default to remove auth schemas for proxy connections - added a property to disable this functionality. Fix for issue #718

2026-01-14 07:43:40 +01:00 · 2017-05-14 17:19:26 -04:00
parent 7753b6f3c1
commit 898412eaea
5 changed files with 17 additions and 0 deletions
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -41,6 +41,8 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=

+
+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=

+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -185,6 +185,12 @@ public final class Settings {
         * The properties key for the URL to retrieve the CPE.
         */
        public static final String CPE_URL = "cpe.url";
+        /**
+         * Whether or not if using basic auth with a proxy the system setting
+         * 'jdk.http.auth.tunneling.disabledSchemes' should be set to an empty
+         * string.
+         */
+        public static final String PROXY_DISABLE_SCHEMAS = "proxy.disableSchemas";
        /**
         * The properties key for the proxy server.
         *
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
@@ -83,6 +83,13 @@ public final class URLConnectionFactory {
                        public PasswordAuthentication getPasswordAuthentication() {
                            if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
                                LOGGER.debug("Using the configured proxy username and password");
+                                try {
+                                    if (Settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
+                                        System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
+                                    }
+                                } catch (InvalidSettingException ex) {
+                                    LOGGER.trace("This exception can be ignored", ex);
+                                }
                                return new PasswordAuthentication(username, password.toCharArray());
                            }
                            return super.getPasswordAuthentication();
--- a/dependency-check-utils/src/test/resources/dependencycheck.properties
+++ b/dependency-check-utils/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=

+proxy.disableSchemas=true
 # the path to the cpe xml file
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
 # the path to the cpe meta data file.