Commit 4f7a1d0d383d84ab0e37a37a68b3b8de8427fc18

Authored by Alan Davis
1 parent a8906227b2
Exists in master

REPO-480 Platform XXE protection implements OWASP recommendations

- switch to using alfresco-xmlfactory 1.2
Showing 1 changed file with 1 additions and 1 deletions
1 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 1 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
2 <modelVersion>4.0.0</modelVersion> 2 <modelVersion>4.0.0</modelVersion>
3 3
4 <parent> 4 <parent>
5 <groupId>org.alfresco</groupId> 5 <groupId>org.alfresco</groupId>
6 <artifactId>alfresco-super-pom</artifactId> 6 <artifactId>alfresco-super-pom</artifactId>
7 <version>6</version> 7 <version>6</version>
8 </parent> 8 </parent>
9 9
10 <artifactId>alfresco-data-model</artifactId> 10 <artifactId>alfresco-data-model</artifactId>
11 <name>Alfresco Data Model</name> 11 <name>Alfresco Data Model</name>
12 <description>Alfresco Data Model classes</description> 12 <description>Alfresco Data Model classes</description>
13 <version>6.1-SNAPSHOT</version> 13 <version>6.1-SNAPSHOT</version>
14 14
15 <scm> 15 <scm>
16 <connection>scm:git:https://gitlab.alfresco.com/platform/alfresco-data-model.git</connection> 16 <connection>scm:git:https://gitlab.alfresco.com/platform/alfresco-data-model.git</connection>
17 <developerConnection>scm:git:https://gitlab.alfresco.com/platform/alfresco-data-model.git</developerConnection> 17 <developerConnection>scm:git:https://gitlab.alfresco.com/platform/alfresco-data-model.git</developerConnection>
18 <url>https://gitlab.alfresco.com/platform/alfresco-data-model</url> 18 <url>https://gitlab.alfresco.com/platform/alfresco-data-model</url>
19 <tag>HEAD</tag> 19 <tag>HEAD</tag>
20 </scm> 20 </scm>
21 21
22 <distributionManagement> 22 <distributionManagement>
23 <repository> 23 <repository>
24 <id>alfresco-internal</id> 24 <id>alfresco-internal</id>
25 <url>https://artifacts.alfresco.com/nexus/content/repositories/releases</url> 25 <url>https://artifacts.alfresco.com/nexus/content/repositories/releases</url>
26 </repository> 26 </repository>
27 <snapshotRepository> 27 <snapshotRepository>
28 <id>alfresco-internal-snapshots</id> 28 <id>alfresco-internal-snapshots</id>
29 <url>https://artifacts.alfresco.com/nexus/content/repositories/snapshots</url> 29 <url>https://artifacts.alfresco.com/nexus/content/repositories/snapshots</url>
30 </snapshotRepository> 30 </snapshotRepository>
31 </distributionManagement> 31 </distributionManagement>
32 32
33 <properties> 33 <properties>
34 <!-- Files to exclude from SonarQube analysis --> 34 <!-- Files to exclude from SonarQube analysis -->
35 <sonar.exclusions> 35 <sonar.exclusions>
36 source/java/org/alfresco/repo/search/impl/parsers/CMIS*er.java, 36 source/java/org/alfresco/repo/search/impl/parsers/CMIS*er.java,
37 source/java/org/alfresco/repo/search/impl/parsers/FTSParser.java, 37 source/java/org/alfresco/repo/search/impl/parsers/FTSParser.java,
38 source/java/org/alfresco/repo/search/impl/parsers/FTSLexer.java 38 source/java/org/alfresco/repo/search/impl/parsers/FTSLexer.java
39 </sonar.exclusions> 39 </sonar.exclusions>
40 40
41 </properties> 41 </properties>
42 42
43 <build> 43 <build>
44 <plugins> 44 <plugins>
45 <plugin> 45 <plugin>
46 <groupId>org.jibx</groupId> 46 <groupId>org.jibx</groupId>
47 <artifactId>maven-jibx-plugin</artifactId> 47 <artifactId>maven-jibx-plugin</artifactId>
48 <configuration> 48 <configuration>
49 <load>true</load> 49 <load>true</load>
50 <schemaBindingDirectory>${project.build.sourceDirectory}/org/alfresco/repo/dictionary</schemaBindingDirectory> 50 <schemaBindingDirectory>${project.build.sourceDirectory}/org/alfresco/repo/dictionary</schemaBindingDirectory>
51 <includeSchemaBindings> 51 <includeSchemaBindings>
52 <includeSchemaBinding>m2binding.xml</includeSchemaBinding> 52 <includeSchemaBinding>m2binding.xml</includeSchemaBinding>
53 </includeSchemaBindings> 53 </includeSchemaBindings>
54 </configuration> 54 </configuration>
55 <executions> 55 <executions>
56 <execution> 56 <execution>
57 <id>bind-sources</id> 57 <id>bind-sources</id>
58 <goals> 58 <goals>
59 <goal>bind</goal> 59 <goal>bind</goal>
60 </goals> 60 </goals>
61 </execution> 61 </execution>
62 </executions> 62 </executions>
63 </plugin> 63 </plugin>
64 64
65 <!-- ACE-3329 Create _en.properties message files --> 65 <!-- ACE-3329 Create _en.properties message files -->
66 <plugin> 66 <plugin>
67 <artifactId>maven-antrun-plugin</artifactId> 67 <artifactId>maven-antrun-plugin</artifactId>
68 <executions> 68 <executions>
69 <execution> 69 <execution>
70 <id>duplicate-english-messages</id> 70 <id>duplicate-english-messages</id>
71 <phase>generate-resources</phase> 71 <phase>generate-resources</phase>
72 <goals> 72 <goals>
73 <goal>run</goal> 73 <goal>run</goal>
74 </goals> 74 </goals>
75 </execution> 75 </execution>
76 </executions> 76 </executions>
77 <configuration> 77 <configuration>
78 <target> 78 <target>
79 <copy todir="${project.build.outputDirectory}"> 79 <copy todir="${project.build.outputDirectory}">
80 <fileset dir="${basedir}/src/main/resources" includes="alfresco/messages/**/*.properties" /> 80 <fileset dir="${basedir}/src/main/resources" includes="alfresco/messages/**/*.properties" />
81 <mapper type="regexp" from="^([^_]*).properties$" to="\1_en.properties" /> 81 <mapper type="regexp" from="^([^_]*).properties$" to="\1_en.properties" />
82 </copy> 82 </copy>
83 </target> 83 </target>
84 </configuration> 84 </configuration>
85 </plugin> 85 </plugin>
86 <plugin> 86 <plugin>
87 <artifactId>maven-jar-plugin</artifactId> 87 <artifactId>maven-jar-plugin</artifactId>
88 <version>2.6</version> 88 <version>2.6</version>
89 <executions> 89 <executions>
90 <execution> 90 <execution>
91 <goals> 91 <goals>
92 <goal>test-jar</goal> 92 <goal>test-jar</goal>
93 </goals> 93 </goals>
94 </execution> 94 </execution>
95 </executions> 95 </executions>
96 </plugin> 96 </plugin>
97 </plugins> 97 </plugins>
98 98
99 <pluginManagement> 99 <pluginManagement>
100 <plugins> 100 <plugins>
101 <!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.--> 101 <!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.-->
102 <plugin> 102 <plugin>
103 <groupId>org.eclipse.m2e</groupId> 103 <groupId>org.eclipse.m2e</groupId>
104 <artifactId>lifecycle-mapping</artifactId> 104 <artifactId>lifecycle-mapping</artifactId>
105 <version>1.0.0</version> 105 <version>1.0.0</version>
106 <configuration> 106 <configuration>
107 <lifecycleMappingMetadata> 107 <lifecycleMappingMetadata>
108 <pluginExecutions> 108 <pluginExecutions>
109 <pluginExecution> 109 <pluginExecution>
110 <pluginExecutionFilter> 110 <pluginExecutionFilter>
111 <groupId>org.jibx</groupId> 111 <groupId>org.jibx</groupId>
112 <artifactId> 112 <artifactId>
113 maven-jibx-plugin 113 maven-jibx-plugin
114 </artifactId> 114 </artifactId>
115 <versionRange> 115 <versionRange>
116 [1.2.5,) 116 [1.2.5,)
117 </versionRange> 117 </versionRange>
118 <goals> 118 <goals>
119 <goal>bind</goal> 119 <goal>bind</goal>
120 </goals> 120 </goals>
121 </pluginExecutionFilter> 121 </pluginExecutionFilter>
122 <action> 122 <action>
123 <execute> 123 <execute>
124 <runOnConfiguration>true</runOnConfiguration> 124 <runOnConfiguration>true</runOnConfiguration>
125 <runOnIncremental>true</runOnIncremental> 125 <runOnIncremental>true</runOnIncremental>
126 </execute> 126 </execute>
127 </action> 127 </action>
128 </pluginExecution> 128 </pluginExecution>
129 </pluginExecutions> 129 </pluginExecutions>
130 </lifecycleMappingMetadata> 130 </lifecycleMappingMetadata>
131 </configuration> 131 </configuration>
132 </plugin> 132 </plugin>
133 <plugin> 133 <plugin>
134 <artifactId>maven-release-plugin</artifactId> 134 <artifactId>maven-release-plugin</artifactId>
135 <configuration> 135 <configuration>
136 <autoVersionSubmodules>true</autoVersionSubmodules> 136 <autoVersionSubmodules>true</autoVersionSubmodules>
137 <tagNameFormat>@{project.version}</tagNameFormat> 137 <tagNameFormat>@{project.version}</tagNameFormat>
138 </configuration> 138 </configuration>
139 </plugin> 139 </plugin>
140 </plugins> 140 </plugins>
141 </pluginManagement> 141 </pluginManagement>
142 </build> 142 </build>
143 143
144 <dependencies> 144 <dependencies>
145 <dependency> 145 <dependency>
146 <groupId>org.alfresco</groupId> 146 <groupId>org.alfresco</groupId>
147 <artifactId>alfresco-core</artifactId> 147 <artifactId>alfresco-core</artifactId>
148 <version>6.5</version> 148 <version>6.5</version>
149 </dependency> 149 </dependency>
150 <!-- 150 <!--
151 | provided dependencies (are not transitive and not included in webapps) 151 | provided dependencies (are not transitive and not included in webapps)
152 | see http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope 152 | see http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope
153 --> 153 -->
154 <dependency> 154 <dependency>
155 <groupId>javax.servlet</groupId> 155 <groupId>javax.servlet</groupId>
156 <artifactId>servlet-api</artifactId> 156 <artifactId>servlet-api</artifactId>
157 <version>2.5</version> 157 <version>2.5</version>
158 <scope>provided</scope> 158 <scope>provided</scope>
159 </dependency> 159 </dependency>
160 <!-- 160 <!--
161 | compile dependencies 161 | compile dependencies
162 --> 162 -->
163 <dependency> 163 <dependency>
164 <groupId>jaxen</groupId> 164 <groupId>jaxen</groupId>
165 <artifactId>jaxen</artifactId> 165 <artifactId>jaxen</artifactId>
166 <version>1.1.6</version> 166 <version>1.1.6</version>
167 </dependency> 167 </dependency>
168 <dependency> 168 <dependency>
169 <groupId>org.jibx</groupId> 169 <groupId>org.jibx</groupId>
170 <artifactId>jibx-run</artifactId> 170 <artifactId>jibx-run</artifactId>
171 <version>1.2.6</version> 171 <version>1.2.6</version>
172 </dependency> 172 </dependency>
173 173
174 <dependency> 174 <dependency>
175 <groupId>org.antlr</groupId> 175 <groupId>org.antlr</groupId>
176 <artifactId>antlr</artifactId> 176 <artifactId>antlr</artifactId>
177 <version>3.5.2</version> 177 <version>3.5.2</version>
178 </dependency> 178 </dependency>
179 <dependency> 179 <dependency>
180 <groupId>org.apache.chemistry.opencmis</groupId> 180 <groupId>org.apache.chemistry.opencmis</groupId>
181 <artifactId>chemistry-opencmis-client-impl</artifactId> 181 <artifactId>chemistry-opencmis-client-impl</artifactId>
182 <version>0.11.0</version> 182 <version>0.11.0</version>
183 <exclusions> 183 <exclusions>
184 <exclusion> 184 <exclusion>
185 <groupId>junit</groupId> 185 <groupId>junit</groupId>
186 <artifactId>junit</artifactId> 186 <artifactId>junit</artifactId>
187 </exclusion> 187 </exclusion>
188 <exclusion> 188 <exclusion>
189 <groupId>org.jvnet.staxex</groupId> 189 <groupId>org.jvnet.staxex</groupId>
190 <artifactId>stax-ex</artifactId> 190 <artifactId>stax-ex</artifactId>
191 </exclusion> 191 </exclusion>
192 </exclusions> 192 </exclusions>
193 </dependency> 193 </dependency>
194 <dependency> 194 <dependency>
195 <groupId>org.apache.chemistry.opencmis</groupId> 195 <groupId>org.apache.chemistry.opencmis</groupId>
196 <artifactId>chemistry-opencmis-commons-impl</artifactId> 196 <artifactId>chemistry-opencmis-commons-impl</artifactId>
197 <version>0.11.0</version> 197 <version>0.11.0</version>
198 <exclusions> 198 <exclusions>
199 <exclusion> 199 <exclusion>
200 <groupId>com.sun.xml.messaging.saaj</groupId> 200 <groupId>com.sun.xml.messaging.saaj</groupId>
201 <artifactId>saaj-impl</artifactId> 201 <artifactId>saaj-impl</artifactId>
202 </exclusion> 202 </exclusion>
203 <exclusion> 203 <exclusion>
204 <groupId>org.jvnet.staxex</groupId> 204 <groupId>org.jvnet.staxex</groupId>
205 <artifactId>stax-ex</artifactId> 205 <artifactId>stax-ex</artifactId>
206 </exclusion> 206 </exclusion>
207 </exclusions> 207 </exclusions>
208 </dependency> 208 </dependency>
209 <!-- stax-ex is exluded from chemistry and included here, to avoid making constant requests to the repo --> 209 <!-- stax-ex is exluded from chemistry and included here, to avoid making constant requests to the repo -->
210 <!-- That's becausde the chemistry-pulled one does not specify a specific version --> 210 <!-- That's becausde the chemistry-pulled one does not specify a specific version -->
211 <dependency> 211 <dependency>
212 <groupId>org.jvnet.staxex</groupId> 212 <groupId>org.jvnet.staxex</groupId>
213 <artifactId>stax-ex</artifactId> 213 <artifactId>stax-ex</artifactId>
214 <version>1.2</version> 214 <version>1.2</version>
215 </dependency> 215 </dependency>
216 <dependency> 216 <dependency>
217 <groupId>org.apache.chemistry.opencmis</groupId> 217 <groupId>org.apache.chemistry.opencmis</groupId>
218 <artifactId>chemistry-opencmis-server-bindings</artifactId> 218 <artifactId>chemistry-opencmis-server-bindings</artifactId>
219 <version>0.11.0</version> 219 <version>0.11.0</version>
220 <exclusions> 220 <exclusions>
221 <exclusion> 221 <exclusion>
222 <groupId>org.jvnet.staxex</groupId> 222 <groupId>org.jvnet.staxex</groupId>
223 <artifactId>stax-ex</artifactId> 223 <artifactId>stax-ex</artifactId>
224 </exclusion> 224 </exclusion>
225 </exclusions> 225 </exclusions>
226 </dependency> 226 </dependency>
227 <dependency> 227 <dependency>
228 <groupId>org.codehaus.woodstox</groupId> 228 <groupId>org.codehaus.woodstox</groupId>
229 <artifactId>woodstox-core-asl</artifactId> 229 <artifactId>woodstox-core-asl</artifactId>
230 <version>4.2.0</version> 230 <version>4.2.0</version>
231 </dependency> 231 </dependency>
232 <!-- This is now deployed at: 232 <!-- This is now deployed at:
233 | http://artifacts.alfresco.com/nexus/content/repositories/thirdparty/org/acegisecurity/acegi-security/0.8.2_patched/ 233 | http://artifacts.alfresco.com/nexus/content/repositories/thirdparty/org/acegisecurity/acegi-security/0.8.2_patched/
234 --> 234 -->
235 <dependency> 235 <dependency>
236 <groupId>org.acegisecurity</groupId> 236 <groupId>org.acegisecurity</groupId>
237 <artifactId>acegi-security</artifactId> 237 <artifactId>acegi-security</artifactId>
238 <version>0.8.2_patched</version> 238 <version>0.8.2_patched</version>
239 </dependency> 239 </dependency>
240 <dependency> 240 <dependency>
241 <groupId>org.alfresco</groupId> 241 <groupId>org.alfresco</groupId>
242 <artifactId>alfresco-xmlfactory</artifactId> 242 <artifactId>alfresco-xmlfactory</artifactId>
243 <version>1.1</version> 243 <version>1.2</version>
244 </dependency> 244 </dependency>
245 <dependency> 245 <dependency>
246 <groupId>xerces</groupId> 246 <groupId>xerces</groupId>
247 <artifactId>xercesImpl</artifactId> 247 <artifactId>xercesImpl</artifactId>
248 <version>2.10.0-alfresco-patched</version> 248 <version>2.10.0-alfresco-patched</version>
249 </dependency> 249 </dependency>
250 <dependency> 250 <dependency>
251 <groupId>xpp3</groupId> 251 <groupId>xpp3</groupId>
252 <artifactId>xpp3</artifactId> 252 <artifactId>xpp3</artifactId>
253 <version>1.1.3_8</version> 253 <version>1.1.3_8</version>
254 </dependency> 254 </dependency>
255 <!-- Tika --> 255 <!-- Tika -->
256 <dependency> 256 <dependency>
257 <groupId>org.apache.tika</groupId> 257 <groupId>org.apache.tika</groupId>
258 <artifactId>tika-core</artifactId> 258 <artifactId>tika-core</artifactId>
259 <version>1.6-20160727-alfresco-patched</version> 259 <version>1.6-20160727-alfresco-patched</version>
260 </dependency> 260 </dependency>
261 <dependency> 261 <dependency>
262 <groupId>org.apache.tika</groupId> 262 <groupId>org.apache.tika</groupId>
263 <artifactId>tika-parsers</artifactId> 263 <artifactId>tika-parsers</artifactId>
264 <version>1.6-20160727-alfresco-patched</version> 264 <version>1.6-20160727-alfresco-patched</version>
265 </dependency> 265 </dependency>
266 <dependency> 266 <dependency>
267 <groupId>org.gagravarr</groupId> 267 <groupId>org.gagravarr</groupId>
268 <artifactId>vorbis-java-core</artifactId> 268 <artifactId>vorbis-java-core</artifactId>
269 <version>0.4</version> 269 <version>0.4</version>
270 </dependency> 270 </dependency>
271 <dependency> 271 <dependency>
272 <groupId>org.gagravarr</groupId> 272 <groupId>org.gagravarr</groupId>
273 <artifactId>vorbis-java-tika</artifactId> 273 <artifactId>vorbis-java-tika</artifactId>
274 <version>0.4</version> 274 <version>0.4</version>
275 </dependency> 275 </dependency>
276 <dependency> 276 <dependency>
277 <groupId>com.googlecode.juniversalchardet</groupId> 277 <groupId>com.googlecode.juniversalchardet</groupId>
278 <artifactId>juniversalchardet</artifactId> 278 <artifactId>juniversalchardet</artifactId>
279 <version>1.0.3</version> 279 <version>1.0.3</version>
280 </dependency> 280 </dependency>
281 281
282 <!-- Test dependencies --> 282 <!-- Test dependencies -->
283 <dependency> 283 <dependency>
284 <groupId>junit</groupId> 284 <groupId>junit</groupId>
285 <artifactId>junit</artifactId> 285 <artifactId>junit</artifactId>
286 <version>4.12</version> 286 <version>4.12</version>
287 <scope>test</scope> 287 <scope>test</scope>
288 </dependency> 288 </dependency>
289 <dependency> 289 <dependency>
290 <groupId>org.antlr</groupId> 290 <groupId>org.antlr</groupId>
291 <artifactId>gunit</artifactId> 291 <artifactId>gunit</artifactId>
292 <version>3.5.2</version> 292 <version>3.5.2</version>
293 <scope>test</scope> 293 <scope>test</scope>
294 </dependency> 294 </dependency>
295 <dependency> 295 <dependency>
296 <groupId>org.mockito</groupId> 296 <groupId>org.mockito</groupId>
297 <artifactId>mockito-all</artifactId> 297 <artifactId>mockito-all</artifactId>
298 <version>1.10.19</version> 298 <version>1.10.19</version>
299 <scope>test</scope> 299 <scope>test</scope>
300 </dependency> 300 </dependency>
301 </dependencies> 301 </dependencies>
302 302
303 <profiles> 303 <profiles>
304 <profile> 304 <profile>
305 <id>doclint-java8-max</id> 305 <id>doclint-java8-max</id>
306 <activation> 306 <activation>
307 <jdk>[1.8,)</jdk> 307 <jdk>[1.8,)</jdk>
308 </activation> 308 </activation>
309 <build> 309 <build>
310 <plugins> 310 <plugins>
311 <plugin> 311 <plugin>
312 <artifactId>maven-javadoc-plugin</artifactId> 312 <artifactId>maven-javadoc-plugin</artifactId>
313 <configuration> 313 <configuration>
314 <!-- <additionalparam>-Xmaxwarns 10000 -Xmaxerrs 10000</additionalparam> to detect more than 100 error --> 314 <!-- <additionalparam>-Xmaxwarns 10000 -Xmaxerrs 10000</additionalparam> to detect more than 100 error -->
315 <additionalparam>-Xdoclint:none</additionalparam> 315 <additionalparam>-Xdoclint:none</additionalparam>
316 </configuration> 316 </configuration>
317 </plugin> 317 </plugin>
318 </plugins> 318 </plugins>
319 </build> 319 </build>
320 </profile> 320 </profile>
321 </profiles> 321 </profiles>
322 </project> 322 </project>
323 323
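Review bot: The `alfresco-xmlfactory` bump from 1.1 to 1.2 (new line 243) carries the whole XXE fix, but nothing in this pom shows which parsers it actually hardens, and nothing guards the version against being lowered again. The same dependency list also pulls in `woodstox-core-asl` 4.2.0, `xpp3` 1.1.3_8 and `jibx-run` 1.2.6. If the library works by supplying hardened JAXP factories (an assumption, since its code is not on this page), parsers that those libraries create directly would not pick up the new settings, so it is worth confirming that each XML entry point refuses a DOCTYPE. I would add a comment above the dependency such as `<!-- REPO-480: XXE hardening of the XML parser factories; do not downgrade below 1.2 -->`, plus a regression test that feeds the data-model parsers a document declaring an external entity and expects it to be rejected.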