Security issues #782
Comments
Merged
bors bot
added a commit
that referenced
this issue
Jun 30, 2022
783: Address issues in #782 r=thomaskrause a=thomaskrause #782 reports two issues found by automatic code analysis which also have been found by Sonarcloud before. The fix for one of the potential problems is not to include any information from the exception at all, even if only the message (and not as claimed the whole stacktrace) is exposed. The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. I updated the comment for future reviewers to explain more what is going on and why this code is safe. Co-authored-by: Thomas Krause <thomaskrause@posteo.de> Co-authored-by: Thomas Krause <thomaskrause@users.noreply.github.com>
|
This will be addressed in a bugfix 4.9.1 release later this day by #783
The fix for this potential problem (part of the pull request #783) is not to include any information from the exception at all, even if in the original only the message of the exception (and not as claimed the whole stacktrace) is exposed.
The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. // Not using Spring CSRF protection here because Vaadin also has a
// Cross-site request forgery protection running.
// Spring will try to enforce an additional layer
// on the filtered resources, which conflicts with
// the Vaadin CSRF protection and makes the frontend
// unusable. Disabling Spring CSRF is therefore
// safe, as long as Vaadin CSRF protection is
// activated (which it is per default).
// https://vaadin.com/blog/filter-based-spring-security-in-vaadin-applications
.and().csrf().disable(); |
bors bot
added a commit
that referenced
this issue
Jun 30, 2022
783: Address issues in #782 r=thomaskrause a=thomaskrause #782 reports two issues found by automatic code analysis which also have been found by Sonarcloud before. The fix for one of the potential problems is not to include any information from the exception at all, even if only the message (and not as claimed the whole stacktrace) is exposed. The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. I updated the comment for future reviewers to explain more what is going on and why this code is safe. Co-authored-by: Thomas Krause <thomaskrause@posteo.de> Co-authored-by: Thomas Krause <thomaskrause@users.noreply.github.com>
bors bot
added a commit
that referenced
this issue
Jun 30, 2022
783: Address issues in #782 r=thomaskrause a=thomaskrause #782 reports two issues found by automatic code analysis which also have been found by Sonarcloud before. The fix for one of the potential problems is not to include any information from the exception at all, even if only the message (and not as claimed the whole stacktrace) is exposed. The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. I updated the comment for future reviewers to explain more what is going on and why this code is safe. Co-authored-by: Thomas Krause <thomaskrause@posteo.de> Co-authored-by: Thomas Krause <thomaskrause@users.noreply.github.com>
|
This is addressed in the bugfix release 4.9.1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi @thomaskrause - we are getting some potential security issues flagged by an automatic code inspection:
com.lgtm/java-queries:java/stack-trace-exposure: com.lgtm/java-queries:java/stack-trace-exposure (src/main/java/org/corpus_tools/annis/gui/servlets/CitationRedirectionServlet.java#L51)
com.lgtm/java-queries:java/spring-disabled-csrf-protection: com.lgtm/java-queries:java/spring-disabled-csrf-protection (src/main/java/org/corpus_tools/annis/gui/security/SecurityConfiguration.java#L90)
It would be really great if these could be patched quickly!
The text was updated successfully, but these errors were encountered: