fix: CVE-2022-41967

Dragonfly v0.3.0-SNAPSHOT fails to properly configure the
DocumentBuilderFactory to prevent XML enternal entity (XXE) attacks when
parsing maven-metadata.xml files provided by external Maven repositories
during "SNAPSHOT" version resolution.

This patches CVE-2022-41967 by disabling features which may lead to XXE.
If you are currently using v0.3.0-SNAPSHOT it is STRONGLY advised to
update Dragonfly to v0.3.1-SNAPSHOT just to be safe.

Author: joshuasing

AUTHORS

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Joshua Sing <[email protected]>
+Copyright (c) 2021-2022 Joshua Sing <[email protected]>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

LICENSE

@@ -7,8 +7,8 @@
 
 ### Supported Versions
 | Version | Supported          |
-| ------- | ------------------ |
-| 0.3.0   | :white_check_mark: |
+|---------| ------------------ |
+| 0.3.x   | :white_check_mark: |
 | < 0.3   | :x:                |
 
 ### Reporting a Vulnerability

SECURITY.md

@@ -29,7 +29,7 @@
 
   <groupId>dev.hypera</groupId>
   <artifactId>Dragonfly</artifactId>
-  <version>0.3.0-SNAPSHOT</version>
+  <version>0.3.1-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>Dragonfly</name>
@@ -121,7 +121,7 @@
     <dependency>
       <groupId>org.jetbrains</groupId>
       <artifactId>annotations</artifactId>
-      <version>22.0.0</version>
+      <version>23.1.0</version>
     </dependency>
     <dependency>
       <groupId>me.lucko</groupId>

pom.xml

@@ -40,23 +40,24 @@
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 import org.jetbrains.annotations.ApiStatus.Internal;
+import org.jetbrains.annotations.NotNull;
 
 /**
  * Main Dragonfly class.
  * @author Joshua Sing <[email protected]>
  */
 public class Dragonfly {
 
-	private static final String VERSION = "0.3.0-SNAPSHOT";
+	private static final @NotNull String VERSION = "0.3.1-SNAPSHOT";
 
 	private final int timeout;
-	private final Path directory;
-	private final Set<String> repositories;
-	private final Consumer<Status> statusHandler;
+	private final @NotNull Path directory;
+	private final @NotNull Set<String> repositories;
+	private final @NotNull Consumer<Status> statusHandler;
 
-	private final DependencyDownloader dependencyDownloader = new DependencyDownloader(this);
-	private final DependencyRelocator dependencyRelocator;
-	private final DependencyLoader dependencyLoader;
+	private final @NotNull DependencyDownloader dependencyDownloader = new DependencyDownloader(this);
+	private final @NotNull DependencyRelocator dependencyRelocator;
+	private final @NotNull DependencyLoader dependencyLoader;
 
 
 	@Internal
@@ -74,7 +75,7 @@ protected Dragonfly(int timeout, IClassLoader classLoader, Path directory, Set<S
 		}
 	}
 
-	public static String getVersion() {
+	public static @NotNull String getVersion() {
 		return VERSION;
 	}
 
@@ -84,7 +85,7 @@ public static String getVersion() {
 	 * @param dependencies Dependencies to be loaded.
 	 * @return If the load was successful, in the form of a {@link CompletableFuture<Boolean>}.
 	 */
-	public CompletableFuture<Boolean> load(Dependency... dependencies) {
+	public @NotNull CompletableFuture<Boolean> load(@NotNull Dependency... dependencies) {
 		return CompletableFuture.supplyAsync(() -> {
 			try {
 				statusHandler.accept(Status.STARTING);
@@ -137,11 +138,11 @@ public int getTimeout() {
 		return timeout;
 	}
 
-	public Path getDirectory() {
+	public @NotNull Path getDirectory() {
 		return directory;
 	}
 
-	public Set<String> getRepositories() {
+	public @NotNull Set<String> getRepositories() {
 		return repositories;
 	}
 
@@ -151,7 +152,7 @@ public Set<String> getRepositories() {
 	 * @return Stored instance of {@link DependencyDownloader}.
 	 */
 	@Internal
-	public DependencyDownloader getDependencyDownloader() {
+	public @NotNull DependencyDownloader getDependencyDownloader() {
 		return dependencyDownloader;
 	}
 

src/main/java/dev/hypera/dragonfly/Dragonfly.java

@@ -32,6 +32,7 @@
 import java.util.HashSet;
 import java.util.Set;
 import java.util.function.Consumer;
+import org.jetbrains.annotations.Contract;
 import org.jetbrains.annotations.NotNull;
 
