Merge pull request #72 from caytec/refactor/java-security-ultimate-scan

refactor: Java Security Ultimate Security Repo Scanner 2023

examples/bundles/org.eclipse.ecf.example.collab/src/org/eclipse/ecf/example/collab/share/GenericSharedObject.java

@@ -15,6 +15,7 @@
 
 import java.io.IOException;
 import java.io.Serializable;
+import java.security.SecureRandom;
 import java.util.Hashtable;
 import java.util.Random;
 
@@ -424,6 +425,6 @@ public ID createObject(ID target, ReplicaSharedObjectDescription desc)
 	}
 
 	public String getUniqueString() {
-		return String.valueOf((new Random()).nextLong());
+		return String.valueOf((new SecureRandom()).nextLong());
 	}
 }

framework/bundles/org.eclipse.ecf.provider/src/org/eclipse/ecf/provider/comm/tcp/Client.java

@@ -16,6 +16,7 @@
 import java.net.*;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.SecureRandom;
 import java.util.*;
 import org.eclipse.core.runtime.Assert;
 import org.eclipse.ecf.core.identity.ID;
@@ -421,7 +422,7 @@ public void stop() {
 
 	private Thread setupPing() {
 		debug("setupPing()"); //$NON-NLS-1$
-		final int pingStartWait = (new Random()).nextInt(keepAlive / 2);
+		final int pingStartWait = (new SecureRandom()).nextInt(keepAlive / 2);
 		return new Thread(new Runnable() {
 			public void run() {
 				final Thread me = Thread.currentThread();

framework/bundles/org.eclipse.ecf.provider/src/org/eclipse/ecf/provider/comm/tcp/SSLClient.java

@@ -16,6 +16,7 @@
 import java.net.*;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.SecureRandom;
 import java.util.*;
 import javax.net.ssl.SSLSocketFactory;
 import org.eclipse.core.runtime.Assert;
@@ -401,7 +402,7 @@ public void stop() {
 
 	private Thread setupPing() {
 		debug("setupPing()"); //$NON-NLS-1$
-		final int pingStartWait = (new Random()).nextInt(keepAlive / 2);
+		final int pingStartWait = (new SecureRandom()).nextInt(keepAlive / 2);
 		return new Thread(new Runnable() {
 			public void run() {
 				final Thread me = Thread.currentThread();

framework/bundles/org.eclipse.ecf.remoteservice.rest/src/org/eclipse/ecf/remoteservice/rest/client/XMLRemoteResponseDeserializer.java

@@ -17,6 +17,7 @@
 import java.util.Map;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import org.eclipse.ecf.remoteservice.IRemoteCall;
 import org.eclipse.ecf.remoteservice.client.IRemoteCallable;
 import org.eclipse.ecf.remoteservice.client.IRemoteResponseDeserializer;
@@ -32,6 +33,13 @@ public class XMLRemoteResponseDeserializer implements IRemoteResponseDeserialize
 
 	public Object deserializeResponse(String uri, IRemoteCall call, IRemoteCallable callable, Map responseHeaders, byte[] responseBody) throws NotSerializableException {
 		DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
+		String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+		try {
+			documentFactory.setFeature(FEATURE, true);
+		} catch (ParserConfigurationException e) {
+			throw new IllegalStateException("ParserConfigurationException was thrown. The feature '"
+		+ FEATURE + "' is not supported by your XML processor.", e);
+		}
 		String errorMsg = "XML response can't be parsed: "; //$NON-NLS-1$
 		try {
 			DocumentBuilder builder = documentFactory.newDocumentBuilder();

incubation/projects/org.eclipse.ecf.ipc/bundles/org.eclipse.ecf.ipc/src/org/eclipse/ecf/ipc/Utils.java

