Sunday, August 6, 2017

XML External Entity (XXE) injection resolutions

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
http://www.gonandy.com/2016/12/xxe-injection/

DocumentBuilderFactory

StAX and XMLInputFactory

StAX parsers such as XMLInputFactory allow various properties and features to be set.
To protect a Java XMLInputFactory from XXE, do this:
  • xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory
  • xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); // disable external entities

TransformerFactory(JDK7)

To protect a Java TransformerFactory from XXE, do this:
  • TransformerFactory tf = TransformerFactory.newInstance();
  • tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  • tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
  • tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,true);

Validator

To protect a Java Validator from XXE, do this:
  • SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
  • Schema schema = factory.newSchema();
  • Validator validator = schema.newValidator();
  • validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  • validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

SchemaFactory

To protect a SchemaFactory from XXE, do this:
  • SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
  • factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  • factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
  • Schema schema = factory.newSchema(Source);

SAXTransformerFactory

To protect a Java SAXTransformerFactory from XXE, do this:
  • SAXTransformerFactory sf = SAXTransformerFactory.newInstance();
  • sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  • sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
  • sf.newXMLFilter(Source);

XMLReader

To protect a Java XMLReader from XXE, do this:

Unmarshaller

Since an Unmarshaller parses XML and does not support any flags for disabling XXE, it’s imperative to parse the untrusted XML through a configurable secure parser first, generate a Source object as a result, and pass the source object to the Unmarshaller. For example:
  • SAXParserFactory spf = SAXParserFactory.newInstance(); // must have DTDs and external entities disabled before its reader is used
  • Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
  • JAXBContext jc = JAXBContext.newInstance(Object.class);
  • Unmarshaller um = jc.createUnmarshaller();
  • um.unmarshal(xmlSource);

XPathExpression

An XPathExpression is similar to an Unmarshaller where it can’t be configured securely by itself, so the untrusted data must be parsed through another securable XML parser first. For example:
  • DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
  • df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  • df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
  • DocumentBuilder builder = df.newDocumentBuilder();
  • xPathExpression.evaluate(builder.parse(new ByteArrayInputStream(xml.getBytes())));
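
The class below is an added example, not code from the original post or from OWASP. It assembles the hardening for the two parsers that the Unmarshaller and XPathExpression sections rely on (a SAX XMLReader and a DocumentBuilderFactory) into one place, and shows the hardened DOM parser rejecting a document that declares an external entity. The feature URIs are the standard SAX and Apache Xerces ones; the class name, the two sample documents and the entity's file path are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public final class XxeHardening {

    // Constructed sample: a document whose DOCTYPE declares an external entity.
    // A parser that resolves external entities would read the referenced file;
    // a parser with DOCTYPE disallowed throws on the DOCTYPE line and never reaches the entity.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder-path\"> ]>\n"
      + "<data>&ext;</data>";

    // Constructed sample: ordinary input that must still be accepted.
    static final String SAMPLE_PLAIN = "<data>hello</data>";

    /** DocumentBuilderFactory with DTDs disallowed and external entities switched off. */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE is the strongest setting; it also stops entity-expansion ("billion laughs") input.
        df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        df.setFeature("http://xml.org/sax/features/external-general-entities", false);
        df.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        df.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        df.setXIncludeAware(false);
        df.setExpandEntityReferences(false);
        return df;
    }

    /** SAX XMLReader with the same protections; this is the reader an Unmarshaller should be fed from. */
    static XMLReader hardenedXmlReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Wraps untrusted text as a Source backed by the hardened reader, ready for Unmarshaller.unmarshal(). */
    static Source secureSource(String untrustedXml) throws ParserConfigurationException, SAXException {
        return new SAXSource(hardenedXmlReader(), new InputSource(new StringReader(untrustedXml)));
    }

    /** Returns true when the hardened DOM parser accepts the document and false when it rejects it. */
    static boolean acceptedByHardenedDom(String xml) throws ParserConfigurationException {
        try {
            DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
            builder.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            // disallow-doctype-decl makes Xerces throw a SAXParseException as soon as it sees the DOCTYPE
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document accepted:   " + acceptedByHardenedDom(SAMPLE_PLAIN));
        System.out.println("DOCTYPE document accepted: " + acceptedByHardenedDom(SAMPLE_WITH_DOCTYPE));
        Source src = secureSource(SAMPLE_PLAIN);
        System.out.println("secure Source ready for unmarshalling: " + (src != null));
    }
}
```

The hardened factory is built once per parse here for clarity; in a real service build it once and reuse it, since the factories are the expensive part. Disallowing DOCTYPE rejects input that some legacy producers emit with a harmless DTD reference, so if that input must be accepted, keep the three entity features off and drop only the disallow-doctype-decl line.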

Tuesday, June 27, 2017

Check your code dependency vulnerabilities

Here is the CLI tool from OWASP. It detects publicly disclosed vulnerabilities in the libraries your code depends on.

https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html



Friday, June 16, 2017

Best Practice: Don't combine Refactoring commit with the actual fix changes

For better code reviewability, don't combine refactoring changes and fix changes into a single commit.

If the refactoring change is very small, it is completely fine to combine them. Otherwise, it becomes difficult for the reviewer to read the code and understand it. The reviewer has to switch context from the refactoring to the actual fix and back again, and in the process we tend to overlook the actual fix code, which leads to a problem again!


Let me point to the first resource I found when I googled this subject.
http://jakegoulding.com/blog/2012/11/04/refactor-and-make-changes-in-different-commits/

Thursday, June 8, 2017

Programmatically executing a command in eclipse


If you know the Eclipse command id and you want to execute it programmatically, you need to use IHandlerService.

Below is an example that runs the toggle full-screen command in Eclipse.


import org.eclipse.ui.PlatformUI;
import org.eclipse.ui.handlers.IHandlerService;

// The snippet is assumed to sit inside a method that may return null.
IHandlerService handlerService =
    (IHandlerService) PlatformUI.getWorkbench().getService(IHandlerService.class);

if (handlerService == null)
{
    return null; // no workbench service available (e.g. a headless run)
}

try
{
    // "org.eclipse.ui.cocoa.fullscreenWindow" is the Cocoa (macOS) toggle full-screen command id
    handlerService.executeCommand("org.eclipse.ui.cocoa.fullscreenWindow", null);
}
catch (Exception ex)
{
    // log exception: executeCommand throws if the command is undefined, disabled or has no handler
}
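
As an added example (not code from the original post), the helper below wraps the same IHandlerService call but first asks ICommandService whether the command is defined and enabled, so a mistyped id or a command that is not applicable in the current context is reported instead of surfacing as an exception. The class and method names are hypothetical; the Eclipse API calls (getService, getCommand, isDefined, isEnabled, executeCommand) are the real ones.

```java
import org.eclipse.core.commands.Command;
import org.eclipse.core.commands.ExecutionException;
import org.eclipse.core.commands.NotEnabledException;
import org.eclipse.core.commands.NotHandledException;
import org.eclipse.core.commands.common.NotDefinedException;
import org.eclipse.ui.PlatformUI;
import org.eclipse.ui.commands.ICommandService;
import org.eclipse.ui.handlers.IHandlerService;

public final class CommandRunner {

    private CommandRunner() {
    }

    /**
     * Hypothetical helper: executes the command with the given id and returns true only
     * when it actually ran. Returns false (after logging) in every other case.
     */
    public static boolean runCommand(String commandId) {
        ICommandService commandService =
            (ICommandService) PlatformUI.getWorkbench().getService(ICommandService.class);
        IHandlerService handlerService =
            (IHandlerService) PlatformUI.getWorkbench().getService(IHandlerService.class);
        if (commandService == null || handlerService == null) {
            // workbench services are not available, e.g. called before the workbench started
            return false;
        }

        // getCommand never returns null; an unknown id yields an undefined Command object
        Command command = commandService.getCommand(commandId);
        if (!command.isDefined()) {
            System.err.println("command is not defined: " + commandId);
            return false;
        }
        // a command is enabled only when an active handler exists for the current context
        if (!command.isEnabled()) {
            System.err.println("command is not enabled in the current context: " + commandId);
            return false;
        }

        try {
            // null event: no SWT trigger event is associated with this programmatic execution
            handlerService.executeCommand(commandId, null);
            return true;
        } catch (ExecutionException | NotDefinedException | NotEnabledException | NotHandledException e) {
            // include the id so the failing command is identifiable in the workspace .log
            System.err.println("command " + commandId + " failed: " + e);
            return false;
        }
    }

    /** Example call using the command id from the post. */
    public static boolean toggleFullScreen() {
        return runCommand("org.eclipse.ui.cocoa.fullscreenWindow");
    }
}
```

The isEnabled check matters for commands like the full-screen toggle, which only have a handler when a workbench window is active; without it the call fails with NotEnabledException rather than a readable message.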

Wednesday, May 17, 2017

OSGI bundle/plugin class loading

Being a programmer, I would ask you to take a look at this class.

Plugin:
org.eclipse.osgi_3.10.2.v20150203-1939.jar

Class:
BundleLoader

The two methods below explain most of the delegation behaviour:

Class<?> findClass(String name, boolean checkParent) throws ClassNotFoundException {
    if (checkParent && parent != null && name.startsWith(JAVA_PACKAGE))
        // 1) if startsWith "java." delegate to parent and terminate search
        // we want to throw ClassNotFoundExceptions if a java.* class cannot be loaded from the parent.
        return parent.loadClass(name);
    return findClassInternal(name, checkParent);
}


private Class<?> findClassInternal(String name, boolean checkParent) throws ClassNotFoundException {
    if (debug.DEBUG_LOADER)
        Debug.println("BundleLoader[" + this + "].findClassInternal(" + name + ")"); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
    String pkgName = getPackageName(name);
    boolean bootDelegation = false;
    // follow the OSGi delegation model
    if (checkParent && parent != null && container.isBootDelegationPackage(pkgName))
        // 2) if part of the bootdelegation list then delegate to parent and continue of failure
        try {
            return parent.loadClass(name);
        } catch (ClassNotFoundException cnfe) {
            // we want to continue
            bootDelegation = true;
        }
    Class<?> result = null;
    try {
        result = (Class<?>) searchHooks(name, PRE_CLASS);
    } catch (ClassNotFoundException e) {
        throw e;
    } catch (FileNotFoundException e) {
        // will not happen
    }
    if (result != null)
        return result;
    // 3) search the imported packages
    PackageSource source = findImportedSource(pkgName, null);
    if (source != null) {
        if (debug.DEBUG_LOADER) {
            Debug.println("BundleLoader[" + this + "] loading from import package: " + source); //$NON-NLS-1$ //$NON-NLS-2$
        }
        // 3) found import source terminate search at the source
        result = source.loadClass(name);
        if (result != null)
            return result;
        throw new ClassNotFoundException(name + " cannot be found by " + this); //$NON-NLS-1$
    }
    // 4) search the required bundles
    source = findRequiredSource(pkgName, null);
    if (source != null) {
        if (debug.DEBUG_LOADER) {
            Debug.println("BundleLoader[" + this + "] loading from required bundle package: " + source); //$NON-NLS-1$ //$NON-NLS-2$
        }
        // 4) attempt to load from source but continue on failure
        result = source.loadClass(name);
    }
    // 5) search the local bundle
    if (result == null)
        result = findLocalClass(name);
    if (result != null)
        return result;
    // 6) attempt to find a dynamic import source; only do this if a required source was not found
    if (source == null) {
        source = findDynamicSource(pkgName);
        if (source != null) {
            result = source.loadClass(name);
            if (result != null)
                return result;
            // must throw CNFE if dynamic import source does not have the class
            throw new ClassNotFoundException(name + " cannot be found by " + this); //$NON-NLS-1$
        }
    }

    if (result == null)
        try {
            result = (Class<?>) searchHooks(name, POST_CLASS);
        } catch (ClassNotFoundException e) {
            throw e;
        } catch (FileNotFoundException e) {
            // will not happen
        }
    // do buddy policy loading
    if (result == null && policy != null)
        result = policy.doBuddyClassLoading(name);
    if (result != null)
        return result;
    // hack to support backwards compatibility for bootdelegation
    // or last resort; do class context trick to work around VM bugs
    if (parent != null && !bootDelegation && ((checkParent && container.getConfiguration().compatibilityBootDelegation) || isRequestFromVM()))
        // we don't need to continue if a CNFE is thrown here.
        try {
            return parent.loadClass(name);
        } catch (ClassNotFoundException e) {
            // we want to generate our own exception below
        }
    throw new ClassNotFoundException(name + " cannot be found by " + this); //$NON-NLS-1$

}

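The following is an added example, not Equinox code: a small in-memory model of the delegation order implemented by findClassInternal above (steps 1 to 6), with class-loading hooks, buddy loading and the compatibility boot-delegation fallback left out. Each "source" is just a named set of class names, and the returned string says which source supplied the class, which makes it easy to see the point that matters for dependency hygiene: an Import-Package wire ends the search at the exporter, so a bundle's own copy of an imported package is never used, while a Require-Bundle miss falls through to the local class path. The bundle and class names are constructed.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Toy model of the BundleLoader delegation order (added example, not Equinox code). */
public final class DelegationModel {

    /** A class source that knows only the fully qualified names it can provide. */
    static final class ClassSource {
        final String name;
        final Set<String> classes;

        ClassSource(String name, String... classes) {
            this.name = name;
            this.classes = new HashSet<>(Arrays.asList(classes));
        }

        /** Mirrors PackageSource.loadClass: the class tagged with its origin, or null on a miss. */
        String loadClass(String className) {
            return classes.contains(className) ? name + ":" + className : null;
        }
    }

    final ClassSource parent;                       // the framework's parent class loader
    final Set<String> bootDelegationPackages;       // org.osgi.framework.bootdelegation entries
    final Map<String, ClassSource> imports;         // package -> exporter wired via Import-Package
    final Map<String, ClassSource> required;        // package -> bundle wired via Require-Bundle
    final ClassSource local;                        // this bundle's own Bundle-ClassPath
    final Map<String, ClassSource> dynamicImports;  // package -> exporter via DynamicImport-Package

    DelegationModel(ClassSource parent, Set<String> bootDelegationPackages, Map<String, ClassSource> imports,
                    Map<String, ClassSource> required, ClassSource local, Map<String, ClassSource> dynamicImports) {
        this.parent = parent;
        this.bootDelegationPackages = bootDelegationPackages;
        this.imports = imports;
        this.required = required;
        this.local = local;
        this.dynamicImports = dynamicImports;
    }

    static String packageOf(String className) {
        int dot = className.lastIndexOf('.');
        return dot < 0 ? "" : className.substring(0, dot);
    }

    String findClass(String name) throws ClassNotFoundException {
        String pkg = packageOf(name);
        // 1) java.* always goes to the parent and the search ends there, found or not
        if (pkg.startsWith("java.")) {
            return found(parent.loadClass(name), name);
        }
        // 2) boot delegation packages: ask the parent first, but keep searching on a miss
        if (bootDelegationPackages.contains(pkg)) {
            String fromParent = parent.loadClass(name);
            if (fromParent != null) return fromParent;
        }
        // 3) an imported package terminates the search at the exporter, even if the class also exists locally
        ClassSource exporter = imports.get(pkg);
        if (exporter != null) {
            return found(exporter.loadClass(name), name);
        }
        // 4) required bundles: try the one wired for this package, but a miss falls through
        ClassSource requiredSource = required.get(pkg);
        String result = requiredSource == null ? null : requiredSource.loadClass(name);
        // 5) the bundle's own class path
        if (result == null) result = local.loadClass(name);
        if (result != null) return result;
        // 6) dynamic imports are consulted only when no required bundle provides the package
        if (requiredSource == null) {
            ClassSource dyn = dynamicImports.get(pkg);
            if (dyn != null) return found(dyn.loadClass(name), name);
        }
        throw new ClassNotFoundException(name + " cannot be found by this bundle");
    }

    private static String found(String result, String name) throws ClassNotFoundException {
        if (result == null) throw new ClassNotFoundException(name);
        return result;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // constructed wiring: the local bundle ships its own com.example.util.Text but imports that
        // package from "lib"; it requires "base", which exports com.example.base but lacks Extra
        ClassSource parent = new ClassSource("parent", "java.lang.String");
        ClassSource lib = new ClassSource("lib", "com.example.util.Text");
        ClassSource base = new ClassSource("base", "com.example.base.Core");
        ClassSource local = new ClassSource("local",
            "com.example.util.Text", "com.example.base.Extra", "com.example.app.Main");

        Map<String, ClassSource> imports = new HashMap<>();
        imports.put("com.example.util", lib);
        Map<String, ClassSource> required = new HashMap<>();
        required.put("com.example.base", base);
        DelegationModel loader =
            new DelegationModel(parent, new HashSet<>(), imports, required, local, new HashMap<>());

        System.out.println(loader.findClass("java.lang.String"));       // step 1: parent resolves java.*
        System.out.println(loader.findClass("com.example.util.Text"));  // step 3: exporter beats the local copy
        System.out.println(loader.findClass("com.example.base.Core"));  // step 4: required bundle
        System.out.println(loader.findClass("com.example.base.Extra")); // step 5: required bundle misses, local wins
        System.out.println(loader.findClass("com.example.app.Main"));   // step 5: plain local class
    }
}
```

Running it prints the origin prefix for each lookup, so a shadowed local copy shows up immediately as "lib:" rather than "local:". The same shadowing is what org.eclipse.osgi/debug/loader reports in a real framework, which is the quickest way to confirm which bundle actually supplied a class when two versions of a library are present.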

Resources:
http://moi.vonos.net/java/osgi-classloaders/

Tuesday, May 16, 2017

Debugging options for org.eclipse.osgi

#### Debugging options for org.eclipse.osgi

# Turn on general debugging for org.eclipse.osgi
org.eclipse.osgi/debug=false
# Prints out class loading debug information
org.eclipse.osgi/debug/loader=false
# Prints out event (FrameworkEvent/BundleEvent/ServiceEvent) and listener debug information
org.eclipse.osgi/debug/events=false
# Prints out OSGi service debug information (registration/getting/ungetting etc.)
org.eclipse.osgi/debug/services=false
# Prints out bundle manifest parsing debug information
org.eclipse.osgi/debug/manifest=false
# Prints out LDAP filter debug information
org.eclipse.osgi/debug/filter=false
# Prints out security (PermissionAdmin service) debug information
org.eclipse.osgi/debug/security=false
# Prints out start level service debug information
org.eclipse.osgi/debug/startlevel=false
# Prints out package admin service debug information
org.eclipse.osgi/debug/packageadmin=false
# Prints out timing information for bundle activation
org.eclipse.osgi/debug/bundleTime=false
# Debug the loading of message bundles
org.eclipse.osgi/debug/messageBundles=false
# Debug the object pool additions
org.eclipse.osgi/debug/objectPool/adds=false
# Debug the object pool duplications
org.eclipse.osgi/debug/objectPool/dups=false

# Eclipse adaptor options
org.eclipse.osgi/eclipseadaptor/debug = false
org.eclipse.osgi/eclipseadaptor/debug/location = false
org.eclipse.osgi/eclipseadaptor/debug/cachedmanifest = false
org.eclipse.osgi/eclipseadaptor/debug/platformadmin=false
org.eclipse.osgi/eclipseadaptor/debug/platformadmin/resolver=false
org.eclipse.osgi/eclipseadaptor/converter/debug = false

### OSGi resolver options
# Turns on debugging for the resolver
org.eclipse.osgi/resolver/debug = false
# Prints out wiring information after the resolver has completed the resolve process
org.eclipse.osgi/resolver/wiring = false
# Prints out Import-Package information
org.eclipse.osgi/resolver/imports = false
# Prints out Require-Bundle information
org.eclipse.osgi/resolver/requires = false
# Prints out debug information from the "uses" clause
org.eclipse.osgi/resolver/uses = false
# Prints out cycle information
org.eclipse.osgi/resolver/cycles = false
# Prints out Eclipse-GenericRequire information
org.eclipse.osgi/resolver/generics = false

#### Profile settings
org.eclipse.osgi/profile/startup = false
org.eclipse.osgi/profile/benchmark = false
org.eclipse.osgi/profile/debug = false

# Override the default implementation
org.eclipse.osgi/profile/impl = org.eclipse.osgi.internal.profile.DefaultProfileLogger

# Append all profile messages to the filename specified
org.eclipse.osgi/defaultprofile/logfilename = 

# Output all profile log messages synchronously to the jvm console.
# By default, all log messages are cached until the log buffer is
# requested.
org.eclipse.osgi/defaultprofile/logsynchronously = false

# Specify the size of the default profile implementation log buffer.
org.eclipse.osgi/defaultprofile/buffersize = 256

#### Monitoring settings
# monitor class loading
org.eclipse.osgi/monitor/classes=false

# monitor bundle activation
org.eclipse.osgi/monitor/activation=false

# monitor resource bundle (*.properties) loading
org.eclipse.osgi/monitor/resources=false


#### Trace settings
# trace class loading - snapshot the execution stack when a class is loaded
org.eclipse.osgi/trace/classLoading=false

# trace location - file in which execution traces are written
org.eclipse.osgi/trace/filename=runtime.traces

# trace filters - Java properties file defining which classes should 
# be traced (if trace/classLoading is true)
# File format:
# plugins=<comma separated list of plugins whose classes to trace>
# packages=<comma separated list of package prefixes of classes to trace>
# Note that there may be many 'plugins' and 'packages' lines in one file.
org.eclipse.osgi/trace/filters=trace.properties

# trace bundle activation - snapshot the execution stack when a bundle is activated
org.eclipse.osgi/trace/activation=false