Hello：
We found a problem about XML External Entity Injection in vsts-authentication-library-for-java.
com.microsoft.alm.storage.InsecureFileBackend.java


The xml external entity is not disabled when parsing the xml. When parsing the xml controlled by the attacker, there is an xml external entity injection risk.

This might be a user issue as opposed to your library.

I'm new to Eclipse and Git and have been attempting to run a call from a java application to connect and run a rest API call. Unfortunately, I haven't been successful for over 2 weeks. Here's what I have done so far:

1. Created an app that will retrieve test cases for a date range in VSTS and retrieve outcome info
   • This works, but I'm using files for this stage of the effort
     a. The files were copied from an API call using the browser which is already authenticated, so no issues here
2. Captured Azure access information to allow a client application to connect (client id, application id, ...)
3. Imported various jar files ranging from jackson to javax.ws.rs-api.2.0.jar
4. Imported your vsts-authentication-library-for-java to a 'general project' via Git
5. Copied over the common, config, core, providers, storage folders... and support files from the vsts-author... general project... into the java project in hopes of using the vsts-author... classes to connect.

On step 4, I'm not sure if the process above is incorrect in Eclipse. Our team is excited about using Java to extract information from VSTS via rest-API calls. At this point, your library looks like the key. If you have a procedure or step by step information, it would be greatly appreciated.

In the current implementation, the secret bytes are incorrectly decoded as UTF8. As a result, the Password of the newly created Credential object does not match the original password.

CVE-2020-9547 CVE-2018-14719 CVE-2018-14718 CVE-2019-14379 CVE-2019-20330 CVE-2019-16943

Recommended upgrade version：2..3

Jdeps JDK [9,) where the dependency auth-secure-storage is used yields;

Modules auth.secure.storage and auth.common export package com.microsoft.alm.storage ...

Hi Team. I'm working with this library to provide a secure "remember me" function for my application.

I've had great luck using the library both in Linux and Windows, thanks for all the hard work!

I'm currently having a problem on a single Windows machine. Every other machine I've tested the library with, everything works fine.

On this machine when I call StorageProvider.getCredentialStorage with either PREFER, or MUST, my application crashes completely with no information in my log4j error logs.

I'm no Windows specialist, and was hoping that you could give me some idea how I might begin debugging this issue. Wrapping the call in a exception block didn't stop the application crashing, which makes me believe that this is an operating system level issue.

Thanks,
Ian

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

This library contains a class that attempts to download the SWT JAR: https://github.com/microsoft/vsts-authentication-library-for-java/blob/master/core/src/main/java/com/microsoft/alm/auth/oauth/helper/SwtJarLoader.java#L26

However, the URL it uses only returns 404 for any of the JAR files it is supposed to download.

I eventually arrived here because the Azure DevOps plugin in JetBrains Rider IDE only presented the Device Code Authorization dialog instead of standard OAuth2.

Workaround for me was to download the JAR file manually and place it in $HOME/.swt/swt-x86_64.jar, but that should have been unnecessary.

See also: microsoft/azure-devops-intellij#441

Saving a TokenPair on the Windows Credential Manager seems to be partially working.
When getting the pair, only the refresh token is returned with the value, but the access token is empty.

I also noticed that the test behavior is the same https://github.com/microsoft/vsts-authentication-library-for-java/blob/master/storage/src/test/java/com/microsoft/alm/storage/windows/CredManagerBackedTokenPairStoreIT.java#L41

Could you please explain why the access token is not stored/fetched on Windows when using TokenPair?

Thanks
Rahul

blah blah

OAuth2Authenticator.getOAuth2TokenPair() is unable to use refresh token. Here is what happens and what we see:

• When calling OAuth2Authenticator.getOAuth2TokenPair(), a token pair with an access token and a refresh token is returned. So far, so good.
• After one hour, the access token expires and when calling OAuth2Authenticator.getOAuth2TokenPair() again, this method tries to validate the access token. In this case, VSTS will return a 203 status code.
• When this happens, the library seems to expect an IOException to be thrown, which is not the case.
• Instead, a NullPointerException is thrown in HttpClientImpl, because the stream seems to be nonexistent in this call.

Net result: NullPointerException is never caught and bubbles up to the caller, making refresh tokens impossible to use.

I have created a pull request that fixes this NullPointerException. If possible, can a new build of the library be created?

/cc @davidstaheli

Hello,

can you please provide a short code snippet or description how to fetch credentials from CredManagerBackedCredentialStore? When I call get() with a name that is displayed in the credential manager it gives me com.sun.jna.LastErrorException: [1168] Element not found.

Thank you very much!

Hi Team,
I am trying to save the credentials via auth-secure-storage API. It is working fine in windows 10. But throwing error in Windows 2019 server.

Error log:

Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:61)
Caused by: java.lang.UnsatisfiedLinkError: C:\Users\samraj\AppData\Local\Temp\5\jna--909673508\jna1174734716952454249.dll: Can't find dependent libraries
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1934)
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1817)
at java.lang.Runtime.load0(Runtime.java:782)
at java.lang.System.load(System.java:1100)
at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:851)
at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:826)
at com.sun.jna.Native.(Native.java:140)
at com.microsoft.alm.storage.windows.internal.CredAdvapi32.(CredAdvapi32.java:26)
at com.microsoft.alm.storage.windows.internal.CredManagerBackedSecureStore.getCredAdvapi32Instance(CredManagerBackedSecureStore.java:218)
at com.microsoft.alm.storage.windows.internal.CredManagerBackedSecureStore.(CredManagerBackedSecureStore.java:28)
at com.microsoft.alm.storage.windows.CredManagerBackedCredentialStore.(CredManagerBackedCredentialStore.java:9)
at com.user.credential.manager.impl.SystemCredentialManagerImpl.setCredential(SystemCredentialManagerImpl.java:78)
at com.user.credential.manager.helper.CredentialManagerHelper.saveCredential(CredentialManagerHelper.java:95)
at com.user.credential.manager.console.CredentialSaver.main(CredentialSaver.java:44)
... 5 more

Secure token storage is backed by gnome-keyring under Linux. It should be changed to libsecret.

libgnome insertion