Java, Eclipse Plugin Development and best software development practices
Wednesday, August 9, 2017
Tuesday, August 8, 2017
Showing progress dialog using Eclipse jobs API
Below piece of code shows how can we run the eclipse jobs interactively by showing eclipse progress dialog using Eclipse Jobs API.
import org.eclipse.core.runtime.IProgressMonitor;
import org.eclipse.core.runtime.IStatus;
import org.eclipse.core.runtime.Status;
import org.eclipse.core.runtime.jobs.Job;
import org.eclipse.swt.widgets.Display;
import org.eclipse.ui.PlatformUI;

Job installationJob = new Job("Creating a new catalog...")
{
    @Override
    public IStatus run(IProgressMonitor monitor)
    {
        try
        {
            // 10 is the total number of work units; call monitor.worked(n) as steps complete
            monitor.beginTask("creating catalog...", 10);
            // do your task here
        }
        finally
        {
            monitor.done();
        }
        return Status.OK_STATUS;
    }
};
installationJob.setPriority(Job.INTERACTIVE);
// This is an alternative to installationJob.setUser(true);
// sometimes setUser(true) doesn't show the progress dialog; in those cases the call below can be used.
PlatformUI.getWorkbench().getProgressService()
        .showInDialog(Display.getDefault().getActiveShell(), installationJob);
installationJob.schedule();
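The snippet above reports progress but never looks at the dialog's Cancel button, so a long-running job keeps going after the user has asked it to stop. The following is an added example (not code from the original post) that builds on it: it uses SubMonitor to split the ticks across the work items, checks for cancellation between steps and returns Status.CANCEL_STATUS so the framework does not treat an abort as a failure. It assumes the Eclipse Platform runtime and workbench APIs (org.eclipse.core.runtime, org.eclipse.ui); the class name CatalogJobs, the ENTRIES array and the createEntry() method are constructed placeholders for the real work.

```java
import org.eclipse.core.runtime.IProgressMonitor;
import org.eclipse.core.runtime.IStatus;
import org.eclipse.core.runtime.Status;
import org.eclipse.core.runtime.SubMonitor;
import org.eclipse.core.runtime.jobs.Job;
import org.eclipse.swt.widgets.Display;
import org.eclipse.ui.PlatformUI;

/** Added example (hypothetical helper class): a cancellable catalog job shown in the progress dialog. */
public final class CatalogJobs
{
    // Constructed sample work items; in a real plug-in these would be the catalog entries to create.
    static final String[] ENTRIES = { "alpha", "beta", "gamma", "delta" };

    public static Job createCatalogJob()
    {
        Job job = new Job("Creating a new catalog...")
        {
            @Override
            protected IStatus run(IProgressMonitor monitor)
            {
                try
                {
                    // SubMonitor.convert calls beginTask for us and hands out one tick per entry.
                    SubMonitor sub = SubMonitor.convert(monitor, "Creating catalog", ENTRIES.length);
                    for (String entry : ENTRIES)
                    {
                        // Honour the dialog's Cancel button between steps. Returning CANCEL_STATUS
                        // tells the job framework the job stopped early by request, not by error.
                        if (sub.isCanceled())
                        {
                            return Status.CANCEL_STATUS;
                        }
                        sub.subTask("Adding " + entry);
                        createEntry(entry);
                        sub.worked(1);
                    }
                    return Status.OK_STATUS;
                }
                finally
                {
                    // The caller that passed the monitor in is still responsible for done().
                    monitor.done();
                }
            }
        };
        job.setPriority(Job.INTERACTIVE);
        return job;
    }

    /** Placeholder for the real per-entry work (hypothetical); sleeps so the dialog is visible. */
    static void createEntry(String name)
    {
        try
        {
            Thread.sleep(250);
        }
        catch (InterruptedException e)
        {
            Thread.currentThread().interrupt();
        }
    }

    /** Shows the job in the workbench progress dialog and schedules it; call from the UI thread. */
    public static void runInDialog()
    {
        Job job = createCatalogJob();
        PlatformUI.getWorkbench().getProgressService()
                .showInDialog(Display.getDefault().getActiveShell(), job);
        job.schedule();
    }
}
```

Pressing Cancel in the dialog sets the cancelled flag on the monitor; the loop sees it on the next iteration, so at most one entry of work is wasted. Because the job returns CANCEL_STATUS rather than an error status, the workbench closes the dialog quietly instead of showing an error.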
Sunday, August 6, 2017
XML External Entity (XXE) injection resolutions
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
http://www.gonandy.com/2016/12/xxe-injection/
DocumentBuilderFactory
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

// Note: setFeature throws ParserConfigurationException if the underlying parser does not
// know the feature, so the caller has to handle or declare it.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
// If you can't completely disable DTDs, then at least do the following:
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
// JDK7+ - http://xml.org/sax/features/external-general-entities
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
// JDK7+ - http://xml.org/sax/features/external-parameter-entities
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
// Disable external DTDs as well
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below)
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
StAX and XMLInputFactory
StAX parsers such as XMLInputFactory allow various properties and features to be set.
To protect a Java XMLInputFactory from XXE, do this:
- xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory
- xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); // disable external entities
TransformerFactory (JDK7)
To protect a Java TransformerFactory from XXE, do this:
- TransformerFactory tf = TransformerFactory.newInstance();
- tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
- tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,true);
Validator
To protect a Java Validator from XXE, do this:
- SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
- Schema schema = factory.newSchema();
- Validator validator = schema.newValidator();
- validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
SchemaFactory
To protect a SchemaFactory from XXE, do this:
- SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
- factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- Schema schema = factory.newSchema(source); // source: the javax.xml.transform.Source holding the schema
SAXTransformerFactory
To protect a Java SAXTransformerFactory from XXE, do this:
- SAXTransformerFactory sf = SAXTransformerFactory.newInstance();
- sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
- sf.newXMLFilter(source); // source: the javax.xml.transform.Source holding the stylesheet
XMLReader
To protect a Java XMLReader from XXE, do this:
- XMLReader reader = XMLReaderFactory.createXMLReader();
- reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Unmarshaller
Since an Unmarshaller parses XML and does not support any flags for disabling XXE, it’s imperative to parse the untrusted XML through a configurable secure parser first, generate a Source object as a result, and pass the source object to the Unmarshaller. For example:
- SAXParserFactory spf = SAXParserFactory.newInstance();
- spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
- JAXBContext jc = JAXBContext.newInstance(Object.class);
- Unmarshaller um = jc.createUnmarshaller();
- um.unmarshal(xmlSource);
XPathExpression
An XPathExpression is similar to an Unmarshaller in that it can't be configured securely by itself, so the untrusted data must be parsed through another securable XML parser first. For example:
- DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
- df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- DocumentBuilder builder = df.newDocumentBuilder();
- xPathExpression.evaluate(builder.parse(new ByteArrayInputStream(xml.getBytes()))); // xPathExpression was compiled earlier
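The lists above say which switches to flip but not what a correctly hardened parser does when it meets a document it should refuse. The following is an added example, not code from this post or from the OWASP cheat sheet, serving both the DocumentBuilderFactory and the StAX/XMLInputFactory sections: it packages the settings into two factory helpers, parses a constructed clean document, and then feeds the same document with a DOCTYPE (declaring only a harmless internal entity) to both parsers to show that each aborts instead of processing it. It assumes the JDK's built-in JAXP implementation (Xerces-derived, so the apache.org feature URIs and the JAXP 1.5 ACCESS_EXTERNAL_* attributes are recognised); the class name SecureXml and the sample strings are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example (hypothetical helper class): hardened JAXP factories for untrusted XML. */
public final class SecureXml
{
    // Constructed sample: a plain document with no DOCTYPE.
    static final String CLEAN = "<?xml version=\"1.0\"?><catalog><item id=\"1\"/></catalog>";
    // Constructed sample: the same document with a DOCTYPE declaring a harmless internal entity.
    // A hardened parser must refuse the DOCTYPE outright rather than start expanding anything.
    static final String WITH_DOCTYPE = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE catalog [<!ENTITY n \"1\">]><catalog><item id=\"&n;\"/></catalog>";

    /** DOM: DTDs disallowed entirely, plus the fallbacks from the OWASP list. */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException
    {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 (JDK 7u40+): no external DTD or schema fetches at all, whatever the features say.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    /** StAX: no DTD support and no external entity resolution. */
    public static XMLInputFactory newInputFactory()
    {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Same key as the string "javax.xml.stream.isSupportingExternalEntities" used in the text.
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /** Parses untrusted XML with the hardened DOM parser and returns the root element name. */
    public static String rootElement(String xml)
            throws ParserConfigurationException, SAXException, IOException
    {
        Document doc = newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    /** Counts start elements with the hardened StAX reader. */
    public static int countElements(String xml) throws XMLStreamException
    {
        XMLStreamReader r = newInputFactory().createXMLStreamReader(new StringReader(xml));
        int n = 0;
        while (r.hasNext())
        {
            if (r.next() == XMLStreamConstants.START_ELEMENT)
            {
                n++;
            }
        }
        r.close();
        return n;
    }

    public static void main(String[] args) throws Exception
    {
        System.out.println("DOM root: " + rootElement(CLEAN));           // catalog
        System.out.println("StAX elements: " + countElements(CLEAN));   // 2
        try
        {
            rootElement(WITH_DOCTYPE);
            System.out.println("DOM: DOCTYPE was accepted (parser is NOT hardened)");
        }
        catch (SAXException e)
        {
            // Xerces reports that DOCTYPE is disallowed when disallow-doctype-decl is true.
            System.out.println("DOM rejected DOCTYPE: " + e.getMessage());
        }
        try
        {
            countElements(WITH_DOCTYPE);
            System.out.println("StAX: DOCTYPE was accepted (factory is NOT hardened)");
        }
        catch (XMLStreamException e)
        {
            // With SUPPORT_DTD off the DTD is not processed, so parsing aborts instead of
            // resolving the reference to the entity declared in it.
            System.out.println("StAX aborted on DOCTYPE: " + e.getMessage());
        }
    }
}
```

The useful habit here is the negative test: after configuring a parser, parse a document with a DOCTYPE and confirm it fails. If a parser implementation or a JAXP system property changes under you, a factory that silently accepts the DOCTYPE is the signal that the hardening no longer applies.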
Friday, July 7, 2017
Tuesday, June 27, 2017
Check your code dependency vulnerabilities
Here is the CLI tool from OWASP. It detects publicly disclosed vulnerabilities in your code's dependency libraries.
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
Friday, June 16, 2017
Best Practice: Don't combine Refactoring commit with the actual fix changes
For better code reviewability, don't combine refactoring changes and fix changes in a single commit.
If it's a very small refactoring change, it's completely fine to combine them. Otherwise, it's going to be difficult for the reviewer to read and understand the code. The reviewer has to switch context from the refactoring to the actual fix and back, and in the process we tend to overlook the actual fix code, which leads to a problem again!
Let me point to the first resource I found when I googled this subject.
http://jakegoulding.com/blog/2012/11/04/refactor-and-make-changes-in-different-commits/
Thursday, June 8, 2017
Programmatically executing a command in eclipse
If you know the id of an Eclipse command and want to execute it programmatically, use IHandlerService.
Below is an example that performs Eclipse's toggle full-screen command.
import org.eclipse.ui.PlatformUI;
import org.eclipse.ui.handlers.IHandlerService;

public Object toggleFullScreen()
{
    IHandlerService handlerService =
            (IHandlerService) PlatformUI.getWorkbench().getService(IHandlerService.class);
    if (handlerService == null)
    {
        return null;
    }
    try
    {
        // command id of the Cocoa (macOS) full-screen toggle; the second argument is the
        // optional SWT Event that triggered the command
        return handlerService.executeCommand("org.eclipse.ui.cocoa.fullscreenWindow", null);
    }
    catch (Exception ex)
    {
        // executeCommand throws ExecutionException, NotDefinedException,
        // NotEnabledException or NotHandledException; log the exception
        return null;
    }
}