author | Jon Bratseth <bratseth@oath.com> | 2018-10-14 10:49:03 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-14 10:49:03 +0200 |
commit | cb943c079ba1cd53f9e70e92e9c03343e85ec780 (patch) | |
tree | 768db3cfdda94fd96b73783bde9495ca964032e3 | |
parent | e2b7c6ed50d94e83e2fc00c8716fcc68ad2a9fbb (diff) | |
parent | 4b60cf8292efa0b9dcb06217813835dc3c873698 (diff) |
Merge pull request #7299 from vespa-engine/bratseth/prevent-xxe-in-xmlfeedreader
Prevent XXE
5 files changed, 26 insertions, 26 deletions
diff --git a/container-search/src/main/java/com/yahoo/search/cluster/ClusterMonitor.java b/container-search/src/main/java/com/yahoo/search/cluster/ClusterMonitor.java
index cb7f5215c7c..3896e817429 100644
--- a/container-search/src/main/java/com/yahoo/search/cluster/ClusterMonitor.java
+++ b/container-search/src/main/java/com/yahoo/search/cluster/ClusterMonitor.java
@@ -38,7 +38,7 @@ public class ClusterMonitor<T> {
     private final Map<T, BaseNodeMonitor<T>> nodeMonitors = Collections.synchronizedMap(new java.util.LinkedHashMap<>());
     /** @deprecated use the constructor with just the first argument instead */
-    @Deprecated
+    @Deprecated // TODO: Remove on Vespa 7
     public ClusterMonitor(NodeManager<T> manager, String ignored) {
         this(manager);
     }
diff --git a/container-search/src/main/java/com/yahoo/search/result/HitGroup.java b/container-search/src/main/java/com/yahoo/search/result/HitGroup.java
index 483f55f9c92..c008b133595 100644
--- a/container-search/src/main/java/com/yahoo/search/result/HitGroup.java
+++ b/container-search/src/main/java/com/yahoo/search/result/HitGroup.java
@@ -16,7 +16,6 @@ import java.util.Collections;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
-import java.util.ListIterator;
 import java.util.Set;
 import java.util.stream.Collectors;
diff --git a/statistics/src/main/java/com/yahoo/statistics/StatisticsImpl.java b/statistics/src/main/java/com/yahoo/statistics/StatisticsImpl.java
index a19d59c193d..b74960eb6e9 100644
--- a/statistics/src/main/java/com/yahoo/statistics/StatisticsImpl.java
+++ b/statistics/src/main/java/com/yahoo/statistics/StatisticsImpl.java
@@ -19,13 +19,13 @@ import com.yahoo.container.StatisticsConfig;
  * will be disabled by initializing the Statistics class with a null config
  * object.
  *
- * @author <a href="mailto:steinar@yahoo-inc.com">Steinar Knutsen</a>
+ * @author Steinar Knutsen
  */
 public final class StatisticsImpl extends AbstractComponent implements Statistics {
+    private final Timer worker;
     private final StatisticsConfig config;
-    private static final Logger log = Logger.getLogger(StatisticsImpl.class
-            .getName());
+    private static final Logger log = Logger.getLogger(StatisticsImpl.class.getName());
     private final int collectioninterval;
     private final int logginginterval;
     // default access for testing only
@@ -44,9 +44,9 @@ public final class StatisticsImpl extends AbstractComponent implements Statistic
      * if logging interval is smaller than collection interval, or
      * collection interval is not a multiplum of logging interval
      */
-    public StatisticsImpl(final StatisticsConfig config) {
-        final int l = (int) config.loggingintervalsec();
-        final int c = (int) config.collectionintervalsec();
+    public StatisticsImpl(StatisticsConfig config) {
+        int l = (int) config.loggingintervalsec();
+        int c = (int) config.collectionintervalsec();
         if (l != 0 && l < c) {
             throw new IllegalArgumentException(
@@ -68,15 +68,13 @@ public final class StatisticsImpl extends AbstractComponent implements Statistic
      * Cancel internal worker thread and do any other necessary cleanup. The
      * internal worker thread is a daemon thread, so not calling this will not
      * hamper a clean exit from the VM.
-     *
-     * @since 5.1.4
      */
     @Override
     public void deconstruct() {
         worker.cancel();
     }
-    private void schedule(final Handle h) {
+    private void schedule(Handle h) {
         if (logginginterval != 0) {
             h.run();
             // We use the rather creative assumption that there is
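Review bot: The `worker` field declared in the first hunk is dereferenced without a guard in `deconstruct()` (`worker.cancel();` in the @@ -68,15 hunk), while `purge()` in a later hunk treats it as nullable (`return worker == null ? 0 : worker.purge();`), and the class Javadoc says statistics are disabled by passing a null config. If `worker` really can be null in the disabled configuration (its assignment is not visible in these hunks, so this is inferred), `deconstruct()` will throw on container shutdown; `if (worker != null) worker.cancel();` would make it consistent with `purge()`. If it can never be null, the check in `purge()` is dead and a one-line comment on the field stating that invariant would stop the next reader from guessing. The enclosing class continues outside these hunks.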
@@ -94,9 +92,9 @@ public final class StatisticsImpl extends AbstractComponent implements Statistic
      * the internal state of this object.
      */
     @Override
-    public void register(final Handle h) {
+    public void register(Handle h) {
         synchronized (handles) {
-            final Handle oldHandle = handles.get(h.getName());
+            Handle oldHandle = handles.get(h.getName());
             if (oldHandle == h) {
                 log.log(Level.WARNING, "Handle [" + h + "] already registered");
                 return;
@@ -115,9 +113,9 @@ public final class StatisticsImpl extends AbstractComponent implements Statistic
      * Remove a named handler from the set of working handlers.
      */
     @Override
-    public void remove(final String name) {
+    public void remove(String name) {
         synchronized (handles) {
-            final Handle oldHandle = handles.remove(name);
+            Handle oldHandle = handles.remove(name);
             if (oldHandle != null) {
                 oldHandle.cancel();
             }
@@ -141,7 +139,7 @@ public final class StatisticsImpl extends AbstractComponent implements Statistic
     @Override
     public int purge() {
         synchronized (handles) {
-            final Iterator<Handle> it = handles.values().iterator();
+            Iterator<Handle> it = handles.values().iterator();
             while (it.hasNext()) {
                 final Handle h = it.next();
                 if (h.isCancelled()) {
@@ -151,4 +149,5 @@ public final class StatisticsImpl extends AbstractComponent implements Statistic
             return worker == null ? 0 : worker.purge();
         }
     }
+
 }
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
index ba89ed550de..670b30f880d 100644
--- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
+++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
@@ -14,6 +14,7 @@ import java.util.concurrent.atomic.AtomicInteger;
 /**
  * Reads an input stream of xml, sends these to session.
+ *
  * @author dybis
  */
 public class XmlFeedReader {
@@ -23,12 +24,13 @@ public class XmlFeedReader {
     public static void read(InputStream inputStream, FeedClient feedClient, AtomicInteger numSent) throws Exception {
-        SAXParserFactory parserFactor = SAXParserFactory.newInstance();
-        parserFactor.setValidating(false);
-        parserFactor.setNamespaceAware(false);
-        final SAXParser parser = parserFactor.newSAXParser();
+        SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+        // XXE prevention:
+        parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        parserFactory.setValidating(false);
+        parserFactory.setNamespaceAware(false);
+        SAXParser parser = parserFactory.newSAXParser();
         SAXClientFeeder saxClientFeeder = new SAXClientFeeder(feedClient, numSent);
-        SAXClientFeeder handler = saxClientFeeder;
         InputSource inputSource = new InputSource();
         inputSource.setEncoding(StandardCharsets.UTF_8.displayName());
@@ -36,8 +38,7 @@ public class XmlFeedReader {
         // This is to send events about CDATA to the saxClientFeeder
         // (https://docs.oracle.com/javase/tutorial/jaxp/sax/events.html)
         parser.setProperty("http://xml.org/sax/properties/lexical-handler", saxClientFeeder);
-
-        parser.parse(inputSource, handler);
+        parser.parse(inputSource, saxClientFeeder);
     }
 }
diff --git a/vespajlib/src/main/java/com/yahoo/system/ProcessExecuter.java b/vespajlib/src/main/java/com/yahoo/system/ProcessExecuter.java
index 9452a2924ba..cceac7e84bb 100644
--- a/vespajlib/src/main/java/com/yahoo/system/ProcessExecuter.java
+++ b/vespajlib/src/main/java/com/yahoo/system/ProcessExecuter.java
@@ -24,7 +24,8 @@ public class ProcessExecuter {
     public Pair<Integer, String> exec(String command) throws IOException {
         StringTokenizer tok = new StringTokenizer(command);
         List<String> tokens = new ArrayList<>();
-        while (tok.hasMoreElements()) tokens.add(tok.nextToken());
+        while (tok.hasMoreElements())
+            tokens.add(tok.nextToken());
         return exec(tokens.toArray(new String[0]));
     }
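Review bot: The XXE hardening added to `read()` only disables external general entities; the factory still resolves external parameter entities and external DTD subsets, so a DOCTYPE in a feed can still trigger out-of-band fetches through a parameter entity, and internal entity expansion (the "billion laughs" class) is not limited either. If the feed format never needs a DOCTYPE, the single strongest setting is `parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to the existing setFeature call; otherwise add at least `parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`, and consider `parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` for the expansion limits. The `// XXE prevention:` comment should also state which vectors the chosen features cover so a later reader does not assume the list is complete. The rest of `read()` (the actual parse call) is in the next hunk, and where the input stream originates is not visible here, so the trust level of the feed is inferred rather than shown.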
@@ -43,10 +44,10 @@ public class ProcessExecuter {
         InputStream is = p.getInputStream();
         while (true) {
             int b = is.read();
-            if (b==-1) break;
+            if (b == -1) break;
             ret.append((char)b);
         }
-        int rc=0;
+        int rc = 0;
         try {
             rc = p.waitFor();
         } catch (InterruptedException e) { |