[ofbiz-framework] branch trunk updated (11634ae -> a234f8e)


[ofbiz-framework] branch trunk updated (11634ae -> a234f8e)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from 11634ae  Improved: Converted OrderDeliveryServices.xml minilang to groovy (OFBIZ-11461)
     new af9ed4e  Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
     new a234f8e  Improved: fixes a Javadoc issue reported by checkstyle

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 build.gradle                                                |  2 +-
 .../org/apache/ofbiz/base/util/SafeObjectInputStream.java   | 13 +++++++++++--
 .../java/org/apache/ofbiz/entity/model/ModelEntity.java     | 11 ++---------
 3 files changed, 14 insertions(+), 12 deletions(-)


[ofbiz-framework] 01/02: Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit af9ed4e68e906d5bef5cb8514a7545795b2c4eed
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Feb 5 11:02:28 2021 +0100

    Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
   
    Adds an example based on RMI which is known to be a problem
---
 .../org/apache/ofbiz/base/util/SafeObjectInputStream.java   | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 84c8050..c18708c 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -62,9 +62,18 @@ public final class SafeObjectInputStream extends ObjectInputStream {
 
     @Override
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
-        if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+        String className = classDesc.getName();
+        // BlackList exploits; eg: don't allow RMI here
+        if (className.contains("java.rmi.server")) {
+            Debug.logWarning("***Incompatible class***: "
+                    + classDesc.getName()
+                    + ". java.rmi.server classes are not allowed for security reason",
+                    "SafeObjectInputStream");
+            return null;
+        }
+        if (!whitelistPattern.matcher(className).find()) {
             // DiskFileItem, FileItemHeadersImpl are not serializable.
-            if (classDesc.getName().contains("org.apache.commons.fileupload")) {
+            if (className.contains("org.apache.commons.fileupload")) {
                 return null;
             }
             Debug.logWarning("***Incompatible class***: "
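
Review bot: the deny branch at `return null;` after the `java.rmi.server` check leaves it to ObjectInputStream to fail later on a null resolved class; throwing an `InvalidClassException` at that point instead would make the rejection an explicit error where it is detected rather than an implicit one. The warning in that branch also still reads `+ classDesc.getName()` although `className` was introduced on the line above, so `+ className` would be consistent with the `org.apache.commons.fileupload` branch below. Two smaller points on the same lines: `className.contains("java.rmi.server")` is a substring test, not a package-prefix test such as `startsWith("java.rmi.server.")`, which is acceptable for a deny rule but worth saying in the comment, and "for security reason" should read "for security reasons".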


[ofbiz-framework] 02/02: Improved: fixes a Javadoc issue reported by checkstyle

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit a234f8e2016bcd8e5d334421d57a61dfeca7d28d
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Feb 5 11:26:34 2021 +0100

    Improved: fixes a Javadoc issue reported by checkstyle
   
    Also removes unused ModelEntity::toXmlElement and ModelEntity::toGroupXmlElement
   
    tasks.checkstyleMain.maxErrors from 278 to 277
---
 build.gradle                                                  |  2 +-
 .../main/java/org/apache/ofbiz/entity/model/ModelEntity.java  | 11 ++---------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/build.gradle b/build.gradle
index f962f0a..f40f89a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -310,7 +310,7 @@ checkstyle {
     // the sum of errors found last time it was changed after using the
     // ‘checkstyle’ tool present in the framework and in the official
     // plugins.
-    tasks.checkstyleMain.maxErrors = 278
+    tasks.checkstyleMain.maxErrors = 277
     // Currently there are a lot of errors so we need to temporarily
     // hide them to avoid polluting the terminal output.
     showViolations = false
diff --git a/framework/entity/src/main/java/org/apache/ofbiz/entity/model/ModelEntity.java b/framework/entity/src/main/java/org/apache/ofbiz/entity/model/ModelEntity.java
index 72bea12..83e44e7 100644
--- a/framework/entity/src/main/java/org/apache/ofbiz/entity/model/ModelEntity.java
+++ b/framework/entity/src/main/java/org/apache/ofbiz/entity/model/ModelEntity.java
@@ -2165,18 +2165,11 @@ public class ModelEntity implements Comparable<ModelEntity>, Serializable {
     }
 
     /**
-     * To xml element element.
+     * To Group elements of a document in a package
      * @param document the document
+     * @param packageName the name of the package where to group the elements of the document
      * @return the element
      */
-    public Element toXmlElement(Document document) {
-        return this.toXmlElement(document, this.getPackageName());
-    }
-
-    public Element toGroupXmlElement(Document document) {
-        return this.toGroupXmlElement(document, this.getPackageName());
-    }
-
     public Element toGroupXmlElement(Document document, String packageName) {
         if (UtilValidate.isNotEmpty(this.getPackageName()) && !packageName.equals(this.getPackageName())) {
             Debug.logWarning(
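Review bot: both deleted overloads, `toXmlElement(Document)` and `toGroupXmlElement(Document)`, are `public`, so this is a public API removal even though the commit message describes them as unused, and it deserves a line in the release notes. Callers that relied on the implicit `this.getPackageName()` default now have to pass `packageName` themselves, and the retained method dereferences that argument in `packageName.equals(this.getPackageName())`, so a null argument now raises a NullPointerException where the removed overload could not. The new Javadoc summary "To Group elements of a document in a package" would also read more clearly as "Builds the group XML element for this entity in the given package".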