Fix security issues (#29)

* Fix issues

* Updated dependency versions for github dependabot alerts

* Updated filename check

Co-authored-by: James Wood <[email protected]>

cws-service/src/main/java/jpl/cws/controller/RestService.java

@@ -299,7 +299,12 @@ public ModelAndView getInitiatorsHtmlTable() {
 	public @ResponseBody String deployModelerFile(
 			@RequestParam("filename") String filename,
 			@RequestParam("xmlData") String xmlData) {
-
+
+		// Don't allow filename to contain path modifiers
+		if (filename.contains("..") || filename.contains("/") || filename.contains("\\")) {
+			return "ERROR: Input filename '" + filename + "' cannot contain any path modifiers";
+		}
+
 		BufferedWriter bufferedWriter = null;
 		File f = null;
 		try {

cws-service/src/main/java/jpl/cws/process/initiation/InitiatorsService.java

@@ -29,6 +29,7 @@
 import org.xmlunit.builder.DiffBuilder;
 import org.xmlunit.diff.Diff;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -225,6 +226,7 @@ public void updateChangedInitiators(String newXmlContext) throws Exception {
 		waitForWorkingFileWrite(newXmlContext);
 
 		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+		dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 		DocumentBuilder db = dbf.newDocumentBuilder();
 
 		// Load the files

pom.xml

@@ -20,16 +20,16 @@
 	</scm>
 
 	<properties>
-		<activemq.version>5.14.5</activemq.version>
+		<activemq.version>5.15.9</activemq.version>
 		<activeio-core.version>3.1.4</activeio-core.version>
 		<software.amazon.awssdk.version>2.15.47</software.amazon.awssdk.version>
 		<!-- <boon.version>0.12</boon.version> -->
 		<camunda.version>7.13.0</camunda.version>
 		<camunda-spin.version>1.9.0</camunda-spin.version>
-		<commons-compress.version>1.5</commons-compress.version>
+		<commons-compress.version>1.18</commons-compress.version>
 		<commons-configuration.version>1.10</commons-configuration.version>
 		<commons-exec.version>1.3</commons-exec.version>
-		<commons-fileupload.version>1.3.1</commons-fileupload.version>
+		<commons-fileupload.version>1.3.3</commons-fileupload.version>
 		<commons-io.version>2.4</commons-io.version>
 		<commons-lang.version>2.6</commons-lang.version>
 		<commons-email.version>1.3.2</commons-email.version>
@@ -54,7 +54,7 @@
 		<jersey-client.version>2.6</jersey-client.version>
 		<jms.version>1.1</jms.version>
 		<joda-time.version>2.1</joda-time.version>
-		<junit.version>4.12</junit.version>
+		<junit.version>4.13.1</junit.version>
 		<jython-standalone.version>2.7.1b3</jython-standalone.version>
 		<!--<mariadb-java-client.version>2.0.3</mariadb-java-client.version>-->
         <mariadb-java-client.version>2.6.1</mariadb-java-client.version>
@@ -68,10 +68,10 @@
 		<maven-surefire-plugin.version>2.22.0</maven-surefire-plugin.version>
 		<mockito.version>1.9.5</mockito.version>
 		<mybatis.version>3.5.3</mybatis.version>
-		<mysql-connector.version>5.1.26</mysql-connector.version>
+		<mysql-connector.version>8.0.16</mysql-connector.version>
 		<phantomjsdriver.version>1.0.4</phantomjsdriver.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<quartz.version>2.2.1</quartz.version>
+		<quartz.version>2.3.2</quartz.version>
 		<selenium.version>3.14.0</selenium.version>
 		<servlet-api.version>3.1.0</servlet-api.version>
 		<slf4j.version>1.7.26</slf4j.version>