Commit Graph

948 Commits

Author SHA1 Message Date
Michael Bayne 935f77e3e8 Merge pull request #135 from sdgx/dos-start-delay
Small DoS mitigation: add start delay sanity check
2018-09-14 14:49:53 -07:00
Michael Bayne 2f0eae9753 Excise additional samskivert code. 2018-09-14 14:48:58 -07:00
Michael Bayne 24a23637a7 Avoid samskivert StringUtil import.
I thought I excised all of these except the Swing stuff, but apparently not.
I will finish that job.
2018-09-14 14:38:22 -07:00
Michael Bayne 0548befe2b Replace singleton with static methods.
Apologies for messing with code after the fact, but some OOPisms are just too
much for me to stomach. This should just be a function of two arguments. No
objects required.

Yes, we're now reparsing the whitelist on every call, but this function is
called only a handful of times.
2018-09-14 14:36:23 -07:00
Michael Bayne 64ce5c2e1c Merge pull request #136 from sdgx/patch-notes-url-command-injection
Avoid possible command injection (patch notes URL)
2018-09-14 14:35:45 -07:00
Michael Bayne 694457da53 Merge pull request #137 from sdgx/remove-legacy-main
Remove legacy Getdown.main( ) method
2018-09-14 14:34:41 -07:00
Michael Bayne 655da01d56 Merge pull request #138 from sdgx/url-whitelist-2
Implement URL host whitelist
2018-09-14 14:19:23 -07:00
Michael Bayne d6e1dba2c9 Plug Application constructor hole differently.
I can imagine scenarios where someone might legitimately want to extend
Application, so I'd rather not close off that avenue completely.
2018-09-14 14:14:09 -07:00
Michael Bayne a1894107af Merge pull request #139 from sdgx/ctor-invokes-overridable-function
Avoid calling overridable function from constructor
2018-09-14 14:12:55 -07:00
Daniel Gredler f49bc7daf5 Update dependencies and enable Mockito extension so that we can mock final classes 2018-09-13 16:43:53 -04:00
Daniel Gredler fdd767086a Avoid calling overridable function from constructor
When a constructor calls an overridable function, it may allow an attacker to access the "this" reference prior to the object being fully initialized, which can in turn lead to a vulnerability.

Application -> getLocalPath
ProxyPanel -> get
AbortPanel -> get
RotatingBackgrounds -> makeEmpty

(Triggered by internal security audit and Fortify analysis.)
2018-09-13 16:20:53 -04:00
Daniel Gredler dac72d1665 Implement URL host whitelist
Allows users to build customized Getdown JARs which can only talk to whitelisted hosts. This can be useful for very security-conscious organizations which want to distribute Getdown internally as a standard application bootstrapping mechanism, but want to ensure that it can only be used for internal applications.

This is an adaptation of the whitelist proof-of-concept discussed on the mailing list, adjusted to use the new Build class.

(Triggered by internal security audit and Fortify analysis.)
2018-09-13 12:18:33 -04:00
Daniel Gredler d9826ff895 Remove legacy Getdown.main( ) method
This method was apparently deprecated 12 years ago, when GetdownApp.main( ) was added. The immediate motivation is to eliminate some of the security noise around this method being a source of untrusted data, but in a more general sense it also probably makes sense to clean it up after not being used for so long.

(Triggered by internal security audit and Fortify analysis.)
2018-09-12 16:43:05 -04:00
Daniel Gredler 70174d2a98 Avoid possible command injection
Because we are running cmd.exe here, it is possible to use a malicious URL to execute arbitrary commands on the shell ( e.g. if url=http://my-patch-notes.com/" & del C:\ )

(Triggered by internal security audit and Fortify analysis.)
2018-09-12 16:26:25 -04:00
Michael Bayne 712b06f8fb Generate Build.java file with data from the build.
Currently includes build version and time, but additional build-time static
data can be easily added in the future.
2018-09-10 14:23:11 -07:00
Daniel Gredler a7d847a8e8 Small DoS mitigation: add start delay sanity check
These types of denial of service issues are more common in web applications, but even here an attacker could tie up system resources indefinitely by specifying a very large start delay.

