fix: prevent rogue base suppression files

Author: jeremylong

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -26,6 +26,7 @@
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
@@ -188,23 +189,43 @@ private void loadSuppressionBaseData(final Engine engine) throws SuppressionPars
     }
 
     /**
-     * Loads all the base suppression rules packaged with the application.
+     * Loads the base suppression rules packaged with the application.
      *
      * @param parser The suppression parser to use
      * @param engine a reference the dependency-check engine
      * @throws SuppressionParseException thrown if the XML cannot be parsed.
      */
     private void loadPackagedSuppressionBaseData(final SuppressionParser parser, final Engine engine) throws SuppressionParseException {
-        final List<SuppressionRule> ruleList;
-        try (InputStream in = FileUtils.getResourceAsStream(BASE_SUPPRESSION_FILE)) {
-            if (in == null) {
-                throw new SuppressionParseException("Suppression rules `" + BASE_SUPPRESSION_FILE + "` could not be found");
+        List<SuppressionRule> ruleList = null;
+        Iterator<URL> urls = null;
+        try {
+            urls = FileUtils.getResources(BASE_SUPPRESSION_FILE);
+        } catch (IOException e) {
+            LOGGER.warn("Base suppression rules `{}}` could not be loaded; {}", BASE_SUPPRESSION_FILE, e.getMessage());
+            return;
+        }
+        URL loc = AbstractSuppressionAnalyzer.class.getProtectionDomain().getCodeSource().getLocation();
+        String jarPath = loc.getFile();
+        URL validUrl = null;
+        while (urls.hasNext()) {
+            URL url = urls.next();
+            String path = url.toString();
+            if (path.equals("jar:" + jarPath + "!/dependencycheck-base-suppression.xml")) {
+                validUrl = url;
+                break;
             }
-            ruleList = parser.parseSuppressionRules(in);
-        } catch (SAXException | IOException ex) {
-            throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
         }
-        if (!ruleList.isEmpty()) {
+        if (validUrl != null) {
+            try (InputStream in = validUrl.openStream()) {
+                if (in == null) {
+                    throw new SuppressionParseException("Suppression rules `" + BASE_SUPPRESSION_FILE + "` could not be found");
+                }
+                ruleList = parser.parseSuppressionRules(in);
+            } catch (SAXException | IOException ex) {
+                throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
+            }
+        }
+        if (ruleList != null && !ruleList.isEmpty()) {
             if (engine.hasObject(SUPPRESSION_OBJECT_KEY)) {
                 @SuppressWarnings("unchecked")
                 final List<SuppressionRule> rules = (List<SuppressionRule>) engine.getObject(SUPPRESSION_OBJECT_KEY);

utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java

@@ -27,6 +27,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Comparator;
+import java.util.Iterator;
 import java.util.UUID;
 import java.util.stream.Stream;
 
@@ -173,6 +174,20 @@ public static InputStream getResourceAsStream(@NotNull String resource) throws F
         return inputStream;
     }
 
+
+    /** Gets the {@link java.util.Iterator<java.net.URL>} for this resource
+     *
+     * @param resource path
+     * @return iterator of each resource URL
+     * @throws IOException if I/O error occurs
+     */
+    public static Iterator<URL> getResources(@NotNull String resource) throws IOException {
+        final ClassLoader classLoader = FileUtils.class.getClassLoader();
+        return classLoader != null
+                ? classLoader.getResources(resource).asIterator()
+                : ClassLoader.getSystemResources(resource).asIterator();
+    }
+
     /**
      * Returns a File object for the given resource. The resource is attempted
      * to be loaded from the class loader.