update for missing a couple possibly unsafe xml parser #902

Merged
merged 6 commits into from
Feb 2, 2024
Expand Up @@ -100,7 +100,7 @@ public FixSerializationConfig(
public FixSerializationConfig(String configFilePath, int serializationVersion) {
Document document;
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory factory = XMLUtil.safeDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
document = builder.parse(Files.newInputStream(Paths.get(configFilePath)));
document.normalize();
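Review bot: the InputStream returned by Files.newInputStream(Paths.get(configFilePath)) on the parse line is never closed, so the file handle leaks whenever parse succeeds or throws; wrap it in try-with-resources, e.g. `try (InputStream in = Files.newInputStream(Paths.get(configFilePath))) { document = builder.parse(in); }`. Also, because XMLUtil.safeDocumentBuilderFactory() disallows DOCTYPE declarations, a config file that carries a DTD will now fail inside parse with a SAXException rather than being read; the catch for this try (outside the hunk) should report that as a malformed or rejected config rather than a generic failure.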
Expand Up @@ -24,6 +24,7 @@

import java.io.File;
import javax.annotation.Nullable;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
Expand Down Expand Up @@ -94,14 +95,36 @@
return new DefaultXMLValueProvider<>(null, klass);
}

/**
* Returns a secure DocumentBuilderFactory object for parsing XML documents. By setting a series
* of security features, it helps prevent common XML injection attacks and enhances the security
* of XML document parsing.
*
* @return A secure DocumentBuilderFactory object
*/
public static DocumentBuilderFactory safeDocumentBuilderFactory() {
Collaborator

Please add Javadoc describing what this method does

Contributor Author

What does your project use, JDK 21?

Collaborator

JDK 21 is required in order to run certain tests. Sorry for the hassle.

Contributor Author

I've already pushed, and ./gradlew spotlessApply ran successfully.

Contributor Author

But the CLI ./gradlew compileJava failed because it needs to use JDK 8? I don't know why, but I think it's not caused by the code I've added. Please check it again, and I will try to fix it if you find any error again. Sorry to trouble you again.

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
try {
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false);
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
throw new RuntimeException("Error happened in build doc.", e);
}
return dbf;
}

/**
* Writes the {@link FixSerializationConfig} in {@code XML} format.
*
* @param config Config file to write.
* @param path Path to write the config at.
*/
public static void writeInXMLFormat(FixSerializationConfig config, String path) {
DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory docFactory = safeDocumentBuilderFactory();
try {
DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
Document doc = docBuilder.newDocument();
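Review bot: the Javadoc on safeDocumentBuilderFactory() describes the features as preventing "XML injection attacks", but what they actually block is XML external entity (XXE) resolution and DTD-driven entity expansion (e.g. billion-laughs style denial of service); rewording the comment to "XML external entity (XXE) and DTD-based entity-expansion attacks" would tell the next reader what the hardening covers. Two robustness points on the body: the `http://apache.org/xml/features/...` URIs are Xerces-specific, so on a non-Xerces JAXP implementation the first unsupported setFeature throws ParserConfigurationException and the catch turns that into a RuntimeException that aborts every parse and write; consider also calling the portable `dbf.setXIncludeAware(false)` and `dbf.setExpandEntityReferences(false)`, and give the RuntimeException a clearer message than "Error happened in build doc." (e.g. "Failed to configure secure XML parser features"). Finally, nothing in the PR exercises the catch branch, which Codecov flags as uncovered; a test that calls safeDocumentBuilderFactory() and asserts that a document with a DOCTYPE is rejected would cover the intended behaviour.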