 /**
@@ -115,6 +116,7 @@ private DragonflyBuilder(@NotNull IClassLoader classLoader, @NotNull Path direct
 	 *
 	 * @return New {@link Dragonfly} instance.
 	 */
+	@Contract(value = "-> new", pure = true)
 	public @NotNull Dragonfly build() {
 		try {
 			return new Dragonfly(timeout, classLoader, directory, repositories, deleteOnRelocate, statusHandler);

src/main/java/dev/hypera/dragonfly/DragonflyBuilder.java

@@ -41,8 +41,8 @@
 @Downloader(MavenDependency.class)
 public class MavenDownloader implements IDownloader<MavenDependency> {
 
-	private final MavenResolver resolver = new MavenResolver();
-	private final MavenSnapshotResolver snapshotResolver = new MavenSnapshotResolver();
+	private final @NotNull MavenResolver resolver = new MavenResolver();
+	private final @NotNull MavenSnapshotResolver snapshotResolver = new MavenSnapshotResolver();
 
 	@Override
 	public void download(@NotNull Dragonfly dragonfly, @NotNull MavenDependency dependency) throws DownloadFailureException {

src/main/java/dev/hypera/dragonfly/downloaders/impl/MavenDownloader.java

@@ -23,25 +23,29 @@
 
 package dev.hypera.dragonfly.exceptions;
 
+import org.jetbrains.annotations.NotNull;
+
 public class DownloadFailureException extends DragonflyException {
 
+	private static final long serialVersionUID = 5648475409314204882L;
+
 	public DownloadFailureException() {
 		super();
 	}
 
-	public DownloadFailureException(String message) {
+	public DownloadFailureException(@NotNull String message) {
 		super(message);
 	}
 
-	public DownloadFailureException(String message, Throwable cause) {
+	public DownloadFailureException(@NotNull String message, @NotNull Throwable cause) {
 		super(message, cause);
 	}
 
-	public DownloadFailureException(Throwable cause) {
+	public DownloadFailureException(@NotNull Throwable cause) {
 		super(cause);
 	}
 
-	protected DownloadFailureException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+	protected DownloadFailureException(@NotNull String message, @NotNull Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
 		super(message, cause, enableSuppression, writableStackTrace);
 	}
 

src/main/java/dev/hypera/dragonfly/exceptions/DownloadFailureException.java

@@ -23,29 +23,33 @@
 
 package dev.hypera.dragonfly.exceptions;
 
+import org.jetbrains.annotations.NotNull;
+
 /**
  * Dragonfly Exception.
  * @author Joshua Sing <[email protected]>
  */
 public class DragonflyException extends Exception {
 
+	private static final long serialVersionUID = 3565376065959848642L;
+
 	public DragonflyException() {
 		super();
 	}
 
-	public DragonflyException(String message) {
+	public DragonflyException(@NotNull String message) {
 		super(message);
 	}
 
-	public DragonflyException(String message, Throwable cause) {
+	public DragonflyException(@NotNull String message, @NotNull Throwable cause) {
 		super(message, cause);
 	}
 
-	public DragonflyException(Throwable cause) {
+	public DragonflyException(@NotNull Throwable cause) {
 		super(cause);
 	}
 
-	protected DragonflyException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+	protected DragonflyException(@NotNull String message, @NotNull Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
 		super(message, cause, enableSuppression, writableStackTrace);
 	}
 

src/main/java/dev/hypera/dragonfly/exceptions/DragonflyException.java

@@ -23,25 +23,29 @@
 
 package dev.hypera.dragonfly.exceptions;
 
+import org.jetbrains.annotations.NotNull;
+
 public class LoadFailureException extends DragonflyException {
 
+	private static final long serialVersionUID = -8555618454694039541L;
+
 	public LoadFailureException() {
 		super();
 	}
 
-	public LoadFailureException(String message) {
+	public LoadFailureException(@NotNull String message) {
 		super(message);
 	}
 
-	public LoadFailureException(String message, Throwable cause) {
+	public LoadFailureException(@NotNull String message, @NotNull Throwable cause) {
 		super(message, cause);
 	}
 
-	public LoadFailureException(Throwable cause) {
+	public LoadFailureException(@NotNull Throwable cause) {
 		super(cause);
 	}
 
-	protected LoadFailureException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+	protected LoadFailureException(@NotNull String message, @NotNull Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
 		super(message, cause, enableSuppression, writableStackTrace);
 	}