@@ -21,6 +21,7 @@
 import java.io.PrintWriter;
 import java.io.Reader;
 import java.io.StringWriter;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -326,7 +327,7 @@ public static String readOrCreate(File file, String contents) throws IOException
 			// create a temp file and write the contents to it.
 			//
 			File parent = file.getParentFile();
-			File temp = File.createTempFile("tempfile", null, parent);
+			File temp = Files.createTempFile(parent.toPath(), "tempfile", null).toFile();
 			Utils.writeFile(temp, contents);
 
 			//

protocols/bundles/ch.ethz.iks.r_osgi.remote/src/main/java/ch/ethz/iks/r_osgi/impl/ChannelEndpointMultiplexer.java

@@ -28,6 +28,7 @@
  */
 package ch.ethz.iks.r_osgi.impl;
 
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Dictionary;
 import java.util.HashMap;
@@ -232,7 +233,7 @@ public boolean isConnected() {
 	 */
 	private class Mapping {
 
-		private final Random random = new Random(System.currentTimeMillis());
+		private final Random random = new SecureRandom();
 		private final List redundant = new ArrayList(0);
 		private final Map uriMapping = new HashMap(0);
 

protocols/bundles/ch.ethz.iks.r_osgi.remote/src/main/java/ch/ethz/iks/r_osgi/types/Timestamp.java

@@ -28,6 +28,7 @@
  */
 package ch.ethz.iks.r_osgi.types;
 
+import java.security.SecureRandom;
 import java.util.Random;
 
 /**
@@ -53,7 +54,7 @@ public final class Timestamp implements Comparable {
 	 * the offset of the logical clock. Initialized by a pseudo- random number
 	 * to simplify causal ordering among different peers.
 	 */
-	private static int counter = new Random().nextInt(1000);
+	private static int counter = new SecureRandom().nextInt(1000);
 
 	/**
 	 * the actual timestamp, stored as <code>long</code>.

protocols/bundles/org.eclipse.ecf.protocol.bittorrent/src/org/eclipse/ecf/protocol/bittorrent/internal/net/ConnectionPool.java

@@ -15,6 +15,7 @@
 import java.io.UnsupportedEncodingException;
 import java.net.Socket;
 import java.nio.channels.SocketChannel;
+import java.security.SecureRandom;
 import java.util.LinkedList;
 import java.util.Random;
 import java.util.Vector;
@@ -29,7 +30,7 @@ class ConnectionPool {
 	 * A shared <code>Random</code> instance to randomly select a piece to
 	 * request from peers.
 	 */
-	static final Random RANDOM = new Random();
+	static final Random RANDOM = new SecureRandom();
 
 	/**
 	 * The number of seconds to wait before rotating optimistic unchokes.

protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ReconnectionManager.java

@@ -18,7 +18,10 @@
 package org.jivesoftware.smack;
 
 import org.jivesoftware.smack.packet.StreamError;
+
+import java.security.SecureRandom;
 import java.util.Random;
+
 /**
  * Handles the automatic reconnection process. Every time a connection is dropped without
  * the application explictly closing it, the manager automatically tries to reconnect to
@@ -38,7 +41,7 @@ public class ReconnectionManager implements ConnectionListener {
     // Holds the connection to the server
     private Connection connection;
     private Thread reconnectionThread;
-    private int randomBase = new Random().nextInt(11) + 5; // between 5 and 15 seconds
+    private int randomBase = new SecureRandom().nextInt(11) + 5; // between 5 and 15 seconds
 
     // Holds the state of the reconnection
     boolean done = false;

protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/util/StringUtils.java

@@ -23,6 +23,7 @@
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
@@ -727,7 +728,7 @@ public static byte[] decodeBase64(String data) {
      * The Random class is not considered to be cryptographically secure, so
      * only use these random Strings for low to medium security applications.
      */
-    private static Random randGen = new Random();
+    private static Random randGen = new SecureRandom();
 
     /**
      * Array of numbers and letters of mixed case. Numbers appear in the list

protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smackx/bytestreams/ibb/InBandBytestreamManager.java

@@ -13,6 +13,7 @@
  */
 package org.jivesoftware.smackx.bytestreams.ibb;
 
