Resolve several critical vulnerabilities.

main
Paulo Gustavo Veiga 2022-10-27 20:28:37 -07:00
parent 49732ec06d
commit 23b0f7351e
10 changed files with 48 additions and 37 deletions

View File

@ -1,4 +1,5 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<artifactId>wise-webapp</artifactId> <artifactId>wise-webapp</artifactId>
<packaging>war</packaging> <packaging>war</packaging>
@ -219,10 +220,9 @@
<version>3.9.9</version> <version>3.9.9</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>log4j</groupId> <groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j</artifactId> <artifactId>log4j-core</artifactId>
<version>1.2.17</version> <version>2.19.0</version>
<scope>compile</scope>
</dependency> </dependency>
<!-- https://mvnrepository.com/artifact/commons-validator/commons-validator --> <!-- https://mvnrepository.com/artifact/commons-validator/commons-validator -->
<dependency> <dependency>
@ -240,7 +240,7 @@
<dependency> <dependency>
<groupId>com.fasterxml.jackson.core</groupId> <groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId> <artifactId>jackson-databind</artifactId>
<version>2.13.1</version> <version>2.13.4.2</version>
</dependency> </dependency>
<dependency> <dependency>
<!-- This is required in case of Tomcat, do not remove --> <!-- This is required in case of Tomcat, do not remove -->
@ -296,7 +296,7 @@
<artifactId>mysql-connector-java</artifactId> <artifactId>mysql-connector-java</artifactId>
<version>8.0.31</version> <version>8.0.31</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.postgresql</groupId> <groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId> <artifactId>postgresql</artifactId>
@ -505,13 +505,13 @@
</configuration> </configuration>
</execution> </execution>
<!-- Confirm why there is a NPE --> <!-- Confirm why there is a NPE -->
<!-- <execution>--> <!-- <execution>-->
<!-- <id>default-report-integration</id>--> <!-- <id>default-report-integration</id>-->
<!-- <phase>verify</phase>--> <!-- <phase>verify</phase>-->
<!-- <goals>--> <!-- <goals>-->
<!-- <goal>report-integration</goal>--> <!-- <goal>report-integration</goal>-->
<!-- </goals>--> <!-- </goals>-->
<!-- </execution>--> <!-- </execution>-->
<execution> <execution>
<id>default-report</id> <id>default-report</id>
<phase>verify</phase> <phase>verify</phase>
@ -566,7 +566,9 @@
<daemon>true</daemon> <daemon>true</daemon>
<waitForChild>false</waitForChild> <waitForChild>false</waitForChild>
<maxStartupLines>200</maxStartupLines> <maxStartupLines>200</maxStartupLines>
<jvmArgs>${integrationTestArgLine} -Ddatabase.base.url=${project.build.directory} -Djetty.port=8080</jvmArgs> <jvmArgs>${integrationTestArgLine} -Ddatabase.base.url=${project.build.directory}
-Djetty.port=8080
</jvmArgs>
</configuration> </configuration>
</execution> </execution>
<execution> <execution>

View File

@ -24,8 +24,10 @@ import com.wisemapping.model.User;
import com.wisemapping.security.Utils; import com.wisemapping.security.Utils;
import com.wisemapping.service.LockManager; import com.wisemapping.service.LockManager;
import com.wisemapping.service.MindmapService; import com.wisemapping.service.MindmapService;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.NotNull;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils; import org.springframework.web.context.support.WebApplicationContextUtils;
@ -34,7 +36,7 @@ import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener; import javax.servlet.http.HttpSessionListener;
public class UnlockOnExpireListener implements HttpSessionListener { public class UnlockOnExpireListener implements HttpSessionListener {
private static final Logger logger = Logger.getLogger(UnlockOnExpireListener.class); private static final Logger logger = LogManager.getLogger();
@Override @Override
public void sessionCreated(@NotNull HttpSessionEvent event) { public void sessionCreated(@NotNull HttpSessionEvent event) {

View File

@ -24,7 +24,8 @@ import com.wisemapping.model.Mindmap;
import com.wisemapping.model.User; import com.wisemapping.model.User;
import com.wisemapping.rest.model.RestLogItem; import com.wisemapping.rest.model.RestLogItem;
import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringEscapeUtils;
import org.apache.log4j.Logger; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable; import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
@ -42,7 +43,7 @@ import java.util.Map;
import java.util.stream.Collectors; import java.util.stream.Collectors;
final public class NotificationService { final public class NotificationService {
final private static Logger logger = Logger.getLogger(Mailer.class); final private static Logger logger = LogManager.getLogger();
private ResourceBundleMessageSource messageSource; private ResourceBundleMessageSource messageSource;
@Autowired @Autowired

View File

@ -24,14 +24,11 @@ import com.wisemapping.model.Collaboration;
import com.wisemapping.model.Label; import com.wisemapping.model.Label;
import com.wisemapping.model.Mindmap; import com.wisemapping.model.Mindmap;
import com.wisemapping.model.User; import com.wisemapping.model.User;
import com.wisemapping.rest.model.RestLogItem;
import com.wisemapping.rest.model.RestUser; import com.wisemapping.rest.model.RestUser;
import com.wisemapping.security.Utils; import com.wisemapping.security.Utils;
import com.wisemapping.service.LabelService; import com.wisemapping.service.LabelService;
import com.wisemapping.service.MindmapService; import com.wisemapping.service.MindmapService;
import com.wisemapping.service.UserService; import com.wisemapping.service.UserService;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
@ -41,7 +38,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseStatus; import org.springframework.web.bind.annotation.ResponseStatus;
import javax.servlet.http.HttpServletRequest;
import java.util.List; import java.util.List;
@Controller @Controller

