IDEMPIERE-4495 github code scanning alerts (#308)

* IDEMPIERE-4495 github code scanning alerts

Failure to use secure cookies

* Failure to use secure cookies - one more

* Fix: Arbitrary file write during archive extraction ("Zip Slip")

* Fix: Resolving XML external entity in user-controlled data
Carlos Ruiz 2020-10-18 05:04:54 +02:00 committed by GitHub
parent e06938cedc
commit a60dd24533
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 17 additions and 7 deletions


@ -335,8 +335,8 @@ public class AddressLookup implements AddressLookupInterface {
private Document fetchResult(URL cgiUrl) { private Document fetchResult(URL cgiUrl) {
try { try {
// Get document builder. // Get document builder.
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
.newInstance(); docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder(); DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
// Get the connection. // Get the connection.
URLConnection URLconnection = cgiUrl.openConnection(); URLConnection URLconnection = cgiUrl.openConnection();
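Review bot: The new `disallow-doctype-decl` feature is the right primary control, since without a DOCTYPE no entity (internal or external) can be declared, but the factory is otherwise left at its defaults, so XInclude and entity-reference expansion are still enabled and a parser implementation that does not honour the Apache-specific feature name would reject it with ParserConfigurationException rather than silently parse unsafely. I would add the standard belt-and-braces lines right after the `setFeature` call: `docBuilderFactory.setXIncludeAware(false);` and `docBuilderFactory.setExpandEntityReferences(false);`, with a comment `// XXE hardening: reject any DOCTYPE, and do not resolve XInclude or entity references`. Whether the ParserConfigurationException from `setFeature` is caught by the enclosing try so that the method fails closed cannot be seen here, because `fetchResult` continues outside the hunk.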


@ -170,9 +170,9 @@ public class AttachmentFileSystem implements IAttachmentStore {
if (data.length == 0) if (data.length == 0)
return true; return true;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
try { try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final DocumentBuilder builder = factory.newDocumentBuilder(); final DocumentBuilder builder = factory.newDocumentBuilder();
final Document document = builder.parse(new ByteArrayInputStream(data)); final Document document = builder.parse(new ByteArrayInputStream(data));
final NodeList entries = document.getElementsByTagName("entry"); final NodeList entries = document.getElementsByTagName("entry");
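Review bot: With the DOCTYPE now rejected, an attachment index containing one will surface as a SAXParseException from `builder.parse` instead of being expanded, so the catch that follows this hunk (not visible here) decides whether a tampered attachment descriptor is logged or quietly treated as empty; it should at least log the failure rather than fall through as if the attachment had no entries. Moving the factory construction inside the try is correct because `setFeature` throws the checked ParserConfigurationException. As with the other parser fixes in this commit, `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);` after the `setFeature` line would make the hardening independent of the Xerces-specific feature name. The surrounding method starts and ends outside the hunk.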


@ -941,6 +941,7 @@ public final class WebUtil
cookie.setComment("adempiere Web User"); cookie.setComment("adempiere Web User");
cookie.setPath(request.getContextPath()); cookie.setPath(request.getContextPath());
cookie.setMaxAge(1); // second cookie.setMaxAge(1); // second
cookie.setSecure(true);
response.addCookie(cookie); response.addCookie(cookie);
} // deleteCookieWebUser } // deleteCookieWebUser
@ -970,6 +971,7 @@ public final class WebUtil
cookie.setComment("adempiere Web User"); cookie.setComment("adempiere Web User");
cookie.setPath(request.getContextPath()); cookie.setPath(request.getContextPath());
cookie.setMaxAge(2592000); // 30 days in seconds 60*60*24*30 cookie.setMaxAge(2592000); // 30 days in seconds 60*60*24*30
cookie.setSecure(true);
response.addCookie(cookie); response.addCookie(cookie);
} catch (UnsupportedEncodingException e) { } catch (UnsupportedEncodingException e) {
e.printStackTrace(); e.printStackTrace();
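Review bot: The 30-day "adempiere Web User" cookie gains the Secure flag but not HttpOnly, so whatever user identifier it carries remains readable from page script and exposed to any XSS in the application; if the servlet API level in use is 3.0 or later, add `cookie.setHttpOnly(true);` next to the new `cookie.setSecure(true);` in both hunks. Note also that an unconditional Secure flag means browsers will no longer store or send this cookie on plain-HTTP deployments (modern browsers refuse Secure cookies set over an insecure origin), which silently breaks the remember-me behaviour there; if HTTP deployments are still supported, that should be documented or the flag tied to a deployment setting. The enclosing method continues past the hunk, so I cannot see what value is stored in the cookie.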


@ -246,7 +246,10 @@ public class PackIn {
try{ try{
while (e.hasMoreElements()) { while (e.hasMoreElements()) {
ZipEntry ze = (ZipEntry) e.nextElement(); ZipEntry ze = (ZipEntry) e.nextElement();
File file = new File(m_packageDirectory + File.separator + ze.getName()); File file = new File(m_packageDirectory, ze.getName());
if (!file.toPath().normalize().startsWith(m_packageDirectory)) {
throw new AdempiereException("Bad zip entry: " + ze.getName());
}
FileOutputStream fout = new FileOutputStream(file); FileOutputStream fout = new FileOutputStream(file);
InputStream in = zf.getInputStream(ze); InputStream in = zf.getInputStream(ze);
for (int c = in.read(); c != -1; c = in.read()) { for (int c = in.read(); c != -1; c = in.read()) {
@ -258,7 +261,7 @@ public class PackIn {
} }
retValue = new File[files.size()]; retValue = new File[files.size()];
files.toArray(retValue); files.toArray(retValue);
}catch (Exception ex){ } finally {
zf.close(); zf.close();
} }
return retValue; return retValue;
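Review bot: The traversal check normalizes the entry path but compares it against the raw `m_packageDirectory` string, so if that directory is relative or itself contains `..` or `.` components, `Path.startsWith` does a component-wise comparison against an un-normalized prefix and rejects every entry, while a relative base also makes the comparison depend on the current working directory. Normalize and absolutize both sides, ideally hoisting the base out of the loop: `Path base = Paths.get(m_packageDirectory).toAbsolutePath().normalize();` and then `if (!file.toPath().toAbsolutePath().normalize().startsWith(base))`. Changing the `catch (Exception ex)` to `finally` is a good fix in itself, as extraction errors are no longer swallowed, but the method begins before the hunk and I cannot see how callers handle the newly propagated exception.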


@ -396,9 +396,14 @@ public class WTranslationDialog extends TranslationController implements IFormCo
log.warning("Ignored file " + entry.getName()); log.warning("Ignored file " + entry.getName());
continue; continue;
} }
File outFile = new File(tempfolder.getPath(), entry.getName());
if (!outFile.toPath().normalize().startsWith(tempfolder.toPath())) {
log.severe("Bad zip entry: " + entry.getName());
continue;
}
if (log.isLoggable(Level.INFO)) log.info("Extracting file: " + entry.getName()); if (log.isLoggable(Level.INFO)) log.info("Extracting file: " + entry.getName());
copyInputStream(zipFile.getInputStream(entry), new BufferedOutputStream(new FileOutputStream(tempfolder.getPath() + File.separator + entry.getName()))); copyInputStream(zipFile.getInputStream(entry), new BufferedOutputStream(new FileOutputStream(outFile)));
validfile = true; validfile = true;
} }
} catch (Throwable e) { } catch (Throwable e) {
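Review bot: A traversal entry is logged and skipped here, whereas the equivalent fix in PackIn throws; an archive that contains a `../` entry is evidence of tampering, and continuing to extract its remaining entries (and still setting `validfile = true` for them) arguably imports a file that should have been rejected outright, so I would abort the import instead of `continue`, or at minimum document why skipping is acceptable with `// NOTE: a traversal entry is skipped rather than aborting the import — confirm this is intended`. As in PackIn, the base should also be normalized for the comparison: `tempfolder.toPath().toAbsolutePath().normalize()`, since `startsWith` compares path components literally. The enclosing method and its loop begin outside the hunk.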