Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GEOT-7587] Improve handling of XPath expressions #4797

Merged
merged 1 commit into from
Jun 5, 2024

Conversation

sikeoka
Copy link
Contributor

@sikeoka sikeoka commented Jun 4, 2024

GEOT-7587 Powered by Pull Request Badge

This PR refactors all jxpath initialization into a new utility method that disables calling functions from XPath expressions and fixes an incomplete class check that allowed complex feature code to be used on simple features. Some unnecessary dependency exclusions were also removed to clean up the pom.xml (commons-jxpath has no transitive dependencies).

Checklist

For core and extension modules:

  • New unit tests have been added covering the changes.
  • Documentation has been updated (if change is visible to end users).
  • There is an issue in GeoTools Jira (except for changes not visible to end users).
  • Commit message(s) must be in the form [GEOT-XYZW] Title of the Jira ticket.
  • Bug fixes and small new features are presented as a single commit.
  • The commit targets a single objective (if multiple focuses cannot be avoided, each one is in its own commit, and has a separate ticket describing it).

Copy link
Contributor

@davidblasby davidblasby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like a great addition. I don't really know the code, so I cannot say too much - sorry.

I think increasing the 5 second to something like 20 seconds would make it very unlikely to have a busy-machine problem. However, this is just a guess - its okay the way it is.

Copy link
Member

@jodygarnett jodygarnett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am approving, with some minor feedback (test case threadsafety, and method name choice). I do not feel comfortable about "request changes" as that would block PR.

@sikeoka I will wait for your response/consideration before merge and backport.

public void testParseWithJavaMethod() throws Exception {
ByteArrayInputStream in = new ByteArrayInputStream("<mails></mails>".getBytes());
StreamingParser parser =
new StreamingParser(new MLConfiguration(), in, "java.lang.Thread.sleep(30000)");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a bit confused as to choosing a time based example? Why not java.lang.Math.abs(-1.0) - and test. to see that 1.0 is returned. This would be a test that is not sensitive to build server speed?

Copy link
Contributor Author

@sikeoka sikeoka Jun 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a type of issue that is commonly referred to as blind. Just because something is being done doesn't mean that the result is actually sent anywhere so I needed some kind of side effect that I could check for. I originally tested this using System.exit but that isn't as JUnit or Maven friendly.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay that makes sense, thanks for explaining.

}

JXPathContext context =
JXPathUtils.newSafeContext(object, false, this.namespaces, true);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor feedback, newSafeContext may promise too much, if attribute security is used for something like GeoFence security plugin this would not know enough to prevent specific data traversals.

A name like newDataContext would be more clear this is about providing access to data only, not functions.

Copy link
Contributor Author

@sikeoka sikeoka Jun 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I named this based on two existing cases for similar types of issues although getSafeContext would be a more consistent name than newSafeContext:
org.geoserver.template.TemplateUtils.getSafeConfiguration()
org.geotools.ysld.YamlUtil.getSafeYaml()

* @param lenient whether the context is in lenient mode
* @return the context
*/
public static JXPathContext newSafeContext(Object contextBean, boolean lenient) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clear javadocs I appreciate it.

Minor feedback: Consider newDataContext to accurately describe the restriction of no methods. In a more complicated security model such as GeoFence data traversal may be considered "unsafe" leading to this method name being misleading / incomplete.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really don't understand this comment since GeoFence has no dependence on gt-complex or commons-jxpath.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was trying to indicate that specific attributes may be restricted (using a geofence as an example of a plugin that offers this kind of functionality).

So "safe" indicates no functions, but it would not be safe from using xpath to traverse data to access a restricted columns.

As indicated this was minor feedback only.

@jodygarnett jodygarnett added backport 30.x Backport bot will backport to 30.x on merge backport 31.x Automatic backport to 31.x branch labels Jun 5, 2024
@jodygarnett jodygarnett merged commit f0c9961 into geotools:main Jun 5, 2024
23 checks passed
@aaime
Copy link
Member

aaime commented Jun 5, 2024

The backport to 29.x failed:

The process '/usr/bin/git' failed with exit code 1
stderr
error: could not apply e53e5170ba... [GEOT-7587] Improve handling of XPath expressions
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config advice.mergeConflict false"

stdout
Auto-merging modules/extension/complex/src/main/java/org/geotools/data/complex/expression/FeaturePropertyAccessorFactory.java
CONFLICT (content): Merge conflict in modules/extension/complex/src/main/java/org/geotools/data/complex/expression/FeaturePropertyAccessorFactory.java
Auto-merging modules/extension/complex/src/main/java/org/geotools/data/complex/expression/MapPropertyAccessorFactory.java
CONFLICT (content): Merge conflict in modules/extension/complex/src/main/java/org/geotools/data/complex/expression/MapPropertyAccessorFactory.java
Auto-merging modules/extension/complex/src/test/java/org/geotools/filter/expression/FeaturePropertyAccessorTest.java
Auto-merging modules/extension/xsd/xsd-core/pom.xml
CONFLICT (content): Merge conflict in modules/extension/xsd/xsd-core/pom.xml

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-29.x 29.x
# Navigate to the new working tree
cd .worktrees/backport-29.x
# Create a new branch
git switch --create backport-4797-to-29.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick e53e5170ba71521728875a436c80616cfb03c1e8
# Push it to GitHub
git push --set-upstream origin backport-4797-to-29.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-29.x

Then, create a pull request where the base branch is 29.x and the compare/head branch is backport-4797-to-29.x.

@javacoderpyl
Copy link

Hi, bro, since the versions 30.4, 31.2, and 29.6 of GeoTools that fix the vulnerability CVE-2024-36404 are all compiled jar files based on JDK 11, could you release a version that fixes this vulnerability but is compiled with JDK 8, such as version 28.x?

@jodygarnett
Copy link
Member

No one has volunteered to do that. We have a public release procedure if you wish to volunteer.

Even if you back port this fix, there are other vulnerabilities in older versions so why bother?

@javacoderpyl
Copy link

No one has volunteered to do that. We have a public release procedure if you wish to volunteer.

Even if you back port this fix, there are other vulnerabilities in older versions so why bother?

Because our projects are based on Jdk8, the version of jdk11 cannot be run in our project. If I can study the open course and release a jdk 8 version of geotools that solves this vulnerability, how should I get this course?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 30.x Backport bot will backport to 30.x on merge backport 31.x Automatic backport to 31.x branch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants