From bf368d2a9cf764f22126fd59c9a3a10ab12fb4bb Mon Sep 17 00:00:00 2001
From: ToineSiebelink
Date: Mon, 29 Jun 2020 12:24:38 +0100
Subject: Fix SonarQube vulnerabilities
Added logging to handle file io boolean returns Added security related settings to xml factories and builders
Issue-ID: POLICY-2654
Change-Id: Ibc0a01f978bfc446e1dc1f8ad952d1305a7b7178
Signed-off-by: ToineSiebelink
---
 .../policy/apex/core/infrastructure/xml/XPathReader.java | 3 ++-
 .../org/onap/policy/apex/examples/bbs/WebClient.java | 4 ++++
 .../apex/model/basicmodel/handling/ApexModelWriter.java | 6 ++++++
 .../model/utilities/DirectoryDeleteShutdownHook.java | 16 ++++++++++++----
 .../onap/policy/apex/model/utilities/DirectoryUtils.java | 11 +++++++----
 .../org/onap/policy/apex/tools/common/OutputFile.java | 4 +++-
 6 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
index 53b8a7938..f20907370 100644
--- a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
+++ b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
@@ -76,7 +76,8 @@ public class XPathReader {
 LOGGER.info("Initializing XPath reader");
 DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
 df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
+ df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 // Check if this is operating on a file
 if (xmlFileName != null) {
 xmlDocument = df.newDocumentBuilder().parse(xmlFileName);
diff --git a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
index f3ea15935..e01e997fd 100644
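Review bot: The two added `setAttribute` calls stop the parser fetching external DTDs and schemas, but a DOCTYPE in the input is still accepted, so an inline DTD with entity expansion is still processed (bounded only by the limits that the existing `FEATURE_SECURE_PROCESSING` line enables). If this reader never needs DTDs, `df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to the existing `setFeature` call rejects the DOCTYPE outright, which is the stricter posture for a document read from a caller-supplied `xmlFileName`. Both `ACCESS_EXTERNAL_*` names are JAXP 1.5 properties and `DocumentBuilderFactory.setAttribute` throws `IllegalArgumentException` on an implementation that does not recognise them, so a comment such as `// JAXP 1.5 properties; assumes the JDK's built-in parser` would warn the next maintainer before they swap the parser. The enclosing method begins and ends outside the hunk.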
--- a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
+++ b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
@@ -34,6 +34,7 @@ import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -158,6 +159,9 @@ public class WebClient {
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
 transformerFactory.setAttribute("indent-number", indent);
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.ENCODING, StandardCharsets.UTF_8.name());
 transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
diff --git a/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java b/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java
index 0dab08dcb..0763492fc 100644
--- a/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java
+++ b/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java
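Review bot: The hardening in the second hunk only touches `transformerFactory`, which is used via the no-argument `newTransformer()`, i.e. an identity transform with no stylesheet, so `ACCESS_EXTERNAL_STYLESHEET` is harmless but cannot have any effect here and `ACCESS_EXTERNAL_DTD` only matters if the transformer is later fed a `StreamSource` rather than a DOM. The import hunk shows this class also uses `javax.xml.parsers.DocumentBuilderFactory`; if that factory parses data received over the connection (not visible in this diff), it is the one that needs `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` set to `""` as XPathReader gets in this commit, and without that the change does not close the parsing path for this class. `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` is also missing from the factory; it throws a checked `TransformerConfigurationException`, so check the enclosing method's signature, which starts outside the hunk.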
@@ -202,6 +202,9 @@ public class ApexModelWriter {
 // Write the concept into a DOM document, then transform to add CDATA fields and pretty
 // print, then write out the result
 final DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 final Document document = docBuilderFactory.newDocumentBuilder().newDocument();
@@ -223,6 +226,9 @@ public class ApexModelWriter {
 private Transformer getTransformer() throws TransformerConfigurationException {
 // Transform the DOM to the output stream
 final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
 final Transformer domTransformer = transformerFactory.newTransformer();
 // Pretty print
diff --git a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java
index f0fd8950f..2d96a5954 100644
--- a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java
+++ b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java
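Review bot: In the `getTransformer()` hunk the factory receives the two `ACCESS_EXTERNAL_*` attributes but not secure processing; because the method already declares `throws TransformerConfigurationException`, `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` can be added before `newTransformer()` with no signature change and turns on the implementation's resource limits for the transform, matching what the document builder in the first hunk already gets. In the first hunk `docBuilderFactory` is only ever used for `newDocument()`, so nothing is parsed through it and the new external-access attributes are defensive rather than closing a reachable path; a comment such as `// no input is parsed here; set for consistency with the readers` would stop a later reader taking them for the XXE fix of this writer. Both hunks are inside methods whose bodies continue outside the hunk.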
@@ -1,19 +1,20 @@
 /*-
 * ============LICENSE_START=======================================================
 * Copyright (C) 2018 Ericsson. All rights reserved.
+ * Modifications Copyright (C) 2020 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
- *
+ *
 * SPDX-License-Identifier: Apache-2.0
 * ============LICENSE_END=========================================================
 */
@@ -21,6 +22,8 @@ package org.onap.policy.apex.model.utilities;
 import java.io.File;
+import org.slf4j.ext.XLogger;
+import org.slf4j.ext.XLoggerFactory;
 /**
 * The Class DirectoryShutdownHook removes the contents of a directory and the directory itself at shutdown.
@@ -28,6 +31,9 @@ import java.io.File;
 * @author Liam Fallon (liam.fallon@ericsson.com)
 */
 final class DirectoryDeleteShutdownHook extends Thread {
+
+ private static final XLogger LOGGER = XLoggerFactory.getXLogger(DirectoryUtils.class);
+ // The directory we are acting on
 private final File tempDir;
@@ -48,7 +54,9 @@ final class DirectoryDeleteShutdownHook extends Thread {
 if (tempDir.exists()) {
 // Empty and delete the directory
 DirectoryUtils.emptyDirectory(tempDir);
- tempDir.delete();
+ if (!tempDir.delete()) {
+ LOGGER.warn("Failed to delete directory {}", tempDir);
+ }
 }
 }
 }
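Review bot: The new logger is bound to the wrong class: `XLoggerFactory.getXLogger(DirectoryUtils.class)` makes every warning raised by this hook show up under `DirectoryUtils` in the log, so the field should read `private static final XLogger LOGGER = XLoggerFactory.getXLogger(DirectoryDeleteShutdownHook.class);`. Separately, the delete in the last hunk runs inside a JVM shutdown hook (the class extends `Thread` and is named as one), and logging backends commonly register their own shutdown hook, so the new `LOGGER.warn` may execute after the backend has stopped and be dropped; that is acceptable for best-effort temp-directory cleanup but deserves a comment on the warn line such as `// best effort: the logging backend may already be shut down`. The method containing the delete starts outside the hunk.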
diff --git a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java
index b129ce21c..011dbb1b2 100644
--- a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java
+++ b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java
@@ -1,19 +1,20 @@
 /*
 * ============LICENSE_START=======================================================
 * Copyright (C) 2016-2018 Ericsson. All rights reserved.
+ * Modifications Copyright (C) 2020 Nordix Foundation.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
- *
+ *
 * SPDX-License-Identifier: Apache-2.0
 * ============LICENSE_END=========================================================
 */
@@ -96,7 +97,9 @@ public abstract class DirectoryUtils {
 }
 // Delete the directory entry
- directoryFile.delete();
+ if (!directoryFile.delete()) {
+ LOGGER.warn("Failed to delete directory file {}", directoryFile);
+ }
 }
 }
diff --git a/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java b/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java
index 0aa85df5d..2a20554b5 100644
--- a/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java
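Review bot: `directoryFile.delete()` reports failure as a bare `false`, so the new warning in the last hunk cannot say whether the entry was already gone, still non-empty, or not permitted, which is exactly what an operator investigating leftover temp directories needs; `Files.delete(directoryFile.toPath())` throws a specific `IOException` (`NoSuchFileException`, `DirectoryNotEmptyException`, `AccessDeniedException`) that can be attached to the log call. The same applies to the `tempDir.delete()` check in the DirectoryDeleteShutdownHook hunk of this commit. The enclosing method starts outside the hunk, and the change needs `java.io.IOException` and `java.nio.file.Files` imported, which this hunk does not show.
```java
// … unchanged: emptying of the directory contents …
// Delete the directory entry
try {
    Files.delete(directoryFile.toPath());
} catch (final IOException e) {
    LOGGER.warn("Failed to delete directory file {}", directoryFile, e);
}
```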
+++ b/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java
@@ -122,7 +122,9 @@ public class OutputFile {
 }
 } else {
 try {
- file.createNewFile();
+ if (file.createNewFile()) {
+ LOGGER.trace("Created output file {}", file.getName());
+ }
 } catch (final IOException e) {
 String message = "could not create output file: " + e.getMessage();
 LOGGER.warn(message, e);
--
cgit 1.2.3-korg
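Review bot: `createNewFile()` returns `false` exactly when the file already exists, and since this call sits in the `else` arm of what looks like an existence check (the condition itself is outside the hunk), a `false` here means the file appeared between that check and the create; the new code logs only the success path and stays silent on that case. Adding `} else { LOGGER.warn("Output file {} already exists", file.getName()); }` after the trace branch makes the race visible instead of letting the tool continue as if it had created the file. `createNewFile()` itself is the right primitive here, since it creates atomically rather than following an exists-then-write sequence, so the change is sound apart from the missing branch. The enclosing method starts and ends outside the hunk.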