Prevent XML External Entities vulnerability in CurrenctyConverter module.

2020-03-18 15:47:51 -07:00 · 2020-03-18 15:47:51 -07:00 · 4aa8cc2df6
commit 4aa8cc2df6
parent acc7c42112
6 changed files with 16 additions and 12 deletions
--- a/.idea/mobibot.iml
+++ b/.idea/mobibot.iml
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module external.linked.project.id="mobibot" external.linked.project.path="$MODULE_DIR$" external.root.project.path="$MODULE_DIR$" external.system.id="GRADLE" external.system.module.group="" external.system.module.version="0.7.3-beta+571" type="JAVA_MODULE" version="4">
+<module external.linked.project.id="mobibot" external.linked.project.path="$MODULE_DIR$" external.root.project.path="$MODULE_DIR$" external.system.id="GRADLE" external.system.module.group="" external.system.module.version="0.7.3-beta+574" type="JAVA_MODULE" version="4">
  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_14" inherit-compiler-output="true">
    <exclude-output />
    <content url="file://$MODULE_DIR$">
--- a/.idea/modules/mobibot.main.iml
+++ b/.idea/modules/mobibot.main.iml
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module external.linked.project.id="mobibot:main" external.linked.project.path="$MODULE_DIR$/../.." external.root.project.path="$MODULE_DIR$/../.." external.system.id="GRADLE" external.system.module.group="" external.system.module.type="sourceSet" external.system.module.version="0.7.3-beta+571" type="JAVA_MODULE" version="4">
+<module external.linked.project.id="mobibot:main" external.linked.project.path="$MODULE_DIR$/../.." external.root.project.path="$MODULE_DIR$/../.." external.system.id="GRADLE" external.system.module.group="" external.system.module.type="sourceSet" external.system.module.version="0.7.3-beta+574" type="JAVA_MODULE" version="4">
  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_14">
    <output url="file://$MODULE_DIR$/../../build/classes/java/main" />
    <exclude-output />
@ -12,8 +12,10 @@
    </content>
    <orderEntry type="inheritedJdk" />
    <orderEntry type="sourceFolder" forTests="false" />
    <orderEntry type="library" scope="PROVIDED" name="Gradle: net.thauvin.erik:semver:1.2.0" level="project" />
    <orderEntry type="library" name="Gradle: pircbot:pircbot:1.5.0" level="project" />
    <orderEntry type="library" scope="PROVIDED" name="Gradle: pircbot:pircbot:sources:1.5.0" level="project" />
    <orderEntry type="library" scope="PROVIDED" name="Gradle: com.github.spotbugs:spotbugs-annotations:4.0.0" level="project" />
    <orderEntry type="library" name="Gradle: org.apache.logging.log4j:log4j-core:2.13.1" level="project" />
    <orderEntry type="library" name="Gradle: org.apache.logging.log4j:log4j-slf4j-impl:2.13.1" level="project" />
    <orderEntry type="library" name="Gradle: org.apache.logging.log4j:log4j-api:2.13.1" level="project" />
@ -30,8 +32,7 @@
    <orderEntry type="library" name="Gradle: org.twitter4j:twitter4j-core:4.0.7" level="project" />
    <orderEntry type="library" name="Gradle: org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.70" level="project" />
    <orderEntry type="library" name="Gradle: org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.70" level="project" />
-    <orderEntry type="library" scope="PROVIDED" name="Gradle: net.thauvin.erik:semver:1.2.0" level="project" />
+    <orderEntry type="library" scope="PROVIDED" name="Gradle: com.google.code.findbugs:jsr305:3.0.2" level="project" />
    <orderEntry type="library" scope="PROVIDED" name="Gradle: com.github.spotbugs:spotbugs-annotations:4.0.0" level="project" />
    <orderEntry type="library" name="Gradle: org.slf4j:slf4j-api:1.7.25" level="project" />
    <orderEntry type="library" name="Gradle: org.jetbrains.kotlin:kotlin-stdlib:1.3.70" level="project" />
    <orderEntry type="library" name="Gradle: com.squareup.retrofit2:converter-gson:2.5.0" level="project" />
@ -40,7 +41,6 @@
    <orderEntry type="library" name="Gradle: com.squareup.okio:okio:2.4.3" level="project" />
    <orderEntry type="library" name="Gradle: com.rometools:rome-utils:1.12.2" level="project" />
    <orderEntry type="library" name="Gradle: org.jdom:jdom2:2.0.6" level="project" />
    <orderEntry type="library" scope="PROVIDED" name="Gradle: com.google.code.findbugs:jsr305:3.0.2" level="project" />
    <orderEntry type="library" name="Gradle: org.jetbrains.kotlin:kotlin-stdlib-common:1.3.70" level="project" />
    <orderEntry type="library" name="Gradle: org.jetbrains:annotations:13.0" level="project" />
  </component>
--- a/.idea/modules/mobibot.test.iml
+++ b/.idea/modules/mobibot.test.iml
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module external.linked.project.id="mobibot:test" external.linked.project.path="$MODULE_DIR$/../.." external.root.project.path="$MODULE_DIR$/../.." external.system.id="GRADLE" external.system.module.group="" external.system.module.type="sourceSet" external.system.module.version="0.7.3-beta+571" type="JAVA_MODULE" version="4">
+<module external.linked.project.id="mobibot:test" external.linked.project.path="$MODULE_DIR$/../.." external.root.project.path="$MODULE_DIR$/../.." external.system.id="GRADLE" external.system.module.group="" external.system.module.type="sourceSet" external.system.module.version="0.7.3-beta+574" type="JAVA_MODULE" version="4">
  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_14">
    <output-test url="file://$MODULE_DIR$/../../build/classes/java/test" />
    <exclude-output />
--- a/src/generated/java/net/thauvin/erik/mobibot/ReleaseInfo.java
+++ b/src/generated/java/net/thauvin/erik/mobibot/ReleaseInfo.java
@ -14,13 +14,13 @@ import java.time.*;
 public final class ReleaseInfo {
    public static final String PROJECT = "mobibot";
    public static final LocalDateTime BUILDDATE =
-        LocalDateTime.ofInstant(Instant.ofEpochMilli(1584495033449L), ZoneId.systemDefault());
+        LocalDateTime.ofInstant(Instant.ofEpochMilli(1584571512171L), ZoneId.systemDefault());
    public static final int MAJOR = 0;
    public static final int MINOR = 7;
    public static final int PATCH = 3;
    public static final String PRERELEASE = "beta";
-    public static final String BUILDMETA = "566";
+    public static final String BUILDMETA = "579";
-    public static final String VERSION = "0.7.3-beta+566";
+    public static final String VERSION = "0.7.3-beta+579";
    /**
     * Disables the default constructor.
--- a/src/main/java/net/thauvin/erik/mobibot/modules/CurrencyConverter.java
+++ b/src/main/java/net/thauvin/erik/mobibot/modules/CurrencyConverter.java
@ -47,6 +47,7 @@ import org.jdom2.JDOMException;
 import org.jdom2.Namespace;
 import org.jdom2.input.SAXBuilder;
 import javax.xml.XMLConstants;
 import java.io.IOException;
 import java.net.URL;
 import java.text.NumberFormat;
@ -137,6 +138,9 @@ public final class CurrencyConverter extends ThreadedModule {
        if (EXCHANGE_RATES.isEmpty()) {
            try {
                final SAXBuilder builder = new SAXBuilder();
                // See https://rules.sonarsource.com/java/tag/owasp/RSPEC-2755
                builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
                builder.setIgnoringElementContentWhitespace(true);
                final Document doc = builder.build(new URL(EXCHANGE_TABLE_URL));
--- a/version.properties
+++ b/version.properties
@ -1,9 +1,9 @@
 #Generated by the Semver Plugin for Gradle
-#Wed Mar 18 15:07:49 PDT 2020
+#Wed Mar 18 15:45:11 PDT 2020
-version.buildmeta=574
+version.buildmeta=579
 version.major=0
 version.minor=7
 version.patch=3
 version.prerelease=beta
 version.project=mobibot
-version.semver=0.7.3-beta+574
+version.semver=0.7.3-beta+579