From c4f117e74b8ade8b420f0443955ec6b94f88cee4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 9 Dec 2020 18:20:56 +0100
Subject: add findSecBugs extension into spotbugs plug-in

---
 eaaf_core/checks/spotbugs-exclude.xml              |  50 ++++
 eaaf_core/pom.xml                                  | 272 +++++++++++----------
 .../services/ProtocolAuthenticationService.java    |  35 +--
 .../impl/idp/process/ProcessDefinitionParser.java  |   1 +
 .../at/gv/egiz/eaaf/core/impl/utils/DomUtils.java  |   7 +-
 5 files changed, 208 insertions(+), 157 deletions(-)
 create mode 100644 eaaf_core/checks/spotbugs-exclude.xml

(limited to 'eaaf_core')

diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..aa11a955
--- /dev/null
+++ b/eaaf_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+    <Match>
+      <!-- bPK requires SHA1 from specification -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" />
+      <OR>
+        <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />        
+      </OR>        
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/>
+      <Method name="performRedirectToItself" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- only redirects to internal addresses -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/>
+      <Method name="forwardToErrorHandler" />
+      <Bug pattern="UNVALIDATED_REDIRECT" />
+    </Match>
+    <Match>
+      <!-- the ErrorToken is only single-used as same as a CSRF token -->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+      <Method name="errorHandling" />
+      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+    </Match>
+    <Match>
+      <!-- Only used to evaluate expressions from pre-compiled process-flows -->
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/>
+      </OR>
+      <Bug pattern="SPEL_INJECTION" />
+    </Match>
+    <Match>
+      <!-- URL will be only generated from configuration path-->
+      <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/>
+      <Bug pattern="PATH_TRAVERSAL_IN" />
+    </Match>
+    <Match>
+      <!-- Logging of request parameters is allowed for this classes -->   
+      <OR>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/>
+      </OR>
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+    </Match>
+</FindBugsFilter>
diff --git a/eaaf_core/pom.xml b/eaaf_core/pom.xml
index a1eee06e..178b53a3 100644
--- a/eaaf_core/pom.xml
+++ b/eaaf_core/pom.xml
@@ -1,108 +1,112 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <parent>
-	<groupId>at.gv.egiz</groupId>
-	<artifactId>eaaf</artifactId>
-	<version>1.1.11-SNAPSHOT</version>
+    <groupId>at.gv.egiz</groupId>
+    <artifactId>eaaf</artifactId>
+    <version>1.1.11-SNAPSHOT</version>
   </parent>
 
