New security rule for SonarJava plugin

(Patrick Roth) #1

I have implemented a security rule for the java scanner. This rule checks the use of the org.apache.activemq.ActiveMQConnectionFactory class, which is subject to an extended XML Entity flaw.
I guess I should receive a RSPEC before I can merge this rule to the SonarJava scanner. Can you please provide a new number?
Thanx

1 Like
(Alexandre Gigleux) #3

Hello Patrick,

Before thinking about creating a new RSPEC, I think we need a little bit of context.

Can you share some links related to that specific problem? Or explain here what you want to catch and why? Are there already CVEs related to XXE + ActiveMQConnectionFactory?

Thanks

(Patrick Roth) #4

Hi Alexandre,

Here are my references:
http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
http://activemq.apache.org/objectmessage.html
http://cwe.mitre.org/data/definitions/611.html
https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)

Regards,
Patrick

(Patrick Roth) #5

Hi Alexandre,

Any update to this issue?

Regards,

Patrick

(Alexandre Gigleux) #6

Hello Patrick,

If my understanding is correct, you want to raise an issue if ActiveMQConnectionFactory is not properly configured or is configured in an unsafe way, as defined in http://activemq.apache.org/objectmessage.html

For the first case, you will raise an issue when there is no call to factory.setTrustedPackages
For the second case, you will raise an issue when factory.setTrustAllPackages( true );

Is it what you want to catch?

Thanks
Alex
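The two configurations described in the post above, as an added Java example that is not code from the thread or from the SonarJava project. It assumes ActiveMQ 5.12.2 or later, where `ActiveMQConnectionFactory` exposes `setTrustedPackages` and `setTrustAllPackages`; the broker URL and the package name are placeholders, and the comments mark which constructs the proposed rule would flag.

```java
import java.util.Arrays;
import org.apache.activemq.ActiveMQConnectionFactory;

public class ActiveMqFactoryConfig {

    // Placeholder broker URL, not taken from the thread.
    private static final String BROKER_URL = "tcp://broker.example.invalid:61616";

    // Second case from the thread: every class on the consumer's classpath becomes
    // eligible for deserialization from an ObjectMessage. The rule flags the
    // setTrustAllPackages(true) call.
    static ActiveMQConnectionFactory trustAllFactory() {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        factory.setTrustAllPackages(true); // flagged: trusts all packages
        return factory;
    }

    // First case from the thread: the factory is created and used without any call
    // to setTrustedPackages, so no explicit allow-list is configured.
    static ActiveMQConnectionFactory unconfiguredFactory() {
        return new ActiveMQConnectionFactory(BROKER_URL); // flagged: no setTrustedPackages call
    }

    // Compliant form: restrict ObjectMessage deserialization to an explicit
    // allow-list of packages ("com.example.messages" is an assumed package name).
    static ActiveMQConnectionFactory restrictedFactory() {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        factory.setTrustedPackages(Arrays.asList("com.example.messages"));
        return factory;
    }
}
```

A check along these lines only sees calls made directly on the factory within the analyzed code; an allow-list supplied through the `org.apache.activemq.SERIALIZABLE_PACKAGES` system property at runtime is invisible to it, which is a caveat worth recording in the rule description to avoid false positives.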

(Alexandre Gigleux) #7

Hello Patrick,

Can you raise your PR with a RSPEC-XXX so I can look at your code to be sure to understand which issue you want to catch?

Thanks

(Patrick Roth) #8

Hi Alexandre,

This is correct. These are the two cases I’d like to catch.

Regards,

Patrick

On Tue, 12 Mar 2019 at 15:33, Alexandre Gigleux via SonarSource Community sscommunity@discoursemail.com wrote:

(Alexandre Gigleux) #9

Hello,

I created https://jira.sonarsource.com/browse/RSPEC-5301 to get a RSPEC ID. I will finalize it once you will have submitted your PR.

Regards

(Alexandre Gigleux) #10

Hello @Patrick_Roth,

Can you submit your PR so we can move forward on this thread?

Thanks

(Patrick Roth) #11

Hi Alexandre,

Unfortunately I didn’t manage to pass the integration tests. Some tests fail.

(Alexandre Gigleux) #12

Hello,

Where is your code so we can look at it? We can certainly help to fix the ITs.

Thanks