From 898412eaeac8958e733de0764005fdfa4e632d69 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 14 May 2017 17:19:26 -0400
Subject: [PATCH] default to remove auth schemas for proxy connections - added a property to disable this functionality. Fix for issue #718
---
 .../src/main/resources/dependencycheck.properties | 2 ++
 .../src/test/resources/dependencycheck.properties | 1 +
 .../java/org/owasp/dependencycheck/utils/Settings.java | 6 ++++++
 .../owasp/dependencycheck/utils/URLConnectionFactory.java | 7 +++++++
 .../src/test/resources/dependencycheck.properties | 1 +
 5 files changed, 17 insertions(+)
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index bf2797f85..eb33d9aad 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -41,6 +41,8 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+
+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index 449e1bc5f..d6083bf81 100644
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
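Review bot: The new `proxy.disableSchemas=true` default in the main properties file carries none of the explanatory comment the neighbouring keys have, so a reader of the file cannot tell that `true` makes the scanner clear the JVM-wide `jdk.http.auth.tunneling.disabledSchemes` setting and thereby re-enables Basic authentication to a proxy over HTTPS tunneling, which the JDK disables by default because the proxy credentials travel to the proxy unencrypted in the CONNECT request. A line such as `# when true (default) the JDK's 'jdk.http.auth.tunneling.disabledSchemes' restriction is cleared so Basic auth works with HTTPS proxies; set to false to keep the JDK default` above the key would make that trade-off visible at the point where it is configured. The test-resource copies in this commit (core and utils) do not need the comment, but they appear to pin only the permissive setting, so nothing exercises the `false` path.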
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index aac1d40ed..da96ad1c6 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -185,6 +185,12 @@ public final class Settings {
 * The properties key for the URL to retrieve the CPE.
 */
 public static final String CPE_URL = "cpe.url";
+ /**
+ * Whether or not if using basic auth with a proxy the system setting
+ * 'jdk.http.auth.tunneling.disabledSchemes' should be set to an empty
+ * string.
+ */
+ public static final String PROXY_DISABLE_SCHEMAS = "proxy.disableSchemas";
 /**
 * The properties key for the proxy server.
 *
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
index 01b02e40c..e8557aad0 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
@@ -83,6 +83,13 @@ public final class URLConnectionFactory {
 public PasswordAuthentication getPasswordAuthentication() {
 if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
 LOGGER.debug("Using the configured proxy username and password");
+ try {
+ if (Settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
+ System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
+ }
+ } catch (InvalidSettingException ex) {
+ LOGGER.trace("This exception can be ignored", ex);
+ }
 return new PasswordAuthentication(username, password.toCharArray());
 }
 return super.getPasswordAuthentication();
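Review bot: The javadoc on `PROXY_DISABLE_SCHEMAS` states neither the default nor that the effect is JVM-wide, and the key name `proxy.disableSchemas` says "Schemas" where the JDK property it controls says "disabledSchemes", so someone searching the configuration for one spelling will not find the other. Since the key is part of the public configuration surface it is probably too late to rename it, but the doc comment can carry both terms and the consequence: `Whether the JVM-wide system property 'jdk.http.auth.tunneling.disabledSchemes' is cleared (set to an empty string) when proxy credentials are used, re-enabling Basic authentication to a proxy for HTTPS tunneling, which the JDK disables by default; defaults to true.` The enclosing class continues outside the hunk.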
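Review bot: Setting `jdk.http.auth.tunneling.disabledSchemes` from inside `getPasswordAuthentication()` is most likely too late for the connection that triggered it: the JDK consults that property when deciding whether to answer a 407 challenge with Basic at all, and as far as I recall `HttpURLConnection` reads it once into a static set at class initialisation, so the Authenticator would not be invoked for a disabled scheme and a value set here would only take effect if that class had not yet been loaded — worth confirming against the JDK version in use before relying on this fix. The property is also process-wide, so the `true` default loosens the proxy-authentication policy for every other HTTP client in the same JVM (whatever build tool or CI process hosts the scanner), not just this factory's connections. Moving the `Settings.getBoolean(...)`/`System.setProperty(...)` pair into the proxy-setup code that runs before the first connection is opened would address the ordering, and logging at warn level when the restriction is actually cleared would at least make the weakening visible to the operator. `LOGGER.trace("This exception can be ignored", ex)` also hides a malformed `proxy.disableSchemas` value entirely; a warn that names the key and the fallback to `true` would be more helpful than a trace. The enclosing Authenticator subclass and `getPasswordAuthentication()` begin before the hunk.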
diff --git a/dependency-check-utils/src/test/resources/dependencycheck.properties b/dependency-check-utils/src/test/resources/dependencycheck.properties
index 619ec54ce..4da62d632 100644
--- a/dependency-check-utils/src/test/resources/dependencycheck.properties
+++ b/dependency-check-utils/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+proxy.disableSchemas=true
 # the path to the cpe xml file
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
 # the path to the cpe meta data file.