From 76c0b3c00e211e83f7c0e2d035fc1eb52066c4c3 Mon Sep 17 00:00:00 2001 From: Robert Treacy Date: Thu, 20 Aug 2020 12:48:16 -0400 Subject: [PATCH 1/6] The version of hibernate-validator that we were using, 5.0.3.Final was reported to allow an attacker to escalate permissions and access private values and create invalid instances - see CVE-2017-7536. It is reported to be fixed in versions 5.2.5.Final and greater. The upgraded library had changes to the api for constructing ConstraintValidatorContextImpl, used in URLValidatorTest.java. In investigating the changes, it was found that there were further changes to the api in recent versions and it was decided to adapt the code to the latest changes and use the latest available stable hibernate-validator library - 6.1.5.Final. It was also necessary to add a dependency to javax.el due to changes in the library starting with version 5.3.1.Final and later. --- pom.xml | 7 ++++++- .../edu/harvard/iq/dataverse/URLValidatorTest.java | 11 +++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 27d640e5ff3..6525eb84aff 100644 --- a/pom.xml +++ b/pom.xml @@ -296,7 +296,12 @@ org.hibernate hibernate-validator - 5.0.3.Final + 6.1.5.Final + + + org.glassfish + javax.el + 3.0.1-b11 commons-lang diff --git a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java index 292eeeab0e8..121e23f6142 100644 --- a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java +++ b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java @@ -7,6 +7,10 @@ import org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorContextImpl; import org.hibernate.validator.internal.engine.path.PathImpl; +//import org.hibernate.validator.internal.engine.time.DefaultTimeProvider; +import javax.validation.Validation; +import javax.validation.ValidatorFactory; +import javax.validation.ClockProvider; import org.junit.Test; /** 
@@ -14,6 +18,9 @@ * @author skraffmi */ public class URLValidatorTest { + //static DefaultTimeProvider timeProvider = DefaultTimeProvider.getInstance(); + ValidatorFactory vFac = Validation.buildDefaultValidatorFactory(); + @Test public void testIsURLValid() { @@ -35,7 +42,7 @@ public void testIsValidWithUnspecifiedContext() { @Test public void testIsValidWithContextAndValidURL() { String value = "https://twitter.com/"; - ConstraintValidatorContext context = new ConstraintValidatorContextImpl(null, PathImpl.createPathFromString(""), null); + ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null); assertEquals(true, new URLValidator().isValid(value, context)); } @@ -43,7 +50,7 @@ public void testIsValidWithContextAndValidURL() { @Test public void testIsValidWithContextButInvalidURL() { String value = "cnn.com"; - ConstraintValidatorContext context = new ConstraintValidatorContextImpl(null, PathImpl.createPathFromString(""), null); + ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null); assertEquals(false, new URLValidator().isValid(value, context)); } From 438a7d0b4a317abae32d0116beed5d377c8b1b6d Mon Sep 17 00:00:00 2001 From: Robert Treacy Date: Thu, 20 Aug 2020 13:49:41 -0400 Subject: [PATCH 2/6] code cleanup --- .../java/edu/harvard/iq/dataverse/URLValidatorTest.java | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java index 121e23f6142..aae74861386 100644 --- a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java +++ b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java 
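Review bot: The rewritten context construction in testIsValidWithContextAndValidURL and testIsValidWithContextButInvalidURL still reaches into hibernate-validator's `internal` package, and the four-argument `new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null)` signature is exactly the kind of detail that broke on the last upgrade; the identical call is also repeated verbatim in both tests. A small stub implementing `javax.validation.ConstraintValidatorContext` (or a mock) would decouple the test from future constructor changes, and at minimum the duplicated call belongs in one helper, e.g. `private ConstraintValidatorContext emptyContext() { return new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""), null, null); }`. The `ValidatorFactory vFac` field is package-private, non-final and never closed even though `ValidatorFactory` has `close()`; a `private static final` field, or creation in `@BeforeClass` with `close()` in `@AfterClass`, would avoid building a factory per test instance. The two trailing `null` arguments are unexplained, so a short comment stating which constructor parameters they stand for would help the next reader when the bundled version changes again; the class body continues outside these hunks.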
@@ -7,10 +7,8 @@ import org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorContextImpl; import org.hibernate.validator.internal.engine.path.PathImpl; -//import org.hibernate.validator.internal.engine.time.DefaultTimeProvider; import javax.validation.Validation; import javax.validation.ValidatorFactory; -import javax.validation.ClockProvider; import org.junit.Test; /** @@ -19,7 +17,7 @@ */ public class URLValidatorTest { //static DefaultTimeProvider timeProvider = DefaultTimeProvider.getInstance(); - ValidatorFactory vFac = Validation.buildDefaultValidatorFactory(); + ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory(); @Test @@ -42,7 +40,7 @@ public void testIsValidWithUnspecifiedContext() { @Test public void testIsValidWithContextAndValidURL() { String value = "https://twitter.com/"; - ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null); + ConstraintValidatorContext context = new ConstraintValidatorContextImpl(validatorFactory.getClockProvider(), PathImpl.createPathFromString(""),null, null); assertEquals(true, new URLValidator().isValid(value, context)); } @@ -50,7 +48,7 @@ public void testIsValidWithContextAndValidURL() { @Test public void testIsValidWithContextButInvalidURL() { String value = "cnn.com"; - ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null); + ConstraintValidatorContext context = new ConstraintValidatorContextImpl(validatorFactory.getClockProvider(), PathImpl.createPathFromString(""),null, null); assertEquals(false, new URLValidator().isValid(value, context)); } From ab33496e6bc3b62c0de83e94a011dbd6a48142c1 Mon Sep 17 00:00:00 2001 
From: Robert Treacy Date: Thu, 20 Aug 2020 13:53:40 -0400 Subject: [PATCH 3/6] sorry, one more line of commented code removed --- src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java | 1 - 1 file changed, 1 deletion(-) diff --git a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java index aae74861386..f994809a0c0 100644 --- a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java +++ b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java @@ -16,7 +16,6 @@ * @author skraffmi */ public class URLValidatorTest { - //static DefaultTimeProvider timeProvider = DefaultTimeProvider.getInstance(); ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory(); From df442c5c4ccd84a02169adda11f0ebda52833833 Mon Sep 17 00:00:00 2001 From: Robert Treacy Date: Thu, 20 Aug 2020 16:31:45 -0400 Subject: [PATCH 4/6] Change el dependency to jakarta.el provided by Payara --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 6525eb84aff..44499389ccd 100644 --- a/pom.xml +++ b/pom.xml @@ -300,8 +300,8 @@ org.glassfish - javax.el - 3.0.1-b11 + jakarta.el + provided commons-lang From a7fcdfa9a1891fb73c58467c5aaa6d09a369dd24 Mon Sep 17 00:00:00 2001 From: Robert Treacy Date: Thu, 20 Aug 2020 17:50:13 -0400 Subject: [PATCH 5/6] Use hibernate-validator provided with Payara (still a 6.1.x -6.1.2 specifically at this point) --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 44499389ccd..16141725a34 100644 --- a/pom.xml +++ b/pom.xml @@ -294,9 +294,9 @@ 1.7 - org.hibernate + org.hibernate.validator hibernate-validator - 6.1.5.Final + provided org.glassfish From 83c2d3b3b415fe06ab9d097beb2856464e559c3b Mon Sep 17 00:00:00 2001
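Review bot: Replacing the explicit hibernate-validator `<version>` with `provided` scope means the pom no longer records the minimum version that actually closes CVE-2017-7536; the effective version becomes whatever the Payara BOM or installation supplies (6.1.2 at the time, per the commit message), so a later downgrade of the server or BOM would reintroduce the vulnerable range with no build-time signal. A comment next to the dependency, e.g. `<!-- version managed by Payara; must stay >= 5.2.5.Final (CVE-2017-7536) and match the ConstraintValidatorContextImpl constructor used by URLValidatorTest -->`, would make the constraint visible, and a maven-enforcer `bannedDependencies` rule excluding versions below 5.2.5.Final would make it fail fast. The same observation applies to the `jakarta.el` dependency in the preceding hunk, which is likewise left without a version. Whether a BOM in fact manages these versions cannot be seen from this hunk; if it does not, Maven will reject a dependency that has no version.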
From: Robert Treacy Date: Fri, 21 Aug 2020 13:13:24 -0400 Subject: [PATCH 6/6] update guava version from 16.0.1 to 29.0-jre. Addresses potential denial of service attack due to unbounded memory allocation. see CVE-2018-10237 dataverse-security#17 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 16141725a34..96a9797b9a6 100644 --- a/pom.xml +++ b/pom.xml @@ -264,7 +264,7 @@ com.google.guava guava - 16.0.1 + 29.0-jre jar