Diffstat (limited to 'connector')
-rw-r--r--connector/checks/spotbugs-exclude.xml22
-rw-r--r--connector/pom.xml9
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java7
3 files changed, 35 insertions, 3 deletions
diff --git a/connector/checks/spotbugs-exclude.xml b/connector/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..5d4fd515
--- /dev/null
+++ b/connector/checks/spotbugs-exclude.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <!-- Write only application status into response. Should be removed if we switch to Spring Actuator -->
+ <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" />
+ <Method name="startSingleTests" />
+ <Bug pattern="XSS_SERVLET" />
+ </Match>
+ <Match>
+ <!-- CSFR protection is implemented by pendingRequestId that is an one-time token
+ Endpoint for Metadata generation can be unrestrected by design -->
+ <OR>
+ <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" />
+ <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" />
+ </OR>
+ <OR>
+ <Method name="performGenericAuthenticationProcess" />
+ <Method name="pvpMetadataRequest" />
+ </OR>
+ <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+ </Match>
+</FindBugsFilter>
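Review bot: The XSS_SERVLET suppression on `startSingleTests` is keyed only by class and method name, so the rationale in the comment ("write only application status into response") is not enforced by the filter itself: any later change that writes request-derived data from that method would stay unflagged. The comment should state where the written value comes from and that it must not include request input, e.g. `<!-- startSingleTests writes only a fixed status string; do not echo request data here, or this exclusion must be revisited. Remove when switching to Spring Actuator. -->`, and the same applies to the CSRF match, which asserts that pendingRequestId is one-time but gives no pointer to where that is validated. The comment text also has typos that a reader grepping for the terms would miss: `CSFR` → `CSRF`, `unrestrected` → `unrestricted`, `an one-time` → `a one-time`.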
diff --git a/connector/pom.xml b/connector/pom.xml
index 6621fb0f..3c2ddf07 100644
--- a/connector/pom.xml
+++ b/connector/pom.xml
@@ -156,6 +156,15 @@
</executions>
</plugin>
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>${spotbugs-maven-plugin.version}</version>
+ <configuration>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+ </configuration>
+ </plugin>
+
</plugins>
</build>
</project>
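Review bot: The plugin declaration adds only `excludeFilterFile`; there is no `<executions>` binding, no `failOnError`, and no find-sec-bugs detector plugin listed, yet both patterns in the exclusion file (`XSS_SERVLET`, `SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING`) come from find-sec-bugs rather than core SpotBugs. Unless the parent POM's pluginManagement (not visible here, where `${spotbugs-maven-plugin.version}` is presumably defined) supplies the detector and a `check` execution, the build will run the analysis only on demand and never produce the findings the new filter suppresses. If the parent does not already configure it, the declaration should bind the goal and register the detector as below.
```xml
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>${spotbugs-maven-plugin.version}</version>
  <configuration>
    <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
    <failOnError>true</failOnError>
    <plugins>
      <plugin>
        <groupId>com.h3xstream.findsecbugs</groupId>
        <artifactId>findsecbugs-plugin</artifactId>
        <!-- placeholder: pin the version used by the rest of the build -->
        <version>FINDSECBUGS_VERSION_PLACEHOLDER</version>
      </plugin>
    </plugins>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```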
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
index aa45c836..f2d9fc8c 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java
@@ -34,6 +34,7 @@ import org.apache.commons.text.StringEscapeUtils;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -250,9 +251,9 @@ public class MonitoringController {
}
// create HTTP client
- // TODO: update if we switch to openSAML3
- CloseableHttpClient httpClient = httpClientFactory.getHttpClient();
- HttpUriRequest request = new HttpGet(urlString);
+ CloseableHttpClient httpClient = httpClientFactory.getHttpClient();
+ URIBuilder uriBuilder = new URIBuilder(urlString);
+ HttpUriRequest request = new HttpGet(uriBuilder.build());
final CloseableHttpResponse respCode = httpClient.execute(request);
if (respCode.getStatusLine().getStatusCode() != 200) {