Merge pull request from GHSA-r2hc-pmr7-4c9r
* Configured XML parsers to resist XXE attacks Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for avmfritz Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for sonos Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for vitotronic and bosesoundtouch Signed-off-by: Kai Kreuzer <kai@openhab.org> * changed avmfritz to singleton pattern Signed-off-by: Kai Kreuzer <kai@openhab.org> * addressed roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org> * address all uses of DocumentBuilderFactory Signed-off-by: Kai Kreuzer <kai@openhab.org> * fixed other occurrences in roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org>
This commit is contained in:
Kai Kreuzer
GitHub
@@ -25,6 +25,9 @@ import java.util.stream.Collectors;
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.JAXBException;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import javax.xml.stream.XMLInputFactory;
|
||||
import javax.xml.stream.XMLStreamException;
|
||||
import javax.xml.stream.XMLStreamReader;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
|
||||
import org.eclipse.jdt.annotation.NonNullByDefault;
|
||||
@@ -64,8 +67,12 @@ public class Tr064PhonebookImpl implements Phonebook {
|
||||
InputStream xml = new ByteArrayInputStream(contentResponse.getContent());
|
||||
|
||||
JAXBContext context = JAXBContext.newInstance(PhonebooksType.class);
|
||||
XMLInputFactory xif = XMLInputFactory.newFactory();
|
||||
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource(xml));
|
||||
Unmarshaller um = context.createUnmarshaller();
|
||||
PhonebooksType phonebooksType = um.unmarshal(new StreamSource(xml), PhonebooksType.class).getValue();
|
||||
PhonebooksType phonebooksType = um.unmarshal(xsr, PhonebooksType.class).getValue();
|
||||
|
||||
phonebookName = phonebooksType.getPhonebook().getName();
|
||||
|
||||
@@ -76,7 +83,7 @@ public class Tr064PhonebookImpl implements Phonebook {
|
||||
this::mergeSameContactNames));
|
||||
}).collect(HashMap::new, HashMap::putAll, HashMap::putAll);
|
||||
logger.debug("Downloaded phonebook {}: {}", phonebookName, phonebook);
|
||||
} catch (JAXBException | InterruptedException | ExecutionException | TimeoutException e) {
|
||||
} catch (JAXBException | InterruptedException | ExecutionException | TimeoutException | XMLStreamException e) {
|
||||
logger.warn("Failed to get phonebook with URL {}:", phonebookUrl, e);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,7 +18,12 @@ import java.io.ByteArrayInputStream;
|
||||
import java.io.InputStream;
|
||||
import java.lang.reflect.Field;
|
||||
import java.time.Duration;
|
||||
import java.util.*;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.ExecutionException;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.concurrent.TimeoutException;
|
||||
@@ -31,6 +36,9 @@ import javax.xml.bind.JAXBException;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import javax.xml.soap.SOAPException;
|
||||
import javax.xml.soap.SOAPMessage;
|
||||
import javax.xml.stream.XMLInputFactory;
|
||||
import javax.xml.stream.XMLStreamException;
|
||||
import javax.xml.stream.XMLStreamReader;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
|
||||
import org.eclipse.jdt.annotation.NonNullByDefault;
|
||||
@@ -49,7 +57,11 @@ import org.openhab.binding.tr064.internal.dto.config.ChannelTypeDescription;
|
||||
import org.openhab.binding.tr064.internal.dto.config.ChannelTypeDescriptions;
|
||||
import org.openhab.binding.tr064.internal.dto.config.ParameterType;
|
||||
import org.openhab.binding.tr064.internal.dto.scpd.root.SCPDServiceType;
|
||||
import org.openhab.binding.tr064.internal.dto.scpd.service.*;
|
||||
import org.openhab.binding.tr064.internal.dto.scpd.service.SCPDActionType;
|
||||
import org.openhab.binding.tr064.internal.dto.scpd.service.SCPDArgumentType;
|
||||
import org.openhab.binding.tr064.internal.dto.scpd.service.SCPDDirection;
|
||||
import org.openhab.binding.tr064.internal.dto.scpd.service.SCPDScpdType;
|
||||
import org.openhab.binding.tr064.internal.dto.scpd.service.SCPDStateVariableType;
|
||||
import org.openhab.core.cache.ExpiringCacheMap;
|
||||
import org.openhab.core.thing.ChannelUID;
|
||||
import org.openhab.core.thing.Thing;
|
||||
@@ -76,18 +88,21 @@ public class Util {
|
||||
|
||||
/**
|
||||
* read the channel config from the resource file (static initialization)
|
||||
*
|
||||
*
|
||||
* @return a list of all available channel configurations
|
||||
*/
|
||||
public static List<ChannelTypeDescription> readXMLChannelConfig() {
|
||||
try {
|
||||
InputStream resource = Thread.currentThread().getContextClassLoader().getResourceAsStream("channels.xml");
|
||||
JAXBContext context = JAXBContext.newInstance(ChannelTypeDescriptions.class);
|
||||
XMLInputFactory xif = XMLInputFactory.newFactory();
|
||||
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource(resource));
|
||||
Unmarshaller um = context.createUnmarshaller();
|
||||
JAXBElement<ChannelTypeDescriptions> root = um.unmarshal(new StreamSource(resource),
|
||||
ChannelTypeDescriptions.class);
|
||||
JAXBElement<ChannelTypeDescriptions> root = um.unmarshal(xsr, ChannelTypeDescriptions.class);
|
||||
return root.getValue().getChannel();
|
||||
} catch (JAXBException e) {
|
||||
} catch (JAXBException | XMLStreamException e) {
|
||||
LOGGER.warn("Failed to read channel definitions", e);
|
||||
return List.of();
|
||||
}
|
||||
@@ -95,7 +110,7 @@ public class Util {
|
||||
|
||||
/**
|
||||
* Extract an argument from an SCPD action definition
|
||||
*
|
||||
*
|
||||
* @param scpdAction the action object
|
||||
* @param argumentName the argument's name
|
||||
* @param direction the direction (in or out)
|
||||
@@ -114,7 +129,7 @@ public class Util {
|
||||
|
||||
/**
|
||||
* Extract the related state variable from the service root for a given argument
|
||||
*
|
||||
*
|
||||
* @param serviceRoot the service root object
|
||||
* @param scpdArgument the argument object
|
||||
* @return the related state variable object for this argument
|
||||
@@ -130,7 +145,7 @@ public class Util {
|
||||
|
||||
/**
|
||||
* Extract an action from the service root
|
||||
*
|
||||
*
|
||||
* @param serviceRoot the service root object
|
||||
* @param actionName the action name
|
||||
* @param actionType "Get-Action" or "Set-Action" (for exception string only)
|
||||
@@ -338,14 +353,18 @@ public class Util {
|
||||
InputStream xml = new ByteArrayInputStream(response);
|
||||
|
||||
JAXBContext context = JAXBContext.newInstance(clazz);
|
||||
XMLInputFactory xif = XMLInputFactory.newFactory();
|
||||
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource(xml));
|
||||
Unmarshaller um = context.createUnmarshaller();
|
||||
T newValue = um.unmarshal(new StreamSource(xml), clazz).getValue();
|
||||
T newValue = um.unmarshal(xsr, clazz).getValue();
|
||||
LOGGER.trace("Storing in cache {}", newValue);
|
||||
return newValue;
|
||||
} catch (ExecutionException | InterruptedException | TimeoutException e) {
|
||||
LOGGER.debug("HTTP Failed to GET uri '{}': {}", uri, e.getMessage());
|
||||
throw new IllegalArgumentException();
|
||||
} catch (JAXBException e) {
|
||||
} catch (JAXBException | XMLStreamException e) {
|
||||
LOGGER.debug("Unmarshalling failed: {}", e.getMessage());
|
||||
throw new IllegalArgumentException();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user