All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.owasp.dependencycheck.utils.URLConnectionFactory Maven / Gradle / Ivy

Go to download

dependency-check-utils is a collection of common utility classes used within dependency-check that might be useful in other projects.

The newest version!
/*
 * This file is part of dependency-check-utils.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
package org.owasp.dependencycheck.utils;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.commons.lang3.StringUtils;

import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.SocketAddress;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static java.nio.charset.StandardCharsets.UTF_8;

/**
 * A URLConnection Factory to create new connections. This encapsulates several
 * configuration checks to ensure that the connection uses the correct proxy
 * settings.
 *
 * @author Jeremy Long
 */
public final class URLConnectionFactory {

    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(URLConnectionFactory.class);
    /**
     * The configured settings.
     */
    private final Settings settings;

    /**
     * Private constructor for this factory.
     *
     * @param settings reference to the configured settings
     */
    public URLConnectionFactory(Settings settings) {
        this.settings = settings;
    }

    /**
     * Utility method to create an HttpURLConnection. If the application is
     * configured to use a proxy this method will retrieve the proxy settings
     * and use them when setting up the connection.
     *
     * @param url the URL to connect to
     * @return an HttpURLConnection
     * @throws org.owasp.dependencycheck.utils.URLConnectionFailureException
     * thrown if there is an exception
     */
    @SuppressWarnings("squid:S2583")
    @SuppressFBWarnings(justification = "yes, there is a redundant null check in the catch - to suppress warnings we are leaving the null check",
            value = {"RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE"})
    public HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
        HttpURLConnection conn = null;
        final String proxyHost = settings.getString(Settings.KEYS.PROXY_SERVER);

        try {
            if (proxyHost != null && !matchNonProxy(url)) {
                final int proxyPort = settings.getInt(Settings.KEYS.PROXY_PORT);
                final SocketAddress address = new InetSocketAddress(proxyHost, proxyPort);

                final String username = settings.getString(Settings.KEYS.PROXY_USERNAME);
                final String password = settings.getString(Settings.KEYS.PROXY_PASSWORD);

                if (username != null && password != null) {
                    final Authenticator auth = new Authenticator() {
                        @Override
                        public PasswordAuthentication getPasswordAuthentication() {
                            if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
                                LOGGER.debug("Using the configured proxy username and password");
                                if (settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
                                    System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
                                }
                                return new PasswordAuthentication(username, password.toCharArray());
                            }
                            return super.getPasswordAuthentication();
                        }
                    };
                    Authenticator.setDefault(auth);
                }

                final Proxy proxy = new Proxy(Proxy.Type.HTTP, address);
                conn = (HttpURLConnection) url.openConnection(proxy);
            } else {
                conn = (HttpURLConnection) url.openConnection();
            }
            final int connectionTimeout = settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
            // set a conservative long default timeout to compensate for MITM-proxies that return the (final) bytes only
            // after all security checks passed
            final int readTimeout = settings.getInt(Settings.KEYS.CONNECTION_READ_TIMEOUT, 60_000);
            conn.setConnectTimeout(connectionTimeout);
            conn.setReadTimeout(readTimeout);
            conn.setInstanceFollowRedirects(true);
        } catch (IOException ex) {
            if (conn != null) {
                try {
                    conn.disconnect();
                } finally {
                    conn = null;
                }
            }
            throw new URLConnectionFailureException("Error getting connection.", ex);
        }
        //conn.setRequestProperty("user-agent",
        //  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36");
        configureTLS(url, conn);
        addAuthenticationIfPresent(conn);
        return conn;
    }

    /**
     * Adds the basic authorization header if the URL contains a username and
     * password. Example URL that will have the basic authorization header
     * added:
     * http://username:[email protected]/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
     *
     * @param conn the connection
     */
    private void addAuthenticationIfPresent(HttpURLConnection conn) {
        final String userInfo = conn.getURL().getUserInfo();
        if (userInfo != null) {
            final String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userInfo.getBytes(UTF_8));
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Adding user info as basic authorization");
            }
            conn.addRequestProperty("Authorization", basicAuth);
        }
    }

