Group 4 - software vulnerabilities resolution

jme3-android/src/main/java/com/jme3/app/state/MjpegFileWriter.java

@@ -31,7 +31,6 @@
  */
 package com.jme3.app.state;
 
-import android.graphics.Bitmap;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -43,19 +42,28 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.Cipher;
+import javax.crypto.CipherOutputStream;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+import android.graphics.Bitmap;
+
 /**
  * Released under BSD License
  * @author monceaux, normenhansen, entrusC
  */
 public class MjpegFileWriter {
     private static final Logger logger = Logger.getLogger(MjpegFileWriter.class.getName());
+    private static final String ENCRYPTION_ALGORITHM = "AES";
+    private static final byte[] KEY = "YourSecretKey123".getBytes();
 
     int width = 0;
     int height = 0;
     double framerate = 0;
     int numFrames = 0;
     File aviFile = null;
-    FileOutputStream aviOutput = null;
+    CipherOutputStream encryptedOutput = null;
     FileChannel aviChannel = null;
     long riffOffset = 0;
     long aviMovieOffset = 0;
@@ -71,18 +79,29 @@ public MjpegFileWriter(File aviFile, int width, int height, double framerate, in
         this.height = height;
         this.framerate = framerate;
         this.numFrames = numFrames;
-        aviOutput = new FileOutputStream(aviFile);
-        aviChannel = aviOutput.getChannel();
+
+        SecretKey secretKey = new SecretKeySpec(KEY, ENCRYPTION_ALGORITHM);
+        Cipher cipher = Cipher.getInstance(ENCRYPTION_ALGORITHM);
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
+
+        FileOutputStream fileOut = new FileOutputStream(aviFile) {
+            @Override
+            public FileChannel getChannel() {
+                return super.getChannel();
+            }
+        };
+        encryptedOutput = new CipherOutputStream(fileOut, cipher);
+        aviChannel = fileOut.getChannel();
 
         RIFFHeader rh = new RIFFHeader();
-        aviOutput.write(rh.toBytes());
-        aviOutput.write(new AVIMainHeader().toBytes());
-        aviOutput.write(new AVIStreamList().toBytes());
-        aviOutput.write(new AVIStreamHeader().toBytes());
-        aviOutput.write(new AVIStreamFormat().toBytes());
-        aviOutput.write(new AVIJunk().toBytes());
+        encryptedOutput.write(rh.toBytes());
+        encryptedOutput.write(new AVIMainHeader().toBytes());
+        encryptedOutput.write(new AVIStreamList().toBytes());
+        encryptedOutput.write(new AVIStreamHeader().toBytes());
+        encryptedOutput.write(new AVIStreamFormat().toBytes());
+        encryptedOutput.write(new AVIJunk().toBytes());
         aviMovieOffset = aviChannel.position();
-        aviOutput.write(new AVIMovieList().toBytes());
+        encryptedOutput.write(new AVIMovieList().toBytes());
         indexlist = new AVIIndexList();
     }
 
@@ -105,12 +124,12 @@ public void addImage(byte[] imagedata) throws Exception {
 
         indexlist.addAVIIndex((int) position, useLength);
 
-        aviOutput.write(fcc);
-        aviOutput.write(intBytes(swapInt(useLength)));
-        aviOutput.write(imagedata);
+        encryptedOutput.write(fcc);
+        encryptedOutput.write(intBytes(swapInt(useLength)));
+        encryptedOutput.write(imagedata);
         if (extra > 0) {
             for (int i = 0; i < extra; i++) {
-                aviOutput.write(0);
+                encryptedOutput.write(0);
             }
         }
 
@@ -120,8 +139,13 @@ public void addImage(byte[] imagedata) throws Exception {
     public void finishAVI() throws Exception {
         logger.log(Level.INFO, "finishAVI");
         byte[] indexlistBytes = indexlist.toBytes();
-        aviOutput.write(indexlistBytes);
-        aviOutput.close();
+        encryptedOutput.write(indexlistBytes);
+        encryptedOutput.close();
+
+        SecretKey secretKey = new SecretKeySpec(KEY, ENCRYPTION_ALGORITHM);
+        Cipher cipher = Cipher.getInstance(ENCRYPTION_ALGORITHM);
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
+
         int fileSize = (int)aviFile.length();
         logger.log(Level.INFO, "fileSize: {0}", fileSize);
         int listSize = (int) (fileSize - 8 - aviMovieOffset - indexlistBytes.length);
@@ -133,17 +157,19 @@ public void finishAVI() throws Exception {
         }
 
