You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@poi.apache.org by ce...@apache.org on 2015/12/02 22:47:52 UTC
svn commit: r1717689 - in /poi/trunk: ./ src/ooxml/java/org/apache/poi/poifs/crypt/dsig/ src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/ src/resources/devtools/

Author: centic
Date: Wed Dec  2 21:47:52 2015
New Revision: 1717689

URL: http://svn.apache.org/viewvc?rev=1717689&view=rev
Log:
Add some additional rules for the forbidden-apis-check borrowed from Elasticsearch, also add a separate signature file with more rules for the 'prod' code and fix two newly found issues

Added:
    poi/trunk/src/resources/devtools/forbidden-signatures-prod.txt
Modified:
    poi/trunk/build.xml
    poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
    poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.java
    poi/trunk/src/resources/devtools/forbidden-signatures.txt

Modified: poi/trunk/build.xml
URL: http://svn.apache.org/viewvc/poi/trunk/build.xml?rev=1717689&r1=1717688&r2=1717689&view=diff
==============================================================================
--- poi/trunk/build.xml (original)
+++ poi/trunk/build.xml Wed Dec  2 21:47:52 2015
@@ -1811,6 +1811,8 @@ under the License.
         <taskdef name="forbiddenapis" 
                  classname="de.thetaphi.forbiddenapis.ant.AntTask" 
                  classpath="${forbidden.jar}"/>
+
+        <!-- first check rules that apply to all the source code -->
         <forbiddenapis 
                  internalRuntimeForbidden="true" 
                  classpathref="forbiddenapis.classpath"
@@ -1838,6 +1840,20 @@ under the License.
             <fileset dir="${excelant.output.test.dir}"/>
             -->
         </forbiddenapis>
+
+        <!-- then check some advanced rules which we only apply to the core code and not tests or examples -->
+        <forbiddenapis 
+                 internalRuntimeForbidden="true" 
+                 classpathref="forbiddenapis.classpath"
+                 suppressAnnotation="org.apache.poi.util.SuppressForbidden"
+            >
+            <signaturesFileset file="src/resources/devtools/forbidden-signatures-prod.txt"/>
+            <!-- sources -->
+            <fileset dir="${main.output.dir}"/>
+            <fileset dir="${ooxml.output.dir}"/>
+            <fileset dir="${scratchpad.output.dir}"/>
+            <fileset dir="${excelant.output.dir}"/>
+        </forbiddenapis>
     </target>
 
     <target name="findbugs">

Modified: poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java?rev=1717689&r1=1717688&r2=1717689&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java Wed Dec  2 21:47:52 2015
@@ -659,9 +659,9 @@ public class SignatureInfo implements Si
      * @param other the reference to wrap, if null
      * @return if other is null, an empty lists is returned, otherwise other is returned
      */
-    @SuppressWarnings("unchecked")
     private static <T> List<T> safe(List<T> other) {
-        return other == null ? Collections.EMPTY_LIST : other;
+        List<T> emptyList = Collections.emptyList();
+        return other == null ? emptyList : other;
     }
 
     private void brokenJvmWorkaround(XMLSignContext context) {

Modified: poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.java?rev=1717689&r1=1717688&r2=1717689&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.java Wed Dec  2 21:47:52 2015
@@ -29,6 +29,7 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.math.BigInteger;
 import java.net.HttpURLConnection;
+import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Proxy;
 import java.net.URL;
@@ -121,7 +122,7 @@ public class TSPTimeStampService impleme
             URL proxyUrl = new URL(signatureConfig.getProxyUrl());
             String host = proxyUrl.getHost();
             int port = proxyUrl.getPort();
-            proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host, (port == -1 ? 80 : port)));
+            proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(InetAddress.getByName(host), (port == -1 ? 80 : port)));
         }
         
         HttpURLConnection huc = (HttpURLConnection)new URL(signatureConfig.getTspUrl()).openConnection(proxy);

Added: poi/trunk/src/resources/devtools/forbidden-signatures-prod.txt
URL: http://svn.apache.org/viewvc/poi/trunk/src/resources/devtools/forbidden-signatures-prod.txt?rev=1717689&view=auto
==============================================================================
--- poi/trunk/src/resources/devtools/forbidden-signatures-prod.txt (added)
+++ poi/trunk/src/resources/devtools/forbidden-signatures-prod.txt Wed Dec  2 21:47:52 2015
@@ -0,0 +1,29 @@
+# (C) Copyright Uwe Schindler (Generics Policeman) and others.
+# Parts of this work are licensed to the Apache Software Foundation (ASF)
+# under one or more contributor license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This file contains API signatures which are specific to POI.
+# The goal is to minimize implicit defaults
+
+@defaultMessage POI forbidden APIs which are tolerated in non-production code, e.g. in tests and examples
+
+# We have applications which use this to return error codes on invalid commandline parameters...
+#@defaultMessage Please do not terminate the application
+#java.lang.System#exit(int)
+#java.lang.Runtime#exit(int)
+#java.lang.Runtime#halt(int)
+
+@defaultMessage Please do not try to stop the world
+java.lang.System#gc()

Modified: poi/trunk/src/resources/devtools/forbidden-signatures.txt
URL: http://svn.apache.org/viewvc/poi/trunk/src/resources/devtools/forbidden-signatures.txt?rev=1717689&r1=1717688&r2=1717689&view=diff
==============================================================================
--- poi/trunk/src/resources/devtools/forbidden-signatures.txt (original)
+++ poi/trunk/src/resources/devtools/forbidden-signatures.txt Wed Dec  2 21:47:52 2015
@@ -32,3 +32,84 @@ java.lang.reflect.AccessibleObject#setAc
 
 java.text.DecimalFormatSymbols#DecimalFormatSymbols() @ use DecimalFormatSymbols.getInstance()
 java.text.DecimalFormatSymbols#DecimalFormatSymbols(Locale) @ use DecimalFormatSymbols.getInstance()
+
+# the following are taken from the Elasticsearch source at https://github.com/elastic/elasticsearch/tree/master/buildSrc/src/main/resources/forbidden
+
+@defaultMessage Convert to URI
+java.net.URL#getPath()
+java.net.URL#getFile()
+
+@defaultMessage Usage of getLocalHost is discouraged
+java.net.InetAddress#getLocalHost()
+
+@defaultMessage Specify a location for the temp file/directory instead.
+java.nio.file.Files#createTempDirectory(java.lang.String,java.nio.file.attribute.FileAttribute[])
+java.nio.file.Files#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute[])
+
+@defaultMessage Specify a location for the temp file/directory instead.
+java.nio.file.Files#createTempDirectory(java.lang.String,java.nio.file.attribute.FileAttribute[])
+java.nio.file.Files#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute[])
+
+@defaultMessage Don't use java serialization - this can break BWC without noticing it
+java.io.ObjectOutputStream
+java.io.ObjectOutput
+java.io.ObjectInputStream
+java.io.ObjectInput
+
+@defaultMessage Resolve hosts explicitly to the address(es) you want with InetAddress.
+java.net.InetSocketAddress#<init>(java.lang.String,int)
+java.net.Socket#<init>(java.lang.String,int)
+java.net.Socket#<init>(java.lang.String,int,java.net.InetAddress,int)
+
+@defaultMessage Don't bind to wildcard addresses. Be specific.
+java.net.DatagramSocket#<init>()
+java.net.DatagramSocket#<init>(int)
+java.net.InetSocketAddress#<init>(int)
+java.net.MulticastSocket#<init>()
+java.net.MulticastSocket#<init>(int)
+java.net.ServerSocket#<init>(int)
+java.net.ServerSocket#<init>(int,int)
+
+@defaultMessage use NetworkAddress format/formatAddress to print IP or IP+ports
+java.net.InetAddress#toString()
+java.net.InetAddress#getHostAddress()
+java.net.Inet4Address#getHostAddress()
+java.net.Inet6Address#getHostAddress()
+java.net.InetSocketAddress#toString()
+
+@defaultMessage avoid DNS lookups by accident: if you have a valid reason, then @SuppressWarnings with that reason so its completely clear
+java.net.InetAddress#getHostName()
+java.net.InetAddress#getCanonicalHostName()
+
+java.net.InetSocketAddress#getHostName() @ Use getHostString() instead, which avoids a DNS lookup
+
+@defaultMessage this method needs special permission
+java.lang.Thread#getAllStackTraces()
+
+@defaultMessage Avoid unchecked warnings by using Collections#empty(List|Map|Set) methods
+java.util.Collections#EMPTY_LIST
+java.util.Collections#EMPTY_MAP
+java.util.Collections#EMPTY_SET
+
+
+@defaultMessage spawns threads with vague names; use a custom thread factory and name threads so that you can tell (by its name) which executor it is associated with
+java.util.concurrent.Executors#newFixedThreadPool(int)
+java.util.concurrent.Executors#newSingleThreadExecutor()
+java.util.concurrent.Executors#newCachedThreadPool()
+java.util.concurrent.Executors#newSingleThreadScheduledExecutor()
+java.util.concurrent.Executors#newScheduledThreadPool(int)
+java.util.concurrent.Executors#defaultThreadFactory()
+java.util.concurrent.Executors#privilegedThreadFactory()
+
+java.lang.Character#codePointBefore(char[],int) @ Implicit start offset is error-prone when the char[] is a buffer and the first chars are random chars
+java.lang.Character#codePointAt(char[],int) @ Implicit end offset is error-prone when the char[] is a buffer and the last chars are random chars
+
+@defaultMessage Only use wait / notify when really needed try to use concurrency primitives, latches or callbacks instead.
+java.lang.Object#wait()
+java.lang.Object#wait(long)
+java.lang.Object#wait(long,int)
+java.lang.Object#notify()
+java.lang.Object#notifyAll()
+
+@defaultMessage Don't interrupt threads use FutureUtils#cancel(Future<T>) instead
+java.util.concurrent.Future#cancel(boolean)



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@poi.apache.org
For additional commands, e-mail: commits-help@poi.apache.org