Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2021/06/22 18:09:54 UTC
[jackrabbit-filevault] branch master updated: JCRVLT-476 fix
remaining blocker vulnerabilities
This is an automated email from the ASF dual-hosted git repository.
kwin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git
The following commit(s) were added to refs/heads/master by this push:
new 9d6e3e1 JCRVLT-476 fix remaining blocker vulnerabilities
9d6e3e1 is described below
commit 9d6e3e101250d543ac9b8e3a2035a0a58907c668
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Tue Jun 22 20:08:33 2021 +0200
JCRVLT-476 fix remaining blocker vulnerabilities
---
.../vault/fs/impl/io/AbstractArtifactHandler.java | 16 +++++++++++++
.../vault/fs/impl/io/FileArtifactHandler.java | 27 ++++------------------
.../vault/fs/impl/io/GenericArtifactHandler.java | 11 +--------
.../spi/impl/AdvancedFilterValidator.java | 1 +
4 files changed, 23 insertions(+), 32 deletions(-)
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/AbstractArtifactHandler.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/AbstractArtifactHandler.java
index 59f2383..4cf7f94 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/AbstractArtifactHandler.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/AbstractArtifactHandler.java
@@ -22,6 +22,10 @@ import java.io.IOException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
import org.apache.jackrabbit.vault.fs.api.Aggregate;
import org.apache.jackrabbit.vault.fs.api.ArtifactHandler;
@@ -34,6 +38,9 @@ import org.apache.jackrabbit.vault.fs.impl.ArtifactSetImpl;
import org.apache.jackrabbit.vault.fs.io.AccessControlHandling;
import org.apache.jackrabbit.vault.fs.spi.ACLManagement;
import org.apache.jackrabbit.vault.fs.spi.ServiceProviderFactory;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.helpers.DefaultHandler;
/**
* {@code AbstractArtifactHandler}...
@@ -150,4 +157,13 @@ public abstract class AbstractArtifactHandler implements ArtifactHandler, Dumpab
ctx.println(isLast, getClass().getSimpleName());
}
+ protected void parseXmlWithSaxHandler(InputSource source, DefaultHandler handler) throws ParserConfigurationException, SAXException, IOException {
+ SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setNamespaceAware(true);
+ factory.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
+ SAXParser parser = factory.newSAXParser();
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ parser.parse(source, handler);
+ }
}
\ No newline at end of file
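Review bot: The new parseXmlWithSaxHandler method blocks external DTD and schema fetching but still accepts a DOCTYPE declaration, so a crafted package can still define and expand internal entities and the code relies only on the JDK's default expansion limits; in addition, on a SAX implementation that does not know `XMLConstants.ACCESS_EXTERNAL_DTD`, `setProperty` throws `SAXNotRecognizedException`, which the callers map to a RepositoryException and thus a hard import failure. Consider adding `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and, if docview files never legitimately carry a DOCTYPE, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The protected method is also undocumented; a Javadoc such as `/** Parses the given XML with a namespace-aware SAX parser hardened against XXE (no external DTD or schema access). */` plus `@throws` entries for the three checked exceptions would tell subclasses what guarantees they get.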
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/FileArtifactHandler.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/FileArtifactHandler.java
index 46839d6..6baaa84 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/FileArtifactHandler.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/FileArtifactHandler.java
@@ -28,10 +28,7 @@ import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.nodetype.NodeType;
-import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
import org.apache.jackrabbit.util.Text;
import org.apache.jackrabbit.vault.fs.api.Artifact;
@@ -232,17 +229,9 @@ public class FileArtifactHandler extends AbstractArtifactHandler {
DocViewSAXImporter handler = new DocViewSAXImporter(newParent, newName, newSet, wspFilter);
handler.setAclHandling(getAcHandling());
handler.setCugHandling(getCugHandling());
- SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
- factory.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
- SAXParser parser = factory.newSAXParser();
- parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- parser.parse(file.getInputSource(), handler);
+ parseXmlWithSaxHandler(file.getInputSource(), handler);
info.merge(handler.getInfo());
- } catch (ParserConfigurationException e) {
- throw new RepositoryException(e);
- } catch (SAXException e) {
+ } catch (ParserConfigurationException|SAXException e) {
throw new RepositoryException(e);
}
} else {
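Review bot: The merged catch at `} catch (ParserConfigurationException|SAXException e) {` rethrows with `throw new RepositoryException(e)` and no message, so the resulting error does not say which artifact's docview XML failed to parse. `newName` is in scope from the DocViewSAXImporter construction, so `throw new RepositoryException("Error while parsing docview XML for " + newName, e);` would keep the cause and add that context. The same bare rethrow remains in the second hunk of this file and in the GenericArtifactHandler hunk. The enclosing method starts and ends outside this hunk.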
@@ -335,17 +324,11 @@ public class FileArtifactHandler extends AbstractArtifactHandler {
handler.setAclHandling(getAcHandling());
handler.setCugHandling(getCugHandling());
try {
- SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
- factory.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
- SAXParser parser = factory.newSAXParser();
- parser.parse(source, handler);
+ parseXmlWithSaxHandler(source, handler);
return handler.getInfo();
- } catch (ParserConfigurationException e) {
- throw new RepositoryException(e);
- } catch (SAXException e) {
+ } catch (ParserConfigurationException|SAXException e) {
throw new RepositoryException(e);
- }
+ }
}
private boolean importNtResource(ImportInfo info, Node content, Artifact artifact)
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/GenericArtifactHandler.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/GenericArtifactHandler.java
index 4af46b7..b8763b9 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/GenericArtifactHandler.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/GenericArtifactHandler.java
@@ -21,10 +21,7 @@ import java.io.IOException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
-import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
import org.apache.jackrabbit.vault.fs.api.Artifact;
import org.apache.jackrabbit.vault.fs.api.ImportMode;
@@ -94,13 +91,7 @@ public class GenericArtifactHandler extends AbstractArtifactHandler {
DocViewSAXImporter handler = new DocViewSAXImporter(parent, name, artifacts, wspFilter);
handler.setAclHandling(getAcHandling());
handler.setCugHandling(getCugHandling());
- SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
- factory.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
- SAXParser parser = factory.newSAXParser();
- parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- parser.parse(source, handler);
+ parseXmlWithSaxHandler(source, handler);
info.merge(handler.getInfo());
} catch (ParserConfigurationException e) {
throw new RepositoryException(e);
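Review bot: The catch arm `catch (ParserConfigurationException e)` is left as-is here, while the identical refactoring in FileArtifactHandler collapsed the two arms into `catch (ParserConfigurationException|SAXException e)`; for consistency the arms could be merged here too. The second arm presumably follows directly below this hunk, which is also why the `SAXException` import was not removed along with the parser imports. The enclosing method starts and ends outside this hunk.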
diff --git a/vault-validation/src/main/java/org/apache/jackrabbit/vault/validation/spi/impl/AdvancedFilterValidator.java b/vault-validation/src/main/java/org/apache/jackrabbit/vault/validation/spi/impl/AdvancedFilterValidator.java
index 5f22015..1f099de 100644
--- a/vault-validation/src/main/java/org/apache/jackrabbit/vault/validation/spi/impl/AdvancedFilterValidator.java
+++ b/vault-validation/src/main/java/org/apache/jackrabbit/vault/validation/spi/impl/AdvancedFilterValidator.java
@@ -314,6 +314,7 @@ public final class AdvancedFilterValidator implements GenericMetaInfDataValidato
}
@Override
+ @SuppressWarnings("java:S2755") // false-positive as XXE attacks are prevented on the given DocumentBuilderFactory
public Collection<ValidationMessage> validateMetaInfData(@NotNull InputStream input, @NotNull Path filePath, @NotNull Path basePath) throws IOException {
Collection<ValidationMessage> messages = new LinkedList<>();
try {
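Review bot: The justification on the added `@SuppressWarnings("java:S2755")` line states that XXE is prevented on the DocumentBuilderFactory, but the factory configuration is not in this hunk, so a reader cannot verify the claim where the rule is silenced, and a later change to the factory setup would leave the suppression silently stale. Naming the hardening that is relied on would make it checkable, e.g. `// false-positive: the DocumentBuilderFactory used here disables DOCTYPE/external entity access (see <factory setup location>)`, with the placeholder replaced by the actual field or method. The method continues past the end of this hunk.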