[PPP-5150] running Jenkins Unit Tests

[eddie-martinez]

No description provided.

[hitachivantarasonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[buildguy]

---

🐸 JFrog Frogbot

[buildguy]

db.parse( inputSource )

at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java (line 749)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Medium	XML external entities

Full description

Overview

Unsafe XXE (XML External Entity) expansion, is a type of vulnerability
that allows an attacker to access external resources, such as files or
network services using a crafted XML document. The attack can also lead to
a denial of service, due to quadratic expansion of XXE elements.

Vulnerable example

protected void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    InputSource is = new InputSource();
    // Load the xml string into an InputSource object.
    is.setCharacterStream(new StringReader( request.getParameter("xml") ));
    // Parse it
    db.parse(is);
}

Remediation

Set the following features on DocumentBuilderFactory to remediate XXE:

+   try {
+      dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+   } catch (ParserConfigurationException e) { }
+   try {
+      dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+   } catch (ParserConfigurationException e) { }
+   try {
+      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+   } catch (ParserConfigurationException e) { }
+   try {
+      dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
+           false);
+   } catch (ParserConfigurationException e) { }
+   dbf.setXIncludeAware(false);
+   dbf.setExpandEntityReferences(false);
    DocumentBuilder db = dbf.newDocumentBuilder();

Code Flows

Vulnerable data flow analysis result

↘️ inputStream.read() (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 380)

↘️ c (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 380)

↘️ xml.append( (char) c ) (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 381)

↘️ xml.toString() (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 384)

↘️ XMLHandler.loadXMLString( xml.toString() ) (at engine/src/main/java/org/pentaho/di/pan/PanCommandExecutor.java line 384)

↘️ DocumentBuilder db (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 741)

↘️ db.parse( inputSource ) (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 749)

Vulnerable data flow analysis result

↘️ is.read() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 92)

↘️ c (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 92)

↘️ buffer.append( (char) c ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 93)

↘️ buffer.toString() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 96)

↘️ XMLHandler.loadXMLString( buffer.toString() ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/script/ScriptHelp.java line 96)

↘️ DocumentBuilder db (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 741)

↘️ db.parse( inputSource ) (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 749)

Vulnerable data flow analysis result

↘️ is.read() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 92)

↘️ c (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 92)

↘️ buffer.append( (char) c ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 93)

↘️ buffer.toString() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 96)

↘️ XMLHandler.loadXMLString( buffer.toString() ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/scriptvalues_mod/ScriptValuesHelp.java line 96)

↘️ DocumentBuilder db (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 741)

↘️ db.parse( inputSource ) (at core/src/main/java/org/pentaho/di/core/xml/XMLHandler.java line 749)

---

🐸 JFrog Frogbot

---

🐸 JFrog Frogbot

[buildguy]

new File( filename )

at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java (line 58)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Medium	Stored Path Traversal

Full description

Overview

Path traversal, also known as directory traversal, is a type of
vulnerability that allows an attacker to access files or directories on a
computer or device that are outside of the intended directory.
Allowing arbitrary read access can allow the attacker to read sensitive
files, such as configuration files or sensitive data, potentially leading
data loss or even system compromise. Allowing arbitrary write access is
more severe and in most cases leads to arbitrary code execution, via
editing important system files or sensitive data.

Vulnerable example

public class path_traversaLvuln {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String DOCS_FOLDER = "/srv/www/docs";
        String docName = statement.executeQuery(query);  // Reading from DB
        Path docPath = Paths.get(DOCS_FOLDER, docName);
        File docFile = docPath.toFile();
        FileUtils.copyFile(docFile, response.getOutputStream());
    }
}

In this example, an attacker can, via a stored parameter, inject a back-path,
that will get anywhere in the system, using "../../".

Remediation

public class path_traversal_safe {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String DOCS_FOLDER = "/srv/www/docs";
        String docName = statement.executeQuery(query);  // Reading from DB
        Path docPath = Paths.get(DOCS_FOLDER, docName);
        + Path normDocPath = docPath.normalize();
        + // Make sure the canonical path resides in the desired dir
        + if (normDocPath.startsWith(DOCS_FOLDER)) {
            File docFile = docPath.toFile();
            FileUtils.copyFile(docFile, response.getOutputStream());
        + }
    }
}

By checking that the folder name still starts with the predefined prefix, we
make sure that the attacker is not able to back-path outside of the allowed
folder.

Code Flows

Vulnerable data flow analysis result

↘️ System.getProperty( "file.separator" ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ dialog.getFilterPath() + System.getProperty( "file.separator" ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ dialog.getFilterPath() + System.getProperty( "file.separator" ) + dialog.getFileName() (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ filename (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 383)

↘️ new SasInputHelper( filename ) (at ui/src/main/java/org/pentaho/di/ui/trans/steps/sasinput/SasInputDialog.java line 384)

↘️ `public class SasInputHelper {

private String filename;
private RowMetaInterface rowMeta;

private SasReader sasReader;

/**

• @param filename

•      The SAS7BAT filename
  

*/
public SasInputHelper( final String filename ) throws KettleException {
this.filename = filename;

sasReader = new SasReader( new File( filename ) );

// Determine the row layout of the file ...
//
try {
  rowMeta = new RowMeta();
  sasReader.read( new SasReaderCallback() {
    public void column( int index, String name, String label, SasColumnType type, int length ) {
      int kettleType = ValueMetaInterface.TYPE_NONE;
      int kettleLength;
      switch ( type ) {
        case CHARACTER:
          kettleType = ValueMetaInterface.TYPE_STRING;
          kettleLength = length;
          break;
        case NUMERIC:
          kettleType = ValueMetaInterface.TYPE_NUMBER;
          kettleLength = -1;
          break;
        default:
          throw new RuntimeException( "Unhandled SAS data type encountered: " + type );
      }
      try {
        ValueMetaInterface valueMeta = ValueMetaFactory.createValueMeta( name, kettleType );
        valueMeta.setLength( kettleLength );
        valueMeta.setComments( label );
        rowMeta.addValueMeta( valueMeta );
      } catch ( Exception e ) {
        throw new SasReaderException( "Unable to create new value meta type", e );
      }
    }

    public boolean readData() {
      return false;
    }

    public boolean row( int rowNumber, Object[] rowData ) {
      return true;
    }
  } );
} catch ( Exception e ) {
  throw new KettleException( "Unable to determine the layout of SAS7BAT file '" + filename + "'", e );
}

}

@OverRide
public String toString() {
return filename;
}

/**

• @return the filename
  */
  public String getFilename() {
  return filename;
  }

/**

• @return the rowMeta
  */
  public RowMetaInterface getRowMeta() {
  return rowMeta;
  }
  }` (at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java line 44)

↘️ final String filename (at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java line 55)

↘️ new File( filename ) (at engine/src/main/java/org/pentaho/di/trans/steps/sasinput/SasInputHelper.java line 58)

---

🐸 JFrog Frogbot

---

🐸 JFrog Frogbot

[buildguy]

❌ Build failed in 4m 22s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl dbdialog

---

❗ No tests found!

Errors:

Filtered log (click to expand)

script returned exit code 1

ℹ️ This is an automatic message