   <groupId>at.gv.egiz.eaaf</groupId>
   <artifactId>eaaf-core</artifactId>
   <name>EAAF core components</name>
   <description>Core components for identity managment implementations</description>
-     
+
   <dependencies>
-  	<dependency>
-  		<groupId>at.gv.egiz.eaaf</groupId>
-  		<artifactId>eaaf_core_api</artifactId>
-  	</dependency>
-  	<dependency>
-		<groupId>at.gv.egiz.eaaf</groupId>
-  		<artifactId>eaaf_core_utils</artifactId>
-  	</dependency>
-  
-  	<dependency>
-  		<groupId>at.gv.egiz.components</groupId>
-    	<artifactId>eventlog-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>at.gv.egiz.components</groupId>
-    	<artifactId>egiz-spring-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>javax.annotation</groupId>
-    	<artifactId>javax.annotation-api</artifactId>
-  	</dependency>
-  	<dependency>
-  		<groupId>org.springframework</groupId>
-		<artifactId>spring-webmvc</artifactId>
-        <scope>provided</scope>
-  	</dependency>
-  	<dependency>
-    	<groupId>org.slf4j</groupId>
-    	<artifactId>slf4j-api</artifactId>
-	</dependency>
-	<!-- dependency>
-    	<groupId>org.slf4j</groupId>
-    	<artifactId>slf4j-log4j12</artifactId>
-	</dependency-->
-	<dependency>
-		<groupId>commons-codec</groupId>
-    	<artifactId>commons-codec</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-lang3</artifactId>
-	</dependency>	
-    <dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-collections4</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.commons</groupId>
-    	<artifactId>commons-text</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>commons-fileupload</groupId>
-    	<artifactId>commons-fileupload</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>javax.servlet</groupId>
-		<artifactId>javax.servlet-api</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>org.apache.velocity</groupId>
-		<artifactId>velocity</artifactId>
-	</dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.eaaf</groupId>
+      <artifactId>eaaf_core_utils</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>at.gv.egiz.components</groupId>
+      <artifactId>eventlog-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>at.gv.egiz.components</groupId>
+      <artifactId>egiz-spring-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.annotation</groupId>
+      <artifactId>javax.annotation-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-webmvc</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <!-- dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> 
+      </dependency -->
+    <dependency>
+      <groupId>commons-codec</groupId>
+      <artifactId>commons-codec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-collections4</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-fileupload</groupId>
+      <artifactId>commons-fileupload</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.velocity</groupId>
+      <artifactId>velocity</artifactId>
+    </dependency>
     <dependency>
       <groupId>commons-collections</groupId>
-      <artifactId>commons-collections</artifactId>
-    </dependency>
- 	<dependency>
-		<groupId>jaxen</groupId>
-    	<artifactId>jaxen</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>xerces</groupId>
-    	<artifactId>xercesImpl</artifactId>
-	</dependency>
-	<dependency>
-		<groupId>xalan</groupId>
-	    <artifactId>xalan</artifactId>
-	</dependency>
-		
+      <artifactId>commons-collections</artifactId>      
+    </dependency>
+    <dependency>
+      <groupId>org.owasp.encoder</groupId>
+      <artifactId>encoder</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jaxen</groupId>
+      <artifactId>jaxen</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>xerces</groupId>
+      <artifactId>xercesImpl</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>xalan</groupId>
+      <artifactId>xalan</artifactId>
+    </dependency>
+
     <!-- For testing -->
-	<dependency>
-		<groupId>junit</groupId>
-      	<artifactId>junit</artifactId>
-      	<scope>test</scope>
-	</dependency>
-	<dependency>
-		<groupId>org.springframework</groupId>
-		<artifactId>spring-test</artifactId>
-		<scope>test</scope>
-	</dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>at.gv.egiz.eaaf</groupId>
       <artifactId>eaaf_core_utils</artifactId>
@@ -110,10 +114,10 @@
       <type>test-jar</type>
     </dependency>
   </dependencies>
-  
-   <build>
+
+  <build>
     <finalName>eaaf_core</finalName>
-    
+
     <plugins>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
@@ -124,44 +128,54 @@
           <target>1.8</target>
         </configuration>
         <executions>
-        	<execution>
-        		<goals>
-        			<goal>compile</goal>
-        			<goal>testCompile</goal>
-        		</goals>
-        	</execution>
+          <execution>
+            <goals>
+              <goal>compile</goal>
+              <goal>testCompile</goal>
+            </goals>
+          </execution>
         </executions>
       </plugin>
       <plugin>
-    	<groupId>org.apache.maven.plugins</groupId>
-    	<artifactId>maven-jar-plugin</artifactId>
-    	<version>3.1.0</version>
-    	<executions>
-        	<execution>
-            	<goals>
-                	<goal>test-jar</goal>
-            	</goals>
-        	</execution>
-    	</executions>
-	  </plugin>
-      
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>3.1.0</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
       <!-- enable co-existence of testng and junit -->
-			<plugin>
-				<artifactId>maven-surefire-plugin</artifactId>
-				<version>${surefire.version}</version>
-				<configuration>
-					<threadCount>1</threadCount>
-				</configuration>
-				<dependencies>
-					<dependency>
-						<groupId>org.apache.maven.surefire</groupId>
-						<artifactId>surefire-junit47</artifactId>
-						<version>${surefire.version}</version>
-					</dependency>
-				</dependencies>
-			</plugin>
-      
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>${surefire.version}</version>
+        <configuration>
+          <threadCount>1</threadCount>
+        </configuration>
+        <dependencies>
+          <dependency>
+            <groupId>org.apache.maven.surefire</groupId>
+            <artifactId>surefire-junit47</artifactId>
+            <version>${surefire.version}</version>
+          </dependency>
+        </dependencies>
+      </plugin>
+
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>${spotbugs-maven-plugin.version}</version>
+        <configuration>
+          <failOnError>true</failOnError>
+          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
-  
+
 </project>
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index 50bf76db..4410267e 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -20,8 +20,6 @@
 package at.gv.egiz.eaaf.core.impl.idp.auth.services;
 