View File

@ -24,7 +24,8 @@ import com.wisemapping.model.User;
import com.wisemapping.rest.model.RestErrors; import com.wisemapping.rest.model.RestErrors;
import com.wisemapping.security.Utils; import com.wisemapping.security.Utils;
import com.wisemapping.service.RegistrationException; import com.wisemapping.service.RegistrationException;
import org.apache.log4j.Logger; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Qualifier;
@ -42,7 +43,7 @@ import java.util.Locale;
public class BaseController { public class BaseController {
final private Logger logger = Logger.getLogger(BaseController.class); final private Logger logger = LogManager.getLogger();
@Qualifier("messageSource") @Qualifier("messageSource")
@Autowired @Autowired

View File

@ -25,7 +25,8 @@ import com.wisemapping.security.Utils;
import com.wisemapping.service.*; import com.wisemapping.service.*;
import com.wisemapping.validator.MapInfoValidator; import com.wisemapping.validator.MapInfoValidator;
import org.apache.commons.validator.routines.EmailValidator; import org.apache.commons.validator.routines.EmailValidator;
import org.apache.log4j.Logger; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Qualifier;
@ -46,7 +47,7 @@ import java.util.stream.Collectors;
@Controller @Controller
public class MindmapController extends BaseController { public class MindmapController extends BaseController {
final Logger logger = Logger.getLogger(MindmapController.class); final Logger logger = LogManager.getLogger();
private static final String LATEST_HISTORY_REVISION = "latest"; private static final String LATEST_HISTORY_REVISION = "latest";

View File

@ -26,7 +26,8 @@ import com.wisemapping.rest.model.RestUserRegistration;
import com.wisemapping.service.*; import com.wisemapping.service.*;
import com.wisemapping.validator.Messages; import com.wisemapping.validator.Messages;
import com.wisemapping.validator.UserValidator; import com.wisemapping.validator.UserValidator;
import org.apache.log4j.Logger; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Qualifier;
@ -57,7 +58,7 @@ public class UserController extends BaseController {
@Value("${accounts.exclusion.domain:''}") @Value("${accounts.exclusion.domain:''}")
private String domainBanExclusion; private String domainBanExclusion;
private static final Logger logger = Logger.getLogger(UserController.class); private static final Logger logger = LogManager.getLogger();
private static final String REAL_IP_ADDRESS_HEADER = "X-Real-IP"; private static final String REAL_IP_ADDRESS_HEADER = "X-Real-IP";
@RequestMapping(method = RequestMethod.POST, value = "/users", produces = {"application/json"}) @RequestMapping(method = RequestMethod.POST, value = "/users", produces = {"application/json"})

View File

@ -18,7 +18,9 @@
package com.wisemapping.security; package com.wisemapping.security;
import org.apache.log4j.Logger; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.security.crypto.codec.Base64; import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.crypto.codec.Hex; import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.codec.Utf8; import org.springframework.security.crypto.codec.Utf8;
@ -29,7 +31,7 @@ import java.security.NoSuchAlgorithmException;
public class LegacyPasswordEncoder implements PasswordEncoder { public class LegacyPasswordEncoder implements PasswordEncoder {
final private static Logger logger = Logger.getLogger(LegacyPasswordEncoder.class); final private static Logger logger = LogManager.getLogger();
public static final String ENC_PREFIX = "ENC:"; public static final String ENC_PREFIX = "ENC:";
private final ShaPasswordEncoder sha1Encoder = new ShaPasswordEncoder(); private final ShaPasswordEncoder sha1Encoder = new ShaPasswordEncoder();

View File

@ -23,18 +23,21 @@ import com.wisemapping.exceptions.LockException;
import com.wisemapping.model.CollaborationRole; import com.wisemapping.model.CollaborationRole;
import com.wisemapping.model.Mindmap; import com.wisemapping.model.Mindmap;
import com.wisemapping.model.User; import com.wisemapping.model.User;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.*; import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
class LockManagerImpl implements LockManager { class LockManagerImpl implements LockManager {
private static final int ONE_MINUTE_MILLISECONDS = 1000 * 60; private static final int ONE_MINUTE_MILLISECONDS = 1000 * 60;
private final Map<Integer, LockInfo> lockInfoByMapId; private final Map<Integer, LockInfo> lockInfoByMapId;
private final static Timer expirationTimer = new Timer(); private final static Timer expirationTimer = new Timer();
final private static Logger logger = Logger.getLogger(LockManagerImpl.class); final private static Logger logger = LogManager.getLogger();
@Override @Override
public boolean isLocked(@NotNull Mindmap mindmap) { public boolean isLocked(@NotNull Mindmap mindmap) {

View File

@ -17,13 +17,15 @@
*/ */
package com.wisemapping.service; package com.wisemapping.service;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import com.wisemapping.validator.Messages; import com.wisemapping.validator.Messages;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.apache.http.NameValuePair; import org.apache.http.NameValuePair;
import org.apache.http.client.fluent.Form; import org.apache.http.client.fluent.Form;
import org.apache.http.client.fluent.Request; import org.apache.http.client.fluent.Request;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.Nullable; import org.jetbrains.annotations.Nullable;
import javax.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
@ -35,7 +37,7 @@ import java.util.Map;
public class RecaptchaService { public class RecaptchaService {
final private static Logger logger = Logger.getLogger(RecaptchaService.class); final private static Logger logger = LogManager.getLogger();
final private static String GOOGLE_RECAPTCHA_VERIFY_URL = final private static String GOOGLE_RECAPTCHA_VERIFY_URL =
"https://www.google.com/recaptcha/api/siteverify"; "https://www.google.com/recaptcha/api/siteverify";