fix(vulnerabilities): fix XXE attacks vulnerabilities and other code …
…smell (#17)

* Access to external entities and network access should always be
disabled to avoid XXE attack vulnerabilities.
* Log error properly
* refactor logger name to be compliant with java naming conventions
Adrien committed Oct 12, 2020
1 parent 17a214d commit a12ad69
Showing 1 changed file with 33 additions and 27 deletions.
60 changes: 33 additions & 27 deletions src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java
Expand Up @@ -29,6 +29,7 @@
import java.util.Objects;
import java.util.logging.Logger;

import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
Expand Down Expand Up @@ -109,7 +110,7 @@ public class SecureWSConnector extends AbstractConnector {

private static final String PROXY_PASSWORD = "proxyPassword";

private final Logger LOGGER = Logger.getLogger(this.getClass().getName());
private final Logger logger = Logger.getLogger(this.getClass().getName());

private Transformer transformer;

Expand Down Expand Up @@ -181,20 +182,19 @@ public void validateInputParameters() throws ConnectorValidationException {
}
}

@SuppressWarnings("unchecked")
@Override
protected void executeBusinessLogic() throws ConnectorException {
configureProxy();
final String serviceNS = (String) getInputParameter(SERVICE_NS);
LOGGER.info(SERVICE_NS + " " + serviceNS);
logger.info(SERVICE_NS + " " + serviceNS);
final String serviceName = (String) getInputParameter(SERVICE_NAME);
LOGGER.info(SERVICE_NAME + " " + serviceName);
logger.info(SERVICE_NAME + " " + serviceName);
final String portName = (String) getInputParameter(PORT_NAME);
LOGGER.info(PORT_NAME + " " + portName);
logger.info(PORT_NAME + " " + portName);
final String binding = (String) getInputParameter(BINDING);
LOGGER.info(BINDING + " " + binding);
logger.info(BINDING + " " + binding);
final String endpointAddress = (String) getInputParameter(ENDPOINT_ADDRESS);
LOGGER.info(ENDPOINT_ADDRESS + " " + endpointAddress);
logger.info(ENDPOINT_ADDRESS + " " + endpointAddress);

final QName serviceQName = new QName(serviceNS, serviceName);
final QName portQName = new QName(serviceNS, portName);
Expand All @@ -205,15 +205,15 @@ protected void executeBusinessLogic() throws ConnectorException {
dispatch.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointAddress);
final Object authUserName = getInputParameter(USER_NAME);
if (authUserName != null) {
LOGGER.info(USER_NAME + " " + authUserName);
logger.info(USER_NAME + " " + authUserName);
dispatch.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, authUserName);
final Object authPassword = getInputParameter(PASSWORD);
LOGGER.info(PASSWORD + " ********");
logger.info(PASSWORD + " ********");
dispatch.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, authPassword);
}

final String soapAction = (String) getInputParameter(SOAP_ACTION);
LOGGER.info(SOAP_ACTION + " " + soapAction);
logger.info(SOAP_ACTION + " " + soapAction);

if (soapAction != null) {
dispatch.getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, true);
Expand Down Expand Up @@ -245,9 +245,9 @@ protected void executeBusinessLogic() throws ConnectorException {
String initialEnvelope = (String) getInputParameter(ENVELOPE);
String sanitizedEnvelope = sanitizeString(initialEnvelope);
if (!Objects.equals(initialEnvelope, sanitizedEnvelope)) {
LOGGER.warning("Invalid XML characters have been detected in the envelope, they will be removed.");
logger.warning("Invalid XML characters have been detected in the envelope, they will be removed.");
}
LOGGER.info(ENVELOPE + " " + sanitizedEnvelope);
logger.info(ENVELOPE + " " + sanitizedEnvelope);

Boolean oneWayInvoke = (Boolean) getInputParameter(ONE_WAY_INVOKE);
if (oneWayInvoke == null) {
Expand All @@ -268,9 +268,9 @@ protected void executeBusinessLogic() throws ConnectorException {
restoreConfiguration();

Boolean buildResponseDocumentEnvelope = (Boolean) getInputParameter(BUILD_RESPONSE_DOCUMENT_ENVELOPE);
LOGGER.info(BUILD_RESPONSE_DOCUMENT_ENVELOPE + " " + buildResponseDocumentEnvelope);
logger.info(BUILD_RESPONSE_DOCUMENT_ENVELOPE + " " + buildResponseDocumentEnvelope);
Boolean buildResponseDocumentBody = (Boolean) getInputParameter(BUILD_RESPONSE_DOCUMENT_BODY);
LOGGER.info(BUILD_RESPONSE_DOCUMENT_BODY + " " + buildResponseDocumentBody);
logger.info(BUILD_RESPONSE_DOCUMENT_BODY + " " + buildResponseDocumentBody);
if (buildResponseDocumentEnvelope == null) {
buildResponseDocumentEnvelope = false;
}
Expand All @@ -288,7 +288,7 @@ protected void executeBusinessLogic() throws ConnectorException {
}

Boolean printRequestAndResponse = (Boolean) getInputParameter(PRINT_REQUEST_AND_RESPONSE);
LOGGER.info(PRINT_REQUEST_AND_RESPONSE + " " + printRequestAndResponse);
logger.info(PRINT_REQUEST_AND_RESPONSE + " " + printRequestAndResponse);
if (printRequestAndResponse == null) {
printRequestAndResponse = false;
}
Expand Down Expand Up @@ -323,30 +323,30 @@ private void configureProxy() {
if (host == null || host.isEmpty()) {
return;
}
LOGGER.info(PROXY_HOST + " " + host);
logger.info(PROXY_HOST + " " + host);
final String protocol = (String) getInputParameter(PROXY_PROTOCOL);
LOGGER.info(PROXY_PROTOCOL + " " + protocol);
logger.info(PROXY_PROTOCOL + " " + protocol);
final String port = (String) getInputParameter(PROXY_PORT);
LOGGER.info(PROXY_PORT + " " + port);
logger.info(PROXY_PORT + " " + port);

if (SOCKS.equals(protocol)) {
System.setProperty("socksProxyHost", host);
LOGGER.info("Setting environment variable: socksProxyHost=" + host);
logger.info("Setting environment variable: socksProxyHost=" + host);
System.setProperty("socksProxyPort", port);
LOGGER.info("Setting environment variable: socksProxyPort=" + port);
logger.info("Setting environment variable: socksProxyPort=" + port);
} else {
final String hostKey = String.format("%s.proxyHost", protocol.toLowerCase());
System.setProperty(hostKey, host);
LOGGER.info("Setting environment variable: " + hostKey + "=" + host);
logger.info("Setting environment variable: " + hostKey + "=" + host);
final String portKey = String.format("%s.proxyPort", protocol.toLowerCase());
System.setProperty(portKey, port);
LOGGER.info("Setting environment variable: " + portKey + "=" + port);
logger.info("Setting environment variable: " + portKey + "=" + port);
}

final String user = (String) getInputParameter(PROXY_USER);
LOGGER.info(PROXY_USER + " " + user);
logger.info(PROXY_USER + " " + user);
final String password = (String) getInputParameter(PROXY_PASSWORD);
LOGGER.info(PROXY_PASSWORD + " ********");
logger.info(PROXY_PASSWORD + " ********");
if (user != null && !user.isEmpty()) {
Authenticator.setDefault(new Authenticator() {

Expand Down Expand Up @@ -392,7 +392,10 @@ private Document buildResponseDocumentBody(Document responseDocumentEnvelope) th
Document responseDocumentBody = null;
if (responseDocumentEnvelope != null) {
try {
responseDocumentBody = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
responseDocumentBody = documentBuilderFactory.newDocumentBuilder().newDocument();
} catch (final ParserConfigurationException pce) {
throw new ConnectorException(pce);
}
Expand All @@ -417,7 +420,7 @@ private void printRequestAndResponse(Source sourceResponse, boolean buildRespons
getTransformer().transform(new DOMSource(responseDocumentBody), new StreamResult(System.err));
}
} catch (final TransformerException e) {
e.printStackTrace();
logger.severe(e.getMessage());
}
}

Expand Down Expand Up @@ -452,7 +455,10 @@ Node getEnvelopeBodyContent(final Document envelope) {

Transformer getTransformer() throws TransformerConfigurationException {
if (transformer == null) {
transformer = TransformerFactory.newInstance().newTransformer();
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
}
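Review bot: `logger.severe(e.getMessage())` in printRequestAndResponse discards the stack trace and cause chain that the replaced `printStackTrace()` showed, and logs the literal `null` when the TransformerException carries no message; log the throwable itself, `logger.log(Level.SEVERE, "Failed to print the SOAP request/response", e);` (with `import java.util.logging.Level;` added to the import block). In the two XXE hunks, `DocumentBuilderFactory.setAttribute` and `TransformerFactory.setAttribute` throw IllegalArgumentException when the underlying implementation does not recognise the JAXP 1.5 `ACCESS_EXTERNAL_*` properties, which neither the `catch (ParserConfigurationException)` in buildResponseDocumentBody nor the `throws TransformerConfigurationException` on getTransformer covers, so a non-JDK parser on the classpath would likely surface as an unhandled runtime exception; `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` is the portable setting and is worth enabling alongside. Note too that the hardened factory in buildResponseDocumentBody only calls `newDocument()` in the visible lines and parses nothing, so whichever code path actually parses the response envelope (outside this diff) needs the same restrictions for the fix to close the XXE exposure named in the title. The enclosing methods printRequestAndResponse, buildResponseDocumentBody and getTransformer all continue outside their hunks.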