 import java.io.IOException;
-import java.io.PrintWriter;
-import java.io.StringWriter;
 import java.util.HashSet;
 
 import javax.annotation.PostConstruct;
@@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
       // write generic message for general exceptions
       final String msg =
           statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null);
-      writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable);
+      writeHtmlErrorResponse(req, resp, msg, "9199", null);
 
     }
 
@@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq,
       @NonNull final HttpServletResponse httpResp, @NonNull final String msg,
-      @NonNull final String errorCode, @Nullable final Object[] params,
-      @NonNull final Exception error) throws EaafException {
+      @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException {
 
     try {
       final IGuiBuilderConfiguration config =
@@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
             AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS,
             ArrayUtils.toString(errorCodeParams));
 
-        // add stacktrace if debug is enabled
-        if (log.isTraceEnabled()) {
-          ((ModifyableGuiBuilderConfiguration) config).putCustomParameter(
-              AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE,
-              getStacktraceFromException(error));
-
-        }
-
       } else {
         log.info(
             "Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable ");
@@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
   }
 
-  private String getStacktraceFromException(final Exception ex) {
-    final StringWriter errors = new StringWriter();
-    ex.printStackTrace(new PrintWriter(errors));
-    return errors.toString();
-
-  }
-
   private void internalMoaidExceptionHandler(final HttpServletRequest req,
       final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog)
       throws IOException, EaafException {
     if (e instanceof ProtocolNotActiveException) {
-      resp.getWriter().write(e.getMessage());
+      resp.getWriter().write(Encode.forHtml(e.getMessage()));
       resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8);
       resp.sendError(HttpServletResponse.SC_FORBIDDEN,
           StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage())));
@@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 
       // write error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof InvalidProtocolRequestException) {
       // send error response
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof ConfigurationException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     } else if (e instanceof EaafException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          ((EaafException) e).getParams(), e);
+          ((EaafException) e).getParams());
 
     } else if (e instanceof ProcessExecutionException) {
       // send HTML formated error message
       writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
-          null, e);
+          null);
 
     }
 
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
index 14537d44..edca0fba 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
@@ -101,6 +101,7 @@ public class ProcessDefinitionParser {
 
       // Standard implementation of XMLInputFactory seems not to be thread-safe
       final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+      inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
       reader = inputFactory.createXMLEventReader(processDefinitionInputStream);
 
       final List<StartElement> transitionElements = new ArrayList<>();
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
index e8d5c294..4b8a7a04 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
@@ -33,6 +33,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.Vector;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
-import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
-
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.xerces.parsers.DOMParser;
@@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
+
 /**
  * Various utility functions for handling XML DOM trees.
  *
@@ -785,6 +786,7 @@ public class DomUtils {
       throws TransformerException, IOException {
 
     final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = transformerFactory.newTransformer();
     final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384);
 
@@ -1211,6 +1213,7 @@ public class DomUtils {
     // StringWriter stringWriter = new StringWriter();
     final Result result = new StreamResult(out);
     final TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     final Transformer transformer = factory.newTransformer();
     transformer.transform(source, result);
     return out.toByteArray();
-- 
cgit v1.2.3