Fix issues identified in Sonatype lift

Issues include:
- Securing against bad redirects for the spdx.org/licenses site
- Updating the log4j logging version
- Specifying UTF-8 character sets
- Making ChecksumAlgorithm more immutable
- Fixing potential race conditions

Signed-off-by: Gary O'Neall <[email protected]>

Author: goneall

pom.xml

@@ -93,7 +93,7 @@
     <dependency>
     	<groupId>org.apache.logging.log4j</groupId>
     	<artifactId>log4j-slf4j-impl</artifactId>
-    	<version>2.17.0</version>
+    	<version>2.17.1</version>
     </dependency>
     <dependency>
     	<groupId>org.apache.commons</groupId>

src/main/java/org/spdx/library/DefaultModelStore.java

@@ -44,7 +44,12 @@ private DefaultModelStore() {
 	}
 
 	public static IModelStore getDefaultModelStore() {
-		return defaultModelStore;
+		lock.readLock().lock();
+		try {
+			return defaultModelStore;
+		} finally {
+			lock.readLock().unlock();
+		}
 	}
 
 	public static String getDefaultDocumentUri() {

src/main/java/org/spdx/library/model/enumerations/ChecksumAlgorithm.java

@@ -47,7 +47,7 @@ public enum ChecksumAlgorithm implements IndividualUriValue {
 	ADLER32("checksumAlgorithm_adler32"),
 	;
 
-	private String longName;
+	private final String longName;
 
 	private ChecksumAlgorithm(String longName) {
 		this.longName = longName;

src/main/java/org/spdx/library/referencetype/ListedReferenceTypes.java

@@ -112,17 +112,15 @@ private void loadReferenceTypeNames() {
 	 * @return the listed reference types as maintained by the SPDX workgroup
 	 */
 	public static ListedReferenceTypes getListedReferenceTypes() {
-        if (listedReferenceTypes == null) {
-        	listedReferenceTypesModificationLock.writeLock().lock();
-            try {
-                if (listedReferenceTypes == null) {
-                	listedReferenceTypes = new ListedReferenceTypes();
-                }
-            } finally {
-            	listedReferenceTypesModificationLock.writeLock().unlock();
+    	listedReferenceTypesModificationLock.writeLock().lock();
+        try {
+            if (listedReferenceTypes == null) {
+            	listedReferenceTypes = new ListedReferenceTypes();
             }
+            return listedReferenceTypes;
+        } finally {
+        	listedReferenceTypesModificationLock.writeLock().unlock();
         }
-        return listedReferenceTypes;
 	}
 
 	/**

src/main/java/org/spdx/storage/listedlicense/SpdxListedLicenseModelStore.java

@@ -150,7 +150,7 @@ private void loadIds() throws InvalidSPDXAnalysisException {
             try {
             	// read the license IDs
             	tocStream = getTocInputStream();
-                reader = new BufferedReader(new InputStreamReader(tocStream));
+                reader = new BufferedReader(new InputStreamReader(tocStream, "UTF-8"));
                 StringBuilder tocJsonStr = new StringBuilder();
                 String line;
                 while((line = reader.readLine()) != null) {
@@ -162,17 +162,17 @@ private void loadIds() throws InvalidSPDXAnalysisException {
 
                 // read the exception ID's
                 tocStream = getExceptionTocInputStream();
-                reader = new BufferedReader(new InputStreamReader(tocStream));
+                reader = new BufferedReader(new InputStreamReader(tocStream, "UTF-8"));
                 tocJsonStr  = new StringBuilder();
                 while((line = reader.readLine()) != null) {
                 	tocJsonStr.append(line);
                 }
                 ExceptionJsonTOC exceptionToc = gson.fromJson(tocJsonStr.toString(), ExceptionJsonTOC.class);
                 exceptionIds = exceptionToc.getExceptionIds();
             } catch (MalformedURLException e) {
-				throw(new SpdxListedLicenseException("License TOC URL invalid"));
+				throw new SpdxListedLicenseException("License TOC URL invalid") ;
 			} catch (IOException e) {
-				throw(new SpdxListedLicenseException("I/O error reading license TOC"));
+				throw new SpdxListedLicenseException("I/O error reading license TOC");
 			} finally {
             	if (reader != null) {
             		try {
@@ -195,9 +195,14 @@ public boolean exists(String documentUri, String id) {
 		if (!SpdxConstants.LISTED_LICENSE_URL.equals(documentUri)) {
 			return false;
 		}
+		listedLicenseModificationLock.readLock().lock();
+		try {
 			return this.licenseIds.containsKey(id.toLowerCase()) || 
 					this.exceptionIds.containsKey(id.toLowerCase()) ||
 					this.crossRefs.containsKey(id);
+		} finally {
+			listedLicenseModificationLock.readLock().unlock();
+		}
 	}
 