+import java.security.SecureRandom;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
@@ -126,7 +127,7 @@ public void connectionClosed() {
     private static final String SESSION_ID_PREFIX = "jibb_";
 
     /* random generator to create session IDs */
-    private final static Random randomGenerator = new Random();
+    private final static Random randomGenerator = new SecureRandom();
 
     /* stores one InBandBytestreamManager for each XMPP connection */
     private final static Map<Connection, InBandBytestreamManager> managers = new HashMap<Connection, InBandBytestreamManager>();

protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smackx/bytestreams/socks5/Socks5BytestreamManager.java

@@ -15,6 +15,7 @@
 
 import java.io.IOException;
 import java.net.Socket;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -115,7 +116,7 @@ public void connectionClosed() {
     private static final String SESSION_ID_PREFIX = "js5_";
 
     /* random generator to create session IDs */
-    private final static Random randomGenerator = new Random();
+    private final static Random randomGenerator = new SecureRandom();
 
     /* stores one Socks5BytestreamManager for each XMPP connection */
     private final static Map<Connection, Socks5BytestreamManager> managers = new HashMap<Connection, Socks5BytestreamManager>();

protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smackx/debugger/EnhancedDebugger.java

@@ -35,6 +35,7 @@
 import javax.swing.event.ListSelectionListener;
 import javax.swing.table.DefaultTableModel;
 import javax.swing.text.BadLocationException;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -872,6 +873,9 @@ private String formatXML(String str) {
         try {
             // Use a Transformer for output
             TransformerFactory tFactory = TransformerFactory.newInstance();
+            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             // Surround this setting in a try/catch for compatibility with Java 1.4. This setting is required
             // for Java 1.5
             try {

protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smackx/filetransfer/FileTransferNegotiator.java

@@ -20,6 +20,7 @@
 package org.jivesoftware.smackx.filetransfer;
 
 import java.net.URLConnection;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -69,7 +70,7 @@ public class FileTransferNegotiator {
 
     protected static final String STREAM_DATA_FIELD_NAME = "stream-method";
 
-    private static final Random randomGenerator = new Random();
+    private static final Random randomGenerator = new SecureRandom();
 
     /**
      * A static variable to use only offer IBB for file transfer. It is generally recommend to only

protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smackx/provider/VCardProvider.java

@@ -30,6 +30,8 @@
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.ArrayList;
@@ -92,6 +94,13 @@ public static VCard createVCardFromXML(String xml) throws Exception {
         VCard vCard = new VCard();
 
         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+        String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+        try {
+            documentBuilderFactory.setFeature(FEATURE, true);
+        } catch (ParserConfigurationException e) {
+            throw new IllegalStateException("ParserConfigurationException was thrown. The feature '"
+                    + FEATURE + "' is not supported by your XML processor.", e);
+        }
         DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
         Document document = documentBuilder.parse(
                 new ByteArrayInputStream(xml.getBytes(PREFERRED_ENCODING)));

providers/bundles/org.eclipse.ecf.provider.irc.ui/src/org/eclipse/ecf/internal/irc/ui/wizards/IRCConnectWizardPage.java

@@ -13,6 +13,7 @@
  *****************************************************************************/
 package org.eclipse.ecf.internal.irc.ui.wizards;
 
+import java.security.SecureRandom;
 import java.util.*;
 import java.util.List;
 import org.eclipse.ecf.internal.irc.ui.Activator;
@@ -167,7 +168,7 @@ public void handleEvent(Event arg0) {
 	}
 
 	private String getRandomNumber() {
-		Random random = new Random();
+		Random random = new SecureRandom();
 		return String.valueOf(random.nextInt(100000));
 	}
 

providers/bundles/org.eclipse.ecf.provider.jmdns/jmdns/javax/jmdns/impl/JmDNSImpl.java

