-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GEOT-7587] Improve handling of XPath expressions #4797
Conversation
modules/extension/xsd/xsd-core/src/test/java/org/geotools/xsd/StreamingParserTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like a great addition. I don't really know the code, so I cannot say too much - sorry.
I think increasing the 5 second to something like 20 seconds would make it very unlikely to have a busy-machine problem. However, this is just a guess - its okay the way it is.
...ension/complex/src/test/java/org/geotools/filter/expression/FeaturePropertyAccessorTest.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am approving, with some minor feedback (test case threadsafety, and method name choice). I do not feel comfortable about "request changes" as that would block PR.
@sikeoka I will wait for your response/consideration before merge and backport.
public void testParseWithJavaMethod() throws Exception { | ||
ByteArrayInputStream in = new ByteArrayInputStream("<mails></mails>".getBytes()); | ||
StreamingParser parser = | ||
new StreamingParser(new MLConfiguration(), in, "java.lang.Thread.sleep(30000)"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am a bit confused as to choosing a time based example? Why not java.lang.Math.abs(-1.0)
- and test. to see that 1.0 is returned. This would be a test that is not sensitive to build server speed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a type of issue that is commonly referred to as blind
. Just because something is being done doesn't mean that the result is actually sent anywhere so I needed some kind of side effect that I could check for. I originally tested this using System.exit
but that isn't as JUnit or Maven friendly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay that makes sense, thanks for explaining.
} | ||
|
||
JXPathContext context = | ||
JXPathUtils.newSafeContext(object, false, this.namespaces, true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor feedback, newSafeContext
may promise too much, if attribute security is used for something like GeoFence security plugin this would not know enough to prevent specific data traversals.
A name like newDataContext
would be more clear this is about providing access to data only, not functions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I named this based on two existing cases for similar types of issues although getSafeContext
would be a more consistent name than newSafeContext
:
org.geoserver.template.TemplateUtils.getSafeConfiguration()
org.geotools.ysld.YamlUtil.getSafeYaml()
* @param lenient whether the context is in lenient mode | ||
* @return the context | ||
*/ | ||
public static JXPathContext newSafeContext(Object contextBean, boolean lenient) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the clear javadocs I appreciate it.
Minor feedback: Consider newDataContext
to accurately describe the restriction of no methods. In a more complicated security model such as GeoFence data traversal may be considered "unsafe" leading to this method name being misleading / incomplete.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really don't understand this comment since GeoFence has no dependence on gt-complex or commons-jxpath.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was trying to indicate that specific attributes may be restricted (using a geofence as an example of a plugin that offers this kind of functionality).
So "safe" indicates no functions, but it would not be safe from using xpath to traverse data to access a restricted columns.
As indicated this was minor feedback only.
The backport to
stderr
stdout
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-29.x 29.x
# Navigate to the new working tree
cd .worktrees/backport-29.x
# Create a new branch
git switch --create backport-4797-to-29.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick e53e5170ba71521728875a436c80616cfb03c1e8
# Push it to GitHub
git push --set-upstream origin backport-4797-to-29.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-29.x Then, create a pull request where the |
Hi, bro, since the versions 30.4, 31.2, and 29.6 of GeoTools that fix the vulnerability CVE-2024-36404 are all compiled jar files based on JDK 11, could you release a version that fixes this vulnerability but is compiled with JDK 8, such as version 28.x? |
No one has volunteered to do that. We have a public release procedure if you wish to volunteer. Even if you back port this fix, there are other vulnerabilities in older versions so why bother? |
Because our projects are based on Jdk8, the version of jdk11 cannot be run in our project. If I can study the open course and release a jdk 8 version of geotools that solves this vulnerability, how should I get this course? |
This PR refactors all jxpath initialization into a new utility method that disables calling functions from XPath expressions and fixes an incomplete class check that allowed complex feature code to be used on simple features. Some unnecessary dependency exclusions were also removed to clean up the pom.xml (commons-jxpath has no transitive dependencies).
Checklist
main
branch (backports managed later; ignore for branch specific issues).For core and extension modules:
[GEOT-XYZW] Title of the Jira ticket
.