From ilgro...@apache.org
Subject [1/3] syncope git commit: Ensuring all XML input processing is safe - disable DTD and external entities
Date Thu, 25 Oct 2018 11:07:24 GMT
Repository: syncope
Updated Branches:
  refs/heads/2_0_X 7915c896f -> 979c28abf
  refs/heads/2_1_X e55941787 -> a0f35f45f
  refs/heads/master 6d285b201 -> bdb6a180d


Ensuring all XML input processing is safe - disable DTD and external entities


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/979c28ab
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/979c28ab
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/979c28ab

Branch: refs/heads/2_0_X
Commit: 979c28abf2587c73b57d20e4b892410fdd336f06
Parents: 7915c89
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Thu Oct 25 12:57:02 2018 +0200
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Thu Oct 25 12:57:02 2018 +0200

----------------------------------------------------------------------
 .../syncope/client/cli/commands/migrate/MigrateConf.java    | 9 +++++++--
 .../widgets/reconciliation/ReconciliationReportParser.java  | 9 +++++++--
 .../syncope/core/workflow/activiti/ActivitiDeployUtils.java | 9 ++++++++-
 .../activiti/spring/DomainProcessEngineFactoryBean.java     | 1 +
 .../syncope/core/workflow/flowable/FlowableDeployUtils.java | 9 ++++++++-
 .../flowable/spring/DomainProcessEngineFactoryBean.java     | 1 +
 6 files changed, 32 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
----------------------------------------------------------------------
diff --git a/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
b/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
index 8b4884d..ec88457 100644
--- a/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
+++ b/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
@@ -53,12 +53,17 @@ public class MigrateConf {
 
     private static final String HELP_MESSAGE = "migrate --conf {SRC} {DST}";
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
 
     private static final XMLOutputFactory OUTPUT_FACTORY = XMLOutputFactory.newInstance();
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     private final MigrateResultManager migrateResultManager = new MigrateResultManager();
 
     private final Input input;
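Review bot: The new static initializer carries no comment saying why the two properties are being forced off, and the same four-line block is repeated verbatim in ReconciliationReportParser, ActivitiDeployUtils and FlowableDeployUtils. A one-line comment above the block such as `// XXE hardening: no DTD processing and no external entity resolution on untrusted XML input`, and ideally a single shared factory helper in a common module that all four classes call, would keep the intent visible and stop the settings drifting apart between copies. With SUPPORT_DTD off, input files that carry a DOCTYPE or rely on entity expansion may be rejected or reported differently depending on which StAX implementation `XMLInputFactory.newInstance()` resolves at runtime, so the migration tool's accepted input narrows slightly and that is worth a word in the CLI help or docs.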
@@ -144,7 +149,7 @@ public class MigrateConf {
         reporter.writeStartElement("dataset");
 
         InputStream inputStream = Files.newInputStream(Paths.get(src));
-        XMLStreamReader reader = INPUT_FACTORY.createXMLStreamReader(inputStream);
+        XMLStreamReader reader = XML_INPUT_FACTORY.createXMLStreamReader(inputStream);
         reader.nextTag(); // root
         reader.nextTag(); // dataset
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
index b73b4ba..812e5c1 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
@@ -33,10 +33,15 @@ import org.apache.syncope.common.lib.types.AnyTypeKind;
 
 public final class ReconciliationReportParser {
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
 
     public static ReconciliationReport parse(final Date run, final InputStream in) throws
XMLStreamException {
-        XMLStreamReader streamReader = INPUT_FACTORY.createXMLStreamReader(in);
+        XMLStreamReader streamReader = XML_INPUT_FACTORY.createXMLStreamReader(in);
         streamReader.nextTag(); // root
         streamReader.nextTag(); // report
         streamReader.nextTag(); // reportlet

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
index 6022f85..ef542d7 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
@@ -41,6 +41,13 @@ public final class ActivitiDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition)
{
 
@@ -58,7 +65,7 @@ public final class ActivitiDeployUtils {
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();
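Review bot: Replacing the per-call `XMLInputFactory.newInstance()` with the shared static XML_INPUT_FACTORY makes the factory's thread-safety relevant here where it was not before; the same substitution is made in the FlowableDeployUtils hunk. The XMLInputFactory contract does not promise that createXMLStreamReader can be called concurrently, and as far as I recall the JDK's built-in implementation by default hands back a cached reader instance across calls (controlled by its "reuse-instance" property), so if definition deployment can run on several threads at once it is worth either confirming the implementation actually in use is safe or disabling that reuse in the static block. The enclosing method starts before this hunk, so I cannot tell from here whether callers already serialize deployments.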

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
index cf112bd..bc71ac0 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
@@ -73,6 +73,7 @@ public class DomainProcessEngineFactoryBean
                     if (conf.getExpressionManager() == null) {
                         conf.setExpressionManager(new SpringExpressionManager(ctx, conf.getBeans()));
                     }
+                    conf.setEnableSafeBpmnXml(true);
 
                     engines.put(domain, conf.buildProcessEngine());
                 }
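Review bot: `conf.setEnableSafeBpmnXml(true);` is the only hardening point for the engine's own BPMN parsing and has no comment linking it to the XML_INPUT_FACTORY changes elsewhere in this commit; a short `// parse BPMN with DTD/external entities disabled (XXE); the StAX side is hardened in ActivitiDeployUtils` would tell a maintainer that both paths must stay hardened together. The same line is added in the Flowable DomainProcessEngineFactoryBean. The enclosing block starts outside this hunk, so if a process engine configuration can also reach `buildProcessEngine()` on another path (for example one injected rather than created here), that path would still need the flag set.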

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
----------------------------------------------------------------------
diff --git a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
index 080332e..7013e31 100644
--- a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
+++ b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
@@ -41,6 +41,13 @@ public final class FlowableDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition)
{
 
@@ -58,7 +65,7 @@ public final class FlowableDeployUtils {
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
----------------------------------------------------------------------
diff --git a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
index 620d6b9..4ab1dd8 100644
--- a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
+++ b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
@@ -73,6 +73,7 @@ public class DomainProcessEngineFactoryBean
                     if (conf.getExpressionManager() == null) {
                         conf.setExpressionManager(new SpringExpressionManager(ctx, conf.getBeans()));
                     }
+                    conf.setEnableSafeBpmnXml(true);
 
                     engines.put(domain, conf.buildProcessEngine());
                 }

