bump ver and support java 8

Author: nahsra

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>io.github.pixee</groupId>
     <artifactId>java-security-toolkit</artifactId>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
 
     <name>java-security-toolkit</name>
     <description>a library with common security controls</description>
@@ -163,8 +163,8 @@
                     <artifactId>maven-compiler-plugin</artifactId>
                     <version>${versions.maven-compiler-plugin}</version>
                     <configuration>
-                        <source>11</source>
-                        <target>11</target>
+                        <source>8</source>
+                        <target>8</target>
                     </configuration>
                 </plugin>
                 <plugin>

src/main/java/io/github/pixee/security/ObjectInputFilters.java

@@ -43,7 +43,7 @@ public static ObjectInputFilter getHardenedObjectFilter() {
    * @param ois the reader to secure
    */
   public static void enableObjectFilterIfUnprotected(final ObjectInputStream ois) {
-    var objectInputFilter = ois.getObjectInputFilter();
+    ObjectInputFilter objectInputFilter = ois.getObjectInputFilter();
     if (objectInputFilter == null) {
       try {
         ois.setObjectInputFilter(basicGadgetDenylistFilter);

src/main/java/io/github/pixee/security/SystemCommand.java

@@ -366,11 +366,11 @@ enum CommandParsingContext {
   }
 
   private static int findCommandSeparator(final String command) {
-    var context = new LinkedList<CommandParsingContext>();
-    var i = 0;
+    LinkedList<CommandParsingContext> context = new LinkedList<>();
+    int i = 0;
     context.push(CommandParsingContext.DEFAULT);
     while (i < command.length()) {
-      var currentContext = context.peek();
+      CommandParsingContext currentContext = context.peek();
       switch (currentContext) {
         case DOUBLE_QUOTE:
           i = eatUntilNextDoubleQuote(command, i);

src/test/java/io/github/pixee/security/DocumentBuilderFactorySecurityTest.java

@@ -10,29 +10,30 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.apache.commons.io.FileUtils;
 import org.junit.jupiter.api.Test;
+import org.w3c.dom.Document;
 
 final class DocumentBuilderFactorySecurityTest {
 
   @Test
   void xxe_works_in_dbf() throws Exception {
-    var exploit = generateExploit();
-    var factory = DocumentBuilderFactory.newInstance();
+    String exploit = generateExploit();
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     String secretText = getSecretText(factory, exploit);
     assertThat("s3cr3t", equalTo(secretText)); // string is empty instead of secret!
   }
 
   @Test
   void it_prevents_xxe_in_dbf() throws Exception {
-    var exploit = generateExploit();
-    var factory =
+    String exploit = generateExploit();
+    DocumentBuilderFactory factory =
         DocumentBuilderFactorySecurity.hardenDocumentBuilderFactory(
             DocumentBuilderFactory.newInstance(), false, false);
     String secretText = getSecretText(factory, exploit);
     assertThat("", equalTo(secretText)); // string is empty instead of secret!
   }
 
   private String generateExploit() throws IOException {
-    var exploit =
+    String exploit =
         FileUtils.readFileToString(new File("src/test/resources/xxe.xml"), StandardCharsets.UTF_8);
     exploit =
         exploit.replace("$PATH$", new File("src/test/resources/secret.txt").getAbsolutePath());
@@ -43,7 +44,7 @@ private String getSecretText(final DocumentBuilderFactory factory, final String
       throws Exception {
     ByteArrayInputStream exploitStream =
         new ByteArrayInputStream(exploit.getBytes(StandardCharsets.UTF_8));
-    var doc = factory.newDocumentBuilder().parse(exploitStream);
+    Document doc = factory.newDocumentBuilder().parse(exploitStream);
     return doc.getDocumentElement().getTextContent();
   }
 }

src/test/java/io/github/pixee/security/ObjectInputFiltersTest.java

@@ -19,7 +19,7 @@ final class ObjectInputFiltersTest {
 
   @BeforeAll
   static void setup() throws IOException {
-    var baos = new ByteArrayOutputStream();
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
     gadget =
         new DiskFileItem(
             "fieldName",
@@ -29,21 +29,21 @@ static void setup() throws IOException {
             100,
             Files.createTempDirectory("adi").toFile());
     gadget.getOutputStream(); // needed to make the object serializable
-    var oos = new ObjectOutputStream(baos);
+    ObjectOutputStream oos = new ObjectOutputStream(baos);
     oos.writeObject(gadget);
     serializedGadget = baos.toByteArray();
   }
 
   @Test
   void default_is_unprotected() throws Exception {
-    var ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
     Object o = ois.readObject();
     assertThat(o, instanceOf(DiskFileItem.class));
   }
 
