HIGH Security Vulnerability in hapi-fhir-test-utilities #3885

Closed
joepaquette opened this issue Aug 5, 2022 · 7 comments · Fixed by #4306 · May be fixed by #4558
Comments

@joepaquette

hapi-fhir-test-utilities has a dependency on net.sourceforge.htmlunit which has a dependency on xalan:xalan.

xalan:xalan:2.7.2 has a HIGH security vulnerability and was last updated on July 24, 2014. see

Results from a WHITESOURCE security scan:

  • Artifact ID: xalan
  • Group ID: xalan
  • Library Version: 2.7.2
  • Library Path: /root/.gradle/caches/modules-2/files-2.1/xalan/xalan/2.7.2/d55d3f02a56ec4c25695fe67e1334ff8c2ecea23/xalan-2.7.2.jar
  • Type: MAVEN_ARTIFACT
  • Description: The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
  • Suggested Fix: No suggested fix
@tadgh (Collaborator) commented Aug 8, 2022

Heya! Greatly appreciate the report. The test utilities are test-scoped, and not shipped in production code. Since there seems to be no remediation immediately available, do you have any recommendations? Do you think it would be safe to just remove the dependency?

@joepaquette (Author)

Someone should look at hapi-fhir-server-openapi because the test utilities are not scoped to test only. That's how we stumbled onto this issue. I'll add a new issue to resolve this.

The scanning tool we use apparently does not make distinctions between "test" and "production" dependencies, so we cannot make use of the test utilities package in our project.

Since the test utilities has a dependency on HtmlUnit and HtmlUnit has the dependency on Xalan, the only thing I can think of is to find an alternative to HtmlUnit that does not contain a dependency on Xalan. I'm not familiar with these tools, but a quick Google search (htmlunit alternative java) identified https://github.com/dhamaniasad/HeadlessBrowsers with numerous suggestions.

@jamesagnew (Collaborator)

Whoops! That is definitely an oversight, that should be a test scoped dep for sure.

@tadgh (Collaborator) commented Aug 8, 2022 via email

@jamesagnew (Collaborator)

FWIW I'd say let's just fix the scoping and that should be sufficient. We don't do any XSLT processing as a part of our build/test process so there is no risk of this being exploitable with that scope.
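As an added example (not part of this issue thread or the HAPI FHIR build), the two remediations discussed above expressed as Maven dependency configuration: the consuming project's declaration moved to test scope, as jamesagnew proposes, so that htmlunit and xalan never reach the packaged artifact, plus an explicit exclusion of the transitive xalan:xalan artifact for the situation joepaquette describes, where the scanner does not distinguish test from compile scope. The groupId and the version placeholder are assumptions; substitute the coordinates your project actually resolves.

```xml
<!-- Added example; not from this issue or the HAPI FHIR project.
     groupId and version are assumptions: replace with the real values. -->
<dependencies>
  <!-- 1. Test scope: the artifact and everything it pulls in transitively
          (htmlunit -> xalan) is available only during test compilation and
          execution and is not packaged or published with the deliverable. -->
  <dependency>
    <groupId>ca.uhn.hapi.fhir</groupId>
    <artifactId>hapi-fhir-test-utilities</artifactId>
    <version>HAPI_VERSION_PLACEHOLDER</version>
    <scope>test</scope>
    <!-- 2. Exclusion: remove xalan from the resolved graph altogether, so a
            scanner that reports test-scoped artifacts no longer sees it.
            Only appropriate when, as stated above, no XSLT is processed
            during the build or tests; HtmlUnit features that rely on
            XSLT would otherwise fail at runtime. -->
    <exclusions>
      <exclusion>
        <groupId>xalan</groupId>
        <artifactId>xalan</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

To confirm the artifact is gone from the resolved graph, run the Maven dependency plugin's tree goal filtered to that artifact, `mvn dependency:tree -Dincludes=xalan`; an empty result means neither the scoping nor the exclusion left a path to xalan:xalan. The same check is worth repeating after any upgrade of hapi-fhir-test-utilities or HtmlUnit, since a new transitive path can reintroduce it.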

@jbonzohln (Contributor)

This is fixed by #4306 if someone could review.

@tadgh (Collaborator) commented Feb 15, 2023

Having a peek now. Looks like I.... did not fix this for 6.1.0 🤦🏻
