Posted to commits@poi.apache.org by ki...@apache.org on 2019/12/01 02:05:51 UTC

svn commit: r1870657 - in /poi/trunk/src: java/org/apache/poi/hssf/record/ java/org/apache/poi/poifs/crypt/ java/org/apache/poi/util/ ooxml/java/org/apache/poi/xssf/extractor/

Author: kiwiwings
Date: Sun Dec  1 02:05:51 2019
New Revision: 1870657

URL: http://svn.apache.org/viewvc?rev=1870657&view=rev
Log:
Sonar Fixes - fix/annotate type "vulnerability" / severity "blocker"

Modified:
    poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java
    poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
    poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java
    poi/trunk/src/java/org/apache/poi/util/StaxHelper.java
    poi/trunk/src/java/org/apache/poi/util/XMLHelper.java
    poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java

Modified: poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java (original)
+++ poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java Sun Dec  1 02:05:51 2019
@@ -102,6 +102,7 @@ public final class RecordFactoryInputStr
 			_lastRecord = rec;
 		}
 
+		@SuppressWarnings({"squid:S2068"})
 		public RecordInputStream createDecryptingStream(InputStream original) {
             String userPassword = Biff8EncryptionKey.getCurrentUserPassword();
 			if (userPassword == null) {
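Review bot: The `@SuppressWarnings({"squid:S2068"})` added above createDecryptingStream carries no comment saying why the hard-coded-credential finding is a false positive here, and the same holds for the two other S2068 suppressions in this commit, on CryptoFunctions.hashPassword and on Decryptor.DEFAULT_PASSWORD. A one-line justification beside each annotation spares the next reader from checking whether a real secret is involved, e.g. at Decryptor `// squid:S2068 - the file format's fixed default document password, not a secret` and at the two methods `// squid:S2068 - falls back to the format's default password, not a credential` (for hashPassword the fallback is visible in the hunk's "use the default" comment; for this method it is outside the hunk and should be confirmed). The S2755 suppressions on the XML factory methods in StaxHelper, XMLHelper and XSSFExportToXml would benefit from the same treatment. createDecryptingStream continues outside the hunk.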

Modified: poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java (original)
+++ poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java Sun Dec  1 02:05:51 2019
@@ -101,6 +101,7 @@ public class CryptoFunctions {
      *        if false the n-1 hash value is applied first
      * @return the hashed password
      */
+    @SuppressWarnings({"squid:S2068"})
     public static byte[] hashPassword(String password, HashAlgorithm hashAlgorithm, byte[] salt, int spinCount, boolean iteratorFirst) {
         // If no password was given, use the default
         if (password == null) {

Modified: poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java (original)
+++ poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java Sun Dec  1 02:05:51 2019
@@ -33,6 +33,7 @@ import org.apache.poi.poifs.filesystem.P
 import org.apache.poi.util.GenericRecordUtil;
 
 public abstract class Decryptor implements Cloneable, GenericRecord {
+    @SuppressWarnings({"squid:S2068"})
     public static final String DEFAULT_PASSWORD="VelvetSweatshop";
     public static final String DEFAULT_POIFS_ENTRY="EncryptedPackage";
     

Modified: poi/trunk/src/java/org/apache/poi/util/StaxHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/util/StaxHelper.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/util/StaxHelper.java (original)
+++ poi/trunk/src/java/org/apache/poi/util/StaxHelper.java Sun Dec  1 02:05:51 2019
@@ -17,6 +17,8 @@
 
 package org.apache.poi.util;
 
+import java.util.function.Consumer;
+
 import javax.xml.stream.XMLEventFactory;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
@@ -28,17 +30,19 @@ import javax.xml.stream.XMLOutputFactory
 public final class StaxHelper {
     private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);
 
-    private StaxHelper() {}
+    private StaxHelper() {
+    }
 
     /**
      * Creates a new StAX XMLInputFactory, with sensible defaults
      */
+    @SuppressWarnings({"squid:S2755"})
     public static XMLInputFactory newXMLInputFactory() {
         XMLInputFactory factory = XMLInputFactory.newInstance();
-        trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
-        trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
-        trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
-        trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        trySet(XMLInputFactory.IS_NAMESPACE_AWARE, (n) -> factory.setProperty(n, true));
+        trySet(XMLInputFactory.IS_VALIDATING, (n) -> factory.setProperty(n, false));
+        trySet(XMLInputFactory.SUPPORT_DTD, (n) -> factory.setProperty(n, false));
+        trySet(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, (n) -> factory.setProperty(n, false));
         return factory;
     }
 
@@ -47,7 +51,7 @@ public final class StaxHelper {
      */
     public static XMLOutputFactory newXMLOutputFactory() {
         XMLOutputFactory factory = XMLOutputFactory.newInstance();
-        trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
+        trySet(XMLOutputFactory.IS_REPAIRING_NAMESPACES, (n) -> factory.setProperty(n, true));
         return factory;
     }
 
@@ -58,24 +62,14 @@ public final class StaxHelper {
         // this method seems safer on Android than getFactory()
         return XMLEventFactory.newInstance();
     }
-            
-    private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
-        try {
-            factory.setProperty(feature, flag);
-        } catch (Exception e) {
-            logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
-        } catch (AbstractMethodError ame) {
-            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
-        }
-    }
 
-    private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) {
+    private static void trySet(String name, Consumer<String> securityFeature) {
         try {
-            factory.setProperty(feature, flag);
+            securityFeature.accept(name);
         } catch (Exception e) {
-            logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
+            logger.log(POILogger.WARN, "StAX Property unsupported", name, e);
         } catch (AbstractMethodError ame) {
-            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", name, ame);
         }
     }
 }
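Review bot: trySet turns a failure to apply a security property into a WARN log and returns normally, so if SUPPORT_DTD or IS_SUPPORTING_EXTERNAL_ENTITIES cannot be set, newXMLInputFactory still hands back a factory that will resolve external entities; the same pattern is repeated in XMLHelper.trySet and XSSFExportToXml.trySet in this commit. Since the `catch (Exception e)` branch existed before the rewrite, this may be a deliberate best-effort for outdated StAX implementations, but these are the settings a caller least wants to lose silently. At minimum the method should say so, e.g. `/** Applies one parser hardening setting by name; failures are only logged, so the factory stays usable but unhardened. */`, and returning a boolean (`return true` after accept, `return false` in both catch branches) would let the factory methods decide whether to fail closed.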

Modified: poi/trunk/src/java/org/apache/poi/util/XMLHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/util/XMLHelper.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/util/XMLHelper.java (original)
+++ poi/trunk/src/java/org/apache/poi/util/XMLHelper.java Sun Dec  1 02:05:51 2019
@@ -19,37 +19,47 @@ package org.apache.poi.util;
 
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
 /**
  * Helper methods for working with javax.xml classes.
  */
-public final class XMLHelper
-{
+public final class XMLHelper {
     private static POILogger logger = POILogFactory.getLogger(XMLHelper.class);
-    
+
+    @FunctionalInterface
+    private interface SecurityFeature {
+        void accept(String name) throws ParserConfigurationException;
+    }
+
     /**
      * Creates a new DocumentBuilderFactory, with sensible defaults
+     *
+     * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">OWASP XXE</a>
      */
+    @SuppressWarnings({"squid:S2755"})
     public static DocumentBuilderFactory getDocumentBuilderFactory() {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setExpandEntityReferences(false);
-        trySetSAXFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        trySetSAXFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
-        trySetSAXFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
-        trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-        trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+        trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
+        trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setAttribute(n, ""));
+        trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setAttribute(n, ""));
+        trySet("http://xml.org/sax/features/external-general-entities", (n) -> factory.setFeature(n, false));
+        trySet("http://xml.org/sax/features/external-parameter-entities", (n) -> factory.setFeature(n, false));
+        trySet("http://apache.org/xml/features/nonvalidating/load-external-dtd", (n) -> factory.setFeature(n, false));
+        trySet("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", (n) -> factory.setFeature(n, false));
+        trySet("http://apache.org/xml/features/disallow-doctype-decl", (n) -> factory.setFeature(n, true));
+        trySet("XIncludeAware", (n) -> factory.setXIncludeAware(false));
         return factory;
     }
-    
-    private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
+
+    private static void trySet(String name, SecurityFeature feature) {
         try {
-            documentBuilderFactory.setFeature(feature, enabled);
+            feature.accept(name);
         } catch (Exception e) {
-            logger.log(POILogger.WARN, "SAX Feature unsupported", feature, e);
+            logger.log(POILogger.WARN, "SAX Feature unsupported", name, e);
         } catch (AbstractMethodError ame) {
-            logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+            logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", name, ame);
         }
     }
-    
-
 }
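Review bot: The new `disallow-doctype-decl` feature changes behaviour beyond hardening: where the parser supports it, any document carrying a DOCTYPE is rejected with an exception rather than parsed with entity expansion disabled, and nothing in the Javadoc of getDocumentBuilderFactory tells callers that. The other new settings (ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA set to "", XIncludeAware false) are quieter but also deserve a sentence, as does the fact that every setting is applied best-effort through trySet. Suggest extending the Javadoc with `Hardened against XXE: DOCTYPE declarations are rejected where the parser supports it, external DTDs, schemas and entities are not resolved, and XInclude is off; each setting is applied best-effort and logged if unsupported.`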

Modified: poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java Sun Dec  1 02:05:51 2019
@@ -39,10 +39,10 @@ import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
 
+import org.apache.poi.ooxml.util.DocumentHelper;
 import org.apache.poi.ooxml.util.TransformerHelper;
 import org.apache.poi.ss.usermodel.CellType;
 import org.apache.poi.ss.usermodel.DateUtil;
-import org.apache.poi.ooxml.util.DocumentHelper;
 import org.apache.poi.util.LocaleUtil;
 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
@@ -82,6 +82,13 @@ import org.xml.sax.SAXException;
 public class XSSFExportToXml implements Comparator<String>{
     private static final POILogger LOG = POILogFactory.getLogger(XSSFExportToXml.class);
 
+
+    @FunctionalInterface
+    private interface SecurityFeature {
+        void accept(String name) throws SAXException;
+    }
+
+
     private XSSFMap map;
     private final HashMap<String, Integer> indexMap = new HashMap<>();
     /**
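Review bot: The private `SecurityFeature` interface added here is a second copy of the one XMLHelper gains in the same commit, differing only in the declared checked exception (SAXException versus ParserConfigurationException), and the two blank lines before and after it do not match the file's single-blank-line spacing. One shared `@FunctionalInterface` in org.apache.poi.util declared as `void accept(String name) throws Exception;` would serve both files and StaxHelper's Consumer<String> use alike, since every trySet catches Exception anyway. If it stays local, dropping the extra blank lines and adding a one-line Javadoc such as `/** A parser hardening setting applied by name, so a failure can be logged with that name. */` is enough.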
@@ -240,11 +247,13 @@ public class XSSFExportToXml implements
      * @return true, if document is valid
      * @throws SAXException If validating the document fails
      */
+    @SuppressWarnings({"squid:S2755"})
     private boolean isValid(Document xml) throws SAXException{
         try {
-            String language = "http://www.w3.org/2001/XMLSchema";
-            SchemaFactory factory = SchemaFactory.newInstance(language);
-            trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+            trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
+            trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setProperty(n,""));
+            trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setProperty(n,""));
 
             Source source = new DOMSource(map.getSchema());
             Schema schema = factory.newSchema(source);
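Review bot: Setting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" on the SchemaFactory also blocks any `xs:import` or `xs:include` with an external schemaLocation when `factory.newSchema(source)` compiles the schema taken from `map.getSchema()`; if a mapped schema relied on that, isValid now throws instead of validating, and the method's Javadoc (which attributes SAXException only to validation failures) does not mention it. Whether such schemas exist cannot be told from this hunk, so I would at least record the restriction in the Javadoc: `External DTD and schema references are not resolved, so the mapped schema must be self-contained.` The try block of isValid continues outside the hunk.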
@@ -537,13 +546,13 @@ public class XSSFExportToXml implements
         return complexTypeNode;
     }
 
-    private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) {
+    private static void trySet(String name, SecurityFeature securityFeature) {
         try {
-            sf.setFeature(feature, enabled);
+            securityFeature.accept(name);
         } catch (Exception e) {
-            LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e);
+            LOG.log(POILogger.WARN, "SchemaFactory feature unsupported", name, e);
         } catch (AbstractMethodError ame) {
-            LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame);
+            LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", name, ame);
         }
     }
 }


