Merge pull request #1165 from rasika/fix-1624

Adding additional validations to improve stability of the product
revert-70aa11f8
Rasika Perera 7 years ago committed by GitHub
commit 6c2f4e3c8d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -124,8 +124,9 @@ public class Utils {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new APIMCertificateMGTException("Error occurred while parsing file, while converting " + throw new APIMCertificateMGTException("Error occurred while parsing file, while converting " +

@ -79,6 +79,7 @@ public class APIMConfigReader {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);

@ -35,6 +35,7 @@ public class WebappPublisherUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);

@ -38,7 +38,7 @@ public final class CertificateManagementConstants {
public static final String RSA_PRIVATE_KEY_BEGIN_TEXT = "-----BEGIN RSA PRIVATE KEY-----\n"; public static final String RSA_PRIVATE_KEY_BEGIN_TEXT = "-----BEGIN RSA PRIVATE KEY-----\n";
public static final String RSA_PRIVATE_KEY_END_TEXT = "-----END RSA PRIVATE KEY-----"; public static final String RSA_PRIVATE_KEY_END_TEXT = "-----END RSA PRIVATE KEY-----";
public static final String EMPTY_TEXT = ""; public static final String EMPTY_TEXT = "";
public static final int RSA_KEY_LENGTH = 1024; public static final int RSA_KEY_LENGTH = 2048;
public static final class DataBaseTypes { public static final class DataBaseTypes {
private DataBaseTypes() { private DataBaseTypes() {

@ -47,8 +47,9 @@ public class CertificateManagerUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new CertificateManagementException("Error occurred while parsing file, while converting " + throw new CertificateManagementException("Error occurred while parsing file, while converting " +

@ -36,6 +36,7 @@ public class DeviceTypeConfigUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);

@ -36,8 +36,9 @@ public class DataPublisherUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new DataPublisherConfigurationException("Error occurred while parsing file, while converting " + throw new DataPublisherConfigurationException("Error occurred while parsing file, while converting " +

@ -31,6 +31,9 @@ import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException; import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller; import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller; import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader; import java.io.StringReader;
import java.io.StringWriter; import java.io.StringWriter;
import java.nio.charset.Charset; import java.nio.charset.Charset;
@ -80,14 +83,19 @@ public class PlatformConfigurationManagementServiceImpl
try { try {
resource = ConfigurationManagerUtil.getRegistryResource(resourcePath); resource = ConfigurationManagerUtil.getRegistryResource(resourcePath);
if(resource != null){ if(resource != null){
JAXBContext context = JAXBContext.newInstance(PlatformConfiguration.class); XMLInputFactory factory = XMLInputFactory.newFactory();
Unmarshaller unmarshaller = context.createUnmarshaller(); factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
return (PlatformConfiguration) unmarshaller.unmarshal( factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
XMLStreamReader reader = factory.createXMLStreamReader(
new StringReader(new String((byte[]) resource.getContent(), Charset new StringReader(new String((byte[]) resource.getContent(), Charset
.forName(ConfigurationManagerConstants.CharSets.CHARSET_UTF8)))); .forName(ConfigurationManagerConstants.CharSets.CHARSET_UTF8))));
JAXBContext context = JAXBContext.newInstance(PlatformConfiguration.class);
Unmarshaller unmarshaller = context.createUnmarshaller();
return (PlatformConfiguration) unmarshaller.unmarshal(reader);
} }
return new PlatformConfiguration(); return new PlatformConfiguration();
} catch (JAXBException e) { } catch (JAXBException | XMLStreamException e) {
throw new ConfigurationManagementException( throw new ConfigurationManagementException(
"Error occurred while parsing the Tenant configuration : " + e.getMessage(), e); "Error occurred while parsing the Tenant configuration : " + e.getMessage(), e);
} catch (RegistryException e) { } catch (RegistryException e) {

@ -120,8 +120,9 @@ public class PermissionUtils {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new PermissionManagementException("Error occurred while parsing file, while converting " + throw new PermissionManagementException("Error occurred while parsing file, while converting " +

