-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issues #782
Comments
783: Address issues in #782 r=thomaskrause a=thomaskrause #782 reports two issues found by automatic code analysis which also have been found by Sonarcloud before. The fix for one of the potential problems is not to include any information from the exception at all, even if only the message (and not as claimed the whole stacktrace) is exposed. The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. I updated the comment for future reviewers to explain more what is going on and why this code is safe. Co-authored-by: Thomas Krause <thomaskrause@posteo.de> Co-authored-by: Thomas Krause <thomaskrause@users.noreply.github.com>
This will be addressed in a bugfix 4.9.1 release later this day by #783
The fix for this potential problem (part of the pull request #783) is not to include any information from the exception at all, even if in the original only the message of the exception (and not as claimed the whole stacktrace) is exposed.
The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. // Not using Spring CSRF protection here because Vaadin also has a
// Cross-site request forgery protection running.
// Spring will try to enforce an additional layer
// on the filtered resources, which conflicts with
// the Vaadin CSRF protection and makes the frontend
// unusable. Disabling Spring CSRF is therefore
// safe, as long as Vaadin CSRF protection is
// activated (which it is per default).
// https://vaadin.com/blog/filter-based-spring-security-in-vaadin-applications
.and().csrf().disable(); |
783: Address issues in #782 r=thomaskrause a=thomaskrause #782 reports two issues found by automatic code analysis which also have been found by Sonarcloud before. The fix for one of the potential problems is not to include any information from the exception at all, even if only the message (and not as claimed the whole stacktrace) is exposed. The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. I updated the comment for future reviewers to explain more what is going on and why this code is safe. Co-authored-by: Thomas Krause <thomaskrause@posteo.de> Co-authored-by: Thomas Krause <thomaskrause@users.noreply.github.com>
783: Address issues in #782 r=thomaskrause a=thomaskrause #782 reports two issues found by automatic code analysis which also have been found by Sonarcloud before. The fix for one of the potential problems is not to include any information from the exception at all, even if only the message (and not as claimed the whole stacktrace) is exposed. The second issue is not an issue after reviewing this again. But the explanation in the comment why this is needed/ok was wrong. I updated the comment for future reviewers to explain more what is going on and why this code is safe. Co-authored-by: Thomas Krause <thomaskrause@posteo.de> Co-authored-by: Thomas Krause <thomaskrause@users.noreply.github.com>
This is addressed in the bugfix release 4.9.1 |
Hi @thomaskrause - we are getting some potential security issues flagged by an automatic code inspection:
com.lgtm/java-queries:java/stack-trace-exposure: com.lgtm/java-queries:java/stack-trace-exposure (src/main/java/org/corpus_tools/annis/gui/servlets/CitationRedirectionServlet.java#L51)
com.lgtm/java-queries:java/spring-disabled-csrf-protection: com.lgtm/java-queries:java/spring-disabled-csrf-protection (src/main/java/org/corpus_tools/annis/gui/security/SecurityConfiguration.java#L90)
It would be really great if these could be patched quickly!
The text was updated successfully, but these errors were encountered: