utils: use safer parsing utility across codebase by yadvr · Pull Request #6562 · apache/cloudstack

yadvr · 2022-07-21T11:39:01Z

This addresses SonarQube/SonarCloud quality checks to use safer xml parser.

https://sonarcloud.io/organizations/apache/rules?open=java%3AS2755&rule_key=java%3AS2755

Types of changes

Breaking change (fix or feature that would cause existing functionality to change)
New feature (non-breaking change which adds functionality)
Bug fix (non-breaking change which fixes an issue)
Enhancement (improves an existing feature and functionality)
Cleanup (Code refactoring and cleanup, that may add test cases)

This addresses SonarQube/SonarCloud quality checks to use safer xml parser to resist potential XXE attacks. https://sonarcloud.io/organizations/apache/rules?open=java%3AS2755&rule_key=java%3AS2755 Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

yadvr · 2022-07-21T11:56:25Z

@blueorangutan package

blueorangutan · 2022-07-21T11:57:03Z

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan · 2022-07-21T12:33:09Z

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 3808

sonarqubecloud · 2022-07-21T12:51:31Z

Please retry analysis of this Pull-Request directly on SonarCloud.

yadvr · 2022-07-21T14:58:33Z

@blueorangutan test matrix

blueorangutan · 2022-07-21T14:59:03Z

@rohityadavcloud a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware65, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests

blueorangutan · 2022-07-22T01:36:04Z

Trillian test result (tid-4528)
Environment: xenserver-71 (x2), Advanced Networking with Mgmt server 7
Total time taken: 36964 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6562-t4528-xenserver-71.zip
Smoke tests completed. 100 look OK, 0 have errors
Only failed tests results shown below:

Test	Result	Time (s)	Test File

blueorangutan · 2022-07-22T02:09:54Z

Trillian test result (tid-4529)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 38933 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6562-t4529-kvm-centos7.zip
Smoke tests completed. 99 look OK, 1 have errors
Only failed tests results shown below:

Test	Result	Time (s)	Test File
test_08_upgrade_kubernetes_ha_cluster	`Failure`	859.77	test_kubernetes_clusters.py

blueorangutan · 2022-07-22T02:58:12Z

Trillian test result (tid-4530)
Environment: vmware-65u2 (x2), Advanced Networking with Mgmt server 7
Total time taken: 42012 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6562-t4530-vmware-65u2.zip
Smoke tests completed. 99 look OK, 1 have errors
Only failed tests results shown below:

Test	Result	Time (s)	Test File
test_08_upgrade_kubernetes_ha_cluster	`Failure`	702.28	test_kubernetes_clusters.py

sureshanaparti · 2022-07-22T06:14:18Z

utils/src/test/java/org/apache/cloudstack/utils/security/ParserUtilsTest.java

+        final DocumentBuilderFactory factory = ParserUtils.getSaferDocumentBuilderFactory();
+        assertTrue(factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
+        assertTrue(factory.getFeature("http://apache.org/xml/features/disallow-doctype-decl"));
+        assertFalse(factory.getFeature("http://xml.org/sax/features/external-general-entities"));


can define / use constants for these urls?

I'll check for ParserUtils but not necessarily the test itself

sureshanaparti

code LGTM

yadvr · 2022-07-22T06:32:59Z

@blueorangutan test

blueorangutan · 2022-07-22T06:34:03Z

@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

blueorangutan · 2022-07-22T18:59:57Z

Trillian test result (tid-4532)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 43437 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6562-t4532-kvm-centos7.zip
Smoke tests completed. 98 look OK, 2 have errors
Only failed tests results shown below:

Test	Result	Time (s)	Test File
test_08_upgrade_kubernetes_ha_cluster	`Failure`	576.91	test_kubernetes_clusters.py
test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers	`Failure`	462.22	test_vpc_redundant.py

yadvr · 2022-07-23T07:36:12Z

@blueorangutan test centos8 vmware-70u3

blueorangutan · 2022-07-23T07:37:03Z

@rohityadavcloud unsupported parameters provided. Supported mgmt server os are: centos7, centos6, suse15, alma8, ubuntu18, ubuntu22, ubuntu20, rocky8. Supported hypervisors are: kvm-centos6, kvm-centos7, kvm-rocky8, kvm-alma8, kvm-ubuntu18, kvm-ubuntu20, kvm-ubuntu22, kvm-suse15, vmware-55u3, vmware-60u2, vmware-65u2, vmware-67u3, vmware-70u1, vmware-70u2, vmware-70u3, xenserver-65sp1, xenserver-71, xenserver-74, xcpng74, xcpng76, xcpng80, xcpng81, xcpng82

yadvr · 2022-07-23T07:38:04Z

@blueorangutan test rocky8 vmware-70u3

blueorangutan · 2022-07-23T07:39:02Z

@rohityadavcloud a Trillian-Jenkins test job (rocky8 mgmt + vmware-70u3) has been kicked to run smoke tests

yadvr · 2022-07-23T07:39:08Z

@blueorangutan test ubuntu20 xcpng82

blueorangutan · 2022-07-23T07:40:03Z

@rohityadavcloud a Trillian-Jenkins test job (ubuntu20 mgmt + xcpng82) has been kicked to run smoke tests

blueorangutan · 2022-07-23T07:48:22Z

Trillian Build Failed (tid-4534)

blueorangutan · 2022-07-23T22:10:15Z

Trillian test result (tid-4535)
Environment: xcpng82 (x2), Advanced Networking with Mgmt server u20
Total time taken: 50774 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6562-t4535-xcpng82.zip
Smoke tests completed. 97 look OK, 3 have errors
Only failed tests results shown below:

Test	Result	Time (s)	Test File
test_attach_and_distribute_multiple_volumes	`Error`	16.97	test_attach_multiple_volumes.py
test_attach_multiple_volumes	`Failure`	13.88	test_attach_multiple_volumes.py
test_08_upgrade_kubernetes_ha_cluster	`Failure`	727.28	test_kubernetes_clusters.py
test_12_resize_volume_with_only_size_parameter	`Error`	1.08	test_volumes.py

shwstppr · 2022-07-25T12:26:25Z

Trillian test result (tid-4535) Environment: xcpng82 (x2), Advanced Networking with Mgmt server u20 Total time taken: 50774 seconds Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6562-t4535-xcpng82.zip Smoke tests completed. 97 look OK, 3 have errors Only failed tests results shown below:
Test Result Time (s) Test File
test_attach_and_distribute_multiple_volumes Error 16.97 test_attach_multiple_volumes.py
test_attach_multiple_volumes Failure 13.88 test_attach_multiple_volumes.py
test_08_upgrade_kubernetes_ha_cluster Failure 727.28 test_kubernetes_clusters.py
test_12_resize_volume_with_only_size_parameter Error 1.08 test_volumes.py

volumes error not related, #6549 should fix it

harikrishna-patnala

LGTM

This addresses SonarQube/SonarCloud quality checks to use safer xml parser to resist potential XXE attacks. https://sonarcloud.io/organizations/apache/rules?open=java%3AS2755&rule_key=java%3AS2755 Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

yadvr added the type:security label Jul 21, 2022

yadvr added this to the 4.17.1.0 milestone Jul 21, 2022

yadvr requested review from DaanHoogland, borisstoyanov, harikrishna-patnala and nvazquez July 21, 2022 11:39

yadvr force-pushed the safer-xml-parser branch from b2f4a4e to 7774ed9 Compare July 21, 2022 11:39

boring-cyborg bot added component:api component:kvm component:networking component:saml component:vmware component:XenServer labels Jul 21, 2022

yadvr force-pushed the safer-xml-parser branch 2 times, most recently from 5f5c2a8 to 188ede5 Compare July 21, 2022 11:53

yadvr force-pushed the safer-xml-parser branch from 188ede5 to 4a9fa0e Compare July 21, 2022 11:55

sureshanaparti reviewed Jul 22, 2022

View reviewed changes

sureshanaparti approved these changes Jul 22, 2022

View reviewed changes

yadvr assigned shwstppr Jul 25, 2022

shwstppr approved these changes Jul 27, 2022

View reviewed changes

harikrishna-patnala approved these changes Jul 27, 2022

View reviewed changes

yadvr merged commit 441edf3 into apache:4.17 Jul 27, 2022

Conversation

yadvr commented Jul 21, 2022

Types of changes

Uh oh!

yadvr commented Jul 21, 2022

Uh oh!

blueorangutan commented Jul 21, 2022

Uh oh!

blueorangutan commented Jul 21, 2022

Uh oh!

sonarqubecloud bot commented Jul 21, 2022

Uh oh!

yadvr commented Jul 21, 2022

Uh oh!

blueorangutan commented Jul 21, 2022

Uh oh!

blueorangutan commented Jul 22, 2022

Uh oh!

blueorangutan commented Jul 22, 2022

Uh oh!

blueorangutan commented Jul 22, 2022

Uh oh!

sureshanaparti Jul 22, 2022

Choose a reason for hiding this comment

Uh oh!

yadvr Jul 22, 2022

Choose a reason for hiding this comment

Uh oh!

sureshanaparti left a comment

Choose a reason for hiding this comment

Uh oh!

yadvr commented Jul 22, 2022

Uh oh!

blueorangutan commented Jul 22, 2022

Uh oh!

blueorangutan commented Jul 22, 2022

Uh oh!

yadvr commented Jul 23, 2022

Uh oh!

blueorangutan commented Jul 23, 2022

Uh oh!

yadvr commented Jul 23, 2022

Uh oh!

blueorangutan commented Jul 23, 2022

Uh oh!

yadvr commented Jul 23, 2022

Uh oh!

blueorangutan commented Jul 23, 2022

Uh oh!

blueorangutan commented Jul 23, 2022

Uh oh!

blueorangutan commented Jul 23, 2022

Uh oh!

shwstppr commented Jul 25, 2022

Uh oh!

harikrishna-patnala left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants