Fix importer vulnerability #4240
Conversation
Fixed issue JabRef#4229 where importer was vulnerable to XXE attacks by disabling DTDs along with adding warning to logger if features are unavailable. fixes JabRef#4229
|
Thanks for your contribution |
| /** | ||
| * Importer for the MS Office 2007 XML bibliography format | ||
| * By S. M. Mahbub Murshed | ||
| * By S. M. Mahbub Murshed & Nicholas S. Weatherley |
There was a problem hiding this comment.
Pleas remove this author comment completely as we handle author credits via our authors-file
| private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) { | ||
| String FEATURE = null; | ||
| try { | ||
| FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; |
There was a problem hiding this comment.
Just some minor improvemtns: I would suggest extracting both urls to two separate variables and make them private static final as constants.
| dBuild.setExpandEntityReferences(false); | ||
|
|
||
| } catch (ParserConfigurationException e) { | ||
| LOGGER.warn("Builder not fully configured. ParserConfigurationException was thrown. Feature:'" + |
There was a problem hiding this comment.
slf4j has the nice advantage that it supports variables via curly braces:
https://www.slf4j.org/faq.html#logging_performance
There was a problem hiding this comment.
and please add the exception as a parameter so that the root cause is also logged. (then probably the part "ParserConfigurationException was thrown." is no longer necessary).
Siedlerchr
added
the
status: ready-for-review
CHANGELOG.md
Outdated
| @@ -60,7 +60,8 @@ We refer to [GitHub issues](https://github.com/JabRef/jabref/issues) by using `# | |||
| - We fixed an issue where the "Convert to BibTeX-Cleanup" moved the content of the `file` field to the `pdf` field [#4120](https://github.com/JabRef/jabref/issues/4120) | |||
| - We fixed an issue where the preview pane in entry preview in preferences wasn't showing the citation style selected [#3849](https://github.com/JabRef/jabref/issues/3849) | |||
| - We fixed an issue where the default entry preview style still contained the field `review`. The field `review` in the style is now replaced with comment to be consistent with the entry editor [#4098](https://github.com/JabRef/jabref/issues/4098) | |||
| - We fixed an issue where filles added via the "Attach file" contextmenu of an entry were not made relative. [#4201](https://github.com/JabRef/jabref/issues/4201) | |||
| - We an issue where users were vulnerable to XXE attacks during parsing [#4229](https://github.com/JabRef/jabref/issues/4229) | |||
| * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given | ||
| */ | ||
| private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) { | ||
| String FEATURE = null; |
There was a problem hiding this comment.
We have the convention that only static (constant) values are all capitals. Thus, please change the name to feature.
| dBuild.setExpandEntityReferences(false); | ||
|
|
||
| } catch (ParserConfigurationException e) { | ||
| LOGGER.warn("Builder not fully configured. ParserConfigurationException was thrown. Feature:'" + |
There was a problem hiding this comment.
and please add the exception as a parameter so that the root cause is also logged. (then probably the part "ParserConfigurationException was thrown." is no longer necessary).
Removed author line in class comment. Reworded CHANGLOG.md. Set DTD features to individual final static constants. Optimized logger by parameterizing feature and error.
…into fix-for-issue-4229
|
Thanks for the feedback. Yes, I agree with all of the fixes. Sorry about the two commits back to back. The first one stated it did not go through on my end as I needed to update HEAD. Also, I am not sure why I am failing both tests. the CI test seems to be related to GUI errors while the Codacy fail is from the extra space before importing items from slf4j. |
|
The Travis CI log raises a check style issue, so just some code formatting and the wrong import order. Although it might seem annoying, but it serves the purpose to have consistent code style and to avoid unnecessary conflicts between files Both for intellij and Eclipse we provide the correct code format layout. In Eclipse hit ctrl + f to format and ctrl + o for the import order fix |
|
No I agree. The project should be uniform in import and code style as it would look a mess without. Pushed the changes. |
Fixed issue where importer was vulnerable to XXE attacks by
disabling DTDs. If feature is unavailable, warning is sent to logger and returns builderFactory at current state. Used #4229