diff options
Diffstat (limited to 'eidas_modules')
4 files changed, 38 insertions, 19 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..375f73f4 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml @@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- Do not check code generated by Apache CXF framework --> + <Class name="~szrservices.SZRException"/> + </Match> + <Match> + <!-- Logging of SAML2 responses in case of errors or for debugging is allowed --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" /> + <Method name="getPendingRequestId" /> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> + <Match> + <!-- CSFR protection is implemented by pendingRequestId that is an one-time token --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" /> + <Method name="restoreEidasAuthProcess" /> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> + <Match> + <!-- File path is only loaded from configuration --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry" /> + <Method name="initialize" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </Match> + <Match> + <!-- Redirect URL is only loaded from configuration --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAuthnRequestTask" /> + <Method name="execute" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> +</FindBugsFilter> diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml index b2e841fb..ddd2723c 100644 --- a/eidas_modules/authmodule-eIDAS-v2/pom.xml +++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml @@ -251,18 +251,9 @@ <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> - <executions> - <execution> - <id>spotbugs_validate</id> - <phase>test</phase> - <goals> - <goal>check</goal> - </goals> - </execution> - </executions> + <version>${spotbugs-maven-plugin.version}</version> <configuration> - <failOnError>true</failOnError> - <excludeFilterFile>spotbugs_exclude.xml</excludeFilterFile> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> </configuration> </plugin> diff --git a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml b/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml deleted file mode 100644 index 90d418ff..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml +++ /dev/null @@ -1,6 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<FindBugsFilter> - <Match> - <Class name="~szrservices.SZRException"/> - </Match> -</FindBugsFilter>
\ No newline at end of file diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index 69b993a4..067825d8 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -45,6 +45,7 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.xml.XMLConstants; import javax.xml.bind.JAXBContext; import javax.xml.bind.Marshaller; import javax.xml.namespace.QName; @@ -58,8 +59,6 @@ import javax.xml.ws.BindingProvider; import javax.xml.ws.Dispatch; import javax.xml.ws.handler.Handler; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.lang3.StringUtils; import org.apache.cxf.configuration.jsse.TLSClientParameters; import org.apache.cxf.endpoint.Client; @@ -75,6 +74,9 @@ import org.springframework.stereotype.Service; import org.w3c.dom.Document; import org.w3c.dom.Element; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; + import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler; @@ -488,6 +490,7 @@ public class SzrClient { private byte[] sourceToByteArray(Source result) throws TransformerException { final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Transformer transformer = factory.newTransformer(); transformer.setOutputProperty("omit-xml-declaration", "yes"); transformer.setOutputProperty("method", "xml"); |