introduced animal sniffer and took away java 8 deps

Author: nahsra

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>io.github.pixee</groupId>
     <artifactId>java-security-toolkit</artifactId>
-    <version>1.0.4</version>
+    <version>1.0.5</version>
 
     <name>java-security-toolkit</name>
     <description>a library with common security controls</description>
@@ -90,14 +90,19 @@
             <artifactId>commons-collections4</artifactId>
             <version>4.4</version>
         </dependency>
+        <dependency>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>animal-sniffer-annotations</artifactId>
+            <version>1.23</version>
+            <optional>true</optional>
+        </dependency>
         <!-- needed for testing deserialization protection -->
         <dependency>
             <groupId>commons-fileupload</groupId>
             <artifactId>commons-fileupload</artifactId>
             <version>1.5</version>
             <scope>test</scope>
         </dependency>
-
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-api</artifactId>
@@ -167,6 +172,27 @@
                         <target>8</target>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.codehaus.mojo</groupId>
+                    <artifactId>animal-sniffer-maven-plugin</artifactId>
+                    <version>1.23</version>
+                    <configuration>
+                        <signature>
+                            <groupId>org.codehaus.mojo.signature</groupId>
+                            <artifactId>java18</artifactId>
+                            <version>1.0</version>
+                        </signature>
+                    </configuration>
+                    <executions>
+                        <execution>
+                            <id>animal-sniffer</id>
+                            <phase>test</phase>
+                            <goals>
+                                <goal>check</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                </plugin>
                 <plugin>
                     <groupId>org.jacoco</groupId>
                     <artifactId>jacoco-maven-plugin</artifactId>
@@ -256,6 +282,10 @@
             <plugin>
                 <artifactId>maven-compiler-plugin</artifactId>
             </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>animal-sniffer-maven-plugin</artifactId>
+            </plugin>
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>

src/main/java/io/github/pixee/security/DocumentBuilderFactorySecurity.java

@@ -1,5 +1,7 @@
 package io.github.pixee.security;
 
+import static io.github.pixee.security.J8ApiBridge.listOf;
+
 import java.util.List;
 import javax.xml.parsers.DocumentBuilderFactory;
 
@@ -47,7 +49,7 @@ public static DocumentBuilderFactory hardenDocumentBuilderFactory(
   }
 
   private static final List<String> externalEntityFeatures =
-      List.of(
+      listOf(
           "http://apache.org/xml/features/disallow-doctype-decl",
           "http://apache.org/xml/features/disallow-doctype-decl",
           "http://apache.org/xml/features/nonvalidating/load-external-dtd",

src/main/java/io/github/pixee/security/Filenames.java

@@ -42,7 +42,7 @@ private Filenames() {}
    *     File Upload</a>
    */
   public static String toSimpleFileName(final String fileName) {
-    if (fileName == null || fileName.isBlank()) {
+    if (fileName == null || "".equals(fileName.trim())) {
       // this file name may cause issues with the apis they'll be used in but we can't help so don't
       // try
       return fileName;

src/main/java/io/github/pixee/security/HostValidator.java

@@ -1,5 +1,7 @@
 package io.github.pixee.security;
 
+import static io.github.pixee.security.J8ApiBridge.setOf;
+
 import java.net.URL;
 import java.util.Set;
 import java.util.regex.Pattern;
@@ -33,7 +35,7 @@ public boolean isAllowed(final String host) {
         }
 
         private final Set<String> knownInfrastructureTargets =
-            Set.of("192.168.1.1", "3232235777", "169.254.169.254", "2852039166");
+            setOf("192.168.1.1", "3232235777", "169.254.169.254", "2852039166");
       };
 
   /**

src/main/java/io/github/pixee/security/J8ApiBridge.java

@@ -0,0 +1,18 @@
+package io.github.pixee.security;
+
+import java.util.*;
+
+final class J8ApiBridge {
+
+  private J8ApiBridge() {}
+
+  /** A replacement API for Set.of(), which doesn't exist in Java 8, which we target. */
+  static <T> Set<T> setOf(final T... t) {
+    return Collections.unmodifiableSet(new HashSet<>(Arrays.asList(t)));
+  }
+
+  /** A replacement API for List.of(), which doesn't exist in Java 8, which we target. */
+  static <T> List<T> listOf(final T... t) {
+    return Collections.unmodifiableList(new ArrayList<>(Arrays.asList(t)));
+  }
+}

src/main/java/io/github/pixee/security/ObjectInputFilters.java

@@ -6,6 +6,7 @@
 import java.io.ObjectInputStream;
 import java.util.Objects;
 import org.apache.commons.io.serialization.ValidatingObjectInputStream;
+import org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement;
 
 /**
  * This type exposes helper methods that will help defend against Java deserialization attacks.
@@ -14,6 +15,7 @@
  * href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">OWASP
  * Cheat Sheet</a>.
  */
+@IgnoreJRERequirement
 public final class ObjectInputFilters {
 
   private ObjectInputFilters() {}
@@ -78,6 +80,7 @@ public static ObjectInputFilter createCombinedHardenedObjectFilter(
     return new CombinedObjectInputFilter(existingFilter);
   }
 
+  @IgnoreJRERequirement
   private static class CombinedObjectInputFilter implements ObjectInputFilter {
     private final ObjectInputFilter originalFilter;
 

src/main/java/io/github/pixee/security/Reflection.java

@@ -1,5 +1,7 @@
 package io.github.pixee.security;
 
+import static io.github.pixee.security.J8ApiBridge.setOf;
+
 import java.lang.reflect.Modifier;
 import java.util.Set;
 
@@ -12,7 +14,7 @@ public final class Reflection {
   private Reflection() {}
 
   private static final Set<ReflectionRestrictions> defaultRestrictions =
-      Set.of(ReflectionRestrictions.MUST_NOT_INVOLVE_CODE_EXECUTION);
+      setOf(ReflectionRestrictions.MUST_NOT_INVOLVE_CODE_EXECUTION);
 
   /**
    * Provide the default restrictions for loading a type that will work for the vast majority of
@@ -99,14 +101,14 @@ public static Class<?> loadAndVerify(
   }
 
   private static final Set<Class<?>> codeLoadingTypes =
-      Set.of(
+      setOf(
           java.lang.Runtime.class,
           java.lang.ProcessBuilder.class,
           java.lang.Class.class,
           java.lang.ClassLoader.class);
 
   private static final Set<String> codeLoadingPackages =
-      Set.of(
+      setOf(
           "java.lang.invoke.",
           "org.apache.commons.collections.functors.",
           "bsh.",

src/main/java/io/github/pixee/security/SystemCommand.java

@@ -1,5 +1,8 @@
 package io.github.pixee.security;
 
+import static io.github.pixee.security.J8ApiBridge.listOf;
+import static io.github.pixee.security.J8ApiBridge.setOf;
+
 import java.io.File;
 import java.io.IOException;
 import java.util.LinkedList;
@@ -17,7 +20,7 @@ private SystemCommand() {}
    * @return a set of restrictions suitable for general use
    */
   public static Set<SystemCommandRestrictions> defaultRestrictions() {
-    return Set.of(
+    return setOf(
         SystemCommandRestrictions.PREVENT_COMMAND_CHAINING,
         SystemCommandRestrictions.PREVENT_ARGUMENTS_TARGETING_SENSITIVE_FILES);
   }
@@ -453,10 +456,10 @@ private static boolean isShell(final String commandToken) {
     return SHELL_FILE_NAMES.contains(commandFile.getName());
   }
 
-  private static final List<String> SHELL_FILE_NAMES = List.of("bash", "sh", "zsh", "csh", "tcsh");
+  private static final List<String> SHELL_FILE_NAMES = listOf("bash", "sh", "zsh", "csh", "tcsh");
 
   private static final List<String> BANNED_EXECUTABLES =
-      List.of(
+      listOf(
           // reverse shells, exfiltration, downloading malware
           "nc",
           "curl",
@@ -466,7 +469,7 @@ private static boolean isShell(final String commandToken) {
           "rpm");
 
   private static final List<String> SENSITIVE_FILE_NAMES =
-      List.of(
+      listOf(
           "/etc/passwd",
           "/etc/shadow",
           "/etc/group",

src/main/java/io/github/pixee/security/UnwantedTypes.java

@@ -1,5 +1,7 @@
 package io.github.pixee.security;
 
+import static io.github.pixee.security.J8ApiBridge.listOf;
+
 import java.util.List;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -64,7 +66,7 @@ public static boolean isUnwanted(final String className) {
 
   /** A list of types known to be involved in deserialization and remote code execution attacks. */
   private static final List<String> gadgets =
-      List.of(
+      listOf(
           " org.apache.commons.beanutils.BeanComparator".substring(1),
           " org.apache.commons.collections.functors.ChainedTransformer".substring(1),
           " org.apache.commons.collections.functors.ConstantTransformer".substring(1),
@@ -128,7 +130,7 @@ public static boolean isUnwanted(final String className) {
    * remote code execution attacks.
    */
   private static final List<String> gadgetPrefixes =
-      List.of(
+      listOf(
           "com.sun.rowset.JdbcRowSetImpl$",
           "java.rmi.registry.Registry$",
           "java.rmi.server.ObjID$",

src/main/java/io/github/pixee/security/Urls.java

@@ -1,5 +1,7 @@
 package io.github.pixee.security;
 
+import static io.github.pixee.security.J8ApiBridge.setOf;
+
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLStreamHandler;
@@ -17,7 +19,7 @@ public final class Urls {
    * This is a convenience {@link Set} provided for most people who probably only want to allow
    * HTTP-based protocols.
    */
-  public static Set<UrlProtocol> HTTP_PROTOCOLS = Set.of(UrlProtocol.HTTPS, UrlProtocol.HTTP);
+  public static Set<UrlProtocol> HTTP_PROTOCOLS = setOf(UrlProtocol.HTTPS, UrlProtocol.HTTP);
 
   public static URL create(
       final String url, final Set<UrlProtocol> allowedProtocols, final HostValidator validator)