Merge pull request #369 from ChargeTimeEU/fix_issues_reported_by_scanners

robert-s-ubi · web-flow · commit 45710c2a6984 · 2025-12-05T08:19:32.000+01:00
Fix security and quality issues found by scanners
diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/Draft_HttpHealthCheck.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/Draft_HttpHealthCheck.java
@@ -22,7 +22,7 @@ class Draft_HttpHealthCheck extends Draft {
 
     static Boolean isHttp(ClientHandshake handshakedata) {
         String upgradeField = handshakedata.getFieldValue("Upgrade");
-        return upgradeField == null || upgradeField == "";
+        return upgradeField == null || upgradeField.isEmpty();
     }
 
     @Override
diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
@@ -271,7 +271,11 @@ public void close() {
         server.stop();
       } catch (InterruptedException ex) {
         logger.error("Failed to close listener", ex);
+        // restore thread interrupted state
+        Thread.currentThread().interrupt();
       }
+      // restore thread interrupted state
+      Thread.currentThread().interrupt();
     } finally {
       closed = true;
       server = null;
diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/Communicator.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/Communicator.java
@@ -363,6 +363,10 @@ public void run() {
           Thread.sleep(DELAY_IN_MILLISECONDS);
           if (!hasFailed()) popRetryMessage();
         }
+      } catch (InterruptedException ex) {
+        logger.warn("RetryRunner::run() interrupted", ex);
+        // restore thread interrupted state
+        Thread.currentThread().interrupt();
       } catch (Exception ex) {
         logger.warn("RetryRunner::run() failed", ex);
       }
diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/utilities/SugarUtil.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/utilities/SugarUtil.java
@@ -31,6 +31,7 @@ of this software and associated documentation files (the "Software"), to deal
 import java.io.IOException;
 import java.io.StringWriter;
 import java.time.ZonedDateTime;
+import javax.xml.XMLConstants;
 import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
 import javax.xml.transform.Transformer;
@@ -50,6 +51,9 @@ public static String docToString(Document doc) {
     try {
       StringWriter sw = new StringWriter();
       TransformerFactory tf = TransformerFactory.newInstance();
+      // disable access to external entities to prevent XXE attacks
+      tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+      tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
       Transformer transformer = tf.newTransformer();
       transformer.transform(new DOMSource(doc), new StreamResult(sw));
       return sw.toString();
diff --git a/ocpp-v1_6-example/json-client-implementation/pom.xml b/ocpp-v1_6-example/json-client-implementation/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.5.6</version>
+		<version>3.2.0</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>eu.chargetime.ocpp</groupId>
diff --git a/ocpp-v1_6-example/json-client-implementation/src/test/java/eu/chargetime/ocpp/jsonclientimplementation/ocpphandler/OCPPHandlerTest.java b/ocpp-v1_6-example/json-client-implementation/src/test/java/eu/chargetime/ocpp/jsonclientimplementation/ocpphandler/OCPPHandlerTest.java
@@ -47,8 +47,13 @@ public void testOCPPAuthorizeHandler() {
                     .toCompletableFuture().get();
             assertTrue(true);
             assertEquals(AuthorizationStatus.Accepted,authorizeConfirmation.getIdTagInfo().getStatus());
-        } catch (OccurenceConstraintException | UnsupportedFeatureException
-                | ExecutionException | InterruptedException e) {
+        } catch (InterruptedException e) {
+          log.error("Thread interrupted: " + e);
+          // restore thread interrupted state
+          Thread.currentThread().interrupt();
+          log.error("Test will fail");
+          assertTrue(false);
+        } catch (OccurenceConstraintException | UnsupportedFeatureException | ExecutionException e) {
             log.error("Exception occurred: " + e);
             log.error("Test will fail");
             assertTrue(false);
diff --git a/ocpp-v1_6-example/json_server_example/pom.xml b/ocpp-v1_6-example/json_server_example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.5.6</version>
+		<version>3.2.0</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>eu.chargetime.ocpp</groupId>
diff --git a/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/SOAPTestClient.java b/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/SOAPTestClient.java
@@ -143,7 +143,9 @@ private void openWS() {
                 try {
                   soapMessage = transmitter.relay(message.getMessage()).get();
                 } catch (InterruptedException e) {
-                  logger.warn("openWS() transmitter.relay failed", e);
+                  logger.warn("openWS() transmitter.relay interrupted", e);
+                  // restore thread interrupted state
+                  Thread.currentThread().interrupt();
                 } catch (ExecutionException e) {
                   logger.warn("openWS() transmitter.relay failed", e);
                 }
diff --git a/ocpp-v1_6/src/main/java/eu/chargetime/ocpp/SOAPClient.java b/ocpp-v1_6/src/main/java/eu/chargetime/ocpp/SOAPClient.java
@@ -150,7 +150,9 @@ private void openWS() {
                 try {
                   soapMessage = transmitter.relay(message.getMessage()).get();
                 } catch (InterruptedException e) {
-                  logger.warn("openWS() transmitter.relay failed", e);
+                  logger.warn("openWS() transmitter.relay interrupted", e);
+                  // restore thread interrupted state
+                  Thread.currentThread().interrupt();
                 } catch (ExecutionException e) {
                   logger.warn("openWS() transmitter.relay failed", e);
                 }
diff --git a/ocpp-v1_6/src/main/java/eu/chargetime/ocpp/WebServiceListener.java b/ocpp-v1_6/src/main/java/eu/chargetime/ocpp/WebServiceListener.java
@@ -146,7 +146,11 @@ public void timeout() {
       SOAPMessage confirmation = null;
       try {
         confirmation = chargeBoxes.get(identity).relay(message).get();
-      } catch (InterruptedException | ExecutionException e) {
+      } catch (InterruptedException e) {
+        logger.warn("incomingRequest() chargeBoxes.relay interrupted", e);
+        // restore thread interrupted state
+        Thread.currentThread().interrupt();
+      } catch (ExecutionException e) {
         logger.warn("incomingRequest() chargeBoxes.relay failed", e);
       }
 