    /**
     * Adds a basic authentication header if the values in the settings are not
     * null.
     *
     * @param conn the connection to add the basic auth header
     * @param userKey the settings key for the username
     * @param passwordKey the settings key for the password
     */
    public void addBasicAuthentication(HttpURLConnection conn, String userKey, String passwordKey) {
        if (StringUtils.isNotEmpty(settings.getString(userKey))
                && StringUtils.isNotEmpty(settings.getString(passwordKey))) {
            final String user = settings.getString(userKey);
            final String password = settings.getString(passwordKey);

            if (user.isEmpty() || password.isEmpty()) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Skip authentication as user and/or password is empty");
                }
            } else {
                final String userColonPassword = user + ":" + password;
                final String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userColonPassword.getBytes(UTF_8));
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Adding user/password from settings.xml as basic authorization");
                }
                conn.addRequestProperty("Authorization", basicAuth);
            }
        }
    }

    /**
     * Check if host name matches nonProxy settings
     *
     * @param url the URL to connect to
     * @return matching result. true: match nonProxy
     */
    @SuppressWarnings("StringSplitter")
    private boolean matchNonProxy(final URL url) {
        final String host = url.getHost();

        // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
        final String nonProxyHosts = settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
        if (null != nonProxyHosts) {
            final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
            for (final String nonProxyHost : nonProxies) {
                //if ( StringUtils.contains( nonProxyHost, "*" ) )
                if (null != nonProxyHost && nonProxyHost.contains("*")) {
                    // Handle wildcard at the end, beginning or middle of the nonProxyHost
                    final int pos = nonProxyHost.indexOf('*');
                    final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
                    final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
                    // prefix*
                    if (!StringUtils.isBlank(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isBlank(nonProxyHostSuffix)) {
                        return true;
                    }
                    // *suffix
                    if (StringUtils.isBlank(nonProxyHostPrefix) && !StringUtils.isBlank(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
                        return true;
                    }
                    // prefix*suffix
                    if (!StringUtils.isBlank(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isBlank(nonProxyHostSuffix)
                            && host.endsWith(nonProxyHostSuffix)) {
                        return true;
                    }
                } else if (host.equals(nonProxyHost)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Utility method to create an HttpURLConnection. The use of a proxy here is
     * optional as there may be cases where a proxy is configured but we don't
     * want to use it (for example, if there's an internal repository
     * configured)
     *
     * @param url the URL to connect to
     * @param proxy whether to use the proxy (if configured)
     * @return a newly constructed HttpURLConnection
     * @throws org.owasp.dependencycheck.utils.URLConnectionFailureException
     * thrown if there is an exception
     */
    public HttpURLConnection createHttpURLConnection(URL url, boolean proxy) throws URLConnectionFailureException {
        if (proxy) {
            return createHttpURLConnection(url);
        }
        final HttpURLConnection conn;
        try {
            conn = (HttpURLConnection) url.openConnection();
            final int timeout = settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
            conn.setConnectTimeout(timeout);
            conn.setInstanceFollowRedirects(true);
        } catch (IOException ioe) {
            throw new URLConnectionFailureException("Error getting connection.", ioe);
        }
        configureTLS(url, conn);
        addAuthenticationIfPresent(conn);
        return conn;
    }

    /**
     * If the protocol is HTTPS, this will configure the cipher suites so that
     * connections can be made to the NVD, and others, using older versions of
     * Java.
     *
     * @param url the URL
     * @param conn the connection
     */
    private void configureTLS(URL url, URLConnection conn) {
        if ("https".equals(url.getProtocol())) {
            try {
                final HttpsURLConnection secCon = (HttpsURLConnection) conn;
                final SSLSocketFactoryEx factory = new SSLSocketFactoryEx(settings);
                secCon.setSSLSocketFactory(factory);
            } catch (NoSuchAlgorithmException ex) {
                LOGGER.debug("Unsupported algorithm in SSLSocketFactoryEx", ex);
            } catch (KeyManagementException ex) {
                LOGGER.debug("Key management exception in SSLSocketFactoryEx", ex);
            }
        }
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy