Disable loading external DTDs by default, create system property to activate it #6474

romani · 2019-02-24T15:42:58Z

Ability to load external DTDs is considered as security issue, especially if DTDs are not hosted on https hosting.
Checkstyle used to rely on remote DTD files previously so such ability was enabled by default.
From 8.11 version checkstyle do not rely on remove DTDs if you use standard config, with standard DTDs.

UPGRADE INSTRUCTIONS: Users still can activate not very secure behavior by system property checkstyle.enableExternalDtdLoad, so simply make your CLI execution like java -Dcheckstyle.enableExternalDtdLoad=true -jar .......
Or activate system property by any other way in your checkstyle execution.

ATTENTION: user on old versions of checkstyle that reference to DTD files http (not secure) hosting on sourceforge.net will be forced to upgrade to at least to https versions of DTD files. Removal of DTDs on http hosting will be done in scope of - #6478.

The text was updated successfully, but these errors were encountered:

romani · 2019-02-25T03:09:10Z

without new system property checkstyle might failure the same way as failed our UTs:

java.lang.NullPointerException
    at com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDProcessor.endDTD(XMLDTDProcessor.java:1349)
    at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.endEntity(XMLDTDScannerImpl.java:652)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.endEntity(XMLEntityManager.java:1401)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.load(XMLEntityScanner.java:1917)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.skipSpaces(XMLEntityScanner.java:1655)
    at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:2082)
    at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:2058)
    at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDTDExternalSubset(XMLDTDScannerImpl.java:301)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1175)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1045)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:933)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:841)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:770)
    at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
    at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
    at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
    at com.puppycrawl.tools.checkstyle.XmlLoader.parseInputSource(XmlLoader.java:84)
    at com.puppycrawl.tools.checkstyle.ConfigurationLoader.parseInputSource(ConfigurationLoader.java:197)
    at com.puppycrawl.tools.checkstyle.ConfigurationLoader.loadConfiguration(ConfigurationLoader.java:443)
    at com.puppycrawl.tools.checkstyle.ConfigurationLoader.loadConfiguration(ConfigurationLoader.java:395)
    at com.puppycrawl.tools.checkstyle.ConfigurationLoader.loadConfiguration(ConfigurationLoader.java:372)
    at com.puppycrawl.tools.checkstyle.ConfigurationLoader.loadConfiguration(ConfigurationLoader.java:209)
    at com.puppycrawl.tools.checkstyle.ConfigurationLoaderTest.loadConfiguration(ConfigurationLoaderTest.java:62)
    at com.puppycrawl.tools.checkstyle.ConfigurationLoaderTest.testExternalEntity(ConfigurationLoaderTest.java:410)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
    at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)

romani · 2019-02-25T05:30:29Z

fix is merged and released in 8.18

romani · 2019-03-15T12:43:02Z

Github will detect vulnerability and report it as:

we are affected probably by this non-compile dependency in plugins of verify phase:

<maven.sevntu-checkstyle-check.checkstyle.version>
      8.12
</maven.sevntu-checkstyle-check.checkstyle.version>

Fixes a vulnerability from the GitHub Security Advisory Database: _Moderate severity vulnerability that affects com.puppycrawl.tools:checkstyle_ Checkstyle prior to 8.18 loads external DTDs by default, which can potentially lead to denial of service attacks or the leaking of confidential information. checkstyle/checkstyle#6474 Affected versions: < 8.18 Ran checkstyle locally. Closes apache#25432 from Fokko/SPARK-28713. Authored-by: Fokko Driesprong <fokko@apache.org> Signed-off-by: Dongjoon Hyun <dhyun@apple.com> (cherry picked from commit d8dd571)

## What changes were proposed in this pull request? Backport to `branch-2.4` of #25432 Fixes a vulnerability from the GitHub Security Advisory Database: _Moderate severity vulnerability that affects com.puppycrawl.tools:checkstyle_ Checkstyle prior to 8.18 loads external DTDs by default, which can potentially lead to denial of service attacks or the leaking of confidential information. checkstyle/checkstyle#6474 Affected versions: < 8.18 ## How was this patch tested? Ran checkstyle locally. Closes #25437 from Fokko/branch-2.4. Authored-by: Fokko Driesprong <fokko@apache.org> Signed-off-by: Dongjoon Hyun <dhyun@apple.com>