diff --git a/ocpp-v1_6/src/main/java/eu/chargetime/ocpp/model/validation/IdentifierStringValidationRule.java b/ocpp-v1_6/src/main/java/eu/chargetime/ocpp/model/validation/IdentifierStringValidationRule.java
@@ -31,7 +31,7 @@ of this software and associated documentation files (the "Software"), to deal
 
 public class IdentifierStringValidationRule implements IValidationRule {
   private final String ERROR_MESSAGE = "Illegal character(s) in IdentifierString.";
-  private final String PATTERN = "([a-zA-Z0-9]|\\*|\\-|\\_|\\=|\\:|\\+|\\||\\@|\\.)+";
+  private final String PATTERN = "^[\\w\\Q*-=:+|@.\\E]{0,255}$";
 
   @Override
   public void validate(String value) throws PropertyConstraintException {
diff --git a/ocpp-v1_6/src/test/java/eu/chargetime/ocpp/test/SOAPCommunicatorTest.java b/ocpp-v1_6/src/test/java/eu/chargetime/ocpp/test/SOAPCommunicatorTest.java
@@ -14,6 +14,7 @@
 import java.io.StringWriter;
 import java.time.ZonedDateTime;
 import java.util.Locale;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Transformer;
@@ -69,6 +70,9 @@ public static String docToString(Document doc) {
     try {
       StringWriter sw = new StringWriter();
       TransformerFactory tf = TransformerFactory.newInstance();
+      // disable access to external entities to prevent XXE attacks
+      tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+      tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
       Transformer transformer = tf.newTransformer();
       transformer.transform(new DOMSource(doc), new StreamResult(sw));
       return sw.toString();
@@ -79,6 +83,10 @@ public static String docToString(Document doc) {
 
   public static Document stringToDocument(String xml) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    // disable access to external entities to prevent XXE attacks
+    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+    factory.setExpandEntityReferences(false);
     factory.setNamespaceAware(true);
     DocumentBuilder db = factory.newDocumentBuilder();
 
diff --git a/ocpp-v2-test/src/test/java/eu/chargetime/ocpp/test/OCPP201MultiProtocolIntegrationTest.java b/ocpp-v2-test/src/test/java/eu/chargetime/ocpp/test/OCPP201MultiProtocolIntegrationTest.java
@@ -74,6 +74,8 @@ private FakeCSMS setupAndStartCSMS(List<ProtocolVersion> protocolVersions) {
     try {
       Thread.sleep(100);
     } catch (InterruptedException e) {
+      // restore thread interrupted state
+      Thread.currentThread().interrupt();
       throw new RuntimeException(e);
     }
     assertThat(csms.getPort(), not(0));
diff --git a/ocpp-v2/src/main/java/eu/chargetime/ocpp/MultiProtocolWebSocketListener.java b/ocpp-v2/src/main/java/eu/chargetime/ocpp/MultiProtocolWebSocketListener.java
@@ -300,7 +300,11 @@ public void close() {
         server.stop();
       } catch (InterruptedException ex) {
         logger.error("Failed to close listener", ex);
+        // restore thread interrupted state
+        Thread.currentThread().interrupt();
       }
+      // restore thread interrupted state
+      Thread.currentThread().interrupt();
     } finally {
       closed = true;
       server = null;
diff --git a/ocpp-v2_0/src/main/java/eu/chargetime/ocpp/model/validation/IdentifierStringValidationRule.java b/ocpp-v2_0/src/main/java/eu/chargetime/ocpp/model/validation/IdentifierStringValidationRule.java
@@ -30,7 +30,7 @@ of this software and associated documentation files (the "Software"), to deal
 
 public class IdentifierStringValidationRule implements IValidationRule {
   private final String ERROR_MESSAGE = "Illegal character(s) in IdentifierString.";
-  private final String PATTERN = "([a-zA-Z0-9]|\\*|\\-|\\_|\\=|\\:|\\+|\\||\\@|\\.)+";
+  private final String PATTERN = "^[\\w\\Q*-=:+|@.\\E]{0,255}$";
 
   @Override
   public void validate(String value) throws PropertyConstraintException {

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ class Draft_HttpHealthCheck extends Draft {`
`22`	`22`
`23`	`23`	`static Boolean isHttp(ClientHandshake handshakedata) {`
`24`	`24`	`String upgradeField = handshakedata.getFieldValue("Upgrade");`
`25`		`- return upgradeField == null \|\| upgradeField == "";`
	`25`	`+ return upgradeField == null \|\| upgradeField.isEmpty();`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -363,6 +363,10 @@ public void run() {`
`363`	`363`	`Thread.sleep(DELAY_IN_MILLISECONDS);`
`364`	`364`	`if (!hasFailed()) popRetryMessage();`
`365`	`365`	`}`
	`366`	`+ } catch (InterruptedException ex) {`
	`367`	`+ logger.warn("RetryRunner::run() interrupted", ex);`
	`368`	`+ // restore thread interrupted state`
	`369`	`+ Thread.currentThread().interrupt();`
`366`	`370`	`} catch (Exception ex) {`
`367`	`371`	`logger.warn("RetryRunner::run() failed", ex);`
`368`	`372`	`}`