ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [ws-wss4j] branch 2_4_x-fixes updated: Catching some NumberFormatExceptions
Date Thu, 13 May 2021 09:11:52 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2_4_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git


The following commit(s) were added to refs/heads/2_4_x-fixes by this push:
     new f83fc56  Catching some NumberFormatExceptions
f83fc56 is described below

commit f83fc566cfbefdcd45801bf5a5cdfc19b885f3d6
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Thu May 13 10:03:01 2021 +0100

    Catching some NumberFormatExceptions
---
 .../wss4j/dom/message/token/DerivedKeyToken.java   | 70 +++++++++++++++-------
 .../wss4j/dom/message/token/UsernameToken.java     | 51 +++++++++-------
 2 files changed, 76 insertions(+), 45 deletions(-)

diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java
index 356983a..9fe5cd2 100755
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/DerivedKeyToken.java
@@ -67,6 +67,9 @@ public class DerivedKeyToken {
     private Element elementLength;
     private Element elementLabel;
     private Element elementNonce;
+    private int length = 32;
+    private int offset = 0;
+    private int generation = -1;
 
     private String ns;
 
@@ -149,6 +152,45 @@ public class DerivedKeyToken {
             XMLUtils.getDirectChildElement(
                 element, ConversationConstants.NONCE_LN, ns
             );
+
+        if (elementLength != null) {
+            Text text = getFirstNode(elementLength);
+            if (text != null) {
+                try {
+                    length = Integer.parseInt(text.getData());
+                } catch (NumberFormatException ex) {
+                    throw new WSSecurityException(
+                            WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+                    );
+                }
+            }
+        }
+
+        if (elementOffset != null) {
+            Text text = getFirstNode(elementOffset);
+            if (text != null) {
+                try {
+                    offset = Integer.parseInt(text.getData());
+                } catch (NumberFormatException ex) {
+                    throw new WSSecurityException(
+                            WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+                    );
+                }
+            }
+        }
+
+        if (elementGeneration != null) {
+            Text text = getFirstNode(elementGeneration);
+            if (text != null) {
+                try {
+                    generation = Integer.parseInt(text.getData());
+                } catch (NumberFormatException ex) {
+                    throw new WSSecurityException(
+                            WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+                    );
+                }
+            }
+        }
     }
 
     /**
@@ -297,16 +339,11 @@ public class DerivedKeyToken {
             element.getOwnerDocument().createTextNode(Long.toString(length))
         );
         element.appendChild(elementLength);
+        this.length = length;
     }
 
     public int getLength() {
-        if (elementLength != null) {
-            Text text = getFirstNode(elementLength);
-            if (text != null) {
-                return Integer.parseInt(text.getData());
-            }
-        }
-        return 32;
+        return length;
     }
 
     /**
@@ -328,17 +365,11 @@ public class DerivedKeyToken {
         } else {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "offsetError");
         }
-
+        this.offset = offset;
     }
 
     public int getOffset() {
-        if (elementOffset != null) {
-            Text text = getFirstNode(elementOffset);
-            if (text != null) {
-                return Integer.parseInt(text.getData());
-            }
-        }
-        return 0;
+        return offset;
     }
 
     /**
@@ -360,16 +391,11 @@ public class DerivedKeyToken {
         } else {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "offsetError");
         }
+        this.generation = generation;
     }
 
     public int getGeneration() {
-        if (elementGeneration != null) {
-            Text text = getFirstNode(elementGeneration);
-            if (text != null) {
-                return Integer.parseInt(text.getData());
-            }
-        }
-        return -1;
+        return generation;
     }
 
     /**
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
index b8b2bf7..73929c5 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
@@ -70,6 +70,7 @@ public class UsernameToken {
     private Element elementCreated;
     private Element elementSalt;
     private Element elementIteration;
+    private int iteration = DEFAULT_ITERATION;
     private String passwordType;
     private boolean hashed = true;
     private boolean passwordsAreEncoded;
@@ -131,36 +132,37 @@ public class UsernameToken {
                 new Object[] {"Username is missing"}
             );
         }
-
         checkBSPCompliance(bspEnforcer);
-
         hashed = false;
-        if (elementSalt != null) {
+        if (elementSalt != null && (elementPassword != null || elementIteration ==
null)) {
             //
             // If the UsernameToken is to be used for key derivation, the (1.1)
             // spec says that it cannot contain a password, and it must contain
             // an Iteration element
             //
-            if (elementPassword != null || elementIteration == null) {
-                throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
-                    "badUsernameToken",
-                    new Object[] {"Password is missing"}
-                );
-            }
-            return;
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
+                "badUsernameToken",
+                new Object[] {"Password is missing"}
+            );
         }
 
         // Guard against a malicious user sending a bogus iteration value
         if (elementIteration != null) {
             String iter = XMLUtils.getElementText(elementIteration);
             if (iter != null) {
-                int iterInt = Integer.parseInt(iter);
-                if (iterInt < 0 || iterInt > 10000) {
+                try {
+                    iteration = Integer.parseInt(iter);
+                    if (iteration < 0 || iteration > 10000) {
+                        throw new WSSecurityException(
+                            WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
+                            "badUsernameToken",
+                            new Object[] {"Iteration is missing"}
+                        );
+                    }
+                } catch (NumberFormatException ex) {
                     throw new WSSecurityException(
-                        WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
-                        "badUsernameToken",
-                        new Object[] {"Iteration is missing"}
+                            WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
                     );
                 }
             }
@@ -352,6 +354,7 @@ public class UsernameToken {
         XMLUtils.setNamespace(element, WSConstants.WSSE11_NS, WSConstants.WSSE11_PREFIX);
         elementIteration.appendChild(doc.createTextNode(text));
         element.appendChild(elementIteration);
+        this.iteration = iteration;
     }
 
     /**
@@ -446,11 +449,7 @@ public class UsernameToken {
      *         is returned.
      */
     public int getIteration() {
-        String iter = XMLUtils.getElementText(elementIteration);
-        if (iter != null) {
-            return Integer.parseInt(iter);
-        }
-        return DEFAULT_ITERATION;
+        return iteration;
     }
 
     /**
@@ -596,8 +595,14 @@ public class UsernameToken {
             bspEnforcer.handleBSPRule(BSPRule.R4218);
         } else {
             String iter = XMLUtils.getElementText(elementIteration);
-            if (iter == null || Integer.parseInt(iter) < 1000) {
-                bspEnforcer.handleBSPRule(BSPRule.R4218);
+            try {
+                if (iter == null || Integer.parseInt(iter) < 1000) {
+                    bspEnforcer.handleBSPRule(BSPRule.R4218);
+                }
+            } catch (NumberFormatException ex) {
+                throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.FAILURE, ex, "decoding.general"
+                );
             }
         }
 

Mime
View raw message