@ -83,8 +83,9 @@ public final class DeviceManagerUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new DeviceManagementException("Error occurred while parsing file, while converting " + throw new DeviceManagementException("Error occurred while parsing file, while converting " +

@ -167,6 +167,7 @@
javax.sql, javax.sql,
javax.xml, javax.xml,
javax.xml.bind.annotation, javax.xml.bind.annotation,
javax.xml.stream,
javax.xml.parsers;resolution:=optional, javax.xml.parsers;resolution:=optional,
org.apache.commons.lang, org.apache.commons.lang,
org.osgi.service.component, org.osgi.service.component,

@ -50,6 +50,9 @@ import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException; import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller; import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller; import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.File; import java.io.File;
import java.io.StringReader; import java.io.StringReader;
import java.io.StringWriter; import java.io.StringWriter;
@ -235,11 +238,16 @@ public class DeviceTypeManager implements DeviceManager {
try { try {
resource = DeviceTypeUtils.getRegistryResource(deviceType); resource = DeviceTypeUtils.getRegistryResource(deviceType);
if (resource != null) { if (resource != null) {
XMLInputFactory factory = XMLInputFactory.newFactory();
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
XMLStreamReader reader = factory.createXMLStreamReader(
new StringReader(new String((byte[]) resource.getContent(), Charset
.forName(DeviceTypePluginConstants.CHARSET_UTF8))));
JAXBContext context = JAXBContext.newInstance(PlatformConfiguration.class); JAXBContext context = JAXBContext.newInstance(PlatformConfiguration.class);
Unmarshaller unmarshaller = context.createUnmarshaller(); Unmarshaller unmarshaller = context.createUnmarshaller();
return (PlatformConfiguration) unmarshaller.unmarshal( return (PlatformConfiguration) unmarshaller.unmarshal(reader);
new StringReader(new String((byte[]) resource.getContent(), Charset.
forName(DeviceTypePluginConstants.CHARSET_UTF8))));
} else if (defaultPlatformConfiguration != null) { } else if (defaultPlatformConfiguration != null) {
return defaultPlatformConfiguration; return defaultPlatformConfiguration;
} }
@ -247,7 +255,7 @@ public class DeviceTypeManager implements DeviceManager {
} catch (DeviceTypeMgtPluginException e) { } catch (DeviceTypeMgtPluginException e) {
throw new DeviceManagementException( throw new DeviceManagementException(
"Error occurred while retrieving the Registry instance : " + e.getMessage(), e); "Error occurred while retrieving the Registry instance : " + e.getMessage(), e);
} catch (JAXBException e) { } catch (JAXBException | XMLStreamException e) {
throw new DeviceManagementException( throw new DeviceManagementException(
"Error occurred while parsing the " + deviceType + " configuration : " + e.getMessage(), e); "Error occurred while parsing the " + deviceType + " configuration : " + e.getMessage(), e);
} catch (RegistryException e) { } catch (RegistryException e) {

@ -141,6 +141,7 @@ public class DeviceTypeUtils {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);

@ -87,7 +87,7 @@ public class Utils {
throws DeviceTypeConfigurationException, ParserConfigurationException, IOException, SAXException { throws DeviceTypeConfigurationException, ParserConfigurationException, IOException, SAXException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);

@ -31,8 +31,9 @@ public class EmailSenderUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new EmailSenderConfigurationFailedException("Error occurred while parsing file, while converting " + throw new EmailSenderConfigurationFailedException("Error occurred while parsing file, while converting " +

@ -62,8 +62,9 @@ public class PolicyManagerUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new PolicyManagementException("Error occurred while parsing file, while converting " + throw new PolicyManagementException("Error occurred while parsing file, while converting " +

@ -55,8 +55,9 @@ public class AuthenticationFrameworkUtil {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
DocumentBuilder docBuilder = factory.newDocumentBuilder(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
throw new AuthenticatorFrameworkException("Error occurred while parsing file, while converting " + throw new AuthenticatorFrameworkException("Error occurred while parsing file, while converting " +

Loading…
Cancel
Save