctls-jdk15to18</artifactId> - <version>${org.bouncycastle.bctls-jdk15to18.version}</version> + <version>${org.bouncycastle.bctls-jdk15to18.version}</version> </dependency> <dependency> @@ -488,6 +491,12 @@ </dependency> <dependency> + <groupId>org.owasp.encoder</groupId> + <artifactId>encoder</artifactId> + <version>${org.owasp.encoder.version}</version> + </dependency> + + <dependency> <groupId>joda-time</groupId> <artifactId>joda-time</artifactId> <version>${joda-time.version}</version> @@ -534,7 +543,7 @@ <artifactId>okhttp-tls</artifactId> <version>${com.squareup.okhttp3.version}</version> <scope>test</scope> - </dependency> + </dependency> <dependency> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_core_utils</artifactId> @@ -723,6 +732,13 @@ </executions> <configuration> <failOnError>true</failOnError> + <plugins> + <plugin> + <groupId>com.h3xstream.findsecbugs</groupId> + <artifactId>findsecbugs-plugin</artifactId> + <version>${findsecbugs-plugin.version}</version> + </plugin> + </plugins> </configuration> </plugin> |