From 05e197ffaddc21c73c73c297d6764a23f8b959ad Mon Sep 17 00:00:00 2001
From: mmichalek
Date: Tue, 12 Dec 2017 16:32:11 -0500
Subject: [PATCH] 0003338: Upgrade 3rd Party Libraries to avoid security concerns
---
 symmetric-assemble/build.gradle | 20 +++++++++++--------
 symmetric-assemble/common.gradle | 13 +++++++-----
 .../db/sql/SqlPersistenceManager.java | 20 +++++++++++++------
 3 files changed, 34 insertions(+), 19 deletions(-)
diff --git a/symmetric-assemble/build.gradle b/symmetric-assemble/build.gradle
index a91dd9841f..24953e6b09 100644
--- a/symmetric-assemble/build.gradle
+++ b/symmetric-assemble/build.gradle
@@ -64,7 +64,7 @@ project(":symmetric-wrapper") {
 dependencies {
 compile "net.java.dev.jna:jna:$jnaVersion"
 compile "net.java.dev.jna:jna-platform:$jnaVersion"
- compile "bouncycastle:bcprov-jdk15:$bouncyCastleVersion"
+ compile "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion"
 provided "org.codehaus.mojo:animal-sniffer-annotations:$animalSnifferVersion"
 testCompile project(path: ':symmetric-util', configuration: 'testArtifacts')
 }
@@ -86,7 +86,7 @@ project(':symmetric-util') {
 compile "commons-io:commons-io:$commonsIoVersion"
 compile "commons-codec:commons-codec:$commonsCodecVersion"
 compile "commons-collections:commons-collections:$commonsCollectionVersion"
- compile "bouncycastle:bcprov-jdk15:$bouncyCastleVersion"
+ compile "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion"
 provided "org.codehaus.mojo:animal-sniffer-annotations:$animalSnifferVersion"
 }
 }
@@ -189,7 +189,13 @@ project(':symmetric-client') {
 provided "org.mongodb:mongo-java-driver:2.12.3"
 provided "org.codehaus.mojo:animal-sniffer-annotations:$animalSnifferVersion"
- provided "com.amazonaws:aws-java-sdk:1.9.17"
+ provided ("com.amazonaws:aws-java-sdk:1.9.17") {
+ exclude group: 'org.apache.httpcomponents'
+ exclude group: 'commons-logging'
+ exclude group: 'com.fasterxml.jackson.core'
+ exclude group: 'commons-codec'
+ }
+ provided 'org.apache.httpcomponents:httpclient:4.5.4' // This is required by com.amazonaws:aws-java-sdk. It is called out here to upgrade the version because of a user's security concerns.
 testCompile project(path: ':symmetric-util', configuration: 'testArtifacts')
 testCompile project(path: ':symmetric-io', configuration: 'testArtifacts')
@@ -214,17 +220,15 @@ project(':symmetric-server') {
 compile "org.jdom:jdom:1.1"
 compile ("com.mangofactory:swagger-springmvc:0.6.5") {
 exclude group: 'asm'
+ exclude group: 'com.fasterxml.jackson.core'
 }
+ compile "com.fasterxml.jackson.core:jackson-databind:2.8.10" // This is required by com.mangofactory:swagger-springmvc. It is called out here to upgrade the version because of a user's security concerns.
+ compile project(":symmetric-wrapper")
 provided "javax.jms:jms-api:1.1-rev-1"
 provided "org.mongodb:mongo-java-driver:2.12.3"
 provided "org.codehaus.mojo:animal-sniffer-annotations:$animalSnifferVersion"
- provided ("com.amazonaws:aws-java-sdk:1.8.9.1") {
- exclude group: 'commons-logging'
- exclude group: 'com.fasterxml.jackson.core'
- exclude group: 'commons-codec'
- }
 compile "javax.servlet:javax.servlet-api:$servletVersion"
 provided "org.eclipse.jetty:jetty-annotations:$jettyVersion"
 provided "org.eclipse.jetty:jetty-servlets:$jettyVersion"
diff --git a/symmetric-assemble/common.gradle b/symmetric-assemble/common.gradle
index e7ecb04d53..8cd0306491 100644
--- a/symmetric-assemble/common.gradle
+++ b/symmetric-assemble/common.gradle
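Review bot: The new `provided 'org.apache.httpcomponents:httpclient:4.5.4'` line pins a version literal inline, while every other library version in this build flows through the `ext { ... }` block in common.gradle (`commonsCodecVersion`, `springVersion`, and so on); the same inline pin appears in the `@@ -214` hunk (`jackson-databind:2.8.10`) and in common.gradle `@@ -208` (`xalan:xalan:2.7.1`). Consider adding `httpClientVersion`, `jacksonVersion` and `xalanVersion` entries to that block so the next security bump is a single edit, e.g. `provided "org.apache.httpcomponents:httpclient:$httpClientVersion"`. Note also that `exclude group: 'commons-codec'` drops the SDK's own commons-codec while this build declares `commonsCodecVersion = '1.3'`; if aws-java-sdk 1.9.17 relies on a newer codec API that mismatch only surfaces at runtime, so it is worth checking the SDK's declared dependency before merging. The enclosing `dependencies {` block starts and ends outside the hunk.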
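Review bot: `compile project(":symmetric-wrapper")` adds a new inter-module dependency for symmetric-server that the commit title (a third-party library upgrade) does not mention, and nothing in the hunk explains why server now needs wrapper; if it is intentional, a one-line comment naming the reason would save the next reader a search, and if it crept in by accident it should be dropped. The exclusion of `com.fasterxml.jackson.core` from swagger-springmvc is paired only with `jackson-databind:2.8.10`; databind pulls jackson-core and jackson-annotations in transitively, which is presumably the intent, but it is worth confirming the resolved versions of all three line up. The enclosing `dependencies {` block starts and ends outside the hunk.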
@@ -147,15 +147,15 @@ subprojects { subproject ->
 ext {
 bshVersion = '2.0b5'
- commonsBeanUtilsVersion = '1.9.2'
+ commonsBeanUtilsVersion = '1.9.3'
 commonsCliVersion = '1.2'
 commonsDbcpVersion = '1.3'
- commonsFileuploadVersion = '1.3'
+ commonsFileuploadVersion = '1.3.3'
 commonsIoVersion = '2.4'
 commonsLangVersion = '2.6'
 commonsNetVersion = '3.3'
 commonsCodecVersion = '1.3'
- commonsCollectionVersion = '3.2'
+ commonsCollectionVersion = '3.2.2'
 hamcrestVersion = '1.3'
 h2Version = '1.3.176'
 derbyVersion = '10.10.2.0'
@@ -174,10 +174,10 @@ subprojects { subproject ->
 powerMockVersion = '1.5.3'
 mysqlVersion = '5.1.30'
 servletVersion = '3.1.0'
- springVersion = '4.2.6.RELEASE'
+ springVersion = '4.3.13.RELEASE'
 jtdsVersion = '1.2.8'
 voltDbVersion = '6.2'
- bouncyCastleVersion = '140'
+ bouncyCastleVersion = '1.58'
 animalSnifferVersion = '1.10'
 jnaVersion = '4.1.0'
 jettyVersion = '9.2.18.v20160721'
@@ -208,7 +208,10 @@ subprojects { subproject ->
 exclude group: 'geronimo-spec'
 exclude group: 'log4j'
 exclude group: 'junit'
+ exclude group: 'xalan'
+ }
+ provided "xalan:xalan:2.7.1" // Required by org.firebirdsql.jdbc:jaybird, but a user's security requirement was for a newer version of xalan.
 provided ("net.sf.jt400:jt400:$jt400Version")
 provided "com.nuodb.jdbc:nuodb-jdbc:$nuodbVersion"
 provided "jdbc.tibero:tibero:$tiberoVersion"
diff --git a/symmetric-db/src/main/java/org/jumpmind/db/sql/SqlPersistenceManager.java b/symmetric-db/src/main/java/org/jumpmind/db/sql/SqlPersistenceManager.java
index 4f5b47ab54..5082f5c384 100644
--- a/symmetric-db/src/main/java/org/jumpmind/db/sql/SqlPersistenceManager.java
+++ b/symmetric-db/src/main/java/org/jumpmind/db/sql/SqlPersistenceManager.java
@@ -8,8 +8,9 @@
 import java.util.Map;
 import java.util.Set;
-import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.beanutils.BeanUtilsBean;
 import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
 import org.jumpmind.db.model.Column;
 import org.jumpmind.db.model.Table;
 import org.jumpmind.db.platform.IDatabasePlatform;
@@ -19,9 +20,16 @@ public class SqlPersistenceManager extends AbstractPersistenceManager {
 IDatabasePlatform databasePlatform;
+
+ // [BEANUTILS-463]
+ // Added new SuppressPropertiesBeanIntrospector class to deal with a potential
+ // class loader vulnerability.
+ private final BeanUtilsBean BEAN_UTILS = new BeanUtilsBean();
 public SqlPersistenceManager(IDatabasePlatform databasePlatform) {
 this.databasePlatform = databasePlatform;
+ BEAN_UTILS.getPropertyUtils().addBeanIntrospector(
+ SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
 }
 @Override
@@ -33,7 +41,7 @@ public T map(Map row, Class clazz, String catalogName, St
 Set propertyNames = objectToTableMapping.keySet();
 for (String propertyName : propertyNames) {
 Object value = row.get(objectToTableMapping.get(propertyName).getName());
- BeanUtils.copyProperty(object, propertyName, value);
+ BEAN_UTILS.copyProperty(object, propertyName, value);
 }
 return object;
 } catch (Exception e) {
@@ -213,7 +221,7 @@ public List find(Class clazz, Map conditions, String c
 Set propertyNames = objectToTableMapping.keySet();
 for (String