From 18b400485239f1041b1e38514d0cc58d6946aecb Mon Sep 17 00:00:00 2001
From: Joze RIHTARSIC <joze.rihtarsic@ext.ec.europa.eu>
Date: Thu, 22 Nov 2018 06:28:48 +0100
Subject: [PATCH] - fix 4 Vulnerabilities reported by sonar
---
 .gitignore | 3 +-
 .../conversion/ServiceMetadataConverter.java | 13 ++-
 .../data/dao/utils/SMPSchemaGenerator.java | 80 ++++++++++---------
 .../services/ui/UIServiceGroupService.java | 4 +
 .../edelivery/smp/sml/SmlClientFactory.java | 2 +-
 5 files changed, 62 insertions(+), 40 deletions(-)
diff --git a/.gitignore b/.gitignore
index d2f665c6c..072c92ae0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,4 +28,5 @@ addons/cipa-sml-migration/target/test-classes/global-truststore.jks
 addons/cipa-sml-migration/target/classes/
 addons/cipa-sml-migration/target/
 addons/cipa-sml-migration/.idea/
-.idea/
\ No newline at end of file
+.idea/
+code-coverage
\ No newline at end of file
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/ServiceMetadataConverter.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/ServiceMetadataConverter.java
index 4720ada8b..da67f4e32 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/ServiceMetadataConverter.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/ServiceMetadataConverter.java
@@ -22,6 +22,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.xml.sax.SAXException;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Unmarshaller;
@@ -29,6 +30,7 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
@@ -106,14 +108,14 @@ public class ServiceMetadataConverter {
 }
 public static String toString(Document doc) throws TransformerException, UnsupportedEncodingException {
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ Transformer transformer = createNewSecureTransformer();
 StringWriter writer = new StringWriter();
 transformer.transform(new DOMSource(doc), new StreamResult(writer));
 return writer.toString();
 }
 public static byte[] toByteArray(Document doc) throws TransformerException, UnsupportedEncodingException {
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ Transformer transformer = createNewSecureTransformer();
 ByteArrayOutputStream stream = new ByteArrayOutputStream();
 transformer.transform(new DOMSource(doc), new StreamResult(stream));
 return stream.toByteArray();
@@ -126,6 +128,13 @@ public class ServiceMetadataConverter {
 return dbf.newDocumentBuilder();
 }
+ private static Transformer createNewSecureTransformer() throws TransformerConfigurationException {
+ TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+ return factory.newTransformer();
+ }
+
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/dao/utils/SMPSchemaGenerator.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/dao/utils/SMPSchemaGenerator.java
index 038d65f02..c500ab562 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/dao/utils/SMPSchemaGenerator.java
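Review bot: `createNewSecureTransformer` only enables `FEATURE_SECURE_PROCESSING`; whether that also disables external DTD and stylesheet resolution depends on which JAXP provider `TransformerFactory.newInstance()` picks up from the classpath, so the intent should be stated explicitly with `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` after the `setFeature` call. The same applies to the `transformerFactory.setFeature` line added in the UIServiceGroupService hunk, where the input is a `StreamSource` parsed by the transformer itself rather than an already-built DOM. The new helper also has no Javadoc; a one-liner such as `/** Builds a Transformer with JAXP secure processing enabled (Sonar XXE finding); shared by toString and toByteArray so neither uses a raw factory. */` would record why the factory is no longer used directly.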
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/dao/utils/SMPSchemaGenerator.java
@@ -1,5 +1,8 @@
 package eu.europa.ec.edelivery.smp.data.dao.utils;
+import eu.europa.ec.edelivery.smp.logging.SMPLogger;
+import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
+import org.apache.commons.lang3.StringUtils;
 import org.hibernate.boot.MetadataSources;
 import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
 import org.hibernate.boot.spi.MetadataImplementor;
@@ -8,8 +11,10 @@ import org.hibernate.tool.schema.TargetType;
 import java.io.File;
 import java.io.IOException;
-import java.nio.file.Path;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.List;
 /**
 * Class generates DDL script for SMP. Purpose of script is to manually run SQL script to create database. And to
@@ -21,18 +26,19 @@ import java.util.*;
 public class SMPSchemaGenerator {
 private static String filenameTemplate = "%s-%s.ddl";
 private static String smpEntityPackageName = "eu.europa.ec.edelivery.smp.data.model";
+ private static final SMPLogger LOG = SMPLoggerFactory.getLogger(SMPSchemaGenerator.class);
 public static void main(String[] args) throws IOException, ClassNotFoundException {
- String strDialects = args[0] ; // comma separated dialects
- String strVersion = args.length>1?args[1]:""; // version
- String exportFolder = args.length>2?args[2]:""; // export folder
+ String strDialects = args[0]; // comma separated dialects
+ String strVersion = args.length > 1 ? args[1] : ""; // version
+ String exportFolder = args.length > 2 ? args[2] : ""; // export folder
 SMPSchemaGenerator sg = new SMPSchemaGenerator();
 String[] dialects = strDialects.split(",");
 // execute
- for (String dialect: dialects) {
+ for (String dialect : dialects) {
 sg.createDDLScript(exportFolder, dialect.trim(), Arrays.asList(smpEntityPackageName.split(",")), strVersion);
 }
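Review bot: `args[0]` is still read without a length check on the new side of the main hunk, so running the generator with no arguments fails with an `ArrayIndexOutOfBoundsException` instead of a usage message; since the hunk already rewrites these lines, a guard such as `if (args.length == 0) { throw new IllegalArgumentException("Usage: SMPSchemaGenerator <dialects> [version] [exportFolder]"); }` before `String strDialects = args[0];` would be cheap. The newly added `LOG` is `private static final`, but the neighbouring `filenameTemplate` and `smpEntityPackageName` remain mutable non-final statics; declaring them `private static final String` constants keeps the class consistent with the field this commit adds. The end of main falls in the collapsed trailing context of the hunk and is not visible here.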
@@ -51,10 +57,10 @@ public class SMPSchemaGenerator {
 // create export file
 String sqlVer = version;
 int idx = version.indexOf("-SNAPSHOT");
- if (idx >0) {
+ if (idx > 0) {
 sqlVer = version.substring(0, idx);
 }
- String filename = createFileName(hibernateDialect,sqlVer );
+ String filename = createFileName(hibernateDialect, sqlVer);
 String dialect = getDialect(hibernateDialect);
@@ -79,7 +85,9 @@ public class SMPSchemaGenerator {
 // create schema exporter
 SchemaExport export = new SchemaExport();
 File file = new File(exportFolder, filename);
- file.delete(); // delete if exists
+ if (file.delete()) { // delete if exists
+ LOG.info("File {} deleted!", file.getAbsolutePath());
+ } ;
 export.setOutputFile(file.getAbsolutePath());
 export.setFormat(true);
 export.setDelimiter(";");
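Review bot: the closing line of the new `file.delete()` block appears to read `} ;`, leaving a stray empty statement after the brace; it should be just `}`, which is the kind of finding this commit is meant to clear. A delete that fails for a file that does exist is still silent on the new side and the export then proceeds against the old file, so an `else if (file.exists()) { LOG.warn("Could not delete {}", file.getAbsolutePath()); }` branch would make that case visible in the log. The enclosing createDDLScript method starts and ends outside this hunk.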
@@ -93,27 +101,28 @@ public class SMPSchemaGenerator {
 /**
 * Method creates filename based on dialect and version
+ *
 * @param dialect
 * @param version
 * @return file name.
 */
- public String createFileName(String dialect, String version){
- String dbName = dialect.substring(dialect.lastIndexOf('.') + 1,dialect.lastIndexOf("Dialect") ).toLowerCase();
+ public String createFileName(String dialect, String version) {
+ String dbName = dialect.substring(dialect.lastIndexOf('.') + 1, dialect.lastIndexOf("Dialect")).toLowerCase();
 return String.format(filenameTemplate, dbName, version);
 }
 /**
 * Some dialect are customized in order to generate better SQL DDL script. Method check the dialect and returns
 * the upgrated dialect
+ *
 * @param dialect - original hibernate dialect
 * @return return the customized dialect or the dialects itself if not costumization
 */
- public String getDialect(String dialect){
- switch (dialect) {
- case "org.hibernate.dialect.MySQL5InnoDBDialect":
- return "eu.europa.ec.edelivery.smp.data.dao.utils.SMPMySQL5InnoDBDialect";
- default:
- return dialect;
+ public String getDialect(String dialect) {
+ if (!StringUtils.isBlank(dialect) && dialect.equalsIgnoreCase("org.hibernate.dialect.MySQL5InnoDBDialect")) {
+ return "eu.europa.ec.edelivery.smp.data.dao.utils.SMPMySQL5InnoDBDialect";
+ } else {
+ return dialect;
 }
 }
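Review bot: `getDialect` now matches the Hibernate dialect with `equalsIgnoreCase`, but a fully qualified class name is case-sensitive, so a value such as `org.hibernate.dialect.mysql5innodbdialect` would be silently rewritten to the SMP dialect although Hibernate could never have loaded it; plain `equals` is the faithful replacement for the removed `switch`. Writing the literal first, `if ("org.hibernate.dialect.MySQL5InnoDBDialect".equals(dialect)) {`, also gives the null-safety the `StringUtils.isBlank` guard was added for without a second check. The `else` after a `return` can then be dropped for a flat `return dialect;`.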
@@ -124,28 +133,27 @@ public class SMPSchemaGenerator {
 */
 public List<Class> getAllEntityClasses(String pckgname) throws ClassNotFoundException {
 ArrayList classes = new ArrayList();
- {
-
- // Get a File object for the package
- File directory = null;
- try {
- directory = new File(Thread.currentThread().getContextClassLoader().getResource(pckgname.replace('.', '/')).getFile());
- } catch (NullPointerException x) {
- throw new ClassNotFoundException(pckgname + " does not appear to be a valid package");
- }
- if (directory.exists()) {
- // Get the list of the files contained in the package
- String[] files = directory.list();
- for (int i = 0; i < files.length; i++) {
- if (files[i].endsWith(".class")) {
- // removes the .class extension
- classes.add(Class.forName(pckgname + '.' + files[i].substring(0, files[i].length() - 6)));
- }
+
+ // Get a File object for the package
+ File directory = null;
+ try {
+ directory = new File(Thread.currentThread().getContextClassLoader().getResource(pckgname.replace('.', '/')).getFile());
+ } catch (NullPointerException x) {
+ throw new ClassNotFoundException(pckgname + " does not appear to be a valid package");
+ }
+ if (directory.exists()) {
+ // Get the list of the files contained in the package
+ String[] files = directory.list();
+ for (int i = 0; i < files.length; i++) {
+ if (files[i].endsWith(".class")) {
+ // removes the .class extension
+ classes.add(Class.forName(pckgname + '.' + files[i].substring(0, files[i].length() - 6)));
 }
- } else { ;
- throw new ClassNotFoundException("Package: "+pckgname + " does not eixsts!");
 }
+ } else {
+ throw new ClassNotFoundException("Package: " + pckgname + " does not eixsts!");
 }
+
 return classes;
 }
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceGroupService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceGroupService.java
index beee7dafa..112ee3bfd 100644
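Review bot: the re-indented `getAllEntityClasses` still catches `NullPointerException` to detect a missing package, and `directory.list()` can return `null`, which the `files.length` loop on the new side does not guard; the `getResource(...)` result should be held in a local and tested for `null` before `new File(...)`, and `files` checked the same way, so that both failure modes surface as the `ClassNotFoundException` the method already declares. The raw `ArrayList classes = new ArrayList();` is kept unchanged although the method returns `List<Class>`; `List<Class> classes = new ArrayList<>();` removes the unchecked warning. The rewrite is more than three lines, so it is sketched below with the unchanged loop elided.
```java
public List<Class> getAllEntityClasses(String pckgname) throws ClassNotFoundException {
    List<Class> classes = new ArrayList<>();

    // Get a File object for the package; a null resource means the package is not on the classpath
    java.net.URL resource = Thread.currentThread().getContextClassLoader().getResource(pckgname.replace('.', '/'));
    if (resource == null) {
        throw new ClassNotFoundException(pckgname + " does not appear to be a valid package");
    }
    File directory = new File(resource.getFile());
    if (!directory.exists()) {
        throw new ClassNotFoundException("Package: " + pckgname + " does not eixsts!");
    }
    // Get the list of the files contained in the package; list() returns null on I/O error or non-directory
    String[] files = directory.list();
    if (files == null) {
        throw new ClassNotFoundException("Package: " + pckgname + " could not be listed!");
    }
    // … unchanged: for loop adding every *.class entry via Class.forName …
    return classes;
}
```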
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceGroupService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceGroupService.java
@@ -24,6 +24,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -608,8 +609,11 @@ public class UIServiceGroupService extends UIServiceBase<DBServiceGroup, Service
 Source xmlInput = new StreamSource(new StringReader(sgExtension.getExtension()));
 StringWriter stringWriter = new StringWriter();
 StreamResult xmlOutput = new StreamResult(stringWriter);
+
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 transformerFactory.setAttribute("indent-number", 4);
+
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.transform(xmlInput, xmlOutput);
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactory.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactory.java
index 0858322f7..5d2fd00e8 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactory.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactory.java
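Review bot: the added `transformerFactory.setFeature(...)` throws the checked `TransformerConfigurationException`, and the method enclosing this hunk starts outside it, so it cannot be seen here whether that exception is declared or caught; if the method already handles `TransformerException` from `newTransformer()` and `transform()` it is covered, since `TransformerConfigurationException` is a subclass, otherwise the signature needs updating. The call itself is opaque to a later reader, so a short comment above it, `// JAXP secure processing: restricts what the transform may load (Sonar XXE finding)`, would explain why it sits between the factory creation and the indent attribute.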
@@ -159,7 +159,7 @@ public class SmlClientFactory {
 return;
 }
- log.info("Configuring proxy for BDMSL integration client: {}:{}@{}:{}", proxyUser, "########", proxyServer, proxyPort.get());
+ log.info("Configuring proxy for BDMSL integration client: {}:{}@{}:{}", proxyUser, "########", proxyServer,proxyPort.isPresent()? proxyPort.get():"");
 httpConduit.getClient().setProxyServerType(ProxyServerType.HTTP);
 httpConduit.getClient().setProxyServer(proxyServer);
 if (proxyPort.isPresent()) {
-- GitLab
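Review bot: the reworked `log.info` argument `proxyPort.isPresent()? proxyPort.get():""` is the hand-written form of `Optional`'s own API and is also missing the spaces around `,` and `?`; `proxyPort.map(String::valueOf).orElse("")` yields the same logged value without calling `get()` and does not depend on the Optional's element type. The line keeps masking the proxy password as `########`, which is right, and the port branch below the log call is unchanged. The enclosing method starts and ends outside this hunk.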