(Triggered by internal security audit and Fortify analysis.)
2018-09-07 13:55:37 -04:00
Michael Bayne b0d2c75cee Name integration test properly. 2018-09-05 16:36:17 -07:00
Michael Bayne 3ab218cf22 Sigh, have to clean before verify due to Proguard blahblah.
Travis insists on running 'mvn install' before running our script. I wish it
wouldn't.
2018-09-05 16:23:03 -07:00
Michael Bayne 7adaa325a8 Run integration tests on Travis. 2018-09-05 16:18:28 -07:00
Michael Bayne 108f87d4c7 Simplify Color & Rectangle handling, fix bug.
We can just keep Color in its ARGB format and have a single static brightness()
helper. Reactangle grew a union method which allows us to avoid AWT's Rectangle
entirely.

stringsToList() needed to return null for null array input, and I went ahead
and used Arrays.asList while I was in there because we know the provenance of
the input array, no one will mutate it.
2018-09-05 16:11:20 -07:00
Michael Bayne f8efdea9ed Oops, committed that a bit too hastily. 2018-09-05 16:11:20 -07:00
Michael Bayne 3c9a023ec6 Provide a Charset to readAllLines. 2018-09-05 15:51:20 -07:00
Michael Bayne cc8ed1cd3a Create simple integration test for digester process.
Much of this lived in the separate testapp, but we can exercise a lot of the
code as an integration test in the main project, so let's do so.
2018-09-05 15:46:42 -07:00
Michael Bayne 4537401d09 Merge pull request #134 from sdgx/unsafe-public-fields
Unsafe public fields in UpdateInterface class: make public fields final
2018-09-05 14:44:22 -07:00
Daniel Gredler 1f2c736564 Unsafe public fields in UpdateInterface class: make public fields final
This commit makes the UpdateInterface class immutable. The Config -> UpdateInterface initialization is moved to the UpdateInterface constructor. Default values for the fields are moved to the constructor as well. Instances of String[] are changed to List<String> and made immutable. Instances of java.awt.Rectangle (which is mutable) are replaced with a new immutable com.threerings.getdown.util.Rectangle class.

Although java.awt.Color is (sort of) immutable, it was also removed and replaced with a new immutable com.threerings.getdown.util.Color class, since it was the last dependency from the getdown core module to anything in the java.awt package, which means that when we migrate to Java 9+ the core module should no longer require a dependency on the java.desktop module.

The assertions and expected values in ColorTest have been verified against the corresponding java.awt.Color values.

(Triggered by internal security audit and Fortify analysis.)
2018-09-05 17:07:58 -04:00
Michael Bayne 31c8315c1f Ignore target dirs in submodules. 2018-09-05 13:26:13 -07:00
Michael Bayne be5490dce7 Merged the tools module into core.
It wasn't actually providing any value. Neither tools nor core have any special
dependencies. The code in tools operates on the same files, formats and data
structures that core/runtime code operates on. It is simpler to have them in
the same module.
2018-09-04 16:06:37 -07:00
Michael Bayne 97ec8632ae Eliminate samskivert dependency in core.
I've long wanted to do this, but the launcher's use of all the samskivert UI
stuff made it onerous. Now that the launcher is a separate module, we can
remove the samskivert dependency in core (and tools), which simplifies things
and makes it easier to depend on core in a (future) self-updating app (when we
add support for that).
2018-09-04 13:54:40 -07:00
Michael Bayne 852d15a033 Change groupId to com.threerings.getdown.
I don't want to pollute the com.threerings top-level namespace with a bunch of
getdown-foo artifacts, and grouping everything under the top-level project
name, even when that name is repeated for all the artifacts is fairly standard
practice.
2018-09-04 12:36:48 -07:00
Michael Bayne a21657d6d0 Target 1.8-SNAPSHOT.
The new multi-module Getdown will be 1.8.
2018-09-04 12:33:38 -07:00
Michael Bayne 2cb99ed04d Use existing utility method.
This also avoids the weird old structure that closed an auto-closed input
stream inside the try-with-resources block.
2018-09-04 12:31:46 -07:00
Michael Bayne 8195460ee2 Remove obsolete Applet code. 2018-09-04 12:31:46 -07:00
Michael Bayne 4c383f99c7 Split Getdown into multiple (Maven) modules.
- core: the main Getdown logic code
- tools: code to create digest.txt & patch files
- launcher: the standalone launcher/updater app
- ant: the Ant task for creating digest.txt files

