From 12f75a15006006f7d5bf2e27829c4b47f0630a30 Mon Sep 17 00:00:00 2001 From: olivier lamy Date: Wed, 24 Mar 2021 14:05:29 +1000 Subject: [PATCH 1/5] [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 Signed-off-by: olivier lamy --- pom.xml | 16 ++++++++++++++++ .../plugins/hudson/ChangeSetReader.java | 5 ++--- .../commands/parsers/FindOutputParser.java | 5 ++--- .../hudson/commands/parsers/LogOutputParser.java | 5 ++--- 4 files changed, 22 insertions(+), 9 deletions(-) diff --git a/pom.xml b/pom.xml index 2949dea..6a0ea28 100755 --- a/pom.xml +++ b/pom.xml @@ -121,6 +121,17 @@ + + + + commons-beanutils + commons-beanutils + + 1.9.3 + + + + org.jenkins-ci.plugins @@ -132,5 +143,10 @@ workflow-scm-step 2.9 + + org.apache.commons + commons-digester3 + 3.2 + diff --git a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java index ed63514..9ef0541 100644 --- a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java +++ b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java @@ -5,8 +5,7 @@ import hudson.model.Run; import hudson.scm.ChangeLogParser; import hudson.scm.RepositoryBrowser; -import hudson.util.Digester2; -import org.apache.commons.digester.Digester; +import org.apache.commons.digester3.Digester; import org.apache.commons.io.IOUtils; import org.xml.sax.SAXException; @@ -40,7 +39,7 @@ public ChangeSetList parse( Run run, RepositoryBrowser browser, Reader reader) throws IOException, SAXException { List changesetList = new ArrayList<>(); - Digester digester = new Digester2(); + Digester digester = new Digester(); digester.push(changesetList); digester.addObjectCreate("*/changeset", ChangeSet.class); 
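Review bot: `Digester digester = new Digester();` in ChangeSetReader.parse is not a hardening-equivalent replacement: a plain commons-digester3 Digester runs with the JAXP SAX defaults, under which DOCTYPE declarations and external general/parameter entities are honoured, so until the later patches in this series wire in `disallow-doctype-decl` and the external-entity features, a crafted changelog document parsed here (presumably on the controller, as ChangeLogParser implementations are) can trigger XXE file disclosure or SSRF — this patch should not ship on its own. Whether `hudson.util.Digester2` applied any parser hardening of its own is not visible here; worth checking before treating the swap as behaviour-neutral. On the pom hunk, commons-digester3 3.2 brings commons-beanutils in transitively and the 1.9.3 pin added here is dropped again in patch 5, so confirm with `mvn dependency:tree` which beanutils version the plugin parent ends up managing. The enclosing `parse` method continues past the end of the hunk.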
diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java index 0d11c38..408b849 100755 --- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java +++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java @@ -2,8 +2,7 @@ import com.codicesoftware.plugins.hudson.model.ChangeSet; import hudson.FilePath; -import hudson.util.Digester2; -import org.apache.commons.digester.Digester; +import org.apache.commons.digester3.Digester; import org.xml.sax.SAXException; import java.io.IOException; @@ -27,7 +26,7 @@ public static List parseReader(FilePath path) throws IOException, Par return csetList; } - Digester digester = new Digester2(); + Digester digester = new Digester(); digester.push(csetList); digester.addObjectCreate("*/CHANGESET", ChangeSet.class); diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java index bfecb27..7d926da 100755 --- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java +++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java @@ -2,8 +2,7 @@ import com.codicesoftware.plugins.hudson.model.ChangeSet; import hudson.FilePath; -import hudson.util.Digester2; -import org.apache.commons.digester.Digester; +import org.apache.commons.digester3.Digester; import org.xml.sax.SAXException; import java.io.IOException; @@ -27,7 +26,7 @@ public static List parseFile(FilePath path) throws IOException, Parse return csetList; } - Digester digester = new Digester2(); + Digester digester = new Digester(); digester.push(csetList); digester.addObjectCreate("LogList/Changeset", ChangeSet.class); From 1b5be212abe35a277ca81904518833204da95f23 Mon Sep 17 00:00:00 2001 
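Review bot: Both parsers here feed `digester.parse(stream)` from `SafeFilePath.read(path)` on a `FilePath`, which may point at the agent that ran `cm`, so the XML is agent-controlled input and has to be treated as untrusted on the controller (a compromised agent can craft it freely). That makes the default-configured `new Digester()` in both hunks an XXE/SSRF exposure until DTDs and external entities are disabled, which later patches in this series do; it also argues for keeping the bean-property rules fixed as they are rather than ever deriving property or class names from the document. A one-line comment above the digester setup would stop a future maintainer from relaxing this: `// XML comes from the agent workspace: untrusted input — keep the parser hardened and the rules static`. Both enclosing methods start and end outside the hunks.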
From: olivier lamy Date: Mon, 19 Apr 2021 16:23:10 +1000 Subject: [PATCH 2/5] fix Digester security configuration Signed-off-by: olivier lamy --- .../commands/parsers/FindOutputParser.java | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java index 408b849..07f895d 100755 --- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java +++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java @@ -5,6 +5,7 @@ import org.apache.commons.digester3.Digester; import org.xml.sax.SAXException; +import javax.xml.parsers.ParserConfigurationException; import java.io.IOException; import java.io.InputStream; import java.text.ParseException; @@ -27,6 +28,21 @@ public static List parseReader(FilePath path) throws IOException, Par } Digester digester = new Digester(); + + digester.setXIncludeAware(false); + + if (!Boolean.getBoolean(FindOutputParser.class.getName() + ".UNSAFE")) { + try { + digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + digester.setFeature("http://xml.org/sax/features/external-general-entities", false); + digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + } + catch ( SAXException | ParserConfigurationException ex) { + throw new IOException("Failed to securely configure CVS changelog parser", ex); + } + } + digester.push(csetList); digester.addObjectCreate("*/CHANGESET", ChangeSet.class); From de3165dcb54a997d1cb3d028d463f81b15fdf93d Mon Sep 17 00:00:00 2001 From: olivier lamy Date: Tue, 20 Apr 2021 11:57:45 +1000 Subject: [PATCH 3/5] fix checkstyle 
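Review bot: The `-D…FindOutputParser.UNSAFE=true` escape hatch silently turns the XXE protection off: nothing is logged when the `if` is skipped, so an operator who set it for a one-off and forgot ends up with an entity-resolving parser on agent-supplied XML and no trace of it in the Jenkins log. Log it once at WARNING when the property is set, e.g. `LOGGER.warning("XML entity hardening disabled via -D" + FindOutputParser.class.getName() + ".UNSAFE");` (a `java.util.logging.Logger` field is one extra line if the class has none), and document the property alongside the plugin's other system properties. Note also that this hunk hardens only FindOutputParser; `LogOutputParser` and `ChangeSetReader` still build an unconfigured Digester until the next patch. `parseReader` continues outside the hunk.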
Signed-off-by: olivier lamy
---
 .../codicesoftware/plugins/DigesterUtils.java | 29 ++++++++++++
 .../plugins/hudson/ChangeSetReader.java | 3 +-
 .../commands/parsers/FindOutputParser.java | 45 +++++++------------
 .../commands/parsers/LogOutputParser.java | 42 ++++++++---------
 4 files changed, 67 insertions(+), 52 deletions(-)
 create mode 100644 src/main/java/com/codicesoftware/plugins/DigesterUtils.java
diff --git a/src/main/java/com/codicesoftware/plugins/DigesterUtils.java b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
new file mode 100644
index 0000000..d46e2f7
--- /dev/null
+++ b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
@@ -0,0 +1,29 @@
+package com.codicesoftware.plugins;
+
+import org.apache.commons.digester3.Digester;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+public class DigesterUtils {
+
+ private DigesterUtils() {
+ // private as it is an utility class
+ }
+
+ public static Digester createDigester(boolean secure) throws SAXException {
+ Digester digester = new Digester();
+ if (secure) {
+ digester.setXIncludeAware(false);
+ try {
+ digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (ParserConfigurationException ex) {
+ throw new SAXException("Failed to securely configure CVS changelog parser", ex);
+ }
+ }
+ return digester;
+ }
+}
diff --git a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
index 9ef0541..5eaf2e7 100644
--- a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
+++ b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
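Review bot: `createDigester` is now the one place the plugin's XML hardening lives and it carries no Javadoc; it should state that `secure` disables DOCTYPE, external general/parameter entities, external DTD loading and XInclude because the parsed documents originate from the SCM tool and the agent, and that `false` must only ever come from an explicit operator opt-out. Consider adding `digester.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (import `javax.xml.XMLConstants`) next to the four Xerces feature URIs: disallowing DOCTYPE already rules out entity declarations, but the portable JAXP secure-processing limits cost nothing, and the current fail-closed behaviour — an unrecognised feature surfaces as SAXNotRecognizedException, a SAXException, rather than as a silently unhardened parser — deserves a comment so nobody "fixes" it by catching and ignoring. Keep `setXIncludeAware(false)` ahead of the first `setFeature` call and say so in a comment — if digester3 instantiates its SAXParserFactory lazily on the first feature call (to confirm against the 3.2 source), a later `setXIncludeAware` would not reach the factory. The unsecured branch returns silently; a WARNING log there would make an opt-out visible to operators.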
@@ -1,5 +1,6 @@ package com.codicesoftware.plugins.hudson; +import com.codicesoftware.plugins.DigesterUtils; import com.codicesoftware.plugins.hudson.model.ChangeSet; import com.codicesoftware.plugins.hudson.model.ChangeSetList; import hudson.model.Run; @@ -39,7 +40,7 @@ public ChangeSetList parse( Run run, RepositoryBrowser browser, Reader reader) throws IOException, SAXException { List changesetList = new ArrayList<>(); - Digester digester = new Digester(); + Digester digester = DigesterUtils.createDigester(!Boolean.getBoolean(ChangeSetReader.class.getName() + ".UNSAFE")); digester.push(changesetList); digester.addObjectCreate("*/changeset", ChangeSet.class); diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java index 07f895d..c2328bb 100755 --- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java +++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java @@ -1,11 +1,11 @@ package com.codicesoftware.plugins.hudson.commands.parsers; +import com.codicesoftware.plugins.DigesterUtils; import com.codicesoftware.plugins.hudson.model.ChangeSet; import hudson.FilePath; import org.apache.commons.digester3.Digester; import org.xml.sax.SAXException; -import javax.xml.parsers.ParserConfigurationException; import java.io.IOException; import java.io.InputStream; import java.text.ParseException; 
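Review bot: `DigesterUtils.createDigester(!Boolean.getBoolean(ChangeSetReader.class.getName() + ".UNSAFE"))` repeats a negated-boolean lookup at each call site with a different, undocumented system property per class (`…ChangeSetReader.UNSAFE`, `…FindOutputParser.UNSAFE`, `…LogOutputParser.UNSAFE`), which is easy to invert by mistake and hard for an operator to audit. Prefer to move the opt-out decision into the helper so the secure-by-default choice is made once, e.g. `Digester digester = DigesterUtils.createDigester(ChangeSetReader.class);` with the helper computing `boolean secure = !Boolean.getBoolean(owner.getName() + ".UNSAFE");`, or collapse the three to a single documented property for the whole plugin. The enclosing `parse` method continues past the hunk.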
@@ -27,36 +27,21 @@ public static List parseReader(FilePath path) throws IOException, Par return csetList; } - Digester digester = new Digester(); - - digester.setXIncludeAware(false); - - if (!Boolean.getBoolean(FindOutputParser.class.getName() + ".UNSAFE")) { - try { - digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - digester.setFeature("http://xml.org/sax/features/external-general-entities", false); - digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - } - catch ( SAXException | ParserConfigurationException ex) { - throw new IOException("Failed to securely configure CVS changelog parser", ex); - } - } - - digester.push(csetList); - - digester.addObjectCreate("*/CHANGESET", ChangeSet.class); - digester.addBeanPropertySetter("*/CHANGESET/CHANGESETID", "version"); - digester.addBeanPropertySetter("*/CHANGESET/COMMENT", "comment"); - digester.addBeanPropertySetter("*/CHANGESET/DATE", "xmlDate"); - digester.addBeanPropertySetter("*/CHANGESET/BRANCH", "branch"); - digester.addBeanPropertySetter("*/CHANGESET/OWNER", "user"); - digester.addBeanPropertySetter("*/CHANGESET/REPNAME", "repoName"); - digester.addBeanPropertySetter("*/CHANGESET/REPSERVER", "repoServer"); - digester.addBeanPropertySetter("*/CHANGESET/GUID", "guid"); - digester.addSetNext("*/CHANGESET", "add"); - try (InputStream stream = SafeFilePath.read(path)) { + Digester digester = DigesterUtils.createDigester(!Boolean.getBoolean(FindOutputParser.class.getName() + ".UNSAFE")); + + digester.push(csetList); + + digester.addObjectCreate("*/CHANGESET", ChangeSet.class); + digester.addBeanPropertySetter("*/CHANGESET/CHANGESETID", "version"); + digester.addBeanPropertySetter("*/CHANGESET/COMMENT", "comment"); + digester.addBeanPropertySetter("*/CHANGESET/DATE", "xmlDate"); + digester.addBeanPropertySetter("*/CHANGESET/BRANCH", "branch"); + 
digester.addBeanPropertySetter("*/CHANGESET/OWNER", "user"); + digester.addBeanPropertySetter("*/CHANGESET/REPNAME", "repoName"); + digester.addBeanPropertySetter("*/CHANGESET/REPSERVER", "repoServer"); + digester.addBeanPropertySetter("*/CHANGESET/GUID", "guid"); + digester.addSetNext("*/CHANGESET", "add"); if (stream != null) { digester.parse(stream); } diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java index 7d926da..5718d24 100755 --- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java +++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java @@ -1,5 +1,6 @@ package com.codicesoftware.plugins.hudson.commands.parsers; +import com.codicesoftware.plugins.DigesterUtils; import com.codicesoftware.plugins.hudson.model.ChangeSet; import hudson.FilePath; import org.apache.commons.digester3.Digester; 
@@ -26,28 +27,27 @@ public static List parseFile(FilePath path) throws IOException, Parse return csetList; } - Digester digester = new Digester(); - digester.push(csetList); - - digester.addObjectCreate("LogList/Changeset", ChangeSet.class); - digester.addBeanPropertySetter("LogList/Changeset/ChangesetId", "version"); - digester.addBeanPropertySetter("LogList/Changeset/Comment", "comment"); - digester.addBeanPropertySetter("LogList/Changeset/Date", "xmlDate"); - digester.addBeanPropertySetter("LogList/Changeset/Branch", "branch"); - digester.addBeanPropertySetter("LogList/Changeset/Owner", "user"); - // no "*/CHANGESET/REPNAME" tag - // no "*/CHANGESET/REPSERVER" tag - digester.addBeanPropertySetter("LogList/Changeset/GUID", "guid"); - digester.addSetNext("LogList/Changeset", "add"); - - digester.addObjectCreate("LogList/Changeset/Changes/Item", ChangeSet.Item.class); - digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/RevId", "revId"); - digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/ParentRevId", "parentRevId"); - digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/DstCmPath", "path"); - digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/Type", "status"); - digester.addSetNext("LogList/Changeset/Changes/Item", "addItem"); - try (InputStream stream = SafeFilePath.read(path)) { + Digester digester = DigesterUtils.createDigester(!Boolean.getBoolean(LogOutputParser.class.getName() + ".UNSAFE")); + digester.push(csetList); + + digester.addObjectCreate("LogList/Changeset", ChangeSet.class); + digester.addBeanPropertySetter("LogList/Changeset/ChangesetId", "version"); + digester.addBeanPropertySetter("LogList/Changeset/Comment", "comment"); + digester.addBeanPropertySetter("LogList/Changeset/Date", "xmlDate"); + digester.addBeanPropertySetter("LogList/Changeset/Branch", "branch"); + digester.addBeanPropertySetter("LogList/Changeset/Owner", "user"); + // no "*/CHANGESET/REPNAME" tag + // no "*/CHANGESET/REPSERVER" tag + 
digester.addBeanPropertySetter("LogList/Changeset/GUID", "guid");
+ digester.addSetNext("LogList/Changeset", "add");
+
+ digester.addObjectCreate("LogList/Changeset/Changes/Item", ChangeSet.Item.class);
+ digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/RevId", "revId");
+ digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/ParentRevId", "parentRevId");
+ digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/DstCmPath", "path");
+ digester.addBeanPropertySetter("LogList/Changeset/Changes/Item/Type", "status");
+ digester.addSetNext("LogList/Changeset/Changes/Item", "addItem");
 if (stream != null) {
 digester.parse(stream);
 }
From 5b34b1f545d26645949760dcbf4188e2223e5b37 Mon Sep 17 00:00:00 2001
From: olivier lamy
Date: Wed, 21 Apr 2021 10:25:16 +1000
Subject: [PATCH 4/5] fix copy/paste
Signed-off-by: olivier lamy
---
 src/main/java/com/codicesoftware/plugins/DigesterUtils.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/codicesoftware/plugins/DigesterUtils.java b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
index d46e2f7..ccfa7cc 100644
--- a/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
+++ b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
@@ -21,7 +21,7 @@ public static Digester createDigester(boolean secure) throws SAXException {
 digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 } catch (ParserConfigurationException ex) {
- throw new SAXException("Failed to securely configure CVS changelog parser", ex);
+ throw new SAXException("Failed to securely configure xml digester parser", ex);
 }
 }
 return digester;
From 6ebc5ae93843d2215fd0e8fa6ac0f1fa033b5fcd Mon Sep 17 00:00:00 2001
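Review bot: The two comments carried over into the rule block, `// no "*/CHANGESET/REPNAME" tag` and `// no "*/CHANGESET/REPSERVER" tag`, name FindOutputParser's element patterns rather than the `LogList/Changeset/...` patterns this parser registers, so a reader looking for a `REPNAME` element in the `cm log` output parsed here will not find the connection. Reword them to describe this parser's input, e.g. `// the log output has no repository name/server elements; repoName and repoServer are not set from it`. I can't confirm from here whether those ChangeSet fields stay null or are defaulted elsewhere, so match the wording to ChangeSet. The enclosing `parseFile` method starts before the hunk.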
From: Olivier Lamy Date: Tue, 4 May 2021 06:22:25 +1000 Subject: [PATCH 5/5] remove commons-beanutils from dptMngt --- pom.xml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/pom.xml b/pom.xml index 6a0ea28..2c43b10 100755 --- a/pom.xml +++ b/pom.xml @@ -121,17 +121,6 @@ - - - - commons-beanutils - commons-beanutils - - 1.9.3 - - - - org.jenkins-ci.plugins