update for missing a couple possibly unsafe xml parser #902
Conversation
|
|
| } catch (ParserConfigurationException e) { | ||
| log.warn(e); | ||
| } |
There was a problem hiding this comment.
Note that catching and swallowing the exception makes it possible to return a document builder factory which is still vulnerable!
There was a problem hiding this comment.
I've already delete this block, please check it again, thank you!
| @@ -94,14 +94,25 @@ public static <T> DefaultXMLValueProvider<T> getValueFromTag( | |||
| return new DefaultXMLValueProvider<>(null, klass); | |||
| } | |||
|
|
|||
| public DocumentBuilderFactory safeDocumentBuilderFactory() { | |||
There was a problem hiding this comment.
This method should be static. Also can we add a bit of Javadoc as to its purpose?
There was a problem hiding this comment.
Of course! Thanks for your comment.
| public DocumentBuilderFactory safeDocumentBuilderFactory() { | ||
| DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); | ||
| dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); | ||
| dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); | ||
| dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); | ||
| dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); | ||
| dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false); | ||
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); | ||
| return dbf; | ||
| } | ||
|
|
There was a problem hiding this comment.
Once we make the XMLUtil#safeDocumentBuilderFactory method static, we can get rid of this method, and just call XMLUtil.safeDocumentBuilderFactory() below.
There was a problem hiding this comment.
sure, I've already make the XMLUtil#safeDocumentBuilderFactory method static. please check it again, Thank you!
| @@ -16,7 +16,7 @@ | |||
| * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
| * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | |||
| * OUT OF OR IN CONNECTION WITH com.uber.nullaway.fixserializationTHE SOFTWARE OR THE USE OR OTHER DEALINGS IN | |||
There was a problem hiding this comment.
Can we revert this change? we shouldn't modify license headers unless there's a reason
|
|
||
|
|
There was a problem hiding this comment.
Can you run our configured formatter (./gradlew spotlessApply) on this PR?
We try to be consistent in formatting and these two blank lines don't seem right.
| @@ -94,14 +94,25 @@ public static <T> DefaultXMLValueProvider<T> getValueFromTag( | |||
| return new DefaultXMLValueProvider<>(null, klass); | |||
| } | |||
|
|
|||
| public static DocumentBuilderFactory safeDocumentBuilderFactory() { | |||
There was a problem hiding this comment.
Please add Javadoc describing what this method does
There was a problem hiding this comment.
what your project use is jdk 21?
There was a problem hiding this comment.
JDK 21 is required in order to run certain tests. Sorry for the hassle.
There was a problem hiding this comment.
I‘ve already pushed and the ./gradlew spotlessApply is run successfully.
There was a problem hiding this comment.
But the cli ./gradlew compileJava is failed cause it need to use jdk8? I don't know why, but I think it's not caused by the code I've added. Please check it again, and I will try to fix it if you find any error again. Feel sorry to trouble you again.
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #902 +/- ##
============================================
- Coverage 86.99% 86.98% -0.01%
- Complexity 1958 1959 +1
============================================
Files 77 77
Lines 6319 6330 +11
Branches 1223 1223
============================================
+ Hits 5497 5506 +9
- Misses 418 420 +2
Partials 404 404 ☔ View full report in Codecov by Sentry. |
Thank you for your merge! Considering the possible information leakage consequences of this vulnerability, maybe we can request for a CVE-ID? |
|
Sorry no, I do not believe this deserves a CVE. See my previous comments. |
Fixes #901