
Dismiss unsafe class alerts about org.apache.commons.digester3.Digester #77

Merged

Conversation

@mig42 mig42 (Contributor) commented Aug 22, 2024

This PR dismisses some security alerts about using potentially unsafe classes:

They're warning about the usage of org.apache.commons.digester3.Digester, which uses org.xml.sax.XMLReader underneath and is therefore vulnerable to XML eXternal Entity injection (XXE).

The plugin builds the Digester via DigesterUtils, which already applies the protections in https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlreader.

We can safely dismiss these alerts, as we're already protecting our XML readers.

Testing done

Not needed. This PR only adds @SuppressWarnings annotations.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue
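The PR description above relies on DigesterUtils configuring the underlying XMLReader per the OWASP XXE cheat sheet. The following is an added, stand-alone illustration of what that hardening looks like and how to check that it holds; it is example code written for this page, not the plugin's own DigesterUtils. The class and bean names (HardenedDigesterExample, Config), the rule patterns, and the probe inputs are all constructed for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.apache.commons.digester3.Digester;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

/**
 * Builds a Digester whose underlying XMLReader refuses DOCTYPEs and external
 * entities, then checks the behaviour with a benign document and an XXE probe.
 * Example code, not the plugin's DigesterUtils.
 */
public final class HardenedDigesterExample {

    /** Hypothetical bean populated by the Digester rules below. */
    public static class Config {
        private String name;
        public void setName(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Creates a Digester over an XMLReader hardened per the OWASP cheat sheet (XMLReader section). */
    public static Digester newHardenedDigester() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Primary control: reject any DOCTYPE declaration outright, so no DTD
        // and no entity declarations can ever be processed.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: even if a DOCTYPE were allowed, do not fetch external
        // DTDs and do not expand external general or parameter entities.
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        // Digester accepts a pre-configured XMLReader, so the features above apply to every parse.
        Digester digester = new Digester(reader);
        digester.addObjectCreate("config", Config.class);
        digester.addBeanPropertySetter("config/name", "name");
        return digester;
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: parses normally.
        String benign = "<config><name>build-agent</name></config>";
        Config ok = newHardenedDigester().parse(new StringReader(benign));
        System.out.println("benign document parsed, name = " + ok.getName());

        // Constructed XXE probe: an inline DTD declaring an external entity that
        // points at a local file, referenced from an element the rules copy into the bean.
        String xxe = "<!DOCTYPE config [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
                   + "<config><name>&xxe;</name></config>";
        try {
            Config leaked = newHardenedDigester().parse(new StringReader(xxe));
            System.out.println("UNEXPECTED: entity expanded to " + leaked.getName());
        } catch (SAXParseException e) {
            // With disallow-doctype-decl=true the parser fails at the DOCTYPE itself,
            // before any entity is resolved, so nothing is read from the filesystem.
            System.out.println("XXE probe rejected as expected: " + e.getMessage());
        }
    }
}
```

The useful check is the second parse: if the probe ever succeeds and `getName()` returns file contents, the reader behind the Digester is not the hardened one, which is exactly the situation these alerts exist to catch.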

mig42 added 2 commits August 22, 2024 09:39
The unsafe classes warning due to the usage of
org.apache.commons.digester3.Digester can be dismissed, as we're already
disabling DTD features in DigesterUtils.

Signed-off-by: Miguel González <[email protected]>
@pablobayarri pablobayarri merged commit 17203a7 into master Aug 22, 2024
15 checks passed
@pablobayarri pablobayarri deleted the miguel/fix-security-alerts/potentially-unsafe-classes branch August 22, 2024 10:35
2 participants