Posted to commits@syncope.apache.org by il...@apache.org on 2018/10/25 11:07:25 UTC

[2/3] syncope git commit: Ensuring all XML input processing is safe - disable DTD and external entities

Ensuring all XML input processing is safe - disable DTD and external entities


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a0f35f45
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a0f35f45
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a0f35f45

Branch: refs/heads/2_1_X
Commit: a0f35f45f8ca5c98853ae8477fb2db81a84709a1
Parents: e559417
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Oct 25 12:57:02 2018 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Oct 25 13:06:42 2018 +0200

----------------------------------------------------------------------
 .../widgets/reconciliation/ReconciliationReportParser.java  | 9 +++++++--
 .../syncope/core/flowable/impl/FlowableDeployUtils.java     | 9 ++++++++-
 .../flowable/support/DomainProcessEngineFactoryBean.java    | 9 +++------
 3 files changed, 18 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/a0f35f45/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
index da5e76d..95e6fd8 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
@@ -32,10 +32,15 @@ import org.apache.syncope.common.lib.types.AnyTypeKind;
 
 public final class ReconciliationReportParser {
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
 
     public static ReconciliationReport parse(final Date run, final InputStream in) throws XMLStreamException {
-        XMLStreamReader streamReader = INPUT_FACTORY.createXMLStreamReader(in);
+        XMLStreamReader streamReader = XML_INPUT_FACTORY.createXMLStreamReader(in);
         streamReader.nextTag(); // root
         streamReader.nextTag(); // report
         streamReader.nextTag(); // reportlet
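Review bot: The static initializer at lines 43-46 sets the two hardening properties without saying why, and the same bare block appears in FlowableDeployUtils; a one-line comment would stop a later maintainer from dropping them as unexplained configuration: `// XXE hardening: reject DOCTYPE and external entity resolution on every reader built from this factory`. With SUPPORT_DTD set to false a report that contains a DOCTYPE will now fail with XMLStreamException instead of being parsed, which is presumably acceptable because the report is Syncope's own output, and that expectation belongs in the comment too. XMLInputFactory.setProperty throws IllegalArgumentException for a property the loaded provider does not recognise; both of these are required StAX properties, but because newInstance() resolves the provider at runtime, an unusual provider on the classpath would surface this as a class-initialization error rather than a parse error. The body of parse continues past the end of the hunk.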

http://git-wip-us.apache.org/repos/asf/syncope/blob/a0f35f45/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
----------------------------------------------------------------------
diff --git a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
index 5af0188..115d027 100644
--- a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
+++ b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
@@ -41,6 +41,13 @@ public final class FlowableDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition) {
 
@@ -58,7 +65,7 @@ public final class FlowableDeployUtils {
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();
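Review bot: The new line 80 feeds the hardened factory a Reader built from `new InputStreamReader(bpmnStream)` (context line 77), so the bytes are decoded with the platform default charset and any encoding declared in the BPMN XML prolog is ignored; handing the parser the raw stream lets it detect the encoding itself: `xtr = XML_INPUT_FACTORY.createXMLStreamReader(bpmnStream);`, after which the `isr` resource can be dropped from the try-with-resources header. If the Reader is kept, it should at least name `StandardCharsets.UTF_8` explicitly. The XMLStreamReader `xtr` is assigned inside the try block but is not a try-with-resources resource, and whether it is closed later cannot be seen here because the enclosing method continues beyond the hunk.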

http://git-wip-us.apache.org/repos/asf/syncope/blob/a0f35f45/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
----------------------------------------------------------------------
diff --git a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
index de2bbfe..81b0fd8 100644
--- a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
+++ b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
@@ -18,16 +18,14 @@
  */
 package org.apache.syncope.core.flowable.support;
 
-import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import javax.sql.DataSource;
 import org.apache.commons.lang3.StringUtils;
 import org.flowable.engine.ProcessEngine;
 import org.flowable.common.engine.impl.cfg.SpringBeanFactoryProxyMap;
 import org.flowable.common.engine.impl.interceptor.EngineConfigurationConstants;
-import org.flowable.engine.form.AbstractFormType;
 import org.flowable.engine.impl.util.EngineServiceUtil;
 import org.flowable.idm.spring.SpringIdmEngineConfiguration;
 import org.flowable.spring.SpringExpressionManager;
@@ -84,9 +82,8 @@ public class DomainProcessEngineFactoryBean
                                 EngineConfigurationConstants.KEY_IDM_ENGINE_CONFIG,
                                 ctx.getBean(SpringIdmEngineConfiguration.class));
                     }
-                    List<AbstractFormType> customFormTypes = new ArrayList<>();
-                    customFormTypes.add(new DropdownFormType(null));
-                    conf.setCustomFormTypes(customFormTypes);
+                    conf.setEnableSafeBpmnXml(true);
+                    conf.setCustomFormTypes(Arrays.asList(new DropdownFormType(null)));
 
                     engines.put(domain, conf.buildProcessEngine());
                 }