## What changes were proposed in this pull request? Backport to `branch-2.4` of apache#25432 Fixes a vulnerability from the GitHub Security Advisory Database: _Moderate severity vulnerability that affects com.puppycrawl.tools:checkstyle_ Checkstyle prior to 8.18 loads external DTDs by default, which can potentially lead to denial of service attacks or the leaking of confidential information. checkstyle/checkstyle#6474 Affected versions: < 8.18 ## How was this patch tested? Ran checkstyle locally. Closes apache#25437 from Fokko/branch-2.4. Authored-by: Fokko Driesprong <fokko@apache.org> Signed-off-by: Dongjoon Hyun <dhyun@apple.com>

romani added a commit that referenced this issue Feb 24, 2019

Issue #6474: disable external dtd load by default

f796c50

romani mentioned this issue Feb 24, 2019

Issue #6474: disable external dtd load by default #6476

Closed

romani added approved breaking compatibility labels Feb 25, 2019

romani added a commit that referenced this issue Feb 25, 2019

Issue #6474: disable external dtd load by default

180b4fe

This was referenced Feb 25, 2019

minor: disable external dtd load by default #6464

Closed

Remove DTDs from http://checkstyle.sourceforge.net and from http://puppycrawl.com/ #6478

Closed

romani added this to the 8.18 milestone Feb 25, 2019

romani closed this as completed Feb 25, 2019

romani mentioned this issue Feb 25, 2019

Set Load external DTD feature to be enabled #3605

Closed

JLLeitschuh mentioned this issue Mar 14, 2019

Disable XML External Entity load in XmlUtil.java in tests #6133

Closed

romani mentioned this issue Mar 15, 2019

upgrade to checkstyle 8.18 checkstyle/eclipse-cs#135

Closed

big-guy mentioned this issue Mar 15, 2019

CVE-2019-9658: Gradle depends upon Checkstyle Version vulnerable to MITM based XXE gradle/gradle#8792

Closed

olyutorskii mentioned this issue Mar 17, 2019

checkstyle security vulnerability olyutorskii/JarabraDix#7

Closed

trustin mentioned this issue Mar 22, 2019

Update Checkstyle to 8.18+ netty/netty#8968

Closed

romani mentioned this issue Apr 23, 2019

MCHECKSTYLE-366 Upgrade checkstyle to a more recent version apache/maven-checkstyle-plugin#13

Closed

mend-bolt-for-github bot mentioned this issue May 19, 2019

CVE-2019-9658 (Medium) detected in checkstyle-6.16.1.jar dexmo007/ostfalia-javaee#1

Open

romani mentioned this issue Jul 10, 2019

Support Multiple Configuration Files #991

Closed

mend-bolt-for-github bot mentioned this issue Jul 18, 2019

CVE-2019-9658 (Medium) detected in checkstyle-8.1.jar LevyForchh/cruise-control#2

Open

1 task

Fokko mentioned this issue Aug 13, 2019

[SPARK-28713][BUILD] Bump checkstyle from 8.14 to 8.23 apache/spark#25432

Closed

Fokko mentioned this issue Aug 13, 2019

[SPARK-28713][BUILD][2.4] Bump checkstyle from 8.2 to 8.23 apache/spark#25437

Closed

mend-for-github-com bot mentioned this issue Feb 26, 2020

CVE-2019-9658 (Medium) detected in checkstyle-7.7.jar LevyForchh/wire#3

Open

1 task

mend-for-github-com bot mentioned this issue Jul 21, 2020

CVE-2019-9658 (Medium) detected in checkstyle-6.18.jar kenferrara/atlasdb#10

Open

mend-for-github-com bot mentioned this issue Jul 29, 2020

CVE-2019-9658 (Medium) detected in checkstyle-8.13.jar kenferrara/hadoop-crypto#8

Open

mend-for-github-com bot mentioned this issue Mar 25, 2021

CVE-2019-9658 (Medium) detected in checkstyle-7.2.jar jmacwhitesource/cloud-pipeline#184

Open

mend-for-github-com bot mentioned this issue Jul 23, 2021

CVE-2019-9658 (Medium) detected in checkstyle-6.18.jar snowdensb/dependabot-core#113

Open

ddidier mentioned this issue Sep 8, 2021

Suppressions DTD not found #10788

Closed

mend-bolt-for-github bot mentioned this issue Oct 5, 2021

CVE-2019-9658 (Medium) detected in checkstyle-8.12.jar - autoclosed bsbtd/Teste#691

Closed

mend-bolt-for-github bot mentioned this issue Jan 18, 2022

CVE-2019-9658 (Medium) detected in checkstyle-8.7.jar ar-abed/sample#23

Open

big-guy mentioned this issue Sep 19, 2022

Adds support for EnableExternalDTDLoad property to Checkstyle Plugin gradle/gradle#22036

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable loading external DTDs by default, create system property to activate it #6474

Disable loading external DTDs by default, create system property to activate it #6474

romani commented Feb 24, 2019 •

edited

romani commented Feb 25, 2019

romani commented Feb 25, 2019

romani commented Mar 15, 2019 •

edited

Disable loading external DTDs by default, create system property to activate it #6474

Disable loading external DTDs by default, create system property to activate it #6474

Comments

romani commented Feb 24, 2019 • edited

romani commented Feb 25, 2019

romani commented Feb 25, 2019

romani commented Mar 15, 2019 • edited

romani commented Feb 24, 2019 •

edited

romani commented Mar 15, 2019 •

edited