         RandomAccessFile raf = new RandomAccessFile(aviFile, "rw");
+        CipherOutputStream headerUpdate = new CipherOutputStream(new FileOutputStream(raf.getFD()), cipher);
 
         //add header and length by writing the headers again
         //with the now available information
-        raf.write(new RIFFHeader(fileSize).toBytes());
-        raf.write(new AVIMainHeader().toBytes());
-        raf.write(new AVIStreamList().toBytes());
-        raf.write(new AVIStreamHeader().toBytes());
-        raf.write(new AVIStreamFormat().toBytes());
-        raf.write(new AVIJunk().toBytes());
-        raf.write(new AVIMovieList(listSize).toBytes());
-
+        headerUpdate.write(new RIFFHeader(fileSize).toBytes());
+        headerUpdate.write(new AVIMainHeader().toBytes());
+        headerUpdate.write(new AVIStreamList().toBytes());
+        headerUpdate.write(new AVIStreamHeader().toBytes());
+        headerUpdate.write(new AVIStreamFormat().toBytes());
+        headerUpdate.write(new AVIJunk().toBytes());
+        headerUpdate.write(new AVIMovieList(listSize).toBytes());
+
+        headerUpdate.close();
         raf.close();
     }
 

jme3-android/src/main/java/com/jme3/input/android/AndroidInputHandler.java

@@ -179,15 +179,14 @@ protected boolean processTouchEvent(View view, MotionEvent event) {
     public boolean onTouch(View view, MotionEvent event) {
         return processTouchEvent(view, event);
     }
-
     protected boolean consumeEvent(KeyEvent event, Object touchInput, Object joyInput) {
         int source = event.getSource();
 
-        boolean isTouch = ((source & InputDevice.SOURCE_TOUCHSCREEN) == InputDevice.SOURCE_TOUCHSCREEN)
-                || ((source & InputDevice.SOURCE_KEYBOARD) == InputDevice.SOURCE_KEYBOARD);
+        boolean isTouch = ((source & InputDevice.SOURCE_TOUCHSCREEN) == InputDevice.SOURCE_TOUCHSCREEN) ||
+                ((source & InputDevice.SOURCE_KEYBOARD) == InputDevice.SOURCE_KEYBOARD);
 
-        boolean isJoystick = ((source & InputDevice.SOURCE_GAMEPAD) == InputDevice.SOURCE_GAMEPAD)
-                || ((source & InputDevice.SOURCE_JOYSTICK) == InputDevice.SOURCE_JOYSTICK);
+        boolean isJoystick = ((source & InputDevice.SOURCE_GAMEPAD) == InputDevice.SOURCE_GAMEPAD) ||
+                ((source & InputDevice.SOURCE_JOYSTICK) == InputDevice.SOURCE_JOYSTICK);
 
         boolean isUnknown = (source & InputDevice.SOURCE_UNKNOWN) == InputDevice.SOURCE_UNKNOWN;
 
@@ -201,7 +200,7 @@ protected boolean consumeEvent(KeyEvent event, Object touchInput, Object joyInpu
 
         // Check if joyInput should consume the event
         if (isJoystick && joyInput != null) {
-            consumed |= ((AndroidJoyInput14) joyInput).onKey(event);
+            consumed |= ((AndroidJoyInput14)joyInput).onKey(event);
         }
 
         return consumed;

jme3-core/src/main/java/com/jme3/renderer/opengl/GLRenderer.java

@@ -86,7 +86,7 @@ public final class GLRenderer implements Renderer {
 
     private static final Logger logger = Logger.getLogger(GLRenderer.class.getName());
     private static final boolean VALIDATE_SHADER = false;
-    private static final Pattern GLVERSION_PATTERN = Pattern.compile(".*?(\\d+)\\.(\\d+).*");
+    private static final Pattern GLVERSION_PATTERN = Pattern.compile("\\b(\\d+)\\.(\\d+)\\b");
 
     private final ByteBuffer nameBuf = BufferUtils.createByteBuffer(250);
     private final FloatBuffer floatBuf16 = BufferUtils.createFloatBuffer(16);

