Merge pull request #1863 from BorderTech/feature/latest-dep-sec
Update project dependencies
jonathanaustin authored Sep 19, 2024
2 parents 904b839 + 3c02544 commit 2a592ae
Showing 30 changed files with 247 additions and 371 deletions.
17 changes: 17 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,23 @@
# Change log

## Release in-progress
* Pickup latest qa-parent 1.0.21
* Removed dependency commons-htttpclient:3.0 due to a security issue. HttpClient was only used by WebUtilities to
percent encode URLs. However, the latest version no longer provides the URI class that provided this functionality.
As encoding full URLs is unsafe and unreliable and should be done while constructing the URL, the encodeURL
and percentEncodeUrl methods have been removed from WebUtilities.
* Update project dependencies to current versions
* Update theme dependencies to current versions
* Fixed bug in DefaultInternalConfiguration subset method that was not removing the prefix key of the matched properties
in the returned Configuration. The subset method now uses the SubsetConfiguration class to implement the correct
behaviour as described in the subset method interface javadoc.
* Updated velocity version from 1.5 to 2.3 due to security vulnerabilities.
* Removed the custom VelocityLogger class as version 2.3 now uses SLF4J.
* Version 2.3 allows for backward compatability properties to be set for version 1.5 and 1.7. The VeloctityRenderImpl
and VelocityEngineFactory classes have been updated to set these properties by default. This can be disabled by setting
runtime property "bordertech.wcomponents.velocity.backward17.enabled=false". These backward compatability properties
use a prefix of "bt.velocity.backward17.*" in web.properties. Refer to https://velocity.apache.org/engine/2.3/upgrading.html.
* Additional velocity initilisation properties can also be set by using runtime properties with the prefix "bt.velocity.app.*".

### API Changes
### Enhancements
32 changes: 0 additions & 32 deletions owasp-jetty-suppression.xml

This file was deleted.

7 changes: 0 additions & 7 deletions owasp-velocity-suppression.xml

This file was deleted.

45 changes: 33 additions & 12 deletions pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.github.bordertech.common</groupId>
<artifactId>qa-parent</artifactId>
<version>1.0.20</version>
<version>1.0.21</version>
<relativePath />
</parent>

Expand Down Expand Up @@ -92,20 +92,20 @@
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.0.12</version>
<version>2.0.16</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>2.0.12</version>
<version>2.0.16</version>
</dependency>

<!-- Force versions to help avoid convergence errors -->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<!-- As of 1.3.X commons logging detects and routes logging to SLF4J if in the classpath -->
<version>1.3.0</version>
<version>1.3.4</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
Expand All @@ -115,7 +115,7 @@
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.15.1</version>
<version>2.16.1</version>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
Expand All @@ -125,17 +125,17 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.14.0</version>
<version>3.17.0</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.26.1</version>
<version>1.27.1</version>
</dependency>
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.16.1</version>
<version>1.17.1</version>
</dependency>
<dependency>
<groupId>xml-apis</groupId>
Expand Down Expand Up @@ -173,17 +173,38 @@
<dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5</artifactId>
<version>5.2.4</version>
<version>5.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5-h2</artifactId>
<version>5.2.4</version>
<version>5.2.5</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>33.1.0-jre</version>
<version>33.3.0-jre</version>
</dependency>
<dependency>
<groupId>com.google.errorprone</groupId>
<artifactId>error_prone_annotations</artifactId>
<version>2.31.0</version>
</dependency>

<!-- Required for HTML input sanitization of WTextArea -->
<!-- Antisamy as of 1.7.X does not support xhtml and will remove the closing tag on "void" elements which will break the XML-->
<!-- Once WComponents stops using xslt then the latest Antisamy can be used -->
<!-- https://html.spec.whatwg.org/multipage/syntax.html#void-elements -->
<dependency>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
<version>1.6.8</version>
</dependency>
<!-- Neko-htmlunit had a package rename as of 3.X.X and cannot be picked up until latest Antisamy can be used -->
<dependency>
<groupId>net.sourceforge.htmlunit</groupId>
<artifactId>neko-htmlunit</artifactId>
<version>2.70.0</version>
</dependency>

</dependencies>
Expand Down Expand Up @@ -267,7 +288,7 @@
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>1.10.12</version>
<version>1.10.15</version>
</dependency>
</dependencies>
</plugin>
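Review bot: The antisamy 1.6.8 and neko-htmlunit 2.70.0 entries added to the managed dependencies are deliberately held below their current release lines for the xhtml/void-element reason the comments give, yet this same commit deletes owasp-jetty-suppression.xml and owasp-velocity-suppression.xml, so nothing in the tree any longer records an accepted finding against a pinned artifact. If the build runs OWASP dependency-check, as those deleted files suggest, extend the existing comment with a tracking reference so future reports on these two artifacts have a documented owner, e.g. `<!-- Pinned below 1.7.x (xhtml void elements); upgrade tracked in [TRACKING-ISSUE placeholder] -->`. The new error_prone_annotations entry is the only version in the "Force versions" block without a comment; a one-liner naming the transitive consumer it pins for (guava, presumably) would keep that block self-explaining.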
4 changes: 0 additions & 4 deletions wcomponents-bundle/pom.xml
Expand Up @@ -22,10 +22,6 @@
and client-side artefacts.
</description>

<properties>
<suppressionFiles>${project.parent.basedir}/owasp-velocity-suppression.xml</suppressionFiles>
</properties>

<dependencies>
<dependency>
<groupId>com.github.bordertech.wcomponents</groupId>
28 changes: 10 additions & 18 deletions wcomponents-core/pom.xml
Expand Up @@ -20,7 +20,6 @@

<properties>
<spotbugs.excludeFilterFile>${basedir}/spotbugs-exclude-filter.xml</spotbugs.excludeFilterFile>
<suppressionFiles>${project.parent.basedir}/owasp-velocity-suppression.xml</suppressionFiles>
</properties>

<profiles>
Expand Down Expand Up @@ -208,9 +207,9 @@

<!-- Velocity template support. -->
<dependency>
<groupId>velocity</groupId>
<artifactId>velocity</artifactId>
<version>1.5</version>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity-engine-core</artifactId>
<version>2.3</version>
</dependency>

<!-- Caching API. -->
Expand All @@ -235,23 +234,12 @@
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.10.1</version>
</dependency>

<!-- used only by WebUtilities.java -->
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>3.1</version>
<version>2.11.0</version>
</dependency>

<!-- Required for HTML input sanitization of WTextArea -->
<!-- Antisamy as of 1.7.X does not support xhtml and will remove the closing tag on "void" elements which will break the XML-->
<!-- https://html.spec.whatwg.org/multipage/syntax.html#void-elements -->
<dependency>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
<version>1.6.8</version>
</dependency>
<dependency>
<groupId>org.apache.xmlgraphics</groupId>
Expand All @@ -263,6 +251,10 @@
<artifactId>xercesImpl</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>net.sourceforge.htmlunit</groupId>
<artifactId>neko-htmlunit</artifactId>
</dependency>

<!-- Device detection -->
<dependency>
Expand All @@ -274,13 +266,13 @@
<dependency>
<groupId>com.github.spullara.mustache.java</groupId>
<artifactId>compiler</artifactId>
<version>0.9.11</version>
<version>0.9.14</version>
</dependency>

<dependency>
<groupId>org.apache.tika</groupId>
<artifactId>tika-core</artifactId>
<version>2.9.1</version>
<version>2.9.2</version>
</dependency>

<!-- commons-logging as of 1.3.X detects SLF4J and the performance unit tests fail when SLF4J doeesnot have a backing provider -->
5 changes: 5 additions & 0 deletions wcomponents-core/spotbugs-exclude-filter.xml
Expand Up @@ -47,6 +47,11 @@
<Bug pattern="PDP_POORLY_DEFINED_PARAMETER,LUI_USE_SINGLETON_LIST,IMC_IMMATURE_CLASS_BAD_SERIALVERSIONUID,BED_BOGUS_EXCEPTION_DECLARATION,PMB_POSSIBLE_MEMORY_BLOAT,MUI_CONTAINSKEY_BEFORE_GET,SUI_CONTAINS_BEFORE_ADD,CLI_CONSTANT_LIST_INDEX,SPP_EQUALS_ON_ENUM,CRLF_INJECTION_LOGS,HTTP_RESPONSE_SPLITTING,LSYC_LOCAL_SYNCHRONIZED_COLLECTION,PCOA_PARTIALLY_CONSTRUCTED_OBJECT_ACCESS,FCCD_FIND_CLASS_CIRCULAR_DEPENDENCY" />
</Match>

<!-- To be reviewed and give reasons why excluded. -->
<Match>
<Bug pattern="POTENTIAL_XML_INJECTION,ENMI_EQUALS_ON_ENUM,ENMI_ONE_ENUM_VALUE,NMI_NULL_ENUM_VALUE,ENMI_NULL_ENUM_VALUE,SPP_PASSING_THIS_AS_PARM"/>
</Match>

<!-- Security Bugs -->
<Match>
<Bug pattern="OBJECT_DESERIALIZATION" />
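Review bot: The new `<Match>` block has no `<Class>` or `<Package>` qualifier, so all six patterns it lists, including the security-category detector POTENTIAL_XML_INJECTION, are silenced for every class in wcomponents-core rather than for the places where they currently fire. The accompanying comment "To be reviewed and give reasons why excluded" is an open TODO with no owner, and a blanket exclusion of an injection detector is easy to forget. Keep the enum and SPP patterns in the module-wide match if they are noise, but move POTENTIAL_XML_INJECTION into a separate `<Match>` scoped with `<Class name="..."/>` to the affected classes, and replace the comment with one carrying a reference, e.g. `<!-- TODO [TRACKING-ISSUE placeholder]: justify each exclusion; XML injection detector scoped to the XML-writing classes only -->`. The adjacent pre-existing module-wide match above it has the same shape, so this is the pattern to avoid extending.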
Expand Up @@ -20,8 +20,6 @@
import java.util.Date;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.commons.httpclient.URI;
import org.apache.commons.httpclient.util.URIUtil;
import org.apache.commons.lang3.text.translate.AggregateTranslator;
import org.apache.commons.lang3.text.translate.CharSequenceTranslator;
import org.apache.commons.lang3.text.translate.CodePointTranslator;
Expand Down Expand Up @@ -275,43 +273,6 @@ public static WComponent getTop(final WComponent comp) {
return top;
}

/**
* Encode URL for XML.
*
* @param urlStr the URL to escape
* @return the URL percent encoded
*/
public static String encodeUrl(final String urlStr) {
if (Util.empty(urlStr)) {
return urlStr;
}
// Percent Encode
String percentEncode = percentEncodeUrl(urlStr);
// XML Enocde
return encode(percentEncode);
}

/**
* Percent encode a URL to include in HTML.
*
* @param urlStr the URL to escape
* @return the URL percent encoded
*/
public static String percentEncodeUrl(final String urlStr) {
if (Util.empty(urlStr)) {
return urlStr;
}

try {
// Avoid double encoding
String decode = URIUtil.decode(urlStr);
URI uri = new URI(decode, false);
return uri.getEscapedURIReference();
} catch (Exception e) {
return urlStr;
}
}

/**
* Escapes the given string to make it presentable in a URL. This follows RFC 3986, with some extensions for UTF-8.
*
Expand Up @@ -25,42 +25,32 @@ public class VelocityCacheImpl implements ResourceCache {
*/
private static final String CACHE_NAME = "wc-velocity-templates";

/**
* {@inheritDoc}
*/
@Override
public void initialize(final RuntimeServices rs) {
// Do nothing
}

/**
* {@inheritDoc}
*/
@Override
public void clear() {
getCache().clear();
}

@Override
public Resource get(final Object resourceKey) {
return getCache().get(resourceKey);
}

/**
* {@inheritDoc}
*/
@Override
public Resource put(final Object resourceKey, final Resource resource) {
getCache().put(resourceKey, resource);
return resource;
}

/**
* {@inheritDoc}
*/
@Override
public Resource remove(final Object resourceKey) {
return getCache().getAndRemove(resourceKey);
}

/**
* {@inheritDoc}
*/
@Override
public Iterator enumerateKeys() {
return getCache().iterator();
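Review bot: `enumerateKeys()` still declares a raw `Iterator` return and returns `getCache().iterator()`; if the Velocity 2.3 `ResourceCache` interface this class now implements declares `Iterator<Object> enumerateKeys()`, the raw type compiles only with an unchecked warning, and if `getCache()` yields a `javax.cache.Cache`, its `iterator()` walks `Cache.Entry` objects rather than keys, so callers of enumerateKeys would receive entries — both need confirming against `getCache()`, which lies outside this hunk. Proposed signature `public Iterator<Object> enumerateKeys()` with the body mapping entries to keys if the Cache assumption holds. The no-op `initialize(RuntimeServices)` would also benefit from a one-line comment stating why no setup is needed here (the cache is presumably obtained lazily through `getCache()`), since the `{@inheritDoc}` blocks that used to sit on these overrides are gone and an empty body now reads as an oversight. VelocityCacheImpl's class body begins before and continues after this hunk.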