Suggested pom.xml updates and XmlEsapiPropertyLoader.java improvements (#612)

Close issue #614 

Pom changes:
* Upgrade a few libraries, add some used but undeclared libraries,
and delete a bunch of declared/unused libraries.

* Upgrade a bunch of the plugins.

* Suggested updates to XmlEsapiPropertyLoader.java to eliminate insider XXE risk,
and other minor suggested cleanup.

* A few more tweaks to use autoclosables to ensure streams get closed.

* Remove debug lines.

Author: davewichers

pom.xml

@@ -132,16 +132,12 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <version.jmh>1.23</version.jmh>
+        <version.jmh>1.28</version.jmh>
+        <!-- Note: powermock v2.0.8 doesn't exist. v2.0.9+ requires mockito-core v3+, which requires Java 8 -->
         <version.powermock>2.0.7</version.powermock>
-        <version.spotbugs>4.2.0</version.spotbugs>
-
-        <!-- Upgrading to 3.0.0-M3+ causes this test case error:
-                org.owasp.esapi.reference.DefaultValidatorInputStringAPITest.getValidInputNullAllowedPassthrough  Time elapsed: 2.057 s  <<< ERROR!
-                java.lang.OutOfMemoryError: PermGen space
-             when running tests with Java 7 on Mac OS X. No problems observed on Linux.
-        -->
-        <version.surefire>3.0.0-M2</version.surefire>
+        <version.spotbugs>4.2.2</version.spotbugs>
+        <version.spotbugs.maven>4.2.2</version.spotbugs.maven>
+        <version.surefire>3.0.0-M5</version.surefire>
     </properties>
 
     <dependencies>
@@ -235,8 +231,8 @@
         </dependency>
         <dependency>
             <groupId>org.apache-extras.beanshell</groupId>
-                <artifactId>bsh</artifactId>
-                <version>2.0b6</version>
+            <artifactId>bsh</artifactId>
+            <version>2.0b6</version>
         </dependency>
         <dependency>
             <groupId>org.owasp.antisamy</groupId>
@@ -248,68 +244,38 @@
             <artifactId>slf4j-api</artifactId>
             <version>1.7.30</version>
         </dependency>
-
-        <!--
-             FORCE SPECIFIC VERSIONS OF TRANSITIVE DEPENDENCIES EXCLUDED ABOVE.
-             This is to force patched versions of these libraries with known CVEs against them.
-        -->
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <!-- Note: commons-io:2.7+ require Java 8, so can't upgrade past 2.6 -->
-            <version>2.6</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.xmlgraphics</groupId>
-            <artifactId>batik-css</artifactId>
-            <version>1.14</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>commons-io</groupId>
-                    <artifactId>commons-io</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>commons-logging</groupId>
-                    <artifactId>commons-logging</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>xalan</groupId>
-            <artifactId>xalan</artifactId>
-            <version>2.7.2</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>xml-apis</groupId>
-                    <artifactId>xml-apis</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
         <dependency>
             <groupId>xml-apis</groupId>
             <artifactId>xml-apis</artifactId>
             <version>1.4.01</version>
         </dependency>
 
+        <!--
+             FORCE SPECIFIC VERSIONS OF TRANSITIVE DEPENDENCIES EXCLUDED ABOVE.
+             This is to force patched versions of these libraries with known CVEs against them.
+        -->
+
+        <!-- No forced upgrades required currently -->
+
         <!-- SpotBugs dependencies -->
         <dependency>
             <groupId>com.github.spotbugs</groupId>
             <artifactId>spotbugs-annotations</artifactId>
             <version>${version.spotbugs}</version>
             <optional>true</optional>
         </dependency>
-        <dependency>
-            <groupId>net.jcip</groupId>
-            <artifactId>jcip-annotations</artifactId>
-            <version>1.0</version>
-            <optional>true</optional>
-        </dependency>
 
         <!-- Dependencies which are ONLY used for JUnit tests -->
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+            <version>1.15</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.13.1</version>
+            <version>4.13.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -318,6 +284,12 @@
             <version>1.68</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-core</artifactId>
+            <version>1.3</version>
+            <scope>test</scope>
+        </dependency>
         <!-- https://mvnrepository.com/artifact/org.powermock/powermock-api-mockito -->
         <dependency>
             <groupId>org.powermock</groupId>
@@ -351,6 +323,19 @@
             <version>2.28.2</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.powermock</groupId>
+            <artifactId>powermock-core</artifactId>
+            <version>${version.powermock}</version>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                  <!-- We exclude this here, because we import the version we need above, and this imports a newer version. -->
+                  <groupId>org.javassist</groupId>
+                  <artifactId>javassist</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.powermock</groupId>
             <artifactId>powermock-module-junit4</artifactId>
@@ -389,12 +374,6 @@
             <version>${version.jmh}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.openjdk.jmh</groupId>
-            <artifactId>jmh-generator-annprocess</artifactId>
-            <version>${version.jmh}</version>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <build>
@@ -419,6 +398,21 @@
         </pluginManagement>
 
