From 12820fe9f75a63599524bbff5b6ab8a042ac2711 Mon Sep 17 00:00:00 2001
From: Lyn Elisa Goltz <goltz@lat-lon.de>
Date: Tue, 23 Apr 2024 07:39:32 +0200
Subject: [PATCH] XPLANBOX-2613 - fixed/suppressed security warnings

---
 pom.xml                                       |  8 +++-
 xplan-cli/xplan-cli-core/pom.xml              |  4 ++
 .../commons/cli/SynchronizeAllExecutor.java   |  2 +
 .../commons/cli/SynchronizeExecutor.java      |  4 ++
 xplan-cli/xplan-cli-tools/pom.xml             |  4 ++
 .../cli/admin/config/CommonContext.java       |  2 +
 .../cli/admin/db/SortPropertyDbUpdater.java   |  3 ++
 .../EvaluationSchemaSynchronizer.java         |  6 +++
 .../xplanbox/cli/manage/ExportSubcommand.java |  3 +-
 .../cli/manage/config/ManageContext.java      |  2 +
 .../validate/config/ValidateFileContext.java  |  3 ++
 .../config/ValidateFromDatabaseContext.java   |  2 +
 .../db/domain/XPlanWithFeatureCollection.java |  5 +-
 .../transform/cli/TransformAllExecutor.java   | 22 ++++-----
 .../cli/TransformApplicationRunner.java       |  2 +-
 .../server/service/ReportController.java      | 18 +++----
 xplan-core/xplan-core-job/pom.xml             |  7 ++-
 .../job/validator/memory/GmlImportJob.java    |  8 +++-
 xplan-core/xplan-core-manager/pom.xml         |  4 ++
 .../de/latlon/xplan/manager/XPlanManager.java |  6 ++-
 .../CoupledResourceConfiguration.java         |  2 +
 .../internalid/InternalIdRetriever.java       | 10 +++-
 .../latlon/xplan/manager/log/SystemLog.java   | 48 ++++++++++---------
 .../ServiceMetadataDocumentWriter.java        |  5 +-
 .../filesystem/DeegreeRasterCacheCleaner.java |  2 +
 .../manager/transaction/XPlanEditManager.java |  5 +-
 .../transaction/service/XPlanEditService.java |  2 +
 .../wmsconfig/WmsWorkspaceWrapper.java        |  5 +-
 .../raster/access/GdalRasterAdapter.java      |  5 +-
 xplan-core/xplan-core-security/pom.xml        |  7 ++-
 .../PropertiesFileUserDetailsManager.java     |  2 +
 xplan-core/xplan-core-validator/pom.xml       |  4 ++
 .../ValidatorConfigurationParser.java         |  3 ++
 .../report/html/HtmlReportGenerator.java      |  9 +++-
 .../dokumente/handler/DocumentHandler.java    |  7 ++-
 .../api/manager/handler/EditHandler.java      |  3 +-
 .../api/manager/handler/PlanHandler.java      | 16 ++++---
 .../xplan-services-wms/pom.xml                |  4 ++
 .../visibility/ValidityPeriodInspector.java   |  2 +
 39 files changed, 184 insertions(+), 72 deletions(-)

diff --git a/pom.xml b/pom.xml
index 436ac489fe..f82b91beab 100644
--- a/pom.xml
+++ b/pom.xml
@@ -608,7 +608,7 @@
         <plugin>
           <groupId>com.github.spotbugs</groupId>
           <artifactId>spotbugs-maven-plugin</artifactId>
-          <version>4.8.3.1</version>
+          <version>4.8.4.0</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
@@ -1649,6 +1649,12 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-annotations</artifactId>
+        <version>4.8.4</version>
+        <scope>provided</scope>
+      </dependency>
       <!-- Profiles -->
       <dependency>
         <groupId>de.xleitstelle.xplanung</groupId>
diff --git a/xplan-cli/xplan-cli-core/pom.xml b/xplan-cli/xplan-cli-core/pom.xml
index fa5b044966..68d2154a84 100644
--- a/xplan-cli/xplan-cli-core/pom.xml
+++ b/xplan-cli/xplan-cli-core/pom.xml
@@ -16,6 +16,10 @@
       <artifactId>slf4j-api</artifactId>
       <version>${slf4j.version}</version>
     </dependency>
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+    </dependency>
   </dependencies>
 
 </project>
diff --git a/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeAllExecutor.java b/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeAllExecutor.java
index 8916166505..259967dd9e 100644
--- a/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeAllExecutor.java
+++ b/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeAllExecutor.java
@@ -20,6 +20,7 @@
  */
 package de.latlon.xplan.commons.cli;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -59,6 +60,7 @@ public class SynchronizeAllExecutor {
 		executor.synchronize(conn);
 	}
 
+	@SuppressFBWarnings(value = "SQL_INJECTION_JDBC", justification = "logTableName is a fix value")
 	private void insertInLogTable(Connection conn) {
 		LOG.info("Copy required metadata into {}", logTableName);
 		PreparedStatement ps = null;
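Review bot: The justification `logTableName is a fix value` on insertInLogTable does not hold on its own: logTableName is an instance field assigned outside this hunk, presumably from a constructor argument, so the suppression is only as safe as every caller of the constructor. State the real invariant and fix the wording, e.g. `justification = "logTableName is a constant (schema.table) supplied at construction time, never user input"`, and consider backing it with an identifier check in the constructor such as `if (!logTableName.matches("[A-Za-z0-9_]+(\\.[A-Za-z0-9_]+)?")) throw new IllegalArgumentException("invalid log table name: " + logTableName);` so the suppressed finding is covered by code rather than by comment. The same justification text is added to SynchronizeExecutor.synchronize and SynchronizeExecutor.removePlanFromLog in this patch. The body of insertInLogTable continues outside the hunk.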
diff --git a/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeExecutor.java b/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeExecutor.java
index f44d67c1b7..a19386df5f 100644
--- a/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeExecutor.java
+++ b/xplan-cli/xplan-cli-core/src/main/java/de/latlon/xplan/commons/cli/SynchronizeExecutor.java
@@ -20,6 +20,7 @@
  */
 package de.latlon.xplan.commons.cli;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -54,6 +55,8 @@ public class SynchronizeExecutor {
 	 * Starts the synchronization.
 	 * @param conn to the dataase with th log table, never <code>null</code>
 	 */
+	@SuppressFBWarnings(value = { "SQL_INJECTION_JDBC", "SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" },
+			justification = "logTableName is a fix value")
 	public void synchronize(Connection conn) {
 		PreparedStatement ps = null;
 		ResultSet rs = null;
@@ -156,6 +159,7 @@ public class SynchronizeExecutor {
 		return null;
 	}
 
+	@SuppressFBWarnings(value = "SQL_INJECTION_JDBC", justification = "logTableName is a fix value")
 	private void removePlanFromLog(Connection conn, int xplanmgrid) {
 		PreparedStatement ps = null;
 		try {
diff --git a/xplan-cli/xplan-cli-tools/pom.xml b/xplan-cli/xplan-cli-tools/pom.xml
index b1f0f58764..b02e01c505 100644
--- a/xplan-cli/xplan-cli-tools/pom.xml
+++ b/xplan-cli/xplan-cli-tools/pom.xml
@@ -272,6 +272,10 @@
       <groupId>org.yaml</groupId>
       <artifactId>snakeyaml</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+    </dependency>
     <!-- Test -->
     <dependency>
       <groupId>org.junit.jupiter</groupId>
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/config/CommonContext.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/config/CommonContext.java
index a332238496..28344a9e4f 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/config/CommonContext.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/config/CommonContext.java
@@ -34,6 +34,7 @@ import de.latlon.xplan.manager.database.XPlanDbAdapter;
 import de.latlon.xplan.manager.web.shared.ConfigurationException;
 import de.latlon.xplan.manager.workspace.WorkspaceException;
 import org.deegree.commons.config.DeegreeWorkspace;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -108,6 +109,7 @@ public class CommonContext {
 		return new ManagerWorkspaceWrapper(managerWorkspace);
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	private Path etcDirectory() {
 		String path = getClass().getProtectionDomain().getCodeSource().getLocation().getPath();
 		File jarLocation = new File(path);
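Review bot: `@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")` on etcDirectory carries no justification, whereas every SQL suppression in this patch does; a suppression without a stated reason cannot be re-evaluated when the surrounding code changes. The path here is derived from the code source location of the running class, not from request data, so record that: `@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path is derived from the code source location of the running jar, not from user input")`. The same bare suppression is added to ManageContext.etcDirectory, ValidateFileContext.rulesPath and retrieveEtcPath, ValidateFromDatabaseContext.semanticValidator, GmlImportJob.execute and CoupledResourceConfiguration.getDirectoryToStoreMetadata; for those the justification should name the actual origin of the path (configuration property, job parameter, workspace location). The body of etcDirectory continues outside the hunk.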
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/db/SortPropertyDbUpdater.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/db/SortPropertyDbUpdater.java
index 88885a46b5..5226e2d37a 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/db/SortPropertyDbUpdater.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/db/SortPropertyDbUpdater.java
@@ -21,6 +21,7 @@
 package de.latlon.xplanbox.cli.admin.db;
 
 import de.latlon.xplan.manager.web.shared.XPlan;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -59,6 +60,8 @@ public class SortPropertyDbUpdater {
 		updateSortPropertyInMgrSchema(sortDate, plan);
 	}
 
+	@SuppressFBWarnings(value = "SQL_INJECTION_SPRING_JDBC",
+			justification = "schemaname and tablename are selected from database")
 	private void updateSortPropertyInSynSchema(Date sortDate, XPlan plan) throws Exception {
 		String selectSchemaAndColumnsToModify = "SELECT table_name, table_schema "
 				+ "FROM information_schema.columns WHERE table_schema like 'xplansyn%' "
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/evaluation/EvaluationSchemaSynchronizer.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/evaluation/EvaluationSchemaSynchronizer.java
index 88687867b9..28bf18739e 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/evaluation/EvaluationSchemaSynchronizer.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/admin/evaluation/EvaluationSchemaSynchronizer.java
@@ -28,6 +28,7 @@ import org.apache.logging.log4j.Logger;
 import org.gdal.gdal.gdal;
 import org.gdal.ogr.Geometry;
 import org.gdal.ogr.ogr;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 import java.sql.Connection;
 import java.sql.PreparedStatement;
@@ -134,6 +135,8 @@ public class EvaluationSchemaSynchronizer implements Synchronizer {
 		}
 	}
 
+	@SuppressFBWarnings(value = { "SQL_INJECTION_JDBC", "SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" },
+			justification = "xPath, blobSchema and synTableWithSchema are fix values")
 	private void updateGeomColumn(int xPlanManagerId, Connection conn, String synSchema, String blobSchema,
 			String synTableName, String geomColumn) throws SQLException {
 		PreparedStatement ps = null;
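Review bot: The justification `xPath, blobSchema and synTableWithSchema are fix values` on updateGeomColumn does not match the method it annotates: the identifier inputs visible in the signature are the parameters synSchema, blobSchema and synTableName, and no xPath parameter appears, so a reader cannot tell what the suppression actually relies on. Rewrite it to name the real inputs and where they come from, e.g. `justification = "synSchema, blobSchema and synTableName come from the database catalog and configuration, not from user input"` (adjust if the callers, which are outside this hunk, obtain them elsewhere). The justifications on update, insertInEvaluationTable and deleteFromEvaluationTable in this file have the same problem: `synTableWithSchema` is a parameter or is built from parameters, not a constant. The method body continues outside the hunk.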
@@ -178,6 +181,7 @@ public class EvaluationSchemaSynchronizer implements Synchronizer {
 		}
 	}
 
+	@SuppressFBWarnings(value = "SQL_INJECTION_JDBC", justification = "synTableWithSchema is a fix value")
 	private int update(Connection conn, String synTableWithSchema, String geomColumn, String gmlId, String gmlGeom)
 			throws SQLException {
 		PreparedStatement ps = null;
@@ -205,6 +209,7 @@ public class EvaluationSchemaSynchronizer implements Synchronizer {
 		return 0;
 	}
 
+	@SuppressFBWarnings(value = "SQL_INJECTION_JDBC", justification = "synTableWithSchema is a fix value")
 	private void insertInEvaluationTable(Connection conn, int xPlanManagerId, String synSchema, String synTableName)
 			throws SQLException {
 		String synTableWithSchema = synSchema + "." + synTableName;
@@ -225,6 +230,7 @@ public class EvaluationSchemaSynchronizer implements Synchronizer {
 		}
 	}
 
+	@SuppressFBWarnings(value = "SQL_INJECTION_JDBC", justification = "synSchema and synTableName are fix values")
 	private void deleteFromEvaluationTable(Connection conn, int xPlanManagerId, String synSchema, String synTableName)
 			throws SQLException {
 		PreparedStatement ps = null;
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/ExportSubcommand.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/ExportSubcommand.java
index 18abfc6d67..fc552638c8 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/ExportSubcommand.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/ExportSubcommand.java
@@ -1,6 +1,7 @@
 package de.latlon.xplanbox.cli.manage;
 
 import de.latlon.xplan.manager.XPlanManager;
+import org.apache.commons.io.FilenameUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Component;
@@ -68,7 +69,7 @@ public class ExportSubcommand extends ManagerSubcommand {
 
 	private File createOutputFile(String planId) {
 		File parent = target.isPresent() ? target.get() : new File(".");
-		return new File(parent, "xplan-exported-" + planId + ".zip");
+		return new File(parent, FilenameUtils.getName("xplan-exported-" + planId + ".zip"));
 	}
 
 }
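Review bot: `FilenameUtils.getName(...)` on the new line keeps the output file inside `parent`, but it does so by silently dropping any directory prefix from planId rather than rejecting it, so a malformed id yields a file with an unexpected name instead of an error. Prefer failing fast before the name is built: `if (!planId.equals(FilenameUtils.getName(planId))) throw new IllegalArgumentException("planId must not contain path separators: " + planId);` and keep the original `return new File(parent, "xplan-exported-" + planId + ".zip");`. Whether planId can contain separators at all depends on the CLI option parsing, which is outside this hunk.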
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/config/ManageContext.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/config/ManageContext.java
index ed29193b46..197d0cf874 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/config/ManageContext.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/manage/config/ManageContext.java
@@ -85,6 +85,7 @@ import de.latlon.xplan.validator.syntactic.SyntacticValidatorImpl;
 import de.latlon.xplanbox.cli.XPlanCli;
 import de.latlon.xplanbox.cli.manage.ServiceMetadataRecordCreator;
 import org.deegree.commons.config.DeegreeWorkspace;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -411,6 +412,7 @@ public class ManageContext {
 		return new SortConfiguration();
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	private Path etcDirectory() {
 		String path = XPlanCli.class.getProtectionDomain().getCodeSource().getLocation().getPath();
 		File jarLocation = new File(path);
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFileContext.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFileContext.java
index b19d94b1a3..84a1e9fcd8 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFileContext.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFileContext.java
@@ -38,6 +38,7 @@ import de.latlon.xplan.validator.semantic.profile.SemanticProfileValidator;
 import de.latlon.xplan.validator.semantic.xquery.XQuerySemanticValidator;
 import de.latlon.xplan.validator.syntactic.SyntacticValidator;
 import de.latlon.xplan.validator.syntactic.SyntacticValidatorImpl;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Lazy;
@@ -100,6 +101,7 @@ public class ValidateFileContext {
 	}
 
 	@Bean
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	public Path rulesPath(ValidatorConfiguration validatorConfiguration) throws URISyntaxException {
 		Path validationRulesDirectory = validatorConfiguration.getValidationRulesDirectory();
 		if (validationRulesDirectory != null)
@@ -119,6 +121,7 @@ public class ValidateFileContext {
 		return new ConfigurationDirectoryPropertiesLoader(retrieveEtcPath(), ValidatorConfiguration.class);
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	private Path retrieveEtcPath() throws URISyntaxException {
 		URL jarPath = ValidateFileContext.class.getProtectionDomain().getCodeSource().getLocation();
 		return get(jarPath.toURI()).getParent().getParent().resolve("etc");
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFromDatabaseContext.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFromDatabaseContext.java
index 9074a56590..84e2749221 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFromDatabaseContext.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/config/ValidateFromDatabaseContext.java
@@ -30,6 +30,7 @@ import de.latlon.xplanbox.cli.validate.db.ValidationProcessor;
 import de.latlon.xplanbox.cli.validate.db.domain.ValidationResultSummary;
 import de.latlon.xplanbox.cli.validate.db.domain.XPlanWithFeatureCollection;
 import org.apache.commons.dbcp2.BasicDataSource;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.batch.core.Job;
@@ -98,6 +99,7 @@ public class ValidateFromDatabaseContext {
 
 	@Bean
 	@StepScope
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	public SemanticValidator semanticValidator(@Value("#{jobParameters[rulesDirectory]}") String rulesDirectory)
 			throws ConfigurationException {
 		try {
diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java
index 3b134b6bb4..ed223f5b27 100644
--- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java
+++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java
@@ -130,7 +130,10 @@ public class XPlanWithFeatureCollection implements SemanticValidableXPlanArchive
 	public XMLStreamReader getMainFileXmlReader() {
 		try {
 			GZIPInputStream is = new GZIPInputStream(new ByteArrayInputStream(data));
-			XMLStreamReader xmlStreamReader = XMLInputFactory.newInstance().createXMLStreamReader(is);
+			XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+			xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+			xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+			XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
 			return xmlStreamReader;
 		}
 		catch (XMLStreamException | IOException e) {
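Review bot: The four lines configuring `XMLInputFactory` in getMainFileXmlReader are duplicated verbatim in GmlImportJob in this patch; a small shared helper such as `static XMLInputFactory newSecureXmlInputFactory()` would keep the two hardening settings from drifting apart the next time one of them is touched. The `SUPPORT_DTD` line also deserves a comment, because any plan GML carrying a `<!DOCTYPE>` is now rejected with an XMLStreamException from the existing catch block rather than parsed, e.g. `// XXE hardening: DTDs and external entities are refused; documents with a DOCTYPE fail here`. The GZIPInputStream opened on the first line is not closed when createXMLStreamReader throws, but that predates this change.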
diff --git a/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformAllExecutor.java b/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformAllExecutor.java
index bf1b9ed614..0b7bb76ed8 100644
--- a/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformAllExecutor.java
+++ b/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformAllExecutor.java
@@ -30,6 +30,7 @@ import java.sql.PreparedStatement;
 import java.sql.SQLException;
 
 import static de.latlon.xplan.commons.cli.DatabaseUtils.closeQuietly;
+import static de.latlon.xplan.transform.cli.TransformApplicationRunner.LOG_TABLE_NAME;
 
 /**
  * @deprecated will be removed in a future version.
@@ -40,19 +41,14 @@ public class TransformAllExecutor {
 
 	private static final Logger LOG = LoggerFactory.getLogger(TransformAllExecutor.class);
 
-	private final String logTableName;
-
 	private final SynchronizeExecutor executor;
 
 	/**
-	 * @param logTableName the name (including the schema) of the log table, never
-	 * <code>null</code>
 	 * @param synchronizer the {@link Synchronizer} used for the synchronization, never
 	 * <code>null</code>
 	 */
-	public TransformAllExecutor(String logTableName, Synchronizer synchronizer) {
-		this.logTableName = logTableName;
-		this.executor = new SynchronizeExecutor(logTableName, synchronizer);
+	public TransformAllExecutor(Synchronizer synchronizer) {
+		this.executor = new SynchronizeExecutor(LOG_TABLE_NAME, synchronizer);
 	}
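Review bot: Importing `LOG_TABLE_NAME` from TransformApplicationRunner into the constructor couples this class to the application runner that instantiates it (the runner constructs TransformAllExecutor in the same patch), which is a circular dependency between a helper and its entry point. Own the constant here (`static final String LOG_TABLE_NAME` with the value taken from the runner, or a shared constants holder) and let the runner reference it instead. Dropping the `logTableName` parameter is a breaking change of the public constructor; for a `@deprecated` class that is probably acceptable, but the Javadoc should say that the log table is now fixed to LOG_TABLE_NAME.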
 
 	/**
@@ -64,22 +60,22 @@ public class TransformAllExecutor {
 	}
 
 	private void insertInLogTable(Connection conn) {
-		LOG.info("Copy required metadata into {}", logTableName);
+		LOG.info("Copy required metadata into {}", LOG_TABLE_NAME);
 		PreparedStatement ps = null;
 		try {
-			ps = conn.prepareStatement("DELETE FROM " + logTableName);
-			LOG.debug("Execute delete from {}: {}", logTableName, ps);
+			ps = conn.prepareStatement("DELETE FROM " + LOG_TABLE_NAME);
+			LOG.debug("Execute delete from {}: {}", LOG_TABLE_NAME, ps);
 			ps.execute();
 
-			ps = conn.prepareStatement("INSERT INTO " + logTableName
+			ps = conn.prepareStatement("INSERT INTO " + LOG_TABLE_NAME
 					+ " (xplanmgrid, xp_version, newplanstatus, oldplanstatus, operation, datum, fids)"
 					+ " SELECT id, xp_version, planstatus, planstatus, (SELECT CASE WHEN EXISTS (SELECT fid FROM xplanmgr.features WHERE plan=id AND fid LIKE '%\\_PLAN\\_%' AND NOT EXISTS(SELECT gml_id from xplan51.gml_objects WHERE fid = gml_id) AND NOT EXISTS(SELECT gml_id from xplan51pre.gml_objects WHERE fid = gml_id) AND NOT EXISTS(SELECT gml_id from xplan51archive.gml_objects WHERE fid = gml_id)) THEN 'INSERT' ELSE 'UPDATE' END), now(), (SELECT ARRAY(SELECT fid FROM xplanmgr.features WHERE plan= id)) from xplanmgr.plans");
-			LOG.debug("Execute insert in {}: {}", logTableName, ps);
+			LOG.debug("Execute insert in {}: {}", LOG_TABLE_NAME, ps);
 			ps.execute();
 			conn.commit();
 		}
 		catch (SQLException e) {
-			LOG.error("Could not update log table {}", logTableName, e);
+			LOG.error("Could not update log table {}", LOG_TABLE_NAME, e);
 			try {
 				if (conn != null) {
 					conn.rollback();
diff --git a/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformApplicationRunner.java b/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformApplicationRunner.java
index 832337a978..eab5308e35 100644
--- a/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformApplicationRunner.java
+++ b/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/TransformApplicationRunner.java
@@ -89,7 +89,7 @@ public class TransformApplicationRunner implements ApplicationRunner {
 				sync(managerWorkspaceWrapper, (conn) -> {
 					TransformationSynchronizer synchronizer = new TransformationSynchronizer(xPlanDao,
 							transformingValidator, outDirectory);
-					TransformAllExecutor allExecuter = new TransformAllExecutor(LOG_TABLE_NAME, synchronizer);
+					TransformAllExecutor allExecuter = new TransformAllExecutor(synchronizer);
 					allExecuter.transformAll(conn);
 				});
 				break;
diff --git a/xplan-core/xplan-core-gwt/src/main/java/de/latlon/xplanbox/core/gwt/commons/server/service/ReportController.java b/xplan-core/xplan-core-gwt/src/main/java/de/latlon/xplanbox/core/gwt/commons/server/service/ReportController.java
index e10ffba0e1..37fdb783e6 100644
--- a/xplan-core/xplan-core-gwt/src/main/java/de/latlon/xplanbox/core/gwt/commons/server/service/ReportController.java
+++ b/xplan-core/xplan-core-gwt/src/main/java/de/latlon/xplanbox/core/gwt/commons/server/service/ReportController.java
@@ -20,11 +20,8 @@
  */
 package de.latlon.xplanbox.core.gwt.commons.server.service;
 
-import java.io.IOException;
-import java.util.List;
-
-import javax.servlet.http.HttpServletResponse;
-
+import de.latlon.xplan.validator.web.shared.ArtifactType;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -35,7 +32,10 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import de.latlon.xplan.validator.web.shared.ArtifactType;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.List;
+import java.util.stream.Collectors;
 
 import static org.springframework.http.MediaType.TEXT_HTML_VALUE;
 
@@ -60,7 +60,8 @@ public class ReportController {
 	public void getHtmlReport(HttpServletResponse response, @PathVariable String uuid,
 			@RequestParam(value = "validationName", required = true) String validationName) throws IOException {
 		response.addHeader("Content-Type", TEXT_HTML_VALUE);
-		LOG.debug("HTML-Report for '{}' and validationName '{}' requested.", uuid, validationName);
+		LOG.debug("HTML-Report for '{}' and validationName '{}' requested.", StringUtils.normalizeSpace(uuid),
+				StringUtils.normalizeSpace(validationName));
 		reportProvider.writeHtmlReport(response, uuid, validationName);
 		response.setContentType("text/html");
 	}
@@ -70,7 +71,8 @@ public class ReportController {
 	public void getZippedReport(HttpServletResponse response, @PathVariable String uuid,
 			@RequestParam(value = "validationName", required = true) String validationName,
 			@RequestParam(value = "artifacts", required = true) List<ArtifactType> artifacts) throws IOException {
-		LOG.debug("ZIP-Report for '{}' with artifacts {} requested.", uuid, artifacts);
+		LOG.debug("ZIP-Report for '{}' with artifacts {} requested.", StringUtils.normalizeSpace(uuid),
+				artifacts.stream().map(a -> a.name()).collect(Collectors.joining(",")));
 		response.setContentType("application/zip");
 		response.setHeader("Content-Disposition", "attachment; filename=\"" + validationName + "-Report.zip\"");
 
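Review bot: `validationName` is normalized for the log message on the new lines but goes unchanged into the `Content-Disposition` header two lines below, so the new code neutralizes log forging while a request parameter is still interpolated into a response header. Servlet containers generally reject CR/LF in header values, but the quoted filename can still be broken by `"` or `;` characters; validate the name before using it, e.g. `if (!validationName.matches("[A-Za-z0-9._-]+")) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }` (widen the allow-list if validation names legitimately contain other characters). Style: `a -> a.name()` reads better as the method reference `ArtifactType::name`. The method body continues outside the hunk.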
diff --git a/xplan-core/xplan-core-job/pom.xml b/xplan-core/xplan-core-job/pom.xml
index 8193f56798..a92dd3b64a 100644
--- a/xplan-core/xplan-core-job/pom.xml
+++ b/xplan-core/xplan-core-job/pom.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <parent>
     <groupId>de.latlon.product.xplanbox</groupId>
@@ -50,6 +51,10 @@
       <groupId>org.quartz-scheduler</groupId>
       <artifactId>quartz</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+    </dependency>
     <!-- test -->
     <dependency>
       <groupId>org.springframework</groupId>
diff --git a/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java b/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java
index 13b2587dcb..85b51df7f5 100644
--- a/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java
+++ b/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java
@@ -20,7 +20,7 @@
  */
 package de.latlon.xplan.job.validator.memory;
 
-import org.apache.commons.io.IOUtils;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.deegree.commons.config.DeegreeWorkspace;
 import org.deegree.feature.FeatureCollection;
 import org.deegree.feature.persistence.FeatureStore;
@@ -70,6 +70,7 @@ public class GmlImportJob implements Job {
 	private DeegreeWorkspace workspace;
 
 	@Override
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	public void execute(final JobExecutionContext jobExecutionContext) throws JobExecutionException {
 		File workspaceLocation = workspace.getLocation();
 		Path path = Paths.get(workspaceLocation.toURI()).resolve("data");
@@ -109,7 +110,10 @@ public class GmlImportJob implements Job {
 		GMLStreamReader gmlStreamReader = null;
 		FeatureStoreTransaction ta = null;
 		try (InputStream inputStream = Files.newInputStream(p)) {
-			xmlStreamReader = XMLInputFactory.newInstance().createXMLStreamReader(inputStream);
+			XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+			xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+			xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+			xmlStreamReader = xmlInputFactory.createXMLStreamReader(inputStream);
 			gmlStreamReader = GMLInputFactory.createGMLStreamReader(GML_32, xmlStreamReader);
 			FeatureCollection fc = gmlStreamReader.readFeatureCollection();
 			FeatureStore fs = workspace.getNewWorkspace().getResource(FeatureStoreProvider.class, MEMORY_FEATURESTORE);
diff --git a/xplan-core/xplan-core-manager/pom.xml b/xplan-core/xplan-core-manager/pom.xml
index 7201b88e31..c237b88825 100644
--- a/xplan-core/xplan-core-manager/pom.xml
+++ b/xplan-core/xplan-core-manager/pom.xml
@@ -124,6 +124,10 @@
       <groupId>com.amazonaws</groupId>
       <artifactId>aws-java-sdk-s3</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+    </dependency>
     <!-- test -->
     <dependency>
       <groupId>junit</groupId>
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/XPlanManager.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/XPlanManager.java
index 73544503a4..7a2674a6e0 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/XPlanManager.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/XPlanManager.java
@@ -56,6 +56,7 @@ import de.latlon.xplan.manager.wmsconfig.WmsWorkspaceWrapper;
 import de.latlon.xplan.manager.wmsconfig.raster.XPlanRasterManager;
 import de.latlon.xplan.manager.wmsconfig.raster.evaluation.XPlanRasterEvaluator;
 import de.latlon.xplan.manager.workspace.WorkspaceException;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.deegree.commons.utils.Pair;
 import org.deegree.commons.xml.XMLParsingException;
 import org.deegree.cs.coordinatesystems.ICRS;
@@ -154,10 +155,11 @@ public class XPlanManager {
 		managerConfigurationAnalyser.checkConfiguration();
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	public XPlanArchive analyzeArchive(String fileName) throws IOException {
-		LOG.info("- Analyse des XPlanArchivs ('" + fileName + "')...");
+		LOG.info("- Analyse des XPlanArchivs ('{}')...", fileName);
 		XPlanArchive archive = archiveCreator.createXPlanArchive(new File(fileName));
-		LOG.info("OK. " + archive);
+		LOG.info("OK. {}", archive);
 		return archive;
 	}
 
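Review bot: `@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")` on the public analyzeArchive(String fileName) has no justification, and unlike the etc-directory lookups elsewhere in this patch the path here is a caller-supplied parameter, so the suppression makes a claim about every caller of a public method. Either document that contract in the justification and the Javadoc, e.g. `justification = "fileName is supplied by the operator via CLI or configuration, not from request data"` if that is true (the callers are outside this hunk), or, if the manager is reachable from a web entry point, keep the warning and normalize the path against an allowed base directory instead of suppressing it.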
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/configuration/CoupledResourceConfiguration.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/configuration/CoupledResourceConfiguration.java
index 0f4630f685..4fe53e7cfa 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/configuration/CoupledResourceConfiguration.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/configuration/CoupledResourceConfiguration.java
@@ -22,6 +22,7 @@ package de.latlon.xplan.manager.configuration;
 
 import de.latlon.xplan.commons.XPlanType;
 import de.latlon.xplan.commons.configuration.PropertiesLoader;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -207,6 +208,7 @@ public class CoupledResourceConfiguration {
 
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	private static Path getDirectoryToStoreMetadata(Properties properties) {
 		String directoryToStoreMetadata = properties.getProperty("directoryToStoreMetadata");
 		if (directoryToStoreMetadata != null)
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/internalid/InternalIdRetriever.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/internalid/InternalIdRetriever.java
index fb031df1f9..9084f338e0 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/internalid/InternalIdRetriever.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/internalid/InternalIdRetriever.java
@@ -26,6 +26,7 @@ import org.deegree.commons.config.DeegreeWorkspace;
 import org.deegree.db.ConnectionProvider;
 import org.deegree.db.ConnectionProviderProvider;
 import org.deegree.workspace.Workspace;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -35,6 +36,7 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 import static de.latlon.xplan.manager.database.DatabaseUtils.closeQuietly;
 
@@ -103,6 +105,7 @@ public class InternalIdRetriever {
 	 * @return prepared statement
 	 * @throws SQLException
 	 */
+	@SuppressFBWarnings(value = "SQL_INJECTION_JDBC", justification = "SQL Statement is read from configuration")
 	PreparedStatement retrievePreparedStatement(String matchString, String sql, Connection conn) throws SQLException {
 		PreparedStatement ps = conn.prepareStatement(sql);
 		if (matchString != null)
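Review bot: The justification on `retrievePreparedStatement` explains where `sql` comes from but not why `matchString` is safe, and that is the half a reader of the SQL_INJECTION_JDBC finding will check first. The visible lines prepare the configured statement and then handle `matchString` separately (presumably bound as a parameter on the lines after the hunk), so spell that out: `justification = "SQL statement is read from configuration; matchString is bound as a parameter, never concatenated"`. The method body continues past the hunk, as does the Javadoc, whose `@throws SQLException` has no description.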
@@ -134,7 +137,11 @@ public class InternalIdRetriever {
 			ps = retrievePreparedStatement(matchString, sql, conn);
 			rs = retrieveResultSet(ps);
 			Map<String, String> result = collectResultSet(rs);
-			LOG.debug("Result: {}", result);
+			LOG.debug("Result: {}",
+					result.entrySet()
+						.stream()
+						.map((e) -> "InternalId: " + e.getKey() + " InternalName: " + e.getValue())
+						.collect(Collectors.joining(",")));
 			return result;
 		}
 		catch (SQLException e) {
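Review bot: The new `LOG.debug` builds the joined string eagerly, so the stream, the per-entry concatenation and `Collectors.joining` run on every call even when debug logging is off — exactly the cost the `{}` placeholder is meant to avoid, and this sits in a database-access path. Guard it, `if (LOG.isDebugEnabled()) { LOG.debug("Result: {}", result.entrySet().stream()...); }`, or keep passing `result` and move the formatting into a `toString` of the value type. Minor: `(e) ->` can be `e ->`. The enclosing method starts and ends outside the hunk.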
@@ -152,7 +159,6 @@ public class InternalIdRetriever {
 		while (rs.next()) {
 			String internalId = rs.getString(configuration.getInternalIdLabel());
 			String internalName = rs.getString(configuration.getInternalNameLabel());
-			LOG.debug("adding entry: {} with value {}", internalId, internalName);
 			map.put(internalId, internalName);
 		}
 		return map;
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/log/SystemLog.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/log/SystemLog.java
index 2bcb5a54e2..9b021bfe04 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/log/SystemLog.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/log/SystemLog.java
@@ -22,6 +22,7 @@ package de.latlon.xplan.manager.log;
 
 import org.apache.xalan.Version;
 import org.apache.xalan.xslt.EnvironmentCheck;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -52,46 +53,47 @@ public class SystemLog {
 		LOG.info("System info");
 		LOG.info("--------------------------------------------------------------------------------");
 		LOG.info("");
-		LOG.info("- java version       " + System.getProperty("java.version") + " (" + System.getProperty("java.vendor")
-				+ ")");
-		LOG.info("- operating system   " + System.getProperty("os.name") + " (" + System.getProperty("os.version")
-				+ ", " + System.getProperty("os.arch") + ")");
-		LOG.info("- system encoding    " + Charset.defaultCharset().displayName());
-		LOG.info("- XMLOutputFactory   " + XMLOutputFactory.newInstance().getClass().getCanonicalName());
-		LOG.info("- XMLInputFactory    " + XMLInputFactory.newInstance().getClass().getCanonicalName());
+		LOG.info("- java version       {} ({})", System.getProperty("java.version"), System.getProperty("java.vendor"));
+		LOG.info("- operating system   {} ({}, {})", System.getProperty("os.name"), System.getProperty("os.version"),
+				System.getProperty("os.arch"));
+		LOG.info("- system encoding    {}", Charset.defaultCharset().displayName());
+		LOG.info("- XMLOutputFactory   {}", XMLOutputFactory.newInstance().getClass().getCanonicalName());
+		LOG.info("- XMLInputFactory    {}", XMLInputFactory.newInstance().getClass().getCanonicalName());
 		LOG.info("- xalan environment ");
-		LOG.info("    - development version: " + Version.getDevelopmentVersionNum());
-		LOG.info("    - implementation language: " + Version.getImplementationLanguage());
-		LOG.info("    - maintenance version: " + Version.getMaintenanceVersionNum());
-		LOG.info("    - major version: " + Version.getMajorVersionNum());
-		LOG.info("    - product: " + Version.getProduct());
-		LOG.info("    - release version: " + Version.getReleaseVersionNum());
-		LOG.info("    - version: " + Version.getVersion());
+		LOG.info("    - development version: {}", Version.getDevelopmentVersionNum());
+		LOG.info("    - implementation language: {}", Version.getImplementationLanguage());
+		LOG.info("    - maintenance version: {}", Version.getMaintenanceVersionNum());
+		LOG.info("    - major version: {}", Version.getMajorVersionNum());
+		LOG.info("    - product: {}", Version.getProduct());
+		LOG.info("    - release version: {}", Version.getReleaseVersionNum());
+		LOG.info("    - version: {}", Version.getVersion());
 		StringWriter envCheck = new StringWriter();
 		PrintWriter pw = new PrintWriter(envCheck, true);
 		(new EnvironmentCheck()).checkEnvironment(pw);
 		LOG.info(envCheck.toString());
 		LOG.info("- xerces environment ");
-		LOG.info("    - version: " + org.apache.xerces.impl.Version.getVersion());
+		LOG.info("    - version: {}", org.apache.xerces.impl.Version.getVersion());
 		logTransformer();
 		LOG.info("- saxon environment ");
-		LOG.info("    - product name: " + net.sf.saxon.Version.getProductName());
-		LOG.info("    - product title: " + net.sf.saxon.Version.getProductTitle());
-		LOG.info("    - product vendor: " + net.sf.saxon.Version.getProductVendor());
-		LOG.info("    - product version: " + net.sf.saxon.Version.getProductVersion());
+		LOG.info("    - product name: {}", net.sf.saxon.Version.getProductName());
+		LOG.info("    - product title: {}", net.sf.saxon.Version.getProductTitle());
+		LOG.info("    - product vendor: {}", net.sf.saxon.Version.getProductVendor());
+		LOG.info("    - product version: {}", net.sf.saxon.Version.getProductVersion());
 
 		LOG.info("--------------------------------------------------------------------------------");
 	}
 
+	@SuppressFBWarnings(value = { "XXE_DTD_TRANSFORM_FACTORY", "XXE_XSLT_TRANSFORM_FACTORY" },
+			justification = "Transformer is created only for logging purposes")
 	private static void logTransformer() {
 		try {
 			LOG.info("- transformer ");
-			LOG.info("    - system property (-Djava.xml.transform.TransformerFactory): '"
-					+ System.getProperty("java.xml.transform.TransformerFactory") + "'");
+			LOG.info("    - system property (-Djava.xml.transform.TransformerFactory): '{}'",
+					System.getProperty("java.xml.transform.TransformerFactory"));
 			TransformerFactory transformerFactory = TransformerFactory.newInstance();
-			LOG.info("    - factory " + transformerFactory.getClass());
+			LOG.info("    - factory {}", transformerFactory.getClass());
 			Transformer transformer = transformerFactory.newTransformer();
-			LOG.info("    - " + transformer.getClass());
+			LOG.info("    - {}", transformer.getClass());
 		}
 		catch (TransformerConfigurationException e) {
 			LOG.warn("An error occurred during creating a transformer instance, this may cause some "
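Review bot: The justification "Transformer is created only for logging purposes" says what the code is for, not why XXE cannot occur; the property that makes the suppression sound is that `newTransformer()` is called without any `Source`, so no document or stylesheet is ever parsed. Record that: `justification = "factory and identity transformer are instantiated only to log their implementation classes; no Source is ever transformed"`. If someone later passes a stylesheet here the suppression would silently cover it, so setting `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` to `""` on the factory would be the more durable alternative. The catch block continues outside the hunk.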
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java
index 9e3282042d..1e021570ff 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java
@@ -49,7 +49,10 @@ public class ServiceMetadataDocumentWriter {
 		XMLStreamReader xmlStreamReader = null;
 		try {
 			xmlStreamWriter = XMLOutputFactory.newInstance().createXMLStreamWriter(out);
-			xmlStreamReader = XMLInputFactory.newInstance().createXMLStreamReader(new ByteArrayInputStream(template));
+			XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+			xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+			xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+			xmlStreamReader = xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(template));
 
 			TemplateXmlStreamWriterFilter templateWriterFilter = new TemplateXmlStreamWriterFilter(properties);
 			templateWriterFilter.setDelegate(xmlStreamWriter);
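Review bot: The two `setProperty` calls that disable external entities and DTDs are duplicated verbatim in XPlanEditManager (the hunk starting at line 764), and every future `XMLInputFactory.newInstance()` in the code base has to remember both; a single factory method keeps the hardening in one place and makes a missing call greppable. A helper like the one below (in this class, or better in a commons module) reduces this hunk to `xmlStreamReader = newHardenedXmlInputFactory().createXMLStreamReader(new ByteArrayInputStream(template));`. The surrounding method begins and ends outside the hunk.
```java
/** Returns an XMLInputFactory with DTD processing and external entity resolution disabled. */
private static XMLInputFactory newHardenedXmlInputFactory() {
	XMLInputFactory factory = XMLInputFactory.newInstance();
	factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
	factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
	return factory;
}
// … unchanged: writer creation, template filter setup …
xmlStreamReader = newHardenedXmlInputFactory().createXMLStreamReader(new ByteArrayInputStream(template));
```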
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/storage/filesystem/DeegreeRasterCacheCleaner.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/storage/filesystem/DeegreeRasterCacheCleaner.java
index 13961ed6d8..2bc58631df 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/storage/filesystem/DeegreeRasterCacheCleaner.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/storage/filesystem/DeegreeRasterCacheCleaner.java
@@ -2,6 +2,7 @@ package de.latlon.xplan.manager.storage.filesystem;
 
 import de.latlon.xplan.manager.workspace.WorkspaceReloader;
 import de.latlon.xplan.manager.workspace.WorkspaceReloaderConfiguration;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.methods.HttpGet;
@@ -64,6 +65,7 @@ public class DeegreeRasterCacheCleaner {
 		return isSuccessfulForAll;
 	}
 
+	@SuppressFBWarnings(value = "HTTP_PARAMETER_POLLUTION")
 	private boolean clearCache(String url, String tileStoreId) {
 		try {
 			String clearCacheUrl = retrieveDeletePlanwerkWmsUrl(url, tileStoreId);
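Review bot: Beyond the missing justification, the HTTP_PARAMETER_POLLUTION finding on `clearCache` is really asking whether `tileStoreId` is URL-encoded before it is spliced into `clearCacheUrl`; the visible line hands it to `retrieveDeletePlanwerkWmsUrl`, which is outside the hunk, so I cannot tell. If that method does not encode it, `URLEncoder.encode(tileStoreId, StandardCharsets.UTF_8)` at the point of concatenation fixes the finding instead of suppressing it; if it does, say so in the annotation, `justification = "tileStoreId is URL-encoded in retrieveDeletePlanwerkWmsUrl"`. The method body continues outside the hunk.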
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java
index 0cc84699c6..3258d73446 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java
@@ -244,7 +244,10 @@ public class XPlanEditManager extends XPlanTransactionManager {
 		ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
 		xPlanExporter.export(outputStream, version, modifiedFeatures, null);
 		ByteArrayInputStream originalPlan = new ByteArrayInputStream(outputStream.toByteArray());
-		XMLStreamReader originalPlanAsXmlReader = XMLInputFactory.newInstance().createXMLStreamReader(originalPlan);
+		XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+		xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+		xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+		XMLStreamReader originalPlanAsXmlReader = xmlInputFactory.createXMLStreamReader(originalPlan);
 		try {
 			return XPlanGmlParserBuilder.newBuilder().build().parseFeatureCollection(originalPlanAsXmlReader, version);
 		}
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/service/XPlanEditService.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/service/XPlanEditService.java
index 3e6b5b8a70..57e57080e8 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/service/XPlanEditService.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/service/XPlanEditService.java
@@ -27,6 +27,7 @@ import de.latlon.xplan.manager.edit.EditedArtefacts;
 import de.latlon.xplan.manager.web.shared.AdditionalPlanData;
 import de.latlon.xplan.manager.web.shared.XPlan;
 import de.latlon.xplan.manager.wmsconfig.raster.storage.StorageException;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.deegree.feature.FeatureCollection;
 
 import javax.transaction.Transactional;
@@ -61,6 +62,7 @@ public class XPlanEditService {
 		updateDocuments(planId, uploadedArtefacts, editedArtefacts);
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	private void updateDocuments(int planId, List<File> uploadedArtefacts, EditedArtefacts editedArtefacts)
 			throws StorageException {
 		if (xPlanDocumentManager != null) {
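Review bot: `updateDocuments` receives `uploadedArtefacts` as a `List<File>`, and the parameter name suggests these originate from a client upload rather than from configuration, which is a different trust level from the other PATH_TRAVERSAL_IN suppressions in this commit; a bare suppression here hides the question of where those file names are validated. If the names are checked before this point (for example a base-name or `normalize().startsWith(base)` test in the caller), put that in the annotation, `justification = "artefact file names are validated in <CALLER_METHOD>"` (placeholder for the actual method); if they are not, the finding should be fixed rather than suppressed. The method body continues outside the hunk.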
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/WmsWorkspaceWrapper.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/WmsWorkspaceWrapper.java
index 09f5adca01..0276d7b125 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/WmsWorkspaceWrapper.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/WmsWorkspaceWrapper.java
@@ -21,6 +21,8 @@
 package de.latlon.xplan.manager.wmsconfig;
 
 import de.latlon.xplan.manager.configuration.ConfigurationException;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.apache.commons.io.FilenameUtils;
 import org.deegree.commons.config.DeegreeWorkspace;
 import org.deegree.commons.xml.jaxb.JAXBUtils;
 import org.deegree.theme.persistence.standard.StandardThemeProvider;
@@ -72,6 +74,7 @@ public class WmsWorkspaceWrapper {
 	/**
 	 * @return the workspace location (must not exist!), never <code>null</code>
 	 */
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	public Path getDataDirectory() {
 		return Paths.get(getLocation().toURI()).resolve(DATA_DIRECTORY);
 	}
@@ -123,7 +126,7 @@ public class WmsWorkspaceWrapper {
 	}
 
 	private File createConfig(String type) {
-		File configFile = new File(workspace.getLocation(), format("themes/%sraster.xml", type));
+		File configFile = new File(workspace.getLocation(), format("themes/%sraster.xml", FilenameUtils.getName(type)));
 		if (!configFile.isFile() || !configFile.canRead()) {
 			throw new RuntimeException("Datei '" + configFile + "' ist nicht vorhanden.");
 		}
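Review bot: `FilenameUtils.getName(type)` silently remaps a `type` containing a path separator to a different file instead of rejecting it, and the `RuntimeException` on the following lines then reports the remapped path, which is confusing to debug. `type` looks like an internal fixed value, but its callers are outside the hunk; an explicit guard documents the assumption and keeps the original `format` call: `if (!type.equals(FilenameUtils.getName(type))) throw new IllegalArgumentException("invalid raster type: " + type);`. Either way, a one-line comment saying why the name is reduced to its base name would help the next reader.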
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/access/GdalRasterAdapter.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/access/GdalRasterAdapter.java
index 18570fc0aa..79167d6f92 100644
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/access/GdalRasterAdapter.java
+++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/access/GdalRasterAdapter.java
@@ -22,6 +22,7 @@ package de.latlon.xplan.manager.wmsconfig.raster.access;
 
 import de.latlon.xplan.commons.archive.ArchiveEntry;
 import de.latlon.xplan.commons.archive.XPlanArchiveContentAccess;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOUtils;
 import org.gdal.gdal.Dataset;
 import org.gdal.gdal.gdal;
@@ -79,7 +80,7 @@ public class GdalRasterAdapter {
 	 */
 	public Vector<?> getReferencedFiles(XPlanArchiveContentAccess archive, String entryName) throws IOException {
 		File zipArchiveLocation = unzipArchiveInTmpDirectory(archive);
-		File entry = new File(zipArchiveLocation, entryName);
+		File entry = new File(zipArchiveLocation, FilenameUtils.getName(entryName));
 		Dataset dataset = gdal.OpenShared(entry.getAbsolutePath());
 		if (dataset != null) {
 			return dataset.GetFileList();
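Review bot: Reducing `entryName` to its base name changes semantics for archives whose entries live in subdirectories: two entries such as `a/x.tif` and `b/x.tif` (constructed example) would both be written to the same `archiveDirectory/x.tif` in `copyToTempFile` (hunk at line 847) and overwrite each other, and `getReferencedFiles` would then open whichever was copied last. Whether that can happen depends on `unzipArchiveInTmpDirectory` and the archive contents, both outside the hunk. If subdirectories are never expected, reject rather than rewrite — `if (!entryName.equals(FilenameUtils.getName(entryName))) throw new IOException("unexpected path in archive entry name: " + entryName);` — so a crafted name fails loudly instead of being quietly redirected; if they are expected, resolve against the directory and check `normalize().startsWith(...)` so the directory structure survives.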
@@ -113,7 +114,7 @@ public class GdalRasterAdapter {
 	private void copyToTempFile(XPlanArchiveContentAccess archive, String entryName, File archiveDirectory)
 			throws IOException {
 		InputStream content = archive.retrieveInputStreamFor(entryName);
-		File writeRasterIn = new File(archiveDirectory, entryName);
+		File writeRasterIn = new File(archiveDirectory, FilenameUtils.getName(entryName));
 		OutputStream outputStream = null;
 		try {
 			outputStream = new FileOutputStream(writeRasterIn);
diff --git a/xplan-core/xplan-core-security/pom.xml b/xplan-core/xplan-core-security/pom.xml
index ad4793d381..f93776e936 100644
--- a/xplan-core/xplan-core-security/pom.xml
+++ b/xplan-core/xplan-core-security/pom.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <artifactId>xplan-core-security</artifactId>
 
@@ -18,6 +19,10 @@
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-security</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+    </dependency>
     <!-- logging -->
     <dependency>
       <groupId>org.slf4j</groupId>
diff --git a/xplan-core/xplan-core-security/src/main/java/de/latlon/xplanbox/security/authentication/PropertiesFileUserDetailsManager.java b/xplan-core/xplan-core-security/src/main/java/de/latlon/xplanbox/security/authentication/PropertiesFileUserDetailsManager.java
index 27789f34cd..cfb3e01421 100644
--- a/xplan-core/xplan-core-security/src/main/java/de/latlon/xplanbox/security/authentication/PropertiesFileUserDetailsManager.java
+++ b/xplan-core/xplan-core-security/src/main/java/de/latlon/xplanbox/security/authentication/PropertiesFileUserDetailsManager.java
@@ -20,6 +20,7 @@
  */
 package de.latlon.xplanbox.security.authentication;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.userdetails.User;
@@ -46,6 +47,7 @@ public class PropertiesFileUserDetailsManager implements UserDetailsManager {
 
 	private final Map<String, String> usersAndEncryptedPasswords;
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	public PropertiesFileUserDetailsManager(String userPropertiesFile, PasswordEncoder passwordEncoder)
 			throws SecurityConfigurationException {
 		try (FileInputStream inputStream = new FileInputStream(userPropertiesFile)) {
diff --git a/xplan-core/xplan-core-validator/pom.xml b/xplan-core/xplan-core-validator/pom.xml
index a9601743e5..84ad42fc1f 100644
--- a/xplan-core/xplan-core-validator/pom.xml
+++ b/xplan-core/xplan-core-validator/pom.xml
@@ -135,6 +135,10 @@
       <groupId>org.springframework</groupId>
       <artifactId>spring-context</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
diff --git a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/configuration/ValidatorConfigurationParser.java b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/configuration/ValidatorConfigurationParser.java
index e6108da5bd..bc373f2e78 100644
--- a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/configuration/ValidatorConfigurationParser.java
+++ b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/configuration/ValidatorConfigurationParser.java
@@ -26,6 +26,7 @@ import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import de.latlon.xplan.commons.configuration.PropertiesLoader;
 import de.latlon.xplan.manager.web.shared.ConfigurationException;
 import org.apache.commons.lang3.StringUtils;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -108,6 +109,7 @@ public class ValidatorConfigurationParser {
 		}
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	private Path createReportDirectory(Properties properties) throws IOException {
 		String validationReportDirectory = properties.getProperty(VALIDATION_REPORT_DIRECTORY);
 		if (validationReportDirectory == null || validationReportDirectory.isEmpty())
@@ -116,6 +118,7 @@ public class ValidatorConfigurationParser {
 			return Paths.get(validationReportDirectory);
 	}
 
+	@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")
 	private Path createRulesDirectory(Properties properties) {
 		String validationRulesDirectory = properties.getProperty(VALIDATION_RULES_DIRECTORY);
 		if (validationRulesDirectory != null && !validationRulesDirectory.isEmpty())
diff --git a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java
index a6ccca99e5..62e9f0706b 100644
--- a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java
+++ b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java
@@ -23,6 +23,7 @@ package de.latlon.xplan.validator.report.html;
 import de.latlon.xplan.validator.report.ReportGenerationException;
 import de.latlon.xplan.validator.report.ValidatorReport;
 import de.latlon.xplan.validator.report.xml.XmlReportGenerator;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.io.IOUtils;
 import org.slf4j.LoggerFactory;
 
@@ -31,7 +32,11 @@ import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
-import java.io.*;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 
 /**
  * Utility methods for generating reports
@@ -51,6 +56,8 @@ public class HtmlReportGenerator {
 	 * @throws ReportGenerationException if the generation of the XML report failed
 	 * @throws IllegalArgumentException if on of the parameters is <code>null</code>
 	 */
+	@SuppressFBWarnings(value = { "XXE_DTD_TRANSFORM_FACTORY", "XXE_XSLT_TRANSFORM_FACTORY" },
+			justification = "XML is generated, does not contain DTDs")
 	public void generateHtmlReport(ValidatorReport report, OutputStream htmlOut) throws ReportGenerationException {
 		checkParameters(report, htmlOut);
 		ByteArrayOutputStream xmlOut = writeXmlToStream(report);
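Review bot: The XXE suppression on `generateHtmlReport` rests on the report XML being generated locally, but the warning is about how the `TransformerFactory` is configured, and that factory (created outside the hunk) also resolves anything the stylesheet imports. Configuring it is two lines and makes the annotation unnecessary as well as robust against a future caller feeding external XML: `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` — if the stylesheet uses `xsl:import`/`xsl:include`, those then have to be resolved through the stream or a `URIResolver` rather than an external URL. If the suppression is kept, its justification should at least name the producer, e.g. `"input is produced by XmlReportGenerator in this process"`. The method body continues outside the hunk.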
diff --git a/xplan-dokumente/xplan-dokumente-api/src/main/java/de/latlon/xplanbox/api/dokumente/handler/DocumentHandler.java b/xplan-dokumente/xplan-dokumente-api/src/main/java/de/latlon/xplanbox/api/dokumente/handler/DocumentHandler.java
index 5cb8dac396..6c44603bd1 100644
--- a/xplan-dokumente/xplan-dokumente-api/src/main/java/de/latlon/xplanbox/api/dokumente/handler/DocumentHandler.java
+++ b/xplan-dokumente/xplan-dokumente-api/src/main/java/de/latlon/xplanbox/api/dokumente/handler/DocumentHandler.java
@@ -29,6 +29,7 @@ import de.latlon.xplanbox.api.dokumente.service.DocumentHeader;
 import de.latlon.xplanbox.api.dokumente.service.DocumentHeaderWithStream;
 import de.latlon.xplanbox.api.dokumente.service.DocumentService;
 import de.latlon.xplanbox.api.dokumente.v1.model.Document;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -62,14 +63,16 @@ public class DocumentHandler {
 	public DocumentHeader headDocument(String planId, String fileName)
 			throws InvalidPlanIdSyntax, InvalidPlanId, InvalidDocument, StorageException {
 		int planIdAsInt = checkPlanIdAndConvertIdToInt(planId);
-		LOG.debug("Retrieve header of document with filename {} of plan with id {}.", fileName, planIdAsInt);
+		LOG.debug("Retrieve header of document with filename {} of plan with id {}.",
+				StringUtils.normalizeSpace(fileName), planIdAsInt);
 		return documentService.retrieveHeader(planIdAsInt, fileName);
 	}
 
 	public DocumentHeaderWithStream getDocument(String planId, String fileName)
 			throws InvalidPlanIdSyntax, InvalidPlanId, InvalidDocument, StorageException {
 		int planIdAsInt = checkPlanIdAndConvertIdToInt(planId);
-		LOG.debug("Retrieve document with filename {} of plan with id {}.", fileName, planIdAsInt);
+		LOG.debug("Retrieve document with filename {} of plan with id {}.", StringUtils.normalizeSpace(fileName),
+				planIdAsInt);
 		return documentService.retrieveDocumentAndHeader(planIdAsInt, fileName);
 	}
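Review bot: Sanitising log arguments with `StringUtils.normalizeSpace` at each call site (here, and again in EditHandler.findPlanById and throughout PlanHandler) is easy to forget for the next log statement, and it also alters the logged value, so a file name with a tab or double space no longer matches what the service actually received. A more reliable place is the log encoder, e.g. a logback pattern `%replace(%msg){'[\r\n]', ''}` (constructed example), or one `sanitizeForLog()` helper in the commons module, so the handlers keep logging the argument they use. `fileName` is still passed unchanged to `documentService.retrieveHeader` on the next line, so the normalization only affects the log, which is the intended behaviour but worth a one-line comment saying so.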
 
diff --git a/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/EditHandler.java b/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/EditHandler.java
index 80a6d2d9c6..f033ad1af7 100644
--- a/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/EditHandler.java
+++ b/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/EditHandler.java
@@ -28,6 +28,7 @@ import de.latlon.xplan.manager.web.shared.XPlan;
 import de.latlon.xplanbox.api.commons.exception.InvalidPlanId;
 import de.latlon.xplanbox.api.commons.exception.InvalidPlanIdSyntax;
 import de.latlon.xplanbox.api.manager.exception.InvalidPlanToEdit;
+import org.apache.commons.lang3.StringUtils;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
 import org.slf4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -53,7 +54,7 @@ public abstract class EditHandler {
 	protected XPlanManager manager;
 
 	public XPlan findPlanById(String planId) throws Exception {
-		LOG.info("Find plan by Id '{}'", planId);
+		LOG.info("Find plan by Id '{}'", StringUtils.normalizeSpace(planId));
 		try {
 			int id = Integer.parseInt(planId);
 			return findPlanById(id);
diff --git a/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/PlanHandler.java b/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/PlanHandler.java
index 9d94c4647b..ded984479e 100644
--- a/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/PlanHandler.java
+++ b/xplan-manager/xplan-manager-api/src/main/java/de/latlon/xplanbox/api/manager/handler/PlanHandler.java
@@ -41,6 +41,7 @@ import de.latlon.xplanbox.api.commons.exception.InvalidPlanIdSyntax;
 import de.latlon.xplanbox.api.commons.exception.UnsupportedParameterValue;
 import de.latlon.xplanbox.api.manager.exception.InvalidPlan;
 import de.latlon.xplanbox.api.manager.v1.model.StatusMessage;
+import org.apache.commons.lang3.StringUtils;
 import org.deegree.cs.exceptions.UnknownCRSException;
 import org.slf4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -96,7 +97,7 @@ public class PlanHandler {
 		if (!validatorReport.isReportValid()) {
 			throw new InvalidPlan(validatorReport, xFileName);
 		}
-		LOG.info("Plan is valid. Importing plan into storage for '{}'", planStatus);
+		LOG.info("Plan is valid. Importing plan into storage for '{}'", StringUtils.normalizeSpace(planStatus));
 		AdditionalPlanData metadata = createAdditionalPlanData(xPlanArchive, planStatus);
 		List<Integer> planIds = xPlanInsertManager.importPlan(xPlanArchive, null, false, true, internalId, metadata);
 		List<XPlan> plansById = findPlansById(planIds);
@@ -106,7 +107,7 @@ public class PlanHandler {
 	}
 
 	public StatusMessage deletePlan(String planId) throws Exception {
-		LOG.info("Deleting plan with Id {}", planId);
+		LOG.info("Deleting plan with Id {}", StringUtils.normalizeSpace(planId));
 		xPlanDeleteManager.delete(planId);
 		return new StatusMessage().message(String.format(DELETE_MSG, planId));
 	}
@@ -114,7 +115,7 @@ public class PlanHandler {
 	public StreamingOutput exportPlan(String planId) throws Exception {
 		try {
 			int planIdAsInt = checkIdAndConvertIdToInt(planId);
-			LOG.info("Exporting plan with Id '{}'", planId);
+			LOG.info("Exporting plan with Id '{}'", StringUtils.normalizeSpace(planId));
 			if (!xPlanDao.existsPlan(planIdAsInt)) {
 				throw new InvalidPlanId(planId);
 			}
@@ -127,25 +128,26 @@ public class PlanHandler {
 	}
 
 	public XPlan findPlanById(String planId) throws InvalidPlanIdSyntax, InvalidPlanId {
-		LOG.info("Finding plan by Id '{}'", planId);
+		LOG.info("Finding plan by Id '{}'", StringUtils.normalizeSpace(planId));
 		int id = checkIdAndConvertIdToInt(planId);
 		return findPlanById(id);
 	}
 
 	public List<XPlan> findPlansByName(String planName) {
-		LOG.info("Finding plan by name '{}'", planName);
+		LOG.info("Finding plan by name '{}'", StringUtils.normalizeSpace(planName));
 		return xPlanDao.getXPlanByName(planName);
 	}
 
 	public List<XPlan> findPlans(String planName) throws Exception {
-		LOG.info("Searching plan by name '{}'", planName);
+		LOG.info("Searching plan by name '{}'", StringUtils.normalizeSpace(planName));
 		if (planName != null)
 			return xPlanDao.getXPlansLikeName(planName);
 		return xPlanDao.getXPlanList();
 	}
 
 	public List<XPlan> findPlansById(List<Integer> planIds) throws Exception {
-		LOG.info("Finding plan by IDs '{}'", planIds);
+		LOG.info("Finding plan by IDs '{}'",
+				planIds.stream().map(planId -> Integer.toString(planId)).collect(Collectors.joining(",")));
 		List<XPlan> plans = new ArrayList<>();
 		for (int planId : planIds) {
 			XPlan planById = findPlanById(planId);
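Review bot: `planIds.stream().map(planId -> Integer.toString(planId))` can be the method reference `.map(String::valueOf)`. The join is also computed eagerly on every call regardless of log level, and a `List<Integer>` cannot carry injected characters, so keeping `planIds` as the log argument (or guarding with `if (LOG.isInfoEnabled())`) is cheaper and equally safe. `Collectors` is not imported in this commit's hunks for PlanHandler, so presumably it already was. The loop body continues outside the hunk.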
diff --git a/xplan-webservices/xplan-webservices-services/xplan-services-wms/pom.xml b/xplan-webservices/xplan-webservices-services/xplan-services-wms/pom.xml
index 2ceaf9f827..ad840b8bcf 100644
--- a/xplan-webservices/xplan-webservices-services/xplan-services-wms/pom.xml
+++ b/xplan-webservices/xplan-webservices-services/xplan-services-wms/pom.xml
@@ -111,6 +111,10 @@
       <groupId>org.locationtech.jts</groupId>
       <artifactId>jts-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.spotbugs</groupId>
+      <artifactId>spotbugs-annotations</artifactId>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
diff --git a/xplan-webservices/xplan-webservices-services/xplan-services-wms/src/main/java/de/latlon/xplan/wms/visibility/ValidityPeriodInspector.java b/xplan-webservices/xplan-webservices-services/xplan-services-wms/src/main/java/de/latlon/xplan/wms/visibility/ValidityPeriodInspector.java
index aa423cae53..d3f967ac39 100644
--- a/xplan-webservices/xplan-webservices-services/xplan-services-wms/src/main/java/de/latlon/xplan/wms/visibility/ValidityPeriodInspector.java
+++ b/xplan-webservices/xplan-webservices-services/xplan-services-wms/src/main/java/de/latlon/xplan/wms/visibility/ValidityPeriodInspector.java
@@ -20,6 +20,7 @@
  */
 package de.latlon.xplan.wms.visibility;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.deegree.db.ConnectionProvider;
 import org.deegree.db.ConnectionProviderProvider;
 import org.deegree.layer.metadata.LayerMetadata;
@@ -61,6 +62,7 @@ public abstract class ValidityPeriodInspector implements LayerVisibilityInspecto
 		this.schema = schema;
 	}
 
+	@SuppressFBWarnings(value = "SQL_INJECTION_JDBC", justification = "schema is a fix value")
 	public boolean isVisible(LayerMetadata layerMetadata) {
 		String layerName = layerMetadata.getName();
 		int planId = parsePlanId(layerName);
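Review bot: The justification reads "schema is a fix value"; it should be "fixed value", and it would be more useful if it also said where the schema comes from (the constructor assigns `this.schema = schema` on the context lines, presumably from the layer configuration) and how `planId` enters the query, which is what the SQL_INJECTION_JDBC finding is actually about. Suggested: `justification = "schema comes from the layer configuration, not from the request; planId is an int parsed from the layer name"` — confirm the second half against the query code, which lies outside the hunk. The method body continues outside the hunk.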
-- 
GitLab