Fix CWE-311: Enforce HTTPS for all outbound URL connections#190

Draft
Copilot wants to merge 2 commits intomainfrom
copilot/update-httpservletresponse-secure

Copilot AI commented Mar 4, 2026

HTTP connections in Utility.openConnection, DataObject.getDataSize, and ObjectAccess.setObservationalProduct were made without SSL enforcement, exposing data in transit to interception.

Changes

  • Utility.java: Added toHttpsUrl(URL) helper that upgrades http:// to https://, mapping default HTTP port 80 to HTTPS default (port -1/443) while preserving custom ports. Applied at connection open time and on every redirect target. Emits a WARN log when an upgrade occurs.
  • DataObject.java: getDataSize() now calls Utility.toHttpsUrl(u).openConnection() instead of u.openConnection() directly.
  • ObjectAccess.java: setObservationalProduct() wraps the constructed URL with Utility.toHttpsUrl() before opening a write connection.
```java
// Before
conn = u.openConnection();

// After — HTTP silently upgraded to HTTPS
conn = Utility.toHttpsUrl(u).openConnection();
```

All redirect targets within openConnection are similarly upgraded, preventing a redirect chain from reverting to plain HTTP.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • download.osgeo.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/pds4-jparser/pds4-jparser org.codehaus.plexus.classworlds.launcher.Launcher compile -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/pds4-jparser/pds4-jparser org.codehaus.plexus.classworlds.launcher.Launcher compile -q -s settings.xml (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/pds4-jparser/pds4-jparser org.codehaus.plexus.classworlds.launcher.Launcher -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip (dns block)
  • repository.jboss.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/pds4-jparser/pds4-jparser org.codehaus.plexus.classworlds.launcher.Launcher compile -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/pds4-jparser/pds4-jparser org.codehaus.plexus.classworlds.launcher.Launcher compile -q -s settings.xml (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/pds4-jparser/pds4-jparser org.codehaus.plexus.classworlds.launcher.Launcher -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip (dns block)
  • www.puppycrawl.com
    • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/xml/tools/xml-extractor.jar --fileList=/tmp/codeql-scratch-d67c6d2584ecd749/dbs/java/working/files-to-index8551114325350931724.list --sourceArchiveDir=/tmp/codeql-scratch-d67c6d2584ecd749/dbs/java/src --outputDir=/tmp/codeql-scratch-d67c6d2584ecd749/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Update HTTPServletResponse to ensure secure connections</issue_title>
<issue_description>

Finding PDS-000001, dated 12/31/18, severity high: "If possible always use setSecure to set the 'secure' flag on a cookie before adding it to an HttpServletResponse."

Every location below carries the same scanner columns: Failure to use SSL (CWE-311) | Failure to use SSL (CWE-311). Non-SSL connections can be intercepted by third parties. | Y | Not using secure flag | 3 | CWE-311 | Try to set secure before addCookie. ssoCookie.setSecure(true) plain text viewing possible if not set.

| File | Line |
| --- | --- |
| preparation/core/src/main/java/gov/nasa/pds/tools/util/Utility.java | 96 |
| preparation/pds4-tools/src/main/java/gov/nasa/pds/label/object/DataObject.java | 73 |
| preparation/pds4-tools/src/main/java/gov/nasa/pds/label/object/DataObject.java | 120 |
| preparation/pds4-tools/src/main/java/gov/nasa/pds/objectAccess/ObjectAccess.java | 253 |
| preparation/pds4-tools/src/main/java/gov/nasa/pds/objectAccess/utility/Utility.java | 88 |
| report/report-manager/src/main/java/gov/nasa/pds/report/logs/pushpull/HttpPull.java | 185 |
| transport/transport-proxy/src/main/java/gov/nasa/pds/portal/product/HTTPAdaptor.java | 96 |
| transport/transport-proxy/src/main/java/gov/nasa/pds/portal/product/HTTPAdaptor.java | 147 |
| transport/transport-proxy/src/main/java/gov/nasa/pds/portal/product/HTTPAdaptor.java | 160 |
| transport/transport-registry/src/main/java/gov/nasa/pds/transport/SearchProductHandler.java | 472 |
| transport/transport-registry/src/main/java/gov/nasa/pds/transport/SearchProductHandler.java | 513 |

</issue_description>

Comments on the Issue (you are @copilot in this section)
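The PR description above explains the upgrade rule (http:// becomes https://, port 80 or no port maps to the HTTPS default, other explicit ports are kept) and says the same rule is re-applied to every redirect target. The class below is an added example written for this page, not the pds4-jparser project's own Utility code: `HttpsUpgradeExample`, `toHttpsUrl`, `openSecureConnection` and the `MAX_REDIRECTS` limit are all assumed names and values chosen here, and the sample URLs in `main` are constructed. It covers only the outbound-connection side of the fix; the cookie `setSecure` advice in the scanner output is a separate concern that this example does not touch.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.logging.Logger;

/**
 * Added example (not the pds4-jparser code): an http -> https URL upgrade helper
 * with the port mapping the PR describes, plus a connection opener that
 * re-applies the upgrade to every redirect target.
 */
public final class HttpsUpgradeExample {
    private static final Logger LOG = Logger.getLogger(HttpsUpgradeExample.class.getName());
    private static final int MAX_REDIRECTS = 5;   // assumed limit; the PR does not state one

    /**
     * Returns an https:// copy of an http:// URL. Port 80 or no explicit port becomes the
     * HTTPS default (-1, i.e. 443); any other explicit port is preserved. Non-http URLs
     * (https, file, ...) are returned unchanged.
     */
    public static URL toHttpsUrl(URL u) throws MalformedURLException {
        if (!"http".equalsIgnoreCase(u.getProtocol())) {
            return u;
        }
        int port = (u.getPort() == -1 || u.getPort() == 80) ? -1 : u.getPort();
        // getFile() is path plus query; the fragment is never sent to the server, so dropping it is harmless
        URL upgraded = new URL("https", u.getHost(), port, u.getFile());
        LOG.warning("Upgrading plain-HTTP URL to HTTPS: " + u + " -> " + upgraded);
        return upgraded;
    }

    private static boolean isRedirect(int code) {
        return code == 301 || code == 302 || code == 303 || code == 307 || code == 308;
    }

    /**
     * Opens a connection to the upgraded URL, following redirects manually so that each
     * Location target is upgraded too. Automatic following is disabled: HttpURLConnection
     * never follows a redirect that changes protocol, and a 3xx pointing at http:// must
     * not silently downgrade the connection.
     */
    public static HttpURLConnection openSecureConnection(URL start) throws IOException {
        URL current = toHttpsUrl(start);
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false);
            int code = conn.getResponseCode();
            if (!isRedirect(code)) {
                return conn;           // final response; the caller reads the body and disconnects
            }
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) {
                throw new IOException("Redirect " + code + " without Location from " + current);
            }
            // new URL(context, spec) resolves relative Location values against the current URL
            current = toHttpsUrl(new URL(current, location));
        }
        throw new IOException("More than " + MAX_REDIRECTS + " redirects starting from " + start);
    }

    /** Offline demonstration on constructed URLs; toHttpsUrl needs no network access. */
    public static void main(String[] args) throws MalformedURLException {
        String[] samples = {
            "http://example.org/data/file.xml",        // -> https://example.org/data/file.xml
            "http://example.org:80/data/file.xml",     // -> https://example.org/data/file.xml
            "http://example.org:8080/data/file.xml",   // -> https://example.org:8080/data/file.xml
            "https://example.org/data/file.xml",       // unchanged
        };
        for (String s : samples) {
            System.out.println(s + "  =>  " + toHttpsUrl(new URL(s)));
        }
    }
}
```

Two points worth checking when rolling out an upgrade of this shape: a preserved custom port (8080 in the sample) only works if the server actually terminates TLS on that port, so the connection fails closed rather than falling back to plain HTTP, which is the intended outcome but needs confirming per endpoint; and the upgrade does nothing for certificate checking, so the JSSE defaults for trust and hostname verification should stay in place rather than being relaxed to make a newly upgraded endpoint "work". The WARN log line is the signal to look for when an endpoint configuration still carries http:// URLs that should be corrected at the source.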



sonarqubecloud bot commented Mar 4, 2026

Copilot AI changed the title from "[WIP] Update HTTPServletResponse to ensure secure connections" to "Fix CWE-311: Enforce HTTPS for all outbound URL connections" on Mar 4, 2026

Development

Successfully merging this pull request may close these issues.

Update HTTPServletResponse to ensure secure connections

2 participants