From 81b2b966ba22c70f8b5055c1b4461e5ba8eda717 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 6 May 2017 10:48:31 -0400
Subject: [PATCH 1/2] added additional check to add proxy credentials
---
 .../dependencycheck/utils/URLConnectionFactory.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
index 83802e482..01b02e40c 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
@@ -67,12 +67,12 @@ public final class URLConnectionFactory {
 @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe")
 public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
 HttpURLConnection conn = null;
- final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
+ final String proxyHost = Settings.getString(Settings.KEYS.PROXY_SERVER);
 try {
- if (proxyUrl != null && !matchNonProxy(url)) {
+ if (proxyHost != null && !matchNonProxy(url)) {
 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
- final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
+ final SocketAddress address = new InetSocketAddress(proxyHost, proxyPort);
 final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
 final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
@@ -81,7 +81,8 @@ public final class URLConnectionFactory {
 final Authenticator auth = new Authenticator() {
 @Override
 public PasswordAuthentication getPasswordAuthentication() {
- if (getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
+ if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
+ LOGGER.debug("Using the configured proxy username and password");
 return new PasswordAuthentication(username, password.toCharArray());
 }
 return super.getPasswordAuthentication();
From 898412eaeac8958e733de0764005fdfa4e632d69 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 14 May 2017 17:19:26 -0400
Subject: [PATCH 2/2] default to remove auth schemas for proxy connections - added a property to disable this functionality. Fix for issue #718
---
 .../src/main/resources/dependencycheck.properties | 2 ++
 .../src/test/resources/dependencycheck.properties | 1 +
 .../java/org/owasp/dependencycheck/utils/Settings.java | 6 ++++++
 .../owasp/dependencycheck/utils/URLConnectionFactory.java | 7 +++++++
 .../src/test/resources/dependencycheck.properties | 1 +
 5 files changed, 17 insertions(+)
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index bf2797f85..eb33d9aad 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -41,6 +41,8 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+
+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
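Review bot: The widened condition on the `+ if` line hands the proxy credentials to any challenge whose requesting host string equals the configured proxy host, including a `RequestorType.SERVER` challenge from an origin server, so the credentials are no longer bound to proxy use. Comparing only the host is also coarse: hostnames are case-insensitive and the port is ignored, while `proxyPort` is already a final local of the enclosing method and could be checked. A tighter form is `if (getRequestorType() == Authenticator.RequestorType.PROXY || (proxyHost.equalsIgnoreCase(getRequestingHost()) && getRequestingPort() == proxyPort)) {`. The `password.toCharArray()` call on the following context line throws if no proxy password is configured; I cannot see whether the enclosing method guards for that before installing the authenticator, so it is worth confirming. The enclosing createHttpURLConnection starts and ends outside the hunk.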
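Review bot: The new `proxy.disableSchemas=true` line in this properties file carries no comment, unlike the keys around it, yet it switches on a process-wide change: with it set, the code clears the JVM's `jdk.http.auth.tunneling.disabledSchemes` property, which by default (since JDK 8u111) keeps Basic authentication off HTTPS CONNECT tunnels. An operator reading the file cannot tell that, or that `false` restores the JDK default. I would add above the key `# When true (the default) dependency-check clears the JVM's jdk.http.auth.tunneling.disabledSchemes so that Basic proxy credentials can be sent over HTTPS tunnels; set to false to keep the JDK default.` The same uncommented line is added to the two test-resource copies of dependencycheck.properties in this patch, which is fine for tests but should be kept in sync if the wording or default changes.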
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index 449e1bc5f..d6083bf81 100644
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index aac1d40ed..da96ad1c6 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -185,6 +185,12 @@ public final class Settings {
 * The properties key for the URL to retrieve the CPE.
 */
 public static final String CPE_URL = "cpe.url";
+ /**
+ * Whether or not if using basic auth with a proxy the system setting
+ * 'jdk.http.auth.tunneling.disabledSchemes' should be set to an empty
+ * string.
+ */
+ public static final String PROXY_DISABLE_SCHEMAS = "proxy.disableSchemas";
 /**
 * The properties key for the proxy server.
 *
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
index 01b02e40c..e8557aad0 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
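Review bot: The new constant in Settings.java names the key "Schemas" while the JDK property it controls is `disabledSchemes` — these are authentication schemes, not schemas — and the mismatch will make the setting hard to find for anyone searching from the JDK side; since the key is introduced by this patch, `PROXY_DISABLE_SCHEMES = "proxy.disableSchemes"` is the moment to fix it (the three properties files and the lookup in URLConnectionFactory would need the same change). The Javadoc on the `+ *` lines also describes only the mechanism; it should state the default and the consequence, e.g. `Whether to clear the JVM's 'jdk.http.auth.tunneling.disabledSchemes' property (defaults to true) so that Basic proxy credentials can be sent when tunnelling HTTPS through the proxy; this is a process-wide change, set to false to keep the JDK default.` The enclosing class continues outside the hunk.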
@@ -83,6 +83,13 @@ public final class URLConnectionFactory {
 public PasswordAuthentication getPasswordAuthentication() {
 if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
 LOGGER.debug("Using the configured proxy username and password");
+ try {
+ if (Settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
+ System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
+ }
+ } catch (InvalidSettingException ex) {
+ LOGGER.trace("This exception can be ignored", ex);
+ }
 return new PasswordAuthentication(username, password.toCharArray());
 }
 return super.getPasswordAuthentication();
diff --git a/dependency-check-utils/src/test/resources/dependencycheck.properties b/dependency-check-utils/src/test/resources/dependencycheck.properties
index 619ec54ce..4da62d632 100644
--- a/dependency-check-utils/src/test/resources/dependencycheck.properties
+++ b/dependency-check-utils/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+proxy.disableSchemas=true
 # the path to the cpe xml file
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
 # the path to the cpe meta data file.
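Review bot: `System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "")` is a JVM-wide change made from inside the `getPasswordAuthentication()` callback, so it runs on every authentication request and only after a connection has already been attempted; as far as I can tell the JDK reads that property when the HTTP protocol handler is initialised, so a value set here is unlikely to affect the request that triggered the callback, and it is never restored. It also weakens a JDK security default silently: the only trace is a debug line, and a malformed setting is logged at trace level under "This exception can be ignored". I would move the block out of the authenticator into createHttpURLConnection, immediately before `final Authenticator auth = new Authenticator() {` (outside this hunk), run it once when proxy credentials are configured, and log both the change and an invalid setting at a visible level. The enclosing createHttpURLConnection starts and ends outside the hunk.

```java
// … unchanged: proxy address and username/password lookup …
// Process-wide: clears the JDK default that blocks Basic auth on HTTPS CONNECT tunnels.
// Done once here, before the connection is opened, rather than inside the authenticator.
try {
    if (Settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
        LOGGER.info("Clearing jdk.http.auth.tunneling.disabledSchemes so proxy credentials can be sent over HTTPS tunnels");
        System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
    }
} catch (InvalidSettingException ex) {
    LOGGER.warn("Invalid value for " + Settings.KEYS.PROXY_DISABLE_SCHEMAS + "; keeping the JDK default", ex);
}
final Authenticator auth = new Authenticator() {
    // … unchanged: getPasswordAuthentication, without the System.setProperty block …
```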