Tagging release 4.17.0.1 on branch b30a4a99d1b530efbf652373eda229f2cd5133b1.

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEXtHhEi3F6KSkURLCSEJIIQ7j2IQFAmLRYi0ACgkQSEJIIQ7j
 2ISTWxAAlozJuDMoRnr4D1TDbNCr2hzWSgVn5AK+IZGwnd22OnaZnS7tVQUheTCq
 t9aQgRLb7oUGAzNngHEjDaQBnxlHdLHMKby+QGe+RjX/d9urFoEyHe2xyvCJPkwM
 hFM1uesMqtH/HKwhIL3l8fATGPHlucdhQEZ+XA4bu91IVzxog0gikSnm7SjbaljF
 yYNkn9CgOWtZYFek7lcOM7iuKB79QSdpYxN8PYLpE7esyQSu4KjU4Ekufv1u6Tql
 ILsY5PA5tzzxS7ArfW5PICgSxkXOUIkflBbPHObGgduKw9Q36bmnRM/701lNb2re
 EWE4NMlM2PDn8kKZ2zULD2VBIq5tVdJuZjXbjDyD17z/KiU9pd6hGeHABSitnpDW
 vAS6rLJVY3YT9eqoVDVhpkpFQZmvdfDC8L4nYU2E7dCHj4lF9FlsgYO08SCfSgvP
 InAnfg1jZvbhA9EDL+LiuhxCStn6ZpjRuRCC89hYfRfRM1ZdrT2FazDj8KwPuC0P
 xfEr8eTnMm7xM+B9JCBQ2Lskl3jxQk3KAYQX13LtZCUj05Y1f3crx/iq6t0qIrAH
 PU9keojKMZffLz5MBlFU8qor32stw+uNMky8dZgtDIx6kRjnuYuPYOxpcPDzl+Cs
 KBRcwpIP+GR9mePU8PKBNDClLA45vDE1XqeK6KnOOf7MBSprU5o=
 =ETOD
 -----END PGP SIGNATURE-----

Merge tag '4.17.0.1' into 4.17

Tagging release 4.17.0.1 on branch b30a4a99d1b530efbf652373eda229f2cd5133b1.
This commit is contained in:
Rohit Yadav 2022-07-18 19:40:53 +05:30
commit 7a3e97d67e
8 changed files with 82 additions and 14 deletions

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
cloudstack (4.17.0.1) unstable; urgency=low
* Update the version to 4.17.0.1
-- the Apache CloudStack project <dev@cloudstack.apache.org> Fri, 15 Jul 2022 18:18:39 +0530
cloudstack (4.17.0.0) unstable; urgency=low
* Update the version to 4.17.0.0

View File

@ -1,13 +1,13 @@
<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to
you under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of
the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
by applicable law or agreed to in writing, software distributed under the
License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
OF ANY KIND, either express or implied. See the License for the specific
language governing permissions and limitations under the License. -->
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to
you under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of
the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
by applicable law or agreed to in writing, software distributed under the
License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
OF ANY KIND, either express or implied. See the License for the specific
language governing permissions and limitations under the License. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

View File

@ -31,6 +31,7 @@
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml</artifactId>
<version>${cs.opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>

View File

@ -30,6 +30,7 @@ import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
import org.apache.cloudstack.api.response.SAMLMetaDataResponse;
import org.apache.cloudstack.saml.SAML2AuthManager;
import org.apache.cloudstack.saml.SAMLProviderMetadata;
import org.apache.cloudstack.utils.security.ParserUtils;
import org.apache.log4j.Logger;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
@ -239,7 +240,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
StringWriter stringWriter = new StringWriter();
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory factory = ParserUtils.getSaferDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.newDocument();
Marshaller out = Configuration.getMarshallerFactory().getMarshaller(spEntityDescriptor);

View File

@ -78,7 +78,6 @@ import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.springframework.stereotype.Component;
@ -389,7 +388,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
}
}
_idpMetaDataProvider.setRequireValidMetadata(true);
_idpMetaDataProvider.setParserPool(new BasicParserPool());
_idpMetaDataProvider.setParserPool(SAMLUtils.getSaferParserPool());
_idpMetaDataProvider.initialize();
_timer.scheduleAtFixedRate(new MetadataRefreshTask(), 0, _refreshInterval * 1000);

View File

@ -42,12 +42,15 @@ import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@ -56,6 +59,7 @@ import javax.xml.stream.FactoryConfigurationError;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.response.LoginCmdResponse;
import org.apache.cloudstack.utils.security.CertUtils;
import org.apache.cloudstack.utils.security.ParserUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.operator.OperatorCreationException;
import org.joda.time.DateTime;
@ -88,6 +92,7 @@ import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
@ -231,7 +236,7 @@ public class SAMLUtils {
public static Response decodeSAMLResponse(String responseMessage)
throws ConfigurationException, ParserConfigurationException,
SAXException, IOException, UnmarshallingException {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory documentBuilderFactory = ParserUtils.getSaferDocumentBuilderFactory();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
byte[] base64DecodedResponse = Base64.decode(responseMessage);
@ -365,4 +370,19 @@ public class SAMLUtils {
"CN=ApacheCloudStack", "CN=ApacheCloudStack",
3, "SHA256WithRSA");
}
public static BasicParserPool getSaferParserPool() {
final Map<String, Boolean> features = new HashMap<>();
features.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
features.put("http://apache.org/xml/features/disallow-doctype-decl", true);
features.put("http://xml.org/sax/features/external-general-entities", false);
features.put("http://xml.org/sax/features/external-parameter-entities", false);
features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
final BasicParserPool parserPool = new BasicParserPool();
parserPool.setXincludeAware(false);
parserPool.setIgnoreComments(true);
parserPool.setExpandEntityReferences(false);
parserPool.setBuilderFeatures(features);
return parserPool;
}
}

View File

@ -164,7 +164,7 @@
<cs.mysql.version>8.0.19</cs.mysql.version>
<cs.neethi.version>2.0.4</cs.neethi.version>
<cs.nitro.version>10.1</cs.nitro.version>
<cs.opensaml.version>2.6.4</cs.opensaml.version>
<cs.opensaml.version>2.6.6</cs.opensaml.version>
<cs.rados-java.version>0.6.0</cs.rados-java.version>
<cs.java-linstor.version>0.3.0</cs.java-linstor.version>
<cs.reflections.version>0.9.12</cs.reflections.version>

View File

@ -0,0 +1,41 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.utils.security;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
public class ParserUtils {
public static DocumentBuilderFactory getSaferDocumentBuilderFactory() throws ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// REDHAT https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
// OWASP https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
return factory;
}
}