Save BioModel Endpoint#1500
Conversation
Instead of several save variances, allow for only one save endpoint with optional parameters.
Use a custom object mapper for the Java client so that XML strings can be properly read, and further enhancements can be made on mapping relations.
Update the save tests to ensure input validation is occurring, and follow the new single save endpoint.
Update generated client.
|
please look at CodeQL failure - we need to decide to fix or ignore. |
jcschaff
left a comment
There was a problem hiding this comment.
nice job, reviewed with Ezequiel
| } | ||
| sDoc = builder.build(reader); | ||
| builder.setFeature("https://apache.org/xml/features/disallow-doctype-decl", true); // disable potential attack vector https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java | ||
| sDoc = builder.build(reader); |
Check failure
Code scanning / CodeQL
Resolving XML external entity in user-controlled data
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 year ago
To fix the issue, we need to explicitly disable DTDs and external entities in the SAXBuilder instance used in the readXML method. This can be achieved by setting the http://apache.org/xml/features/disallow-doctype-decl feature to true and the http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities features to false. These changes ensure that the XML parser does not process external entities, effectively mitigating the risk of XXE attacks.
| @@ -150,4 +150,7 @@ | ||
| } | ||
| builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // https://semgrep.dev/docs/cheat-sheets/java-xxe | ||
| sDoc = builder.build(reader); | ||
| builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // https://semgrep.dev/docs/cheat-sheets/java-xxe | ||
| builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); | ||
| builder.setFeature("http://xml.org/sax/features/external-general-entities", false); | ||
| builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false); | ||
| sDoc = builder.build(reader); | ||
| // ----- Element root = null; |
There was a problem hiding this comment.
Secure processing is the strictest possible limitations that can be set due to external validation that is required for SBML.
Different Method For Secure Processing
20779d6 to
04d06e8
Compare
This branch does the following: