
[PPP-5150] running Jenkins Unit Tests #9548

Open
wants to merge 1 commit into base: master

Conversation

eddie-martinez
Contributor

No description provided.

eddie-martinez requested a review from a team as a code owner on August 23, 2024 at 17:23

@buildguy
Collaborator

🚨 Frogbot scanned this pull request and found the below:


@buildguy
Collaborator

db.parse( inputSource )

at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java (line 749)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: XML external entities
Full description

Overview

Unsafe XXE (XML External Entity) expansion is a type of vulnerability
that allows an attacker to access external resources, such as files or
network services, using a crafted XML document. The attack can also lead
to a denial of service due to quadratic expansion of XXE elements.

Vulnerable example

protected void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    InputSource is = new InputSource();
    // Load the xml string into an InputSource object.
    is.setCharacterStream(new StringReader( request.getParameter("xml") ));
    // Parse it
    db.parse(is);
}

Remediation

Set the following features on DocumentBuilderFactory to remediate XXE:

+   try {
+      dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+   } catch (ParserConfigurationException e) { }
+   try {
+      dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+   } catch (ParserConfigurationException e) { }
+   try {
+      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+   } catch (ParserConfigurationException e) { }
+   try {
+      dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
+           false);
+   } catch (ParserConfigurationException e) { }
+   dbf.setXIncludeAware(false);
+   dbf.setExpandEntityReferences(false);
    DocumentBuilder db = dbf.newDocumentBuilder();
Code Flows
Vulnerable data flow analysis result

↘️ inputStream.read() (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 380)

↘️ c (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 380)

↘️ xml.append( (char) c ) (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 381)

↘️ xml.toString() (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 384)

↘️ XMLHandler.loadXMLString( xml.toString() ) (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 384)

↘️ DocumentBuilder db (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 741)

↘️ db.parse( inputSource ) (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 749)

Vulnerable data flow analysis result

↘️ is.read() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 92)

↘️ c (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 92)

↘️ buffer.append( (char) c ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 93)

↘️ buffer.toString() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 96)

↘️ XMLHandler.loadXMLString( buffer.toString() ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 96)

↘️ DocumentBuilder db (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 741)

↘️ db.parse( inputSource ) (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 749)

Vulnerable data flow analysis result

↘️ is.read() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 92)

↘️ c (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 92)

↘️ buffer.append( (char) c ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 93)

↘️ buffer.toString() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 96)

↘️ XMLHandler.loadXMLString( buffer.toString() ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 96)

↘️ DocumentBuilder db (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 741)

↘️ db.parse( inputSource ) (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 749)



@buildguy
Collaborator

new File( filename )

at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java (line 58)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Stored Path Traversal
Full description

Overview

Path traversal, also known as directory traversal, is a type of
vulnerability that allows an attacker to access files or directories on a
computer or device that are outside of the intended directory.
Allowing arbitrary read access can allow the attacker to read sensitive
files, such as configuration files or sensitive data, potentially leading
to data loss or even system compromise. Allowing arbitrary write access is
more severe and in most cases leads to arbitrary code execution via
editing important system files or sensitive data.

Vulnerable example

public class path_traversal_vuln {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String DOCS_FOLDER = "/srv/www/docs";
        String docName = statement.executeQuery(query);  // Reading from DB
        Path docPath = Paths.get(DOCS_FOLDER, docName);
        File docFile = docPath.toFile();
        FileUtils.copyFile(docFile, response.getOutputStream());
    }
}

In this example, an attacker can, via a stored parameter, inject a back-path
using "../../" that will reach anywhere in the system.

Remediation

public class path_traversal_safe {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String DOCS_FOLDER = "/srv/www/docs";
        String docName = statement.executeQuery(query);  // Reading from DB
        Path docPath = Paths.get(DOCS_FOLDER, docName);
+       Path normDocPath = docPath.normalize();
+       // Make sure the normalized path still resides in the desired dir,
+       // and open the normalized path (not the unchecked one) once it passes
+       if (normDocPath.startsWith(DOCS_FOLDER)) {
+           File docFile = normDocPath.toFile();
            FileUtils.copyFile(docFile, response.getOutputStream());
+       }
    }
}

By checking that the folder name still starts with the predefined prefix, we
make sure that the attacker is not able to back-path outside of the allowed
folder.

Code Flows
Vulnerable data flow analysis result

↘️ System.getProperty( "file.separator" ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ dialog.getFilterPath() + System.getProperty( "file.separator" ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ dialog.getFilterPath() + System.getProperty( "file.separator" ) + dialog.getFileName() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ filename (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ new SasInputHelper( filename ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 384)

↘️ `public class SasInputHelper {

  private String filename;
  private RowMetaInterface rowMeta;

  private SasReader sasReader;

  /**
   * @param filename
   *          The SAS7BAT filename
   */
  public SasInputHelper( final String filename ) throws KettleException {
    this.filename = filename;

    sasReader = new SasReader( new File( filename ) );

    // Determine the row layout of the file ...
    //
    try {
      rowMeta = new RowMeta();
      sasReader.read( new SasReaderCallback() {
        public void column( int index, String name, String label, SasColumnType type, int length ) {
          int kettleType = ValueMetaInterface.TYPE_NONE;
          int kettleLength;
          switch ( type ) {
            case CHARACTER:
              kettleType = ValueMetaInterface.TYPE_STRING;
              kettleLength = length;
              break;
            case NUMERIC:
              kettleType = ValueMetaInterface.TYPE_NUMBER;
              kettleLength = -1;
              break;
            default:
              throw new RuntimeException( "Unhandled SAS data type encountered: " + type );
          }
          try {
            ValueMetaInterface valueMeta = ValueMetaFactory.createValueMeta( name, kettleType );
            valueMeta.setLength( kettleLength );
            valueMeta.setComments( label );
            rowMeta.addValueMeta( valueMeta );
          } catch ( Exception e ) {
            throw new SasReaderException( "Unable to create new value meta type", e );
          }
        }

        public boolean readData() {
          return false;
        }

        public boolean row( int rowNumber, Object[] rowData ) {
          return true;
        }
      } );
    } catch ( Exception e ) {
      throw new KettleException( "Unable to determine the layout of SAS7BAT file '" + filename + "'", e );
    }
  }

  @Override
  public String toString() {
    return filename;
  }

  /**
   * @return the filename
   */
  public String getFilename() {
    return filename;
  }

  /**
   * @return the rowMeta
   */
  public RowMetaInterface getRowMeta() {
    return rowMeta;
  }
}` (at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java line 44)

↘️ final String filename (at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java line 55)

↘️ new File( filename ) (at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java line 58)



@buildguy
Collaborator

❌ Build failed in 3h 25m 56s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl dbdialog

⛔ Failed Tests

⛈️ 1 test(s) failed:

org.pentaho.ui.database.event.FragmentHandlerTest.org.pentaho.ui.database.event.FragmentHandlerTest

No more handles [gtk_init_check() failed]

Tests run: 31, Failures: 1, Skipped: 0


ℹ️ This is an automatic message
