
Handle http/https redirects when fetching using URL - security-caused problem #31

Open
linustolke opened this issue Jul 7, 2020 · 0 comments

@linustolke (Member)

When moving from argouml.tigris.org to github the following code suddenly caused problems:

URL url = anURL;
InputStream stream;
try {
    stream = url.openStream();
} catch (IOException e) {
    // ...act on the URL not existing...
}
// ...act on the URL existing...

The problem is that when redirecting from http: to https:, as from http://argouml.org to https://argouml-tigris-org.github.io, Java does not follow that redirect when opening the stream, so the stream is invalid and no Exception is thrown.

I have fixed this for the simplest case, in getValidURL in XmiReferenceResolverImpl.java, where it caused a test to fail (bf30ff1). There are a lot of other places in the code where a similar pattern is used and they should also be fixed, or at least protected with asserts to make sure that it is not an http: or https: URL.
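The behaviour described in the issue comes from HttpURLConnection only following redirects within the same protocol: on an http: to https: hop, openStream() returns the body of the 3xx response instead of the target, and no IOException is raised. The helper below is an added example, not code from the ArgoUML project or from the issue author. It follows 3xx hops by hand, refuses redirects to non-HTTP schemes and https: to http: downgrades, and turns 4xx/5xx answers into the IOException the calling pattern in the issue relies on. The class and method names, the timeout values, and the MAX_REDIRECTS bound are assumptions made for this example; requireNonHttp is one way to implement the assert-style guard the issue suggests for call sites that keep using url.openStream() directly.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical helper (not ArgoUML code): opens a URL while following
 * 3xx redirects explicitly, so an http: -> https: hop is honoured and a
 * missing resource surfaces as an IOException.
 */
public final class RedirectAwareFetch {

    /** Upper bound on redirect hops; an assumed value that stops redirect loops. */
    private static final int MAX_REDIRECTS = 5;

    private RedirectAwareFetch() { }

    public static InputStream openFollowingRedirects(URL start) throws IOException {
        Set<String> visited = new HashSet<>();
        URL current = start;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!visited.add(current.toExternalForm())) {
                throw new IOException("Redirect loop at " + current);
            }
            URLConnection conn = current.openConnection();
            if (!(conn instanceof HttpURLConnection)) {
                // file:, jar: and similar schemes have no redirect semantics;
                // a missing resource already raises IOException here.
                return conn.getInputStream();
            }
            HttpURLConnection http = (HttpURLConnection) conn;
            // HttpURLConnection follows only same-protocol redirects on its own,
            // so disable that and handle every hop explicitly.
            http.setInstanceFollowRedirects(false);
            http.setConnectTimeout(10_000);   // assumed value
            http.setReadTimeout(10_000);      // assumed value

            int code = http.getResponseCode();
            if (code >= 300 && code < 400) {
                String location = http.getHeaderField("Location");
                http.disconnect();
                if (location == null) {
                    throw new IOException("HTTP " + code + " without Location from " + current);
                }
                URL next = new URL(current, location);   // resolves relative Location values
                String scheme = next.getProtocol();
                if (!scheme.equals("http") && !scheme.equals("https")) {
                    throw new IOException("Refusing redirect to non-HTTP scheme: " + next);
                }
                if (current.getProtocol().equals("https") && scheme.equals("http")) {
                    // Design choice: never silently downgrade from TLS to plaintext.
                    throw new IOException("Refusing https -> http downgrade: " + next);
                }
                current = next;
                continue;
            }
            if (code >= 400) {
                // Turn 404/5xx into the IOException the callers expect.
                http.disconnect();
                throw new IOException("HTTP " + code + " for " + current);
            }
            return http.getInputStream();
        }
        throw new IOException("More than " + MAX_REDIRECTS + " redirects from " + start);
    }

    /**
     * Guard for call sites that keep using url.openStream() directly:
     * fail loudly on http/https URLs instead of reading a redirect body.
     */
    public static URL requireNonHttp(URL url) {
        String scheme = url.getProtocol();
        if (scheme.equals("http") || scheme.equals("https")) {
            throw new IllegalArgumentException(
                "Plain url.openStream() does not follow http -> https redirects: " + url);
        }
        return url;
    }

    /** Usage: java RedirectAwareFetch <url>; prints the number of bytes read. */
    public static void main(String[] args) throws IOException {
        try (InputStream in = openFollowingRedirects(new URL(args[0]))) {
            long total = 0;
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
            }
            System.out.println(total + " bytes from " + args[0]);
        }
    }
}
```

Against a URL that answers 301 to an https: location, openFollowingRedirects returns the redirected content; against a URL that answers 404 it throws IOException, which is the signal the try/catch in the issue's pattern depends on. The downgrade refusal is a deliberate choice for this example rather than something the issue asks for.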

Fatimasn pushed a commit to Fatimasn/ArgoUML that referenced this issue May 13, 2024
Patch Set 2:

(1 comment)

> Patch Set 1:
> 
> > Patch Set 1:
> > 
> > The tests are still not working. Strange.
> 
> When I run the tests, I'm getting:
> 
> Tests run: 1175, Failures: 0, Errors: 1, Skipped: 0
> 
> and the failed test is
> org.argouml.uml.ui.foundation.extension_mechanisms.TestUMLTagDefinitionComboBoxModel.testGetApplicableTagDefinitionsIssue6008
> 
> And it fails because it tries to download the file:
> 
> http://argouml.org/user-profiles/Profile4testGetApplicableTagDefinitionsIssue60087642449135064096360.xmi
> 
> I can't even find this file from the git sources.
> 
> This test is failing even without my corrections.
> 
> Where do you see the tests results on gerrit?

The test results are not available on Gerrit but it is the exact same result as you are seeing.

And your analysis is wrong, ;-). The test fails because when attempting to download the file http://argouml.org/user-profiles/Profile4testGetApplicableTagDefinitionsIssue6008whatever it doesn't fail. The code and the test require it to fail with an IOException meaning file/resource does not exist, when it doesn't it cannot open the file.

I have fixed that now. I will rebase the rest of your changes and take action, now that the tests are working.

I have also created an issue argouml-tigris-org/argouml#31.

Patch-set: 2
Reviewer: Gerrit User 1016795 <1016795@d5d70762-12d0-45a1-890d-524b12d3f735>