Resolve several critical vulnerabilities.

main
Paulo Gustavo Veiga 2022-10-27 20:28:37 -07:00
parent 49732ec06d
commit 23b0f7351e
10 changed files with 48 additions and 37 deletions

View File

@ -1,4 +1,5 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>wise-webapp</artifactId>
<packaging>war</packaging>
@ -219,10 +220,9 @@
<version>3.9.9</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
<scope>compile</scope>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.19.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/commons-validator/commons-validator -->
<dependency>
@ -240,7 +240,7 @@
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.13.1</version>
<version>2.13.4.2</version>
</dependency>
<dependency>
<!-- This is required in case of Tomcat, do not remove -->
@ -296,7 +296,7 @@
<artifactId>mysql-connector-java</artifactId>
<version>8.0.31</version>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
@ -505,13 +505,13 @@
</configuration>
</execution>
<!-- Confirm why there is a NPE -->
<!-- <execution>-->
<!-- <id>default-report-integration</id>-->
<!-- <phase>verify</phase>-->
<!-- <goals>-->
<!-- <goal>report-integration</goal>-->
<!-- </goals>-->
<!-- </execution>-->
<!-- <execution>-->
<!-- <id>default-report-integration</id>-->
<!-- <phase>verify</phase>-->
<!-- <goals>-->
<!-- <goal>report-integration</goal>-->
<!-- </goals>-->
<!-- </execution>-->
<execution>
<id>default-report</id>
<phase>verify</phase>
@ -566,7 +566,9 @@
<daemon>true</daemon>
<waitForChild>false</waitForChild>
<maxStartupLines>200</maxStartupLines>
<jvmArgs>${integrationTestArgLine} -Ddatabase.base.url=${project.build.directory} -Djetty.port=8080</jvmArgs>
<jvmArgs>${integrationTestArgLine} -Ddatabase.base.url=${project.build.directory}
-Djetty.port=8080
</jvmArgs>
</configuration>
</execution>
<execution>

View File

@ -24,8 +24,10 @@ import com.wisemapping.model.User;
import com.wisemapping.security.Utils;
import com.wisemapping.service.LockManager;
import com.wisemapping.service.MindmapService;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
@ -34,7 +36,7 @@ import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
public class UnlockOnExpireListener implements HttpSessionListener {
private static final Logger logger = Logger.getLogger(UnlockOnExpireListener.class);
private static final Logger logger = LogManager.getLogger();
@Override
public void sessionCreated(@NotNull HttpSessionEvent event) {

View File

@ -24,7 +24,8 @@ import com.wisemapping.model.Mindmap;
import com.wisemapping.model.User;
import com.wisemapping.rest.model.RestLogItem;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
@ -42,7 +43,7 @@ import java.util.Map;
import java.util.stream.Collectors;
final public class NotificationService {
final private static Logger logger = Logger.getLogger(Mailer.class);
final private static Logger logger = LogManager.getLogger();
private ResourceBundleMessageSource messageSource;
@Autowired

View File

@ -24,14 +24,11 @@ import com.wisemapping.model.Collaboration;
import com.wisemapping.model.Label;
import com.wisemapping.model.Mindmap;
import com.wisemapping.model.User;
import com.wisemapping.rest.model.RestLogItem;
import com.wisemapping.rest.model.RestUser;
import com.wisemapping.security.Utils;
import com.wisemapping.service.LabelService;
import com.wisemapping.service.MindmapService;
import com.wisemapping.service.UserService;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpStatus;
@ -41,7 +38,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseStatus;
import javax.servlet.http.HttpServletRequest;
import java.util.List;
@Controller

View File

@ -24,7 +24,8 @@ import com.wisemapping.model.User;
import com.wisemapping.rest.model.RestErrors;
import com.wisemapping.security.Utils;
import com.wisemapping.service.RegistrationException;
import org.apache.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
@ -42,7 +43,7 @@ import java.util.Locale;
public class BaseController {
final private Logger logger = Logger.getLogger(BaseController.class);
final private Logger logger = LogManager.getLogger();
@Qualifier("messageSource")
@Autowired

View File

@ -25,7 +25,8 @@ import com.wisemapping.security.Utils;
import com.wisemapping.service.*;
import com.wisemapping.validator.MapInfoValidator;
import org.apache.commons.validator.routines.EmailValidator;
import org.apache.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
@ -46,7 +47,7 @@ import java.util.stream.Collectors;
@Controller
public class MindmapController extends BaseController {
final Logger logger = Logger.getLogger(MindmapController.class);
final Logger logger = LogManager.getLogger();
private static final String LATEST_HISTORY_REVISION = "latest";

View File

@ -26,7 +26,8 @@ import com.wisemapping.rest.model.RestUserRegistration;
import com.wisemapping.service.*;
import com.wisemapping.validator.Messages;
import com.wisemapping.validator.UserValidator;
import org.apache.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
@ -57,7 +58,7 @@ public class UserController extends BaseController {
@Value("${accounts.exclusion.domain:''}")
private String domainBanExclusion;
private static final Logger logger = Logger.getLogger(UserController.class);
private static final Logger logger = LogManager.getLogger();
private static final String REAL_IP_ADDRESS_HEADER = "X-Real-IP";
@RequestMapping(method = RequestMethod.POST, value = "/users", produces = {"application/json"})

View File

@ -18,7 +18,9 @@
package com.wisemapping.security;
import org.apache.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.codec.Utf8;
@ -29,7 +31,7 @@ import java.security.NoSuchAlgorithmException;
public class LegacyPasswordEncoder implements PasswordEncoder {
final private static Logger logger = Logger.getLogger(LegacyPasswordEncoder.class);
final private static Logger logger = LogManager.getLogger();
public static final String ENC_PREFIX = "ENC:";
private final ShaPasswordEncoder sha1Encoder = new ShaPasswordEncoder();

View File

@ -23,18 +23,21 @@ import com.wisemapping.exceptions.LockException;
import com.wisemapping.model.CollaborationRole;
import com.wisemapping.model.Mindmap;
import com.wisemapping.model.User;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.*;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.ConcurrentHashMap;
class LockManagerImpl implements LockManager {
private static final int ONE_MINUTE_MILLISECONDS = 1000 * 60;
private final Map<Integer, LockInfo> lockInfoByMapId;
private final static Timer expirationTimer = new Timer();
final private static Logger logger = Logger.getLogger(LockManagerImpl.class);
final private static Logger logger = LogManager.getLogger();
@Override
public boolean isLocked(@NotNull Mindmap mindmap) {

View File

@ -17,13 +17,15 @@
*/
package com.wisemapping.service;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.wisemapping.validator.Messages;
import org.apache.commons.lang.StringUtils;
import org.apache.http.NameValuePair;
import org.apache.http.client.fluent.Form;
import org.apache.http.client.fluent.Request;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.Nullable;
import javax.validation.constraints.NotNull;
@ -35,7 +37,7 @@ import java.util.Map;
public class RecaptchaService {
final private static Logger logger = Logger.getLogger(RecaptchaService.class);
final private static Logger logger = LogManager.getLogger();
final private static String GOOGLE_RECAPTCHA_VERIFY_URL =
"https://www.google.com/recaptcha/api/siteverify";