 	/* (non-Javadoc)
@@ -260,21 +265,21 @@ public List<String> getPropertyValueNames(String documentUri, String id) throws
 			} else if (crossRefs.containsKey(id)) {
 				crossRef = crossRefs.get(id);
 			}
+			if (isLicenseId) {
+				LicenseJson license = fetchLicenseJson(licenseIds.get(id.toLowerCase()));
+				return license.getPropertyValueNames();
+			} else if (isExceptionId) {
+				ExceptionJson exc = fetchExceptionJson(exceptionIds.get(id.toLowerCase()));
+				return exc.getPropertyValueNames();
+			} else if (Objects.nonNull(crossRef)) {
+				return crossRef.getPropertyValueNames();
+			} else {
+				logger.error("ID "+id+" is not a listed license ID, crossRef ID nor a listed exception ID");
+				throw new SpdxIdNotFoundException("ID "+id+" is not a listed license ID. crossRef ID nor a listed exception ID");
+			}
 		} finally {
 			listedLicenseModificationLock.readLock().unlock();
 		}
-		if (isLicenseId) {
-			LicenseJson license = fetchLicenseJson(licenseIds.get(id.toLowerCase()));
-			return license.getPropertyValueNames();
-		} else if (isExceptionId) {
-			ExceptionJson exc = fetchExceptionJson(exceptionIds.get(id.toLowerCase()));
-			return exc.getPropertyValueNames();
-		} else if (Objects.nonNull(crossRef)) {
-			return crossRef.getPropertyValueNames();
-		} else {
-			logger.error("ID "+id+" is not a listed license ID, crossRef ID nor a listed exception ID");
-			throw new SpdxIdNotFoundException("ID "+id+" is not a listed license ID. crossRef ID nor a listed exception ID");
-		}
 	}
 
