- Fixed CVE on tomcat embedded: upgraded to 9.0.41

- upgraded supported JRE to Java 11 - upgraded authzforce-ce-core: 17.0.0 - upgraded authzforce-ce-jaxrs-utils: 2.0.0 - updated license headers for year 2021
authzforce · Jan 27, 2021 · 6faee47 · 6faee47
1 parent 2471522
commit 6faee47
Show file tree

Hide file tree

Showing 12 changed files with 67 additions and 47 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,6 @@
 /.classpath
 /.project
 /target/
+**/.idea
+*.iml
+
diff --git a/cxf-spring-boot-server/pom.xml b/cxf-spring-boot-server/pom.xml
@@ -16,6 +16,10 @@
 		<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
 		<url>${git.url.base}/restful-pdp/cxf-spring-boot-server</url>
 	</scm>
+	<properties>
+		<!-- FIX: cxf-spring-boot-starter-jaxrs depends indirectly on tomcat-embed-core:9.0.39 affected by CVE-2020-17527 -->
+		<tomcat-version>9.0.41</tomcat-version>
+	</properties>
 	<dependencies>
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
@@ -43,6 +47,16 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.tomcat.embed</groupId>
+			<artifactId>tomcat-embed-core</artifactId>
+			<version>${tomcat-version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.tomcat.embed</groupId>
+			<artifactId>tomcat-embed-websocket</artifactId>
+			<version>${tomcat-version}</version>
+		</dependency>
 		<dependency>
 			<groupId>javax.validation</groupId>
 			<artifactId>validation-api</artifactId>
@@ -56,7 +70,7 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
-			<version>2.1.13.RELEASE</version>
+			<version>${spring-boot-starter.version}</version>
 			<scope>test</scope>
 			<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json; same issue with json-path -->
 			<exclusions>
@@ -113,12 +127,8 @@
 				</executions>
 			</plugin>
 			<plugin>
-				<groupId>org.codehaus.mojo</groupId>
-				<artifactId>findbugs-maven-plugin</artifactId>
-				<configuration>
-					<onlyAnalyze>org.ow2.authzforce.*</onlyAnalyze>
-					<excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
-				</configuration>
+				<groupId>com.github.spotbugs</groupId>
+				<artifactId>spotbugs-maven-plugin</artifactId>
 				<executions>
 					<execution>
 						<phase>verify</phase>

diff --git a/...g-boot-server/findbugs-exclude-filter.xml → ...boot-server/spotbugs-security-exclude.xml b/...g-boot-server/findbugs-exclude-filter.xml → ...boot-server/spotbugs-security-exclude.xml
diff --git a/...er/src/main/java/org/ow2/authzforce/rest/pdp/cxf/springboot/CxfJaxrsPdpSpringBootApp.java b/...er/src/main/java/org/ow2/authzforce/rest/pdp/cxf/springboot/CxfJaxrsPdpSpringBootApp.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2020 THALES.
+ * Copyright (C) 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *

diff --git a/.../test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java b/.../test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2020 THALES.
+ * Copyright (C) 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -21,6 +21,8 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 
 import javax.ws.rs.core.Response;
@@ -80,7 +82,7 @@ public void testPdpRequest() throws IOException
 		final String reqLocation = "src/test/resources/server/IIA001/Request.json";
 		try (InputStream reqIn = new FileInputStream(reqLocation))
 		{
-			final JSONObject jsonRequest = new LimitsCheckingJSONObject(reqIn, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
+			final JSONObject jsonRequest = new LimitsCheckingJSONObject(new InputStreamReader(reqIn, StandardCharsets.UTF_8), MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
 			if (!jsonRequest.has("Request"))
 			{
 				throw new IllegalArgumentException("Invalid XACML JSON Request file: " + reqLocation + ". Expected root key: \"Request\"");
@@ -92,7 +94,7 @@ public void testPdpRequest() throws IOException
 			final String respLocation = "src/test/resources/server/IIA001/Response.json";
 			try (final InputStream respIn = new FileInputStream(respLocation))
 			{
-				final JSONObject expectedResponse = new LimitsCheckingJSONObject(respIn, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
+				final JSONObject expectedResponse = new LimitsCheckingJSONObject(new InputStreamReader(respIn, StandardCharsets.UTF_8), MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
 				if (!expectedResponse.has("Response"))
 				{
 					throw new IllegalArgumentException("Invalid XACML JSON Response file: " + respLocation + ". Expected root key: \"Response\"");
@@ -117,7 +119,7 @@ public void testInvalidPdpRequest() throws IOException
 		final String reqLocation = "src/test/resources/server/IIA001/Request-missing-category-id.json";
 		try (InputStream reqIn = new FileInputStream(reqLocation))
 		{
-			final JSONObject jsonRequest = new LimitsCheckingJSONObject(reqIn, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
+			final JSONObject jsonRequest = new LimitsCheckingJSONObject(new InputStreamReader(reqIn, StandardCharsets.UTF_8), MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
 			if (!jsonRequest.has("Request"))
 			{
 				throw new IllegalArgumentException("Invalid XACML JSON Request file: " + reqLocation + ". Expected root key: \"Request\"");

diff --git a/jaxrs/pom.xml b/jaxrs/pom.xml
@@ -17,7 +17,7 @@
 		<url>${git.url.base}/restful-pdp/jaxrs</url>
 	</scm>
 	<properties>
-		<authzforce-ce-core.version>15.2.0</authzforce-ce-core.version>
+		<authzforce-ce-core.version>17.0.0</authzforce-ce-core.version>
 	</properties>
 	<dependencies>
 		<dependency>
@@ -33,7 +33,7 @@
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-jaxrs-utils</artifactId>
-			<version>1.5.0</version>
+			<version>2.0.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.testng</groupId>
@@ -109,12 +109,8 @@
 				</executions>
 			</plugin>
 			<plugin>
-				<groupId>org.codehaus.mojo</groupId>
-				<artifactId>findbugs-maven-plugin</artifactId>
-				<configuration>
-					<onlyAnalyze>org.ow2.authzforce.*</onlyAnalyze>
-					<excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
-				</configuration>
+				<groupId>com.github.spotbugs</groupId>
+				<artifactId>spotbugs-maven-plugin</artifactId>
 				<executions>
 					<execution>
 						<phase>verify</phase>

diff --git a/jaxrs/findbugs-exclude-filter.xml → jaxrs/spotbugs-security-exclude.xml b/jaxrs/findbugs-exclude-filter.xml → jaxrs/spotbugs-security-exclude.xml
diff --git a/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/PdpBundle.java b/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/PdpBundle.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -75,19 +75,11 @@ public PdpBundle(final PdpEngineConfiguration pdpConf, final boolean enableXacml
 		final boolean isStrictAttIssuerMatchEnabled = pdpConf.isStrictAttributeIssuerMatchEnabled();
 		final boolean isXpathEnabled = pdpConf.isXpathEnabled();
 
-		this.xacmlJaxbIoAdapter = PdpEngineAdapters.newInoutAdapter(Request.class, Response.class, engine, ioProcChains, extraPdpFeatures -> {
-			return SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled, XmlUtils.SAXON_PROCESSOR,
-					extraPdpFeatures);
-		}, () -> {
-			return new BaseXacmlJaxbResultPostprocessor(clientReqErrVerbosityLevel);
-		});
+		this.xacmlJaxbIoAdapter = PdpEngineAdapters.newInoutAdapter(Request.class, Response.class, engine, ioProcChains, extraPdpFeatures -> SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled, XmlUtils.SAXON_PROCESSOR,
+				extraPdpFeatures), () -> new BaseXacmlJaxbResultPostprocessor(clientReqErrVerbosityLevel));
 
-		this.xacmlJsonIoAdapter = enableXacmlJsonProfile ? PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, engine, ioProcChains, extraPdpFeatures -> {
-			return SingleDecisionXacmlJsonRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled, XmlUtils.SAXON_PROCESSOR,
-					extraPdpFeatures);
-		}, () -> {
-			return new BaseXacmlJsonResultPostprocessor(clientReqErrVerbosityLevel);
-		}) : null;
+		this.xacmlJsonIoAdapter = enableXacmlJsonProfile ? PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, engine, ioProcChains, extraPdpFeatures -> SingleDecisionXacmlJsonRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled, XmlUtils.SAXON_PROCESSOR,
+				extraPdpFeatures), () -> new BaseXacmlJsonResultPostprocessor(clientReqErrVerbosityLevel)) : null;
 	}
 
 	/**

diff --git a/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/XacmlPdpResource.java b/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/XacmlPdpResource.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *

diff --git a/jaxrs/src/test/java/org/ow2/authzforce/rest/pdp/jaxrs/test/XacmlRestProfileJaxRsTest.java b/jaxrs/src/test/java/org/ow2/authzforce/rest/pdp/jaxrs/test/XacmlRestProfileJaxRsTest.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -17,13 +17,6 @@
  */
 package org.ow2.authzforce.rest.pdp.jaxrs.test;
 
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.security.SecureRandom;
-import java.util.Collections;
-import java.util.Random;
-import java.util.concurrent.atomic.AtomicInteger;
-
 import org.apache.cxf.endpoint.Server;
 import org.apache.cxf.ext.logging.LoggingFeature;
 import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
@@ -40,6 +33,16 @@
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
 
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.util.Collections;
+import java.util.Random;
+import java.util.concurrent.atomic.AtomicInteger;
+
 /**
  * Test for CXF/JAX-RS-based REST profile implementation using XACML JSON Profile for payloads
  *
@@ -87,18 +90,18 @@ public static void initialize() throws Exception
 	}
 
 	@AfterClass
-	public static void destroy() throws Exception
+	public static void destroy()
 	{
 		server.stop();
 		server.destroy();
 	}
 
 	@Test
-	public void testPdpRequest() throws FileNotFoundException
+	public void testPdpRequest() throws IOException
 	{
 		// Request body
 		final String reqLocation = "src/test/resources/IIA001/Request.json";
-		final JSONObject jsonRequest = new LimitsCheckingJSONObject(new FileInputStream(reqLocation), MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
+		final JSONObject jsonRequest = new LimitsCheckingJSONObject(new FileReader(reqLocation, StandardCharsets.UTF_8), MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
 		if (!jsonRequest.has("Request"))
 		{
 			throw new IllegalArgumentException("Invalid XACML JSON Request file: " + reqLocation + ". Expected root key: \"Request\"");
@@ -108,7 +111,7 @@ public void testPdpRequest() throws FileNotFoundException
 
 		// expected response
 		final String respLocation = "src/test/resources/IIA001/Response.json";
-		final JSONObject expectedResponse = new LimitsCheckingJSONObject(new FileInputStream(respLocation), MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
+		final JSONObject expectedResponse = new LimitsCheckingJSONObject(new FileReader(respLocation, StandardCharsets.UTF_8), MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
 		if (!expectedResponse.has("Response"))
 		{
 			throw new IllegalArgumentException("Invalid XACML JSON Response file: " + respLocation + ". Expected root key: \"Response\"");

diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-parent</artifactId>
-      <version>7.6.0</version>
+      <version>8.0.0</version>
    </parent>
    <artifactId>authzforce-ce-restful-pdp</artifactId>
    <version>3.1.1-SNAPSHOT</version>

diff --git a/spotbugs-security-exclude.xml b/spotbugs-security-exclude.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<!--
+  This file contains some false positive bugs detected by Findbugs. Their
+  false positive nature has been analyzed individually and they have been
+  put here to instruct Findbugs to ignore them.
+-->
+<FindBugsFilter>
+  <Match>
+  <!-- CRLF injection in logs is considered fixed in the logger configuration, e.g. logback.xml.
+  More info: https://github.com/find-sec-bugs/find-sec-bugs/issues/240
+   -->
+    <Bug pattern="CRLF_INJECTION_LOGS" />
+  </Match>
+</FindBugsFilter>