Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Update to JDK21 - EXO-71474 - Meeds-io/MIPs#91 #324

Merged
merged 2 commits into from
May 22, 2024
Merged

fix: Update to JDK21 - EXO-71474 - Meeds-io/MIPs#91 #324

merged 2 commits into from
May 22, 2024

Conversation

rdenarie
Copy link
Member

Remove usage of SecurityManager as it is deprecated for removal in jdk21 Remove also usage of classes

  • SecurityHelper
  • PrivilegedSystemHelper
  • PrivilegedFileHelper
  • SecureList
  • SecureSet
  • SecureCollections

These classes are here only to use securityManager, and as it is removed, it is no more necessary

@rdenarie rdenarie mentioned this pull request May 16, 2024
Closed
github-advanced-security[bot]
github-advanced-security bot found potential problems May 16, 2024
View reviewed changes
...xt/src/main/java/org/exoplatform/services/jcr/ext/backup/impl/RepositoryBackupChainImpl.java
@@ -106,7 +105,7 @@
File dir =
FileNameProducer.generateBackupSetDir(wsBackupConfig.getRepository(), wsBackupConfig.getWorkspace(),
config.getBackupDir().getPath(), startTime);
PrivilegedFileHelper.mkdirs(dir);
dir.mkdirs();

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/impl/BackupManagerImpl.java
@@ -1956,7 +1946,7 @@
public void restoreExistingRepository(File repositoryBackupSetDir, boolean asynchronous)
throws BackupOperationException, BackupConfigurationException
{
File[] cfs = PrivilegedFileHelper.listFiles(repositoryBackupSetDir, new RepositoryBackupLogsFilter());
File[] cfs = repositoryBackupSetDir.listFiles(new RepositoryBackupLogsFilter());

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/impl/BackupManagerImpl.java
@@ -1981,7 +1971,7 @@
public void restoreExistingWorkspace(File workspaceBackupSetDir, boolean asynchronous)
throws BackupOperationException, BackupConfigurationException
{
File[] cfs = PrivilegedFileHelper.listFiles(workspaceBackupSetDir, new BackupLogsFilter());
File[] cfs = workspaceBackupSetDir.listFiles(new BackupLogsFilter());

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/impl/BackupManagerImpl.java
@@ -770,7 +766,7 @@
File dir =
FileNameProducer.generateBackupSetDir(config.getRepository(), config.getWorkspace(), config.getBackupDir()
.getPath(), startTime);
PrivilegedFileHelper.mkdirs(dir);
dir.mkdirs();

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/impl/BackupManagerImpl.java
@@ -2007,7 +1997,7 @@
public void restoreRepository(File repositoryBackupSetDir, boolean asynchronous) throws BackupOperationException,
BackupConfigurationException
{
File[] cfs = PrivilegedFileHelper.listFiles(repositoryBackupSetDir, new RepositoryBackupLogsFilter());
File[] cfs = repositoryBackupSetDir.listFiles(new RepositoryBackupLogsFilter());

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/server/HTTPBackupAgent.java
@@ -1842,7 +1841,7 @@
throw new RestoreConfigurationException("Backup set directory is not directory :" + backupSetPath);
}

File[] cfs = PrivilegedFileHelper.listFiles(backupSetDir, new RepositoryBackupLogsFilter());
File[] cfs = backupSetDir.listFiles(new RepositoryBackupLogsFilter());

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/server/HTTPBackupAgent.java
@@ -1301,8 +1300,8 @@
throw new RestoreConfigurationException("Backup set directory is not directory :" + backupSetPath);
}

File[] cfsw = PrivilegedFileHelper.listFiles(backupSetDir, new BackupLogsFilter());
File[] cfsr = PrivilegedFileHelper.listFiles(backupSetDir, new RepositoryBackupLogsFilter());
File[] cfsw = backupSetDir.listFiles(new BackupLogsFilter());

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/server/HTTPBackupAgent.java
@@ -965,7 +964,7 @@
throw new RestoreConfigurationException("Backup set directory is not directory :" + backupSetPath);
}

File[] cfs = PrivilegedFileHelper.listFiles(backupSetDir, new BackupLogsFilter());
File[] cfs = backupSetDir.listFiles(new BackupLogsFilter());

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...ponent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/server/HTTPBackupAgent.java
File[] cfsw = PrivilegedFileHelper.listFiles(backupSetDir, new BackupLogsFilter());
File[] cfsr = PrivilegedFileHelper.listFiles(backupSetDir, new RepositoryBackupLogsFilter());
File[] cfsw = backupSetDir.listFiles(new BackupLogsFilter());
File[] cfsr = backupSetDir.listFiles(new RepositoryBackupLogsFilter());

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
...nent.ext/src/main/java/org/exoplatform/services/jcr/ext/backup/RepositoryBackupChainLog.java
@@ -298,7 +238,7 @@
{
this.logFile = logFile;
reader =
XMLInputFactory.newInstance().createXMLStreamReader(PrivilegedFileHelper.fileInputStream(logFile),
XMLInputFactory.newInstance().createXMLStreamReader(new FileInputStream(logFile),

Check failure

Code scanning / SonarCloud

XML parsers should not be vulnerable to XXE attacks High

Disable access to external entities in XML parsing. See more on SonarCloud
@hbenali hbenali removed the jdk21PR label May 22, 2024
rdenarie added 2 commits May 22, 2024 13:25
@rdenarie
fix: Update to JDK21 - EXO-71474 - Meeds-io/MIPs#91
1e83bcf 
Remove usage of SecurityManager as it is deprecated for removal in jdk21
Remove also usage of classes
- SecurityHelper
- PrivilegedSystemHelper
- PrivilegedFileHelper
- SecureList
- SecureSet
- SecureCollections

These classes are here only to use securityManager, and as it is removed, it is no more necessary
@rdenarie
Factorize surefire argLine
002507c
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
3 Security Hotspots
25.7% Coverage on New Code (required ≥ 75%)
42 New Blocker Issues (required ≤ 0)
18 New Critical Issues (required ≤ 0)
E Security Rating on New Code (required ≥ A)
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

@rdenarie rdenarie merged commit ed8c0b0 into develop May 22, 2024
3 of 5 checks passed
@rdenarie rdenarie deleted the merge-mip-91 branch May 22, 2024 11:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@boubaker boubaker boubaker approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rdenarie @boubaker @hbenali