diff --git a/src/main/java/com/codicesoftware/plugins/DigesterUtils.java b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
index ccfa7cc..63207fa 100644
--- a/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
+++ b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
@@ -11,6 +11,9 @@ private DigesterUtils() { // private as it is an utility class
}
+ // This method disables features that are known to allow XML External Entity (XXE) attacks
+ // unless forced to be insecure
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public static Digester createDigester(boolean secure) throws SAXException {
Digester digester = new Digester();
if (secure) {
diff --git a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
index 4ff2aad..0d35b53 100644
--- a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
+++ b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
@@ -24,6 +24,8 @@
*/
public class ChangeSetReader extends ChangeLogParser {
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
@Override
public ChangeSetList parse(
Run run, RepositoryBrowser browser, File changelogFile)
@@ -36,6 +38,8 @@ public ChangeSetList parse(
}
}
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public ChangeSetList parse(
Run run, RepositoryBrowser browser, Reader reader)
throws IOException, SAXException {
diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java
index 00db885..1ec75de 100755
--- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java
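Review bot: The suppression added to `createDigester` also covers the `secure == false` path, so the one alert that would have pointed at the place an unhardened `Digester` can be built is now silenced while the method says nothing about what that path implies; the body continues past the hunk, so I can see `if (secure) {` but not which features the secure branch actually toggles. I would turn the two added `//` lines into Javadoc that lists the concrete features the secure branch sets (DOCTYPE disallowed, external general/parameter entities off, XInclude off — whichever it really does) and states the parameter contract, e.g. `@param secure when false the Digester keeps library-default entity handling and is only safe for XML this plugin produced itself`. A one-line justification next to the annotation, `// lgtm: hardening is applied below; insecure mode is an explicit opt-in`, tells the next reader why the alert was waived rather than just which rule it was. It is also worth adding a regression test that feeds `createDigester(true)` a document with `<!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/hostname">]>` and asserts it is rejected, so the hardening cannot quietly regress behind the suppression.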
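Review bot: The comment added above `parse(Run, RepositoryBrowser, File)` says the opt-out is "a UNSAFE property in ChangeSetReader", but nothing in this hunk reads such a property, and the same sentence appears in the two parser classes with only the class name swapped, so a reader cannot tell which system property actually flips the Digester to insecure mode or where it is checked. Name the real key and its effect, e.g. `// XXE hardening comes from DigesterUtils.createDigester(secure); setting the <fully-qualified property> system property to "true" on the controller re-enables DTD/external-entity processing for this parser`, so the waiver is auditable without opening DigesterUtils. The identical comment is repeated on the `Reader` overload in the next hunk; one class-level Javadoc would cover both. The method body is outside the hunk, so I cannot confirm this overload calls `DigesterUtils.createDigester` at all — if it only opens the file and delegates to the `Reader` overload, the annotation and its justification belong on the overload that actually constructs the Digester.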
+++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java
@@ -21,6 +21,8 @@ public class FindOutputParser {
// Utility classes shouldn't have default constructors
private FindOutputParser() { }
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in FindOutputParser set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
@Nonnull
public static List parseReader(
@Nonnull final ObjectSpecType specType,
diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java
index 475a167..545b2d3 100755
--- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java
+++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java
@@ -19,6 +19,8 @@ public final class LogOutputParser {
// Utility classes shouldn't have default constructors
private LogOutputParser() { }
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in LogOutputParser set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public static List parseFile(
FilePath path, String repoName, String server) throws IOException, ParseException {
List csetList = new ArrayList<>();
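Review bot: `parseReader` takes a `Reader`, so the hardening the new comment promises is only as strong as the `secure` value the (unseen) body passes to `DigesterUtils.createDigester`, and the phrase "a UNSAFE property in FindOutputParser" names no property that this hunk reads. State the input's provenance and the real switch, e.g. `// XML is presumably the output of the cm find command (from the class name — confirm); parsed via DigesterUtils.createDigester(secure), where secure is false only when <property key> is "true"`, with the real key filled in. The rest of `parseReader` lies outside the hunk.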
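Review bot: `parseFile(FilePath path, …)` takes a Jenkins `FilePath`, which can point at a file on an agent, so if the log XML is read from the agent workspace and parsed on the controller, an insecure Digester here becomes an agent-to-controller XXE primitive and the opt-out is more dangerous than the added comment suggests — I am inferring the agent path from the parameter type, since the body is outside the hunk. The comment should say so and name the switch: `// Parses agent-supplied XML on the controller: keep the Digester secure; the <property key>=true opt-out re-enables external entities and must not be used with untrusted agents`. The `@SuppressWarnings` annotation changes nothing at runtime; the guarantee rests entirely on `DigesterUtils.createDigester` returning a hardened parser, so a test asserting that a DOCTYPE with an external entity is rejected through `parseFile` would make the waiver defensible.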