Author: kiwiwings Date: Sun Dec 1 02:05:51 2019 New Revision: 1870657 URL: http://svn.apache.org/viewvc?rev=1870657&view=rev Log: Sonar Fixes - fix/annotate type "vulnerability" / severity "blocker"
Modified:
poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java
poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java
poi/trunk/src/java/org/apache/poi/util/StaxHelper.java
poi/trunk/src/java/org/apache/poi/util/XMLHelper.java
poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
Modified: poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java (original)
+++ poi/trunk/src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java Sun Dec 1 02:05:51 2019
@@ -102,6 +102,7 @@ public final class RecordFactoryInputStr
 _lastRecord = rec;
 }
 
+@SuppressWarnings({"squid:S2068"})
 public RecordInputStream createDecryptingStream(InputStream original) {
 String userPassword = Biff8EncryptionKey.getCurrentUserPassword();
 if (userPassword == null) {
Modified: poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java (original)
+++ poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java Sun Dec 1 02:05:51 2019
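Review bot: The `@SuppressWarnings({"squid:S2068"})` added above `createDecryptingStream` carries no justification, and the same applies to the suppressions this commit adds on `hashPassword` in CryptoFunctions and on `DEFAULT_PASSWORD` in Decryptor. S2068 is Sonar's hard-coded-credential rule; presumably it fires because these paths fall back to the Office default password `"VelvetSweatshop"`, which is a published file-format constant rather than a secret, but for the first two methods the fallback itself lies outside the hunk and cannot be confirmed here. A one-line comment at each site, e.g. `// squid:S2068: "VelvetSweatshop" is the published Office default password, not a credential`, keeps the suppression from being mistaken for a silenced real finding. The body of createDecryptingStream continues past the end of the hunk.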
@@ -101,6 +101,7 @@ public class CryptoFunctions {
 * if false the n-1 hash value is applied first
 * @return the hashed password
 */
+@SuppressWarnings({"squid:S2068"})
 public static byte[] hashPassword(String password, HashAlgorithm hashAlgorithm, byte[] salt, int spinCount, boolean iteratorFirst) {
 // If no password was given, use the default
 if (password == null) {
Modified: poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java (original)
+++ poi/trunk/src/java/org/apache/poi/poifs/crypt/Decryptor.java Sun Dec 1 02:05:51 2019
@@ -33,6 +33,7 @@ import org.apache.poi.poifs.filesystem.P
 import org.apache.poi.util.GenericRecordUtil;
 
 public abstract class Decryptor implements Cloneable, GenericRecord {
+@SuppressWarnings({"squid:S2068"})
 public static final String DEFAULT_PASSWORD="VelvetSweatshop";
 public static final String DEFAULT_POIFS_ENTRY="EncryptedPackage";
Modified: poi/trunk/src/java/org/apache/poi/util/StaxHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/util/StaxHelper.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/util/StaxHelper.java (original)
+++ poi/trunk/src/java/org/apache/poi/util/StaxHelper.java Sun Dec 1 02:05:51 2019
@@ -17,6 +17,8 @@
 package org.apache.poi.util;
 
+import java.util.function.Consumer;
+
 import javax.xml.stream.XMLEventFactory;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
@@ -28,17 +30,19 @@ import javax.xml.stream.XMLOutputFactory
 public final class StaxHelper {
 private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);
 
-private StaxHelper() {}
+private StaxHelper() {
+}
 
 /**
 * Creates a new StAX XMLInputFactory, with sensible defaults
 */
+@SuppressWarnings({"squid:S2755"})
 public static XMLInputFactory newXMLInputFactory() {
 XMLInputFactory factory = XMLInputFactory.newInstance();
-trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
-trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
-trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
-trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+trySet(XMLInputFactory.IS_NAMESPACE_AWARE, (n) -> factory.setProperty(n, true));
+trySet(XMLInputFactory.IS_VALIDATING, (n) -> factory.setProperty(n, false));
+trySet(XMLInputFactory.SUPPORT_DTD, (n) -> factory.setProperty(n, false));
+trySet(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, (n) -> factory.setProperty(n, false));
 return factory;
 }
 
@@ -47,7 +51,7 @@ public final class StaxHelper {
 */
 public static XMLOutputFactory newXMLOutputFactory() {
 XMLOutputFactory factory = XMLOutputFactory.newInstance();
-trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
+trySet(XMLOutputFactory.IS_REPAIRING_NAMESPACES, (n) -> factory.setProperty(n, true));
 return factory;
 }
 
@@ -58,24 +62,14 @@ public final class StaxHelper {
 // this method seems safer on Android than getFactory()
 return XMLEventFactory.newInstance();
 }
-
-private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
-try {
-factory.setProperty(feature, flag);
-} catch (Exception e) {
-logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
-} catch (AbstractMethodError ame) {
-logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
-}
-}
 
-private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) {
+private static void trySet(String name, Consumer<String> securityFeature) {
 try {
-factory.setProperty(feature, flag);
+securityFeature.accept(name);
 } catch (Exception e) {
-logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
+logger.log(POILogger.WARN, "StAX Property unsupported", name, e);
 } catch (AbstractMethodError ame) {
-logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", name, ame);
 }
 }
 }
Modified: poi/trunk/src/java/org/apache/poi/util/XMLHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/util/XMLHelper.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/util/XMLHelper.java (original)
+++ poi/trunk/src/java/org/apache/poi/util/XMLHelper.java Sun Dec 1 02:05:51 2019
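Review bot: The new `trySet` helper has no Javadoc, and its contract matters: a property the StAX implementation rejects is only logged at WARN, so `newXMLInputFactory` can hand back a factory on which `SUPPORT_DTD` or `IS_SUPPORTING_EXTERNAL_ENTITIES` was never actually disabled. That is a defensible best-effort choice for a library, but it should be stated where a maintainer will read it. Suggest above `private static void trySet(String name, Consumer<String> securityFeature)`: `/** Applies one factory property by name; if the StAX implementation rejects it, or is too old to know it, the failure is logged and the factory keeps the implementation's default for that property. */`. A second comment could note that `XMLInputFactory.setProperty` throws only the unchecked `IllegalArgumentException`, which is why a plain `Consumer<String>` suffices here while the DOM and Schema helpers in this commit need a throwing functional interface.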
@@ -19,37 +19,47 @@ package org.apache.poi.util;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
 /**
 * Helper methods for working with javax.xml classes.
 */
-public final class XMLHelper
-{
+public final class XMLHelper {
 private static POILogger logger = POILogFactory.getLogger(XMLHelper.class);
-
+
+@FunctionalInterface
+private interface SecurityFeature {
+void accept(String name) throws ParserConfigurationException;
+}
+
 /**
 * Creates a new DocumentBuilderFactory, with sensible defaults
+*
+* @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">OWASP XXE</a>
 */
+@SuppressWarnings({"squid:S2755"})
 public static DocumentBuilderFactory getDocumentBuilderFactory() {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setExpandEntityReferences(false);
-trySetSAXFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
-trySetSAXFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
-trySetSAXFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
-trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
+trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setAttribute(n, ""));
+trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setAttribute(n, ""));
+trySet("http://xml.org/sax/features/external-general-entities", (n) -> factory.setFeature(n, false));
+trySet("http://xml.org/sax/features/external-parameter-entities", (n) -> factory.setFeature(n, false));
+trySet("http://apache.org/xml/features/nonvalidating/load-external-dtd", (n) -> factory.setFeature(n, false));
+trySet("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", (n) -> factory.setFeature(n, false));
+trySet("http://apache.org/xml/features/disallow-doctype-decl", (n) -> factory.setFeature(n, true));
+trySet("XIncludeAware", (n) -> factory.setXIncludeAware(false));
 return factory;
 }
-
+
-private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
+private static void trySet(String name, SecurityFeature feature) {
 try {
-documentBuilderFactory.setFeature(feature, enabled);
+feature.accept(name);
 } catch (Exception e) {
-logger.log(POILogger.WARN, "SAX Feature unsupported", feature, e);
+logger.log(POILogger.WARN, "SAX Feature unsupported", name, e);
 } catch (AbstractMethodError ame) {
-logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", name, ame);
 }
 }
-
-
 }
Modified: poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java?rev=1870657&r1=1870656&r2=1870657&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java Sun Dec 1 02:05:51 2019
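Review bot: Enabling `http://apache.org/xml/features/disallow-doctype-decl` in `getDocumentBuilderFactory` is a behavioural change the commit message ("Sonar Fixes") does not mention: with Xerces-based parsers this feature makes any `<!DOCTYPE ...>` a fatal parse error, so inputs that previously parsed with entity expansion disabled (`setExpandEntityReferences(false)` plus the external-entity features) are now rejected outright. That is the strongest XXE posture and probably right for OOXML parts, but it belongs in the Javadoc next to the new OWASP link, e.g. `* Documents carrying a DOCTYPE declaration are rejected (disallow-doctype-decl), not merely parsed without entity expansion.`. Separately, `"XIncludeAware"` is not a feature URI but a label that only reaches the warning message when `setXIncludeAware(false)` fails; a short comment such as `// name is only used for logging` on that line saves the next reader a search for a non-existent feature.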
@@ -39,10 +39,10 @@ import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
 
+import org.apache.poi.ooxml.util.DocumentHelper;
 import org.apache.poi.ooxml.util.TransformerHelper;
 import org.apache.poi.ss.usermodel.CellType;
 import org.apache.poi.ss.usermodel.DateUtil;
-import org.apache.poi.ooxml.util.DocumentHelper;
 import org.apache.poi.util.LocaleUtil;
 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
@@ -82,6 +82,13 @@ import org.xml.sax.SAXException;
 public class XSSFExportToXml implements Comparator<String>{
 private static final POILogger LOG = POILogFactory.getLogger(XSSFExportToXml.class);
+
+@FunctionalInterface
+private interface SecurityFeature {
+void accept(String name) throws SAXException;
+}
+
+
 private XSSFMap map;
 private final HashMap<String, Integer> indexMap = new HashMap<>();
 /**
@@ -240,11 +247,13 @@ public class XSSFExportToXml implements
 * @return true, if document is valid
 * @throws SAXException If validating the document fails
 */
+@SuppressWarnings({"squid:S2755"})
 private boolean isValid(Document xml) throws SAXException{
 try {
-String language = "http://www.w3.org/2001/XMLSchema";
-SchemaFactory factory = SchemaFactory.newInstance(language);
-trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
+trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setProperty(n,""));
+trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setProperty(n,""));
 Source source = new DOMSource(map.getSchema());
 Schema schema = factory.newSchema(source);
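Review bot: `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` are now cleared on the `SchemaFactory` in `isValid`, but a `javax.xml.validation.Validator` carries its own instances of those properties, and the JAXP and OWASP guidance is to set them on the `Validator` as well; the validator creation is outside the hunk, so whether that already happens cannot be confirmed from here. If it does not, after the `Validator` is obtained from the schema add `trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> validator.setProperty(n, ""));` and the same line for `ACCESS_EXTERNAL_SCHEMA`, using whatever the local variable is named. `Validator.setProperty` throws `SAXNotRecognizedException`/`SAXNotSupportedException`, both `SAXException` subtypes, so the new `SecurityFeature` interface already covers it. The rest of isValid continues past the end of the hunk.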
@@ -537,13 +546,13 @@ public class XSSFExportToXml implements
 return complexTypeNode;
 }
 
-private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) {
+private static void trySet(String name, SecurityFeature securityFeature) {
 try {
-sf.setFeature(feature, enabled);
+securityFeature.accept(name);
 } catch (Exception e) {
-LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e);
+LOG.log(POILogger.WARN, "SchemaFactory feature unsupported", name, e);
 } catch (AbstractMethodError ame) {
-LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame);
+LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", name, ame);
 }
 }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@poi.apache.org
For additional commands, e-mail: commits-h...@poi.apache.org
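Review bot: This `trySet` plus its private `SecurityFeature` interface is the third copy of the same pattern introduced by this commit: `StaxHelper.trySet` (taking a `Consumer<String>`) and `XMLHelper.trySet` (taking an interface that throws `ParserConfigurationException`) differ only in the checked exception type and the wording of the two warning messages. A single helper in `org.apache.poi.util` whose functional interface is declared `throws Exception` would remove the duplication and keep the log texts consistent, since the catch blocks already handle `Exception` and `AbstractMethodError` identically in all three places. Whether or not it is consolidated, a Javadoc line on this method should state that a rejected feature is logged and otherwise ignored, so `isValid` may proceed on a `SchemaFactory` without secure processing when the XML implementation on the classpath is outdated.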