Feature/api xml properties #464
Conversation
- Added XXE protection by disabling DOCTYPE, external entities, and DTD loading.
- Added logging for XML parsing errors instead of silently returning null.
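As an added illustration (not code from this pull request or from the OpenAS2 project) of the parser hardening the description refers to: the factory below disables DOCTYPE declarations, external general and parameter entities, and external DTD loading before an XPath expression is evaluated over the parsed document. The class name, method names and the two sample documents are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Hypothetical helper showing one way to build an XXE-resistant DOM parser. */
public class HardenedXmlParser {

    /** DocumentBuilderFactory with DOCTYPE, external entities and DTD loading disabled. */
    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration outright; this alone blocks inline and external DTDs.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: never resolve external general or parameter entities.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD even in non-validating mode.
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // No XInclude processing and no entity expansion in the resulting DOM.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP secure processing applies resource limits (entity expansion count, etc.).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    /** Parses XML text with the hardened factory and evaluates an XPath node-set over it. */
    public static NodeList selectNodes(String xml, String xpathExpression) throws Exception {
        DocumentBuilder db = newHardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (NodeList) xpath.evaluate(xpathExpression, doc, XPathConstants.NODESET);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign document such an endpoint might legitimately serve.
        String benign = "<config><partnership name=\"demo\"/></config>";
        System.out.println("benign match count: "
                + selectNodes(benign, "/config/partnership").getLength());

        // Constructed sample: a document that carries a DOCTYPE with an internal entity.
        // The hardened parser refuses it before any entity is resolved.
        String withDoctype = "<!DOCTYPE c [<!ENTITY x \"y\">]><config>&x;</config>";
        try {
            selectNodes(withDoctype, "/config");
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Xerces reports the disallowed DOCTYPE as a parse error.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the one that matters most; the remaining settings only add cover for parsers that lack it. Whatever the endpoint logs on a parse failure should be the exception message, not the offending document, since that document is attacker-supplied input.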
uhurusurfa
left a comment
It would be helpful if you could provide the use case for retrieving an XML document. In the case of the config.xml, it contains sensitive information, and I am not sure what the benefit is for the app user.
| /Server/src/config/config.xml | ||
| /Server/src/test/resources/config/ | ||
| /Server/s.bat | ||
| /Server/src/bin/c.bat |
Please roll back the changes here. Those ignored entries are your own files which will not be accepted into the OpenAS2 package.
Please remove this file
Please remove this file
Please restore this file.
| import com.fasterxml.jackson.core.JsonProcessingException; | ||
| import com.fasterxml.jackson.databind.ObjectMapper; | ||
| import com.fasterxml.jackson.databind.SerializationFeature; | ||
| import jakarta.ws.rs.*; |
Please do not use asterisk imports, import every class specifically.
If you want to know why I prefer this way, do an internet search for "using wildcard import in java".
| import java.util.HashMap; | ||
| import java.util.Iterator; | ||
| import java.util.List; | ||
| import java.util.*; |
As above about asterisk imports
| @Produces(MediaType.APPLICATION_XML) | ||
| public Response getXml(@QueryParam("filename") String filename, @QueryParam("xpath") String xpathExpression) { | ||
| Session session = getProcessor().getSession(); | ||
| String filePath = session.getBaseDirectory() + '\\' + filename; |
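Review bot: the last line of this hunk builds the file path by concatenating the caller-supplied `filename` query parameter onto the base directory, and nothing in the hunk normalizes the result or checks that it still lies inside `session.getBaseDirectory()`. Resolve the path (for example with `Path.resolve(...).normalize()`), reject any result that does not start with the base directory, and preferably restrict the endpoint to an allow-list of the XML files it is meant to serve.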
You must use a forward slash and leave Java to make the change if you run on Windows, which it will normally gracefully handle for you, or use File.SEPARATOR.
| try { | ||
| NodeList nodeList = getNodes(filePath, xpathExpression); | ||
| DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder(); | ||
| Document resultDocument = db.newDocument(); | ||
| for (int i = 0; i < nodeList.getLength(); i++) { | ||
| Node importedNode = resultDocument.importNode(nodeList.item(i), true); | ||
| resultDocument.appendChild(importedNode); | ||
| } | ||
| StringWriter stringWriter = new StringWriter(); // Convert the XML document to a string | ||
| TransformerFactory transformerFactory = TransformerFactory.newInstance(); | ||
| Transformer transformer = transformerFactory.newTransformer(); | ||
| transformer.transform(new DOMSource(resultDocument), new StreamResult(stringWriter)); | ||
| String xmlContent = stringWriter.toString(); | ||
| return Response.ok(xmlContent, MediaType.APPLICATION_XML).build(); | ||
| } catch (Exception exception) { | ||
| return Response.serverError().entity("error").type(MediaType.APPLICATION_JSON).build(); | ||
| } |
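Review bot: the loop `resultDocument.appendChild(importedNode)` will throw a DOMException (HIERARCHY_REQUEST_ERR) as soon as the XPath matches more than one element, because a Document accepts only a single document element; wrap the imported nodes in a synthetic root element instead. In the same hunk the `catch (Exception exception)` block discards the exception and returns the bare string `"error"` typed as `MediaType.APPLICATION_JSON`, which is neither the logging the description promises nor a valid JSON body; log the exception and return a proper JSON error object (or use text/plain).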
You will have to remove (or overwrite with random text) any sensitive information from this extract, such as passwords.
Closing this pull request as the current changes include sensitive information that needs to be sanitized. I will create a new pull request with the corrected and cleaned version shortly.
Summary
- /getPropertyList endpoint to return application properties as JSON
- /getXml endpoint to query XML files with XPath and return results
Testing