@@ -6,6 +6,7 @@
 
 import java.io.IOException;
 import java.net.*;
+import java.security.SecureRandom;
 import java.util.*;
 import javax.jmdns.*;
 import javax.jmdns.impl.tasks.*;
@@ -106,7 +107,7 @@ public class JmDNSImpl extends JmDNS {
 	 * The source for random values. This is used to introduce random delays in
 	 * responses. This reduces the potential for collisions on the network.
 	 */
-	private final static Random random = new Random();
+	private final static Random random = new SecureRandom();
 
 	/**
 	 * This lock is used to coordinate processing of incoming and outgoing

server-side/bundles/org.eclipse.ecf.server.generic/src/org/eclipse/ecf/server/generic/app/ClientApplication.java

@@ -11,6 +11,7 @@
  *****************************************************************************/
 package org.eclipse.ecf.server.generic.app;
 
+import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Random;
 import org.eclipse.ecf.core.ContainerTypeDescription;
@@ -56,7 +57,7 @@ public class ClientApplication {
 	ID[] sharedObjects = null;
 
 	static ContainerTypeDescription contd = null;
-	static Random aRan = new Random();
+	static Random aRan = new SecureRandom();
 
 	public ClientApplication() {
 		super();

server-side/bundles/org.eclipse.ecf.server.generic/src/org/eclipse/ecf/server/generic/app/ServerConfigParser.java

@@ -116,6 +116,13 @@ protected String getAttributeValue(Node node, String attrName) {
 
 	public List load(InputStream ins) throws ParserConfigurationException, SAXException, IOException {
 		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+		String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+		try {
+			dbf.setFeature(FEATURE, true);
+		} catch (ParserConfigurationException e) {
+			throw new IllegalStateException("ParserConfigurationException was thrown. The feature '"
+		+ FEATURE + "' is not supported by your XML processor.", e);
+		}
 		DocumentBuilder db = dbf.newDocumentBuilder();
 		Document doc = db.parse(ins);
 		return loadConnectors(doc);

tests/bundles/org.eclipse.ecf.tests.apache.httpclient.server/src/org/apache/commons/httpclient/TestPartsNoHost.java

@@ -35,6 +35,7 @@
 import java.io.FileWriter;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 
 import junit.framework.Test;
 import junit.framework.TestCase;
@@ -108,7 +109,7 @@ public void testFilePartNullFileResendsData() throws Exception {
      * written to.
      */
     private File createTempTestFile() throws IOException {
-        File file = File.createTempFile("FilePartTest", ".txt");
+        File file = Files.createTempFile("FilePartTest", ".txt").toFile();
         PrintWriter out = new PrintWriter(new FileWriter(file));
         out.println(PART_DATA);
         out.flush();

tests/bundles/org.eclipse.ecf.tests.discovery/src/org/eclipse/ecf/tests/discovery/AbstractDiscoveryTest.java

@@ -13,6 +13,7 @@
 package org.eclipse.ecf.tests.discovery;
 
 import java.net.URI;
+import java.security.SecureRandom;
 import java.util.Comparator;
 import java.util.Properties;
 import java.util.Random;
@@ -51,7 +52,7 @@ public abstract class AbstractDiscoveryTest extends TestCase {
 	public AbstractDiscoveryTest(String name) {
 		super();
 		this.containerUnderTest = name;
-		this.random = new Random();
+		this.random = new SecureRandom();
 	}
 
 	public String getTestId() {

tests/bundles/org.eclipse.ecf.tests.discovery/src/org/eclipse/ecf/tests/discovery/RndStatsTestCase.java

@@ -12,6 +12,7 @@
  *****************************************************************************/
 package org.eclipse.ecf.tests.discovery;
 
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -80,7 +81,7 @@ public static Test suite(TestSuite suite) {
 
 		// shuffle the list to create randomized test order
 		System.out.println("Seed used for test ordering: " + SEED);
-		Collections.shuffle(tests, new Random(SEED));
+		Collections.shuffle(tests, new SecureRandom());
 
 		// Create empty test suite and add tests in order of shuffeled list
 		suite = new MyTestSuite(RndStatsTestCase.class.getName());