mirrors
/
poi
espelhamento de https://github.com/apache/poi.git
Observar 1
Favorito 0
Fork 0
Código Issues 0 Versões 100 Wiki Atividade
Ver código fonte

Sonar Fixes - fix/annotate type "vulnerability" / severity "blocker" 

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1870657 13f79535-47bb-0310-9956-ffa450edef68
tags/REL_4_1_2
Andreas Beeker 4 anos atrás
pai
5f28881a35
commit
a17a9168b1
6 arquivos alterados com 59 adições e 43 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 1
    0
      src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java
  2. 1
    0
      src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
  3. 1
    0
      src/java/org/apache/poi/poifs/crypt/Decryptor.java
  4. 14
    20
      src/java/org/apache/poi/util/StaxHelper.java
  5. 25
    15
      src/java/org/apache/poi/util/XMLHelper.java
  6. 17
    8
      src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java

+ 1
- 0
src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java Ver arquivo

@@ -102,6 +102,7 @@ public final class RecordFactoryInputStream {
_lastRecord = rec;
}

@SuppressWarnings({"squid:S2068"})
public RecordInputStream createDecryptingStream(InputStream original) {
String userPassword = Biff8EncryptionKey.getCurrentUserPassword();
if (userPassword == null) {

+ 1
- 0
src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java Ver arquivo

@@ -101,6 +101,7 @@ public class CryptoFunctions {
* if false the n-1 hash value is applied first
* @return the hashed password
*/
@SuppressWarnings({"squid:S2068"})
public static byte[] hashPassword(String password, HashAlgorithm hashAlgorithm, byte[] salt, int spinCount, boolean iteratorFirst) {
// If no password was given, use the default
if (password == null) {

+ 1
- 0
src/java/org/apache/poi/poifs/crypt/Decryptor.java Ver arquivo

@@ -33,6 +33,7 @@ import org.apache.poi.poifs.filesystem.POIFSFileSystem;
import org.apache.poi.util.GenericRecordUtil;

public abstract class Decryptor implements Cloneable, GenericRecord {
@SuppressWarnings({"squid:S2068"})
public static final String DEFAULT_PASSWORD="VelvetSweatshop";
public static final String DEFAULT_POIFS_ENTRY="EncryptedPackage";

+ 14
- 20
src/java/org/apache/poi/util/StaxHelper.java Ver arquivo

@@ -17,6 +17,8 @@

package org.apache.poi.util;

import java.util.function.Consumer;

import javax.xml.stream.XMLEventFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;
@@ -28,17 +30,19 @@ import javax.xml.stream.XMLOutputFactory;
public final class StaxHelper {
private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);

private StaxHelper() {}
private StaxHelper() {
}

/**
* Creates a new StAX XMLInputFactory, with sensible defaults
*/
@SuppressWarnings({"squid:S2755"})
public static XMLInputFactory newXMLInputFactory() {
XMLInputFactory factory = XMLInputFactory.newInstance();
trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
trySet(XMLInputFactory.IS_NAMESPACE_AWARE, (n) -> factory.setProperty(n, true));
trySet(XMLInputFactory.IS_VALIDATING, (n) -> factory.setProperty(n, false));
trySet(XMLInputFactory.SUPPORT_DTD, (n) -> factory.setProperty(n, false));
trySet(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, (n) -> factory.setProperty(n, false));
return factory;
}

@@ -47,7 +51,7 @@ public final class StaxHelper {
*/
public static XMLOutputFactory newXMLOutputFactory() {
XMLOutputFactory factory = XMLOutputFactory.newInstance();
trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
trySet(XMLOutputFactory.IS_REPAIRING_NAMESPACES, (n) -> factory.setProperty(n, true));
return factory;
}

@@ -58,24 +62,14 @@ public final class StaxHelper {
// this method seems safer on Android than getFactory()
return XMLEventFactory.newInstance();
}
private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
try {
factory.setProperty(feature, flag);
} catch (Exception e) {
logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
} catch (AbstractMethodError ame) {
logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
}
}

private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) {
private static void trySet(String name, Consumer<String> securityFeature) {
try {
factory.setProperty(feature, flag);
securityFeature.accept(name);
} catch (Exception e) {
logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
logger.log(POILogger.WARN, "StAX Property unsupported", name, e);
} catch (AbstractMethodError ame) {
logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", name, ame);
}
}
}