jme3-core/src/tools/java/jme3tools/shadercheck/GpuAnalyzerValidator.java

@@ -54,59 +54,73 @@ public String getInstalledVersion() {
         }
         return version;
     }
-    private static void executeAnalyzer(String sourceCode, String language, String defines, String asic, StringBuilder results){
+    private static void executeAnalyzer(String sourceCode, String language, String defines, String asic, StringBuilder results) {
         try {
-            // Export sourcecode to temporary file
-            File tempFile = File.createTempFile("test_shader", ".glsl");
-            FileWriter writer = new FileWriter(tempFile);
-
-            String glslVer = language.substring(4);
-            writer.append("#version ").append(glslVer).append('\n');
-            writer.append("#extension all : warn").append('\n');
-            writer.append(defines).append('\n');
-            writer.write(sourceCode);
-            writer.close();
-
-            ProcessBuilder pb = new ProcessBuilder("GPUShaderAnalyzer", 
-                                                   tempFile.getAbsolutePath(),
-                                                   "-I",
-                                                   "-ASIC", asic);
-
-            Process p = pb.start();
-
-            Scanner scan = new Scanner(p.getInputStream());
-
-            if (!scan.hasNextLine()){
-                String x = scan.next();
-                System.out.println(x);
+            // Export source code to a secure temporary file
+            File tempFile = File.createTempFile("test_shader", ".glsl", new File(System.getProperty("java.io.tmpdir")));
+
+            // Set secure file permissions and validate results
+            if (!tempFile.setReadable(false, false)) {
+                logger.log(Level.WARNING, "Failed to set temp file as non-readable for others: {0}", tempFile.getAbsolutePath());
             }
-
-            String ln = scan.nextLine();
-
-            if (ln.startsWith(";")){
-                results.append(" - Success!").append('\n');
-            }else{
-                results.append(" - Failure!").append('\n');
-                results.append(ln).append('\n');
-                while (scan.hasNextLine()){
-                    results.append(scan.nextLine()).append('\n');
-                }
+            if (!tempFile.setWritable(true, true)) {
+                logger.log(Level.WARNING, "Failed to set temp file as writable for the owner: {0}", tempFile.getAbsolutePath());
+            }
+            if (!tempFile.setExecutable(false, false)) {
+                logger.log(Level.WARNING, "Failed to disable execute permissions on temp file: {0}", tempFile.getAbsolutePath());
             }
 
-            scan.close();
+            try (FileWriter writer = new FileWriter(tempFile)) {
+                String glslVer = language.substring(4);
+                writer.append("#version ").append(glslVer).append('\n');
+                writer.append("#extension all : warn").append('\n');
+                writer.append(defines).append('\n');
+                writer.write(sourceCode);
+            }
+
+            ProcessBuilder pb = new ProcessBuilder("GPUShaderAnalyzer",
+                    tempFile.getAbsolutePath(),
+                    "-I",
+                    "-ASIC", asic);
+
+            Process p = pb.start();
+
+            try (Scanner scan = new Scanner(p.getInputStream())) {
+                if (!scan.hasNextLine()) {
+                    String x = scan.next();
+                    System.out.println(x);
+                }
+
+                String ln = scan.nextLine();
+
+                if (ln.startsWith(";")) {
+                    results.append(" - Success!").append('\n');
+                } else {
+                    results.append(" - Failure!").append('\n');
+                    results.append(ln).append('\n');
+                    while (scan.hasNextLine()) {
+                        results.append(scan.nextLine()).append('\n');
+                    }
+                }
+            }   
+
             p.getOutputStream().close();
             p.getErrorStream().close();
-            
+
             p.waitFor();
             p.destroy();
-
-            tempFile.delete();
+
+            // Delete the temporary file securely
+            if (!tempFile.delete()) {
+                logger.log(Level.WARNING, "Temporary file could not be deleted: {0}", tempFile.getAbsolutePath());
+            }
         } catch (InterruptedException ex) {
+            Thread.currentThread().interrupt(); // Restore the interrupted status
         } catch (IOException ex) {
-            logger.log(Level.SEVERE, "IOEx", ex);
+            logger.log(Level.SEVERE, "IOException occurred", ex);
         }
     }
-    
+
     @Override
     public void validate(Shader shader, StringBuilder results) {
         for (ShaderSource source : shader.getSources()){
@@ -121,5 +135,5 @@ public void validate(Shader shader, StringBuilder results) {
             }
         }
     }
-    
+
 }