From 0fb5a577b87681931b148aed7c8dbefe8975f666 Mon Sep 17 00:00:00 2001 From: Maninda Date: Thu, 5 Jan 2017 11:47:09 +0530 Subject: [PATCH 1/3] Fixed some issues found in FindBugs security analysis. --- .../extension/api/filter/ApiPermissionFilter.java | 2 +- .../mgt/jaxrs/api/common/GsonMessageBodyHandler.java | 6 +----- .../mgt/cert/jaxrs/api/common/GsonMessageBodyHandler.java | 6 +----- .../device/mgt/jaxrs/common/GsonMessageBodyHandler.java | 6 +----- .../carbon/device/mgt/common/device/details/DeviceInfo.java | 2 +- .../device/mgt/common/device/details/DeviceLocation.java | 2 +- 6 files changed, 6 insertions(+), 18 deletions(-) diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java index bc7dab7053..9c1dfac4bd 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java @@ -119,7 +119,7 @@ public class ApiPermissionFilter implements Filter { .getThreadLocalCarbonContext().getTenantId()); return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action); } catch (UserStoreException e) { - String errorMsg = String.format("Unable to authorize the user : %s", username, e); + String errorMsg = String.format("Unable to authorize the user : %s", username); log.error(errorMsg, e); return false; } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.api/src/main/java/org/wso2/carbon/certificate/mgt/jaxrs/api/common/GsonMessageBodyHandler.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.api/src/main/java/org/wso2/carbon/certificate/mgt/jaxrs/api/common/GsonMessageBodyHandler.java index 9cd6c3190a..91b3283e68 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.api/src/main/java/org/wso2/carbon/certificate/mgt/jaxrs/api/common/GsonMessageBodyHandler.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.api/src/main/java/org/wso2/carbon/certificate/mgt/jaxrs/api/common/GsonMessageBodyHandler.java @@ -83,11 +83,7 @@ public class GsonMessageBodyHandler implements MessageBodyWriter, Messag OutputStreamWriter writer = new OutputStreamWriter(entityStream, UTF_8); try { - Type jsonType = null; - if (type.equals(type)) { - jsonType = type; - } - getGson().toJson(object, jsonType, writer); + getGson().toJson(object, type, writer); } finally { writer.close(); } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/common/GsonMessageBodyHandler.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/common/GsonMessageBodyHandler.java index 6abb296c17..7ca13eb59f 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/common/GsonMessageBodyHandler.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/common/GsonMessageBodyHandler.java @@ -83,11 +83,7 @@ public class GsonMessageBodyHandler implements MessageBodyWriter, Messag OutputStreamWriter writer = new OutputStreamWriter(entityStream, UTF_8); try { - Type jsonType = null; - if (type.equals(type)) { - jsonType = type; - } - getGson().toJson(object, jsonType, writer); + getGson().toJson(object, type, writer); } finally { writer.close(); } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/common/GsonMessageBodyHandler.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/common/GsonMessageBodyHandler.java index f069edee75..a25fb84833 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/common/GsonMessageBodyHandler.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/common/GsonMessageBodyHandler.java @@ -83,11 +83,7 @@ public class GsonMessageBodyHandler implements MessageBodyWriter, Messag OutputStreamWriter writer = new OutputStreamWriter(entityStream, UTF_8); try { - Type jsonType = null; - if (type.equals(type)) { - jsonType = type; - } - getGson().toJson(object, jsonType, writer); + getGson().toJson(object, type, writer); } finally { writer.close(); } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceInfo.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceInfo.java index 343add988e..b7f5a5b14c 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceInfo.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceInfo.java @@ -370,7 +370,7 @@ public class DeviceInfo implements Serializable { } public Date getUpdatedTime() { - if(updatedTime.equals(null)){ + if(updatedTime == null){ updatedTime = new Date(); } return updatedTime; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceLocation.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceLocation.java index 5223b0f047..f1107091b0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceLocation.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/device/details/DeviceLocation.java @@ -137,7 +137,7 @@ public class DeviceLocation implements Serializable { } public Date getUpdatedTime() { - if(updatedTime.equals(null)){ + if(updatedTime == null ){ updatedTime = new Date(); } return updatedTime; From 00a5a07373773ee1443b40bfaf1c98b0334313e1 Mon Sep 17 00:00:00 2001 From: Maninda Date: Thu, 5 Jan 2017 14:28:30 +0530 Subject: [PATCH 2/3] Fixed some security issues found after running FindBugs security scan. --- .../mgt/common/push/notification/NotificationContext.java | 4 ++++ .../framework/authenticator/JWTAuthenticator.java | 3 +++ 2 files changed, 7 insertions(+) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/push/notification/NotificationContext.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/push/notification/NotificationContext.java index 546e4fcf29..617525c579 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/push/notification/NotificationContext.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/push/notification/NotificationContext.java @@ -48,6 +48,10 @@ public class NotificationContext { return properties; } + public void setProperties(Map propertiesMap) { + properties = propertiesMap; + } + public Operation getOperation() { return operation; } diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java index 9184682d3a..b269f7c285 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java @@ -90,6 +90,9 @@ public class JWTAuthenticator implements WebappAuthenticator { if (requestUri == null || "".equals(requestUri)) { authenticationInfo.setStatus(Status.CONTINUE); } + if (requestUri == null) { + requestUri = ""; + } StringTokenizer tokenizer = new StringTokenizer(requestUri, "/"); String context = tokenizer.nextToken(); if (context == null || "".equals(context)) { From 0a6ef8daf7bfba026d8866826eee6bd7ac86786f Mon Sep 17 00:00:00 2001 From: Maninda Date: Thu, 5 Jan 2017 14:51:13 +0530 Subject: [PATCH 3/3] Added some security fixes for issues reported by FindBugs --- .../pom.xml | 1 + .../device/type/deployer/util/DeviceTypeConfigUtil.java | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/pom.xml b/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/pom.xml index df0314173c..b50459eb15 100644 --- a/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/pom.xml +++ b/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/pom.xml @@ -91,6 +91,7 @@ javax.naming, javax.sql, + javax.xml, javax.xml.bind, javax.xml.bind.annotation, javax.xml.parsers; version="${javax.xml.parsers.import.pkg.version}", diff --git a/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/src/main/java/org/wso2/carbon/device/mgt/extensions/device/type/deployer/util/DeviceTypeConfigUtil.java b/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/src/main/java/org/wso2/carbon/device/mgt/extensions/device/type/deployer/util/DeviceTypeConfigUtil.java index bdf3bd861e..495a72b48d 100644 --- a/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/src/main/java/org/wso2/carbon/device/mgt/extensions/device/type/deployer/util/DeviceTypeConfigUtil.java +++ b/components/device-mgt-extensions/org.wso2.carbon.device.mgt.extensions.device.type.deployer/src/main/java/org/wso2/carbon/device/mgt/extensions/device/type/deployer/util/DeviceTypeConfigUtil.java @@ -21,8 +21,10 @@ package org.wso2.carbon.device.mgt.extensions.device.type.deployer.util; import org.w3c.dom.Document; import org.wso2.carbon.device.mgt.extensions.device.type.deployer.config.exception.DeviceTypeConfigurationException; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; import java.io.File; /** @@ -34,8 +36,12 @@ public class DeviceTypeConfigUtil { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); try { + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); DocumentBuilder docBuilder = factory.newDocumentBuilder(); return docBuilder.parse(file); + } catch (ParserConfigurationException e) { + e.printStackTrace(); + return null; } catch (Exception e) { throw new DeviceTypeConfigurationException("Error occurred while parsing file, while converting " + "to a org.w3c.dom.Document", e);