+ 25
- 15
src/java/org/apache/poi/util/XMLHelper.java Ver arquivo

@@ -19,37 +19,47 @@ package org.apache.poi.util;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

/**
* Helper methods for working with javax.xml classes.
*/
public final class XMLHelper
{
public final class XMLHelper {
private static POILogger logger = POILogFactory.getLogger(XMLHelper.class);

@FunctionalInterface
private interface SecurityFeature {
void accept(String name) throws ParserConfigurationException;
}

/**
* Creates a new DocumentBuilderFactory, with sensible defaults
*
* @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">OWASP XXE</a>
*/
@SuppressWarnings({"squid:S2755"})
public static DocumentBuilderFactory getDocumentBuilderFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setExpandEntityReferences(false);
trySetSAXFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
trySetSAXFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
trySetSAXFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setAttribute(n, ""));
trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setAttribute(n, ""));
trySet("http://xml.org/sax/features/external-general-entities", (n) -> factory.setFeature(n, false));
trySet("http://xml.org/sax/features/external-parameter-entities", (n) -> factory.setFeature(n, false));
trySet("http://apache.org/xml/features/nonvalidating/load-external-dtd", (n) -> factory.setFeature(n, false));
trySet("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", (n) -> factory.setFeature(n, false));
trySet("http://apache.org/xml/features/disallow-doctype-decl", (n) -> factory.setFeature(n, true));
trySet("XIncludeAware", (n) -> factory.setXIncludeAware(false));
return factory;
}
private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
private static void trySet(String name, SecurityFeature feature) {
try {
documentBuilderFactory.setFeature(feature, enabled);
feature.accept(name);
} catch (Exception e) {
logger.log(POILogger.WARN, "SAX Feature unsupported", feature, e);
logger.log(POILogger.WARN, "SAX Feature unsupported", name, e);
} catch (AbstractMethodError ame) {
logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", name, ame);
}
}

}

+ 17
- 8
src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java Ver arquivo

@@ -39,10 +39,10 @@ import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

import org.apache.poi.ooxml.util.DocumentHelper;
import org.apache.poi.ooxml.util.TransformerHelper;
import org.apache.poi.ss.usermodel.CellType;
import org.apache.poi.ss.usermodel.DateUtil;
import org.apache.poi.ooxml.util.DocumentHelper;
import org.apache.poi.util.LocaleUtil;
import org.apache.poi.util.POILogFactory;
import org.apache.poi.util.POILogger;
@@ -82,6 +82,13 @@ import org.xml.sax.SAXException;
public class XSSFExportToXml implements Comparator<String>{
private static final POILogger LOG = POILogFactory.getLogger(XSSFExportToXml.class);


@FunctionalInterface
private interface SecurityFeature {
void accept(String name) throws SAXException;
}


private XSSFMap map;
private final HashMap<String, Integer> indexMap = new HashMap<>();
/**
@@ -240,11 +247,13 @@ public class XSSFExportToXml implements Comparator<String>{
* @return true, if document is valid
* @throws SAXException If validating the document fails
*/
@SuppressWarnings({"squid:S2755"})
private boolean isValid(Document xml) throws SAXException{
try {
String language = "http://www.w3.org/2001/XMLSchema";
SchemaFactory factory = SchemaFactory.newInstance(language);
trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setProperty(n,""));
trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setProperty(n,""));

Source source = new DOMSource(map.getSchema());
Schema schema = factory.newSchema(source);
@@ -537,13 +546,13 @@ public class XSSFExportToXml implements Comparator<String>{
return complexTypeNode;
}

private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) {
private static void trySet(String name, SecurityFeature securityFeature) {
try {
sf.setFeature(feature, enabled);
securityFeature.accept(name);
} catch (Exception e) {
LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e);
LOG.log(POILogger.WARN, "SchemaFactory feature unsupported", name, e);
} catch (AbstractMethodError ame) {
LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame);
LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", name, ame);
}
}
}

Escrever Pré-visualização
Carregando…
Cancelar
Salvar