Tuesday, September 19, 2017

Git force merge

Here is my scenario - I've development and release branches. And I want to merge my changes from development to release branch and if any conflicts during merge and I want to overwrite with the development branch changes.

$ git checkout release  => switch from development to release branch
$ git merge -X theirs development  => merge changes from development to release branch

Understand more about it here - https://stackoverflow.com/questions/40517129/git-merge-with-force-overwrite

Tuesday, August 8, 2017

Showing progress dialog using Eclipse jobs API

Below piece of code shows how can we run the eclipse jobs interactively by showing eclipse progress dialog using Eclipse Jobs API.

Job installationJob = new Job("Creating a new creating catalog...")
public IStatus run(IProgressMonitor monitor)
monitor.beginTask("creating catalog...", 10);
//do your task here

return Status.OK_STATUS;


//This is alternative to the installationJob.setUser(true);
//sometimes setUser(true) doesn't show up the progress dialog, in those cases below piece of code can be used.

.showInDialog(Display.getDefault().getActiveShell(), installationJob);


Sunday, August 6, 2017

XML external injection resolutions



StAX and XMLInputFactory

StAX parsers such as XMLInputFactory allow various properties and features to be set.
To protect a Java XMLInputFactory from XXE, do this:
  • xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory
  • xmlInputFactory.setProperty(“javax.xml.stream.isSupportingExternalEntities”, false); // disable external entities


To protect a Java TransformerFactory from XXE, do this:
  • TransformerFactory tf = TransformerFactory.newInstance();
  • tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
  • tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, “”);
  • tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,true);


To protect a Java Validator from XXE, do this:
  • SchemaFactory factory = SchemaFactory.newInstance(“http://www.w3.org/2001/XMLSchema“);
  • Schema schema = factory.newSchema();
  • Validator validator = schema.newValidator();
  • validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
  • validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);


To protect a SchemaFactory from XXE, do this:
  • SchemaFactory factory = SchemaFactory.newInstance(“http://www.w3.org/2001/XMLSchema“);
  • factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
  • factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);
  • Schema schema = factory.newSchema(Source);


To protect a Java SAXTransformerFactory from XXE, do this:
  • SAXTransformerFactory sf = SAXTransformerFactory.newInstance();
  • sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
  • sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, “”);
  • sf.newXMLFilter(Source);


To protect a Java XMLReader from XXE, do this:


Since an Unmarshaller parses XML and does not support any flags for disabling XXE, it’s imperative to parse the untrusted XML through a configurable secure parser first, generate a Source object as a result, and pass the source object to the Unmarshaller. For example:
  • Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
  • JAXBContext jc = JAXBContext.newInstance(Object.class);
  • Unmarshaller um = jc.createUnmarshaller();
  • um.unmarshal(xmlSource);


An XPathExpression is similar to an Unmarshaller where it can’t be configured securely by itself, so the untrusted data must be parsed through another securable XML parser first. For example:
  • DocumentBuilderFactory df =DocumentBuilderFactory.newInstance();
  • df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
  • df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);
  • builder = df.newDocumentBuilder();
  • xPathExpression.evaluate( builder.parse(new ByteArrayInputStream(xml.getBytes())) );

Tuesday, June 27, 2017