Fridrich Strba 2024-04-15 18:12:18 +00:00 committed by Git OBS Bridge
parent f1d42e5dde
commit 7b77c168d6
7 changed files with 124 additions and 26 deletions


@ -1,17 +1,17 @@
From bce3019741aeb785658b23095ae408a6c2d8ca35 Mon Sep 17 00:00:00 2001
From c8fcf5bd1154bd435e57b12100eb282034f4990f Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 31 May 2017 13:44:36 +0200
Subject: [PATCH 1/2] Avoid accidental javascript in javadoc
Subject: [PATCH 1/4] Avoid accidental javascript in javadoc
---
src/main/java/org/testng/xml/TestNGContentHandler.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/testng/xml/TestNGContentHandler.java b/src/main/java/org/testng/xml/TestNGContentHandler.java
index b74572a..7c490e9 100644
index f464412d..9d2da018 100644
--- a/src/main/java/org/testng/xml/TestNGContentHandler.java
+++ b/src/main/java/org/testng/xml/TestNGContentHandler.java
@@ -250,7 +250,9 @@ public class TestNGContentHandler extends DefaultHandler {
@@ -298,7 +298,9 @@ public class TestNGContentHandler extends DefaultHandler {
}
}
@ -23,5 +23,5 @@ index b74572a..7c490e9 100644
if (start) {
m_currentLanguage = attributes.getValue("language");
--
2.20.1
2.44.0


@ -1,7 +1,7 @@
From 9155677e2d5acdd2379c38041189da52c7f04946 Mon Sep 17 00:00:00 2001
From e579eeb8505135c415e3742993de3cbb6b21d9d9 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 18 Jul 2018 15:57:49 +0200
Subject: [PATCH 2/2] Replace bundled jquery with CDN link
Subject: [PATCH 2/4] Replace bundled jquery with CDN link
---
src/main/java/org/testng/reporters/jq/Main.java | 1 -
@ -9,7 +9,7 @@ Subject: [PATCH 2/2] Replace bundled jquery with CDN link
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/main/java/org/testng/reporters/jq/Main.java b/src/main/java/org/testng/reporters/jq/Main.java
index efd6799..2d8b74e 100644
index efd6799a..2d8b74e1 100644
--- a/src/main/java/org/testng/reporters/jq/Main.java
+++ b/src/main/java/org/testng/reporters/jq/Main.java
@@ -21,7 +21,6 @@ public class Main implements IReporter {
@ -21,7 +21,7 @@ index efd6799..2d8b74e 100644
"testng-reports.js",
"testng-reports1.css",
diff --git a/src/main/resources/org/testng/header b/src/main/resources/org/testng/header
index f5abbc3..817badc 100644
index f5abbc3e..817badce 100644
--- a/src/main/resources/org/testng/header
+++ b/src/main/resources/org/testng/header
@@ -7,7 +7,7 @@
@ -34,5 +34,5 @@ index f5abbc3..817badc 100644
<script type="text/javascript" src="https://www.google.com/jsapi"></script>
<script type='text/javascript'>
--
2.31.1
2.44.0


@ -0,0 +1,45 @@
From aa7331aba84d9061ff57d55aa3da4f4e73bb1602 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Bianchin?= <labianchin@users.noreply.github.com>
Date: Fri, 28 Apr 2023 13:49:38 +0200
Subject: [PATCH 3/4] Upgrade snakeyaml to 2.0
Includes CVE fix https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for https://nvd.nist.gov/vuln/detail/CVE-2022-1471
---
src/main/java/org/testng/internal/Yaml.java | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/testng/internal/Yaml.java b/src/main/java/org/testng/internal/Yaml.java
index 3bd146a2..db17b60d 100644
--- a/src/main/java/org/testng/internal/Yaml.java
+++ b/src/main/java/org/testng/internal/Yaml.java
@@ -8,6 +8,7 @@ import org.testng.xml.XmlPackage;
import org.testng.xml.XmlScript;
import org.testng.xml.XmlSuite;
import org.testng.xml.XmlTest;
+import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.TypeDescription;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.nodes.MappingNode;
@@ -29,7 +30,7 @@ public final class Yaml {
private Yaml() {}
public static XmlSuite parse(String filePath, InputStream is) throws FileNotFoundException {
- Constructor constructor = new TestNGConstructor(XmlSuite.class);
+ Constructor constructor = new TestNGConstructor(XmlSuite.class, new LoaderOptions());
{
TypeDescription suiteDescription = new TypeDescription(XmlSuite.class);
suiteDescription.addPropertyParameters("packages", XmlPackage.class);
@@ -303,8 +304,8 @@ public final class Yaml {
private static class TestNGConstructor extends Constructor {
- public TestNGConstructor(Class<?> theRoot) {
- super(theRoot);
+ public TestNGConstructor(Class<?> theRoot, LoaderOptions loadingConfig) {
+ super(theRoot, loadingConfig);
yamlClassConstructors.put(NodeId.scalar, new ConstructParallelMode());
yamlClassConstructors.put(NodeId.mapping, new ConstructXmlScript());
}
--
2.44.0
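Review bot: The `new LoaderOptions()` passed inline to `TestNGConstructor` carries no hint that its defaults are what actually mitigates the CVE cited in the patch header, and since `TestNGConstructor` still extends `Constructor` rather than `SafeConstructor`, the protection against arbitrary class instantiation rests entirely on SnakeYAML 2.x's default options (global tags rejected unless a `TagInspector` allows them). I would hoist it into a named variable with a comment so a later edit does not quietly loosen it: `// SnakeYAML 2.x default LoaderOptions rejects global tags (CVE-2022-1471); do not relax without review`, `LoaderOptions loaderOptions = new LoaderOptions();`, `Constructor constructor = new TestNGConstructor(XmlSuite.class, loaderOptions);`. The defaults also presumably change parsing limits (alias count, code-point limit, recursive keys) relative to the 1.x behaviour, which the patch description does not mention — worth a sentence there. The `Yaml` instance that consumes `constructor` is outside the hunk, so whether it picks up the same options cannot be confirmed from here.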


@ -0,0 +1,52 @@
From 99ba3bc7a03fb8d55cd938d5def9e5a71a9ee92b Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Mon, 3 Oct 2022 21:21:05 +0000
Subject: [PATCH 4/4] vuln-fix: Zip Slip Vulnerability
This fixes a Zip-Slip vulnerability.
This change does one of two things. This change either
1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16
Co-authored-by: Moderne <team@moderne.io>
---
src/main/java/org/testng/JarFileUtils.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
index 683a8b55..8eb15759 100644
--- a/src/main/java/org/testng/JarFileUtils.java
+++ b/src/main/java/org/testng/JarFileUtils.java
@@ -77,7 +77,9 @@ class JarFileUtils {
if (Parser.canParse(jeName.toLowerCase())) {
InputStream inputStream = jf.getInputStream(je);
File copyFile = new File(file, jeName);
- Files.copyFile(inputStream, copyFile);
+ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
if (matchesXmlPathInJar(je)) {
suitePath = copyFile.toString();
}
--
2.44.0
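Review bot: The new side of this hunk validates `copyFile` but never writes it: the `Files.copyFile(inputStream, copyFile);` line is removed and not re-added after the guard, which the hunk counts (`-77,7 +77,9`, "3 insertions(+), 1 deletion(-)") confirm, so a jar entry that passes the Zip Slip check is no longer extracted and `suitePath` below names a file that was never created. The superseded `testng-CVE-2022-4065.patch` kept the copy as a context line after the guard, so this looks like a line lost in the re-cherry-pick rather than an intended change. Re-add `Files.copyFile(inputStream, copyFile);` immediately after the guard's closing `}` so the check still precedes the write. The guard itself handles `..` traversal correctly because `Path.startsWith` compares whole components, though it does not resolve symlinks already present under `file`; the enclosing method begins and ends outside the hunk.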


@ -1,14 +0,0 @@
diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
index 683a8b5..2f2ed8f 100644
--- a/src/main/java/org/testng/JarFileUtils.java
+++ b/src/main/java/org/testng/JarFileUtils.java
@@ -77,6 +77,9 @@ class JarFileUtils {
if (Parser.canParse(jeName.toLowerCase())) {
InputStream inputStream = jf.getInputStream(je);
File copyFile = new File(file, jeName);
+ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
Files.copyFile(inputStream, copyFile);
if (matchesXmlPathInJar(je)) {
suitePath = copyFile.toString();


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Mon Apr 15 18:07:44 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Modified patches:
* 0001-Avoid-accidental-javascript-in-javadoc.patch
* 0002-Replace-bundled-jquery-with-CDN-link.patch
* testng-CVE-2022-4065.patch ->
0004-vuln-fix-Zip-Slip-Vulnerability.patch
+ re-cherry-pick and rediff in git
- Added patch:
* 0003-Upgrade-snakeyaml-to-2.0.patch
+ Fix build against snakeyaml >= 2.0
-------------------------------------------------------------------
Wed Feb 21 17:12:29 UTC 2024 - Fridrich Strba <fstrba@suse.com>


@ -28,7 +28,8 @@ Source1: pom.xml
Source2: %{name}-build.xml
Patch0: 0001-Avoid-accidental-javascript-in-javadoc.patch
Patch1: 0002-Replace-bundled-jquery-with-CDN-link.patch
Patch2: testng-CVE-2022-4065.patch
Patch2: 0003-Upgrade-snakeyaml-to-2.0.patch
Patch3: 0004-vuln-fix-Zip-Slip-Vulnerability.patch
BuildRequires: ant
BuildRequires: beust-jcommander
BuildRequires: bsh2
@ -37,7 +38,7 @@ BuildRequires: google-guice
BuildRequires: javapackages-local >= 6
BuildRequires: jsr-305
BuildRequires: junit
BuildRequires: snakeyaml
BuildRequires: snakeyaml >= 2.0
BuildArch: noarch
%description
@ -59,6 +60,7 @@ This package contains the API documentation for %{name}.
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
sed 's/@VERSION@/%{version}/' %{SOURCE1} > pom.xml
cp %{SOURCE2} build.xml