 	/**
@@ -322,10 +327,10 @@ private LicenseJson fetchLicenseJson(String idCaseInsensitive) throws InvalidSPD
 	                this.listedLicenseCache.put(id, license);
 	            } catch (MalformedURLException e) {
 					logger.error("Json license invalid for ID "+id);
-					throw(new SpdxListedLicenseException("JSON license URL invalid for ID "+id));
+					throw new SpdxListedLicenseException("JSON license URL invalid for ID "+id);
 				} catch (IOException e) {
 					logger.error("I/O error opening Json license URL");
-					throw(new SpdxListedLicenseException("I/O Error reading license data for ID "+id));
+					throw new SpdxListedLicenseException("I/O Error reading license data for ID "+id);
 				} finally {
 	            	if (reader != null) {
 	            		try {
@@ -393,10 +398,10 @@ private ExceptionJson fetchExceptionJson(String idCaseInsensitive) throws Invali
 	                this.listedExceptionCache.put(id, exc);
 	            } catch (MalformedURLException e) {
 					logger.error("Json license invalid for ID "+id);
-					throw(new SpdxListedLicenseException("JSON license URL invalid for ID "+id));
+					throw new SpdxListedLicenseException("JSON license URL invalid for ID "+id);
 				} catch (IOException e) {
 					logger.error("I/O error opening Json license URL");
-					throw(new SpdxListedLicenseException("I/O Error reading license data for ID "+id));
+					throw new SpdxListedLicenseException("I/O Error reading license data for ID "+id);
 				} finally {
 	            	if (reader != null) {
 	            		try {
@@ -663,8 +668,8 @@ public Object next() {
 							throw new RuntimeException(new InvalidSPDXAnalysisException("Invalid type for "+propertyName+".  Must be of type CrossRefJson"));
 						}
 						CrossRefJson nextCrossRef = (CrossRefJson)nextVal;
-						listedLicenseModificationLock.writeLock().lock();
 						String crossRefId = nextCrossRef.getId();
+						listedLicenseModificationLock.writeLock().lock();
 						try {
 							if (Objects.isNull(crossRefId)) {
 								// Need to create an ID and store it in the cache
@@ -977,7 +982,7 @@ public boolean collectionContains(String documentUri, String id, String property
 		if (isLicenseId) {
 			LicenseJson license = fetchLicenseJson(id);
 			List<Object> valueList = (List<Object>)(List<?>)license.getValueList(propertyName);
-			if (value instanceof TypedValue && (SpdxConstants.CLASS_CROSS_REF.equals(((TypedValue)value).getType()))) {
+			if (value instanceof TypedValue && SpdxConstants.CLASS_CROSS_REF.equals(((TypedValue)value).getType())) {
 				CrossRefJson compareValue = crossRefs.get(((TypedValue)value).getId());
 				if (Objects.isNull(compareValue)) {
 					return false;
@@ -1179,7 +1184,7 @@ public void delete(String documentUri, String id) throws InvalidSPDXAnalysisExce
 			throw new SpdxIdNotFoundException("Document URI for SPDX listed licenses is expected to be "+
 					SpdxConstants.LISTED_LICENSE_URL + ".  Supplied document URI was "+documentUri);
 		}
-		listedLicenseModificationLock.writeLock().lock();;
+		listedLicenseModificationLock.writeLock().lock();
 		try {
 			if (licenseIds.containsKey(id.toLowerCase())) {
 				this.listedLicenseCache.remove(id);

src/main/java/org/spdx/storage/listedlicense/SpdxListedLicenseWebStore.java

@@ -21,6 +21,9 @@
 import java.io.InputStream;
 import java.net.HttpURLConnection;
 import java.net.URL;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Objects;
 
 import org.spdx.library.InvalidSPDXAnalysisException;
@@ -33,6 +36,9 @@
 public class SpdxListedLicenseWebStore extends SpdxListedLicenseModelStore {
 
 	private static final int READ_TIMEOUT = 5000;
+	
+	static final List<String> WHITE_LIST = Collections.unmodifiableList(Arrays.asList(
+			"spdx.org", "spdx.dev", "spdx.com", "spdx.info")); // Allowed host names for the SPDX listed licenses
 
 	/**
 	 * @throws InvalidSPDXAnalysisException
@@ -49,11 +55,23 @@ private InputStream getUrlInputStream(URL url) throws IOException {
 			(status == HttpURLConnection.HTTP_MOVED_TEMP || status == HttpURLConnection.HTTP_MOVED_PERM
 						|| status == HttpURLConnection.HTTP_SEE_OTHER)) {
 				// redirect
-			String redirectUrl = connection.getHeaderField("Location");
-			if (Objects.isNull(redirectUrl) || redirectUrl.isEmpty()) {
-				throw new IOException("Invalid redirect URL response");
+			String redirectUrlStr = connection.getHeaderField("Location");
+			if (Objects.isNull(redirectUrlStr) || redirectUrlStr.isEmpty()) {
+				throw new IOException("Empty redirect URL response");
+			}
+			URL redirectUrl;
+			try {
+				redirectUrl = new URL(redirectUrlStr);
+			} catch(Exception ex) {
+				throw new IOException("Invalid redirect URL");
+			}
+			if (!redirectUrl.getProtocol().toLowerCase().startsWith("http")) {
+				throw new IOException("Invalid redirect protocol");
+			}
+			if (!WHITE_LIST.contains(redirectUrl.getHost())) {
+				throw new IOException("Invalid redirect host - not on the allowed 'white list'");
 			}
-			connection = (HttpURLConnection)new URL(redirectUrl).openConnection();
+			connection = (HttpURLConnection)redirectUrl.openConnection();
 		}
 		return connection.getInputStream();
 	}