This paves the way for a proper Jigsaw-ification of the Getdown code.

I may further factor code out of getdown-launcher and into getdown-core to
enable the use-case where an app embeds Getdown completely and does not use the
launcher app/UI. That will also make it easier to create a JavaFX UI and retire
the old Swing UI.

This also moves the obsolete applet code into a separate applet module, which
is merely a temporary holding area. It will be deleted in the next commit.
2018-09-04 12:31:46 -07:00
Michael Bayne 8ff9bf4d68 Merge pull request #127 from sdgx/readme-version-info
Fix version info in README file
2018-09-04 08:44:54 -07:00
Michael Bayne 9b2f2364ca Merge pull request #128 from sdgx/locale-dependent-comparison
Use ROOT locale when lowercasing strings
2018-09-04 08:44:31 -07:00
Michael Bayne 1a7976281e Merge pull request #129 from sdgx/final-constants
Constants should be final
2018-09-04 08:43:05 -07:00
Michael Bayne e93ae413ca Merge pull request #130 from sdgx/file-delete-unchecked-return-value
Eliminate unchecked file.delete() return values
2018-09-04 08:41:37 -07:00
Daniel Gredler 15ea50dc55 Eliminate unchecked file.delete() return values, standardize the way files are deleted.
Ignoring a method's return value can cause the program to overlook unexpected states and conditions.
2018-08-31 14:04:00 -04:00
Daniel Gredler 9cd0c893ad Use ROOT locale when lowercasing strings, for consist results regardless of system locale 2018-08-30 18:07:39 -04:00
Daniel Gredler 010b9395c3 Constants should be final 2018-08-30 17:52:14 -04:00
Daniel Gredler 6b656869e7 Fix version info in README file 2018-08-30 17:49:30 -04:00
Michael Bayne d1d3102a97 Merge pull request #121 from sdgx/reliance-on-default-encoding
Reliance on default encoding
2018-08-30 14:13:11 -07:00
Michael Bayne 831a5e8b21 Merge pull request #122 from sdgx/weak-security-manager-check
Make security check method final
2018-08-30 14:10:43 -07:00
Michael Bayne 8988aa82b4 Some alternatives to/for null checking. 2018-08-30 14:09:24 -07:00
Michael Bayne 038b8351ac Merge pull request #124 from sdgx/missing-check-against-null
Add missing checks against null
2018-08-30 14:03:01 -07:00
Michael Bayne a2655c741a Formatting tweaks. 2018-08-30 13:55:21 -07:00
Michael Bayne 8f24ce4cc4 Merge pull request #125 from sdgx/missing-environment-variable
Missing environment variable handled incorrectly
2018-08-30 13:54:24 -07:00
Michael Bayne f33527284f Merge pull request #126 from sdgx/incompatible-bit-masks
Bitmasks using wrong operator? ("anything | 1 != 0" is always true)
2018-08-30 13:51:07 -07:00
Daniel Gredler ad6a08cdd3 Bitmasks seem to be using wrong operator ("anything | 1 != 0" is always true)
Note return value check was changed from != to == based on JavaDoc for return value and logic in overridden method in superclass.
2018-08-30 15:52:11 -04:00
Daniel Gredler 46f6814952 Missing environment variable handled incorrectly (mixup between varName and varValue) 2018-08-30 15:34:18 -04:00