         <plugins>
+            <plugin>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-maven-plugin</artifactId>
+                <version>${version.spotbugs.maven}</version>
+                <dependencies>
+                  <!-- Overwrite dependency on SpotBugs if you want to specify the version of SpotBugs.
+                       SpotBugs itself is frequently several versions ahead of the spotbugs-maven-plugin -->
+                  <dependency>
+                    <groupId>com.github.spotbugs</groupId>
+                    <artifactId>spotbugs</artifactId>
+                    <version>${version.spotbugs}</version>
+                  </dependency>
+                </dependencies>
+            </plugin>
+
             <plugin>
                 <groupId>net.sourceforge.maven-taglib</groupId>
                 <artifactId>maven-taglib-plugin</artifactId>
@@ -622,19 +616,19 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-pmd-plugin</artifactId>
-                <version>3.13.0</version>
+                <version>3.14.0</version>
             </plugin>
 
             <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
-               <version>3.1.0</version>
+               <version>3.1.1</version>
             </plugin>
 
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-resources-plugin</artifactId>
-                <version>3.1.0</version>
+                <version>3.2.0</version>
             </plugin>
 
             <plugin>
@@ -689,7 +683,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.7</version>
+                <version>2.8.1</version>
             </plugin>
 
             <plugin>
@@ -701,7 +695,7 @@
             <plugin>
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
-                <version>5.3.2</version>
+                <version>6.1.3</version>
                 <configuration>
                     <failBuildOnCVSS>5.0</failBuildOnCVSS>
                     <suppressionFiles>./suppressions.xml</suppressionFiles>
@@ -829,7 +823,6 @@
               <plugin>
                 <groupId>com.github.spotbugs</groupId>
                 <artifactId>spotbugs-maven-plugin</artifactId>
-                <version>${version.spotbugs}</version>
                 <configuration>
                     <plugins>
                         <plugin>

src/main/java/org/owasp/esapi/configuration/XmlEsapiPropertyLoader.java

@@ -6,10 +6,12 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
 
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
@@ -99,12 +101,14 @@ public String getStringProp(String propertyName) throws ConfigurationException {
     /**
      * Methods loads configuration from .xml file. 
      * @param file
+     * @throws ConfigurationException if there is a problem loading the specified configuration file.
      */
     protected void loadPropertiesFromFile(File file) throws ConfigurationException {
-        try {
-            validateAgainstXSD(new FileInputStream(file));
+        try ( InputStream configFile = new FileInputStream(file); ) {
+            validateAgainstXSD(configFile);
 
-            DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance("org.apache.xerces.jaxp.DocumentBuilderFactoryImpl", null);
+            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
             Document doc = dBuilder.parse(file);
             doc.getDocumentElement().normalize();
@@ -119,19 +123,20 @@ protected void loadPropertiesFromFile(File file) throws ConfigurationException {
                     properties.put(propertyKey, propertyValue);
                 }
             }
-        } catch (Exception e) {
-            logSpecial("XML config file " + filename + " has invalid schema", e);
-            throw new ConfigurationException("Configuration file : " + filename + " has invalid schema." + e.getMessage(), e);
+        } catch (IOException | SAXException | ParserConfigurationException e) {
+            logSpecial("XML config file " + filename + " doesn't exist or has invalid schema", e);
+            throw new ConfigurationException("Configuration file : " + filename + " has invalid schema."
+                  + e.getMessage(), e);
         }
     }
 
-    private void validateAgainstXSD(InputStream xml) throws Exception {
-        InputStream xsd = getClass().getResourceAsStream("/ESAPI-properties.xsd");
-        SchemaFactory factory =
-                SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-        Schema schema = factory.newSchema(new StreamSource(xsd));
-        Validator validator = schema.newValidator();
-        validator.validate(new StreamSource(xml));
+    private void validateAgainstXSD(InputStream xml) throws IOException, SAXException {
+        try ( InputStream xsd = getClass().getResourceAsStream("/ESAPI-properties.xsd"); ) {
+            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+	        Schema schema = factory.newSchema(new StreamSource(xsd));
+	        Validator validator = schema.newValidator();
+	        validator.validate(new StreamSource(xml));
+        }
     }
 
 }