   @Test
   void validating_ois_works() throws Exception {
-    var ois =
+    ObjectInputStream ois =
         ObjectInputFilters.createSafeObjectInputStream(new ByteArrayInputStream(serializedGadget));
     assertThrows(
         InvalidClassException.class,
@@ -55,7 +55,7 @@ void validating_ois_works() throws Exception {
 
   @Test
   void ois_harden_works() throws Exception {
-    var ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
     ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
     assertThrows(
         InvalidClassException.class,
@@ -84,7 +84,7 @@ void objectinputfilter_works_when_none_present() throws Exception {
    */
   @Test
   void objectinputfilter_works_and_honors_existing() throws Exception {
-    var filter =
+    ObjectInputFilter filter =
         ObjectInputFilter.Config.createFilter(
             "!" + BadType.class.getName() + ";" + GoodType.class.getName());
     {
@@ -102,7 +102,7 @@ void objectinputfilter_works_and_honors_existing() throws Exception {
     // make sure we still reject the bad type
     {
       byte[] serializedBadType = serialize(new BadType());
-      var ois = new ObjectInputStream(new ByteArrayInputStream(serializedBadType));
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedBadType));
       ois.setObjectInputFilter(
           ObjectInputFilters.createCombinedHardenedObjectFilter(filter)); // this is our weave
 
@@ -117,7 +117,7 @@ void objectinputfilter_works_and_honors_existing() throws Exception {
     // make we still allow the good type
     {
       byte[] serializedGoodType = serialize(new GoodType());
-      var ois = new ObjectInputStream(new ByteArrayInputStream(serializedGoodType));
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGoodType));
       ois.setObjectInputFilter(ObjectInputFilters.createCombinedHardenedObjectFilter(filter));
       GoodType goodType = (GoodType) ois.readObject();
       assertThat(goodType, is(notNullValue()));
@@ -148,7 +148,7 @@ void the_filter_works_as_expected() {
   }
 
   byte[] serialize(Serializable s) throws IOException {
-    var stream = new ByteArrayOutputStream();
+    ByteArrayOutputStream stream = new ByteArrayOutputStream();
     new ObjectOutputStream(stream).writeObject(s);
     return stream.toByteArray();
   }

src/test/java/io/github/pixee/security/XMLInputFactorySecurityTest.java

@@ -13,23 +13,24 @@
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
 import org.apache.commons.io.FileUtils;
 import org.junit.jupiter.api.Test;
 
 final class XMLInputFactorySecurityTest {
 
   @Test
   void xxe_works_in_xmlinputfactory() throws IOException, XMLStreamException {
-    var exploit = generateExploit();
-    var factory = XMLInputFactory.newFactory();
+    String exploit = generateExploit();
+    XMLInputFactory factory = XMLInputFactory.newFactory();
     String secretText = getSecretText(factory, exploit);
     assertThat("s3cr3t", equalTo(secretText));
   }
 
   @Test
   void it_prevents_xxe_in_xmlinputfactory() throws IOException, XMLStreamException {
-    var exploit = generateExploit();
-    var factory = XMLInputFactorySecurity.hardenFactory(XMLInputFactory.newFactory());
+    String exploit = generateExploit();
+    XMLInputFactory factory = XMLInputFactorySecurity.hardenFactory(XMLInputFactory.newFactory());
     String secretText = getSecretText(factory, exploit);
     assertThat("", equalTo(secretText)); // string is empty instead of secret!
   }
@@ -43,8 +44,8 @@ void it_fails_when_invalid_restrictions() {
 
   @Test
   void it_prevents_xxe_in_xmlinputfactory_doctype_only_restriction() throws IOException {
-    var exploit = generateExploit();
-    var factory =
+    String exploit = generateExploit();
+    XMLInputFactory factory =
         XMLInputFactorySecurity.hardenFactory(
             XMLInputFactory.newFactory(), Set.of(XMLRestrictions.DISALLOW_DOCTYPE));
     assertThrows(XMLStreamException.class, () -> getSecretText(factory, exploit));
@@ -53,16 +54,16 @@ void it_prevents_xxe_in_xmlinputfactory_doctype_only_restriction() throws IOExce
   @Test
   void it_prevents_xxe_in_xmlinputfactory_external_entity_only_restriction()
       throws IOException, XMLStreamException {
-    var exploit = generateExploit();
-    var factory =
+    String exploit = generateExploit();
+    XMLInputFactory factory =
         XMLInputFactorySecurity.hardenFactory(
             XMLInputFactory.newFactory(), Set.of(XMLRestrictions.DISALLOW_EXTERNAL_ENTITIES));
     String secretText = getSecretText(factory, exploit);
     assertThat("", equalTo(secretText)); // string is empty instead of secret!
   }
 
   private String generateExploit() throws IOException {
-    var exploit =
+    String exploit =
         FileUtils.readFileToString(new File("src/test/resources/xxe.xml"), StandardCharsets.UTF_8);
     exploit =
         exploit.replace("$PATH$", new File("src/test/resources/secret.txt").getAbsolutePath());
@@ -71,15 +72,15 @@ private String generateExploit() throws IOException {
 
   private String getSecretText(final XMLInputFactory factory, final String exploit)
       throws XMLStreamException {
-    var xmlEventReader = factory.createXMLEventReader(new StringReader(exploit));
+    XMLEventReader xmlEventReader = factory.createXMLEventReader(new StringReader(exploit));
     eatEventsUntil(xmlEventReader, StartElement.class);
     return xmlEventReader.getElementText();
   }
 
   private <T> void eatEventsUntil(XMLEventReader xmlEventReader, Class<T> type)
       throws XMLStreamException {
     while (xmlEventReader.hasNext()) {
-      var xmlEvent = xmlEventReader.nextEvent();
+      XMLEvent xmlEvent = xmlEventReader.nextEvent();
       if (type.isAssignableFrom((xmlEvent.getClass()))) {
         return;
       }

src/test/java/io/github/pixee/security/ZipSecurityTest.java

@@ -10,6 +10,7 @@
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
 import java.util.zip.ZipOutputStream;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -19,47 +20,48 @@ final class ZipSecurityTest {
 
   @Test
   void it_doesnt_prevent_normal_zip_file_reads() throws IOException {
-    var entry = new ZipEntry("normal.txt");
-    var is = createZipFrom(entry);
+    ZipEntry entry = new ZipEntry("normal.txt");
+    InputStream is = createZipFrom(entry);
 
-    var hardenedStream = ZipSecurity.createHardenedInputStream(is, StandardCharsets.UTF_8);
-    var retrievedEntry = hardenedStream.getNextEntry();
+    ZipInputStream hardenedStream =
+        ZipSecurity.createHardenedInputStream(is, StandardCharsets.UTF_8);
+    ZipEntry retrievedEntry = hardenedStream.getNextEntry();
     assertThat(retrievedEntry.getName(), equalTo("normal.txt"));
   }
 
   @ParameterizedTest
   @ValueSource(strings = {"dir1/dir2/../normal.txt", "dir1/../normal.txt"})
   void it_doesnt_prevent_normal_zip_files_with_safe_escapes(String path) throws IOException {
-    var entry = new ZipEntry(path);
-    var is = createZipFrom(entry);
+    ZipEntry entry = new ZipEntry(path);
+    InputStream is = createZipFrom(entry);
 
-    var hardenedStream = ZipSecurity.createHardenedInputStream(is);
-    var retrievedEntry = hardenedStream.getNextEntry();
+    ZipInputStream hardenedStream = ZipSecurity.createHardenedInputStream(is);
+    ZipEntry retrievedEntry = hardenedStream.getNextEntry();
     assertThat(retrievedEntry.getName(), equalTo(path));
   }
 
   @ParameterizedTest
   @ValueSource(strings = {"../etc/whatever", "/foo/bar/../../../proc/whatever"})
   void it_prevents_escapes(String path) throws IOException {
-    var entry = new ZipEntry(path);
-    var is = createZipFrom(entry);
+    ZipEntry entry = new ZipEntry(path);
+    InputStream is = createZipFrom(entry);
 
-    var hardenedStream = ZipSecurity.createHardenedInputStream(is);
+    ZipInputStream hardenedStream = ZipSecurity.createHardenedInputStream(is);
     assertThrows(SecurityException.class, hardenedStream::getNextEntry);
   }
 
   @Test
   void it_prevents_absolute_paths_in_zip_entries() throws IOException {
-    var entry = new ZipEntry("/foo.txt");
-    var is = createZipFrom(entry);
+    ZipEntry entry = new ZipEntry("/foo.txt");
+    InputStream is = createZipFrom(entry);
 
-    var hardenedStream = ZipSecurity.createHardenedInputStream(is);
+    ZipInputStream hardenedStream = ZipSecurity.createHardenedInputStream(is);
     assertThrows(SecurityException.class, hardenedStream::getNextEntry);
   }
 
   private InputStream createZipFrom(final ZipEntry entry) throws IOException {
-    var os = new ByteArrayOutputStream();
-    var zos = new ZipOutputStream(os);
+    ByteArrayOutputStream os = new ByteArrayOutputStream();
+    ZipOutputStream zos = new ZipOutputStream(os);
     zos.putNextEntry(entry);
     zos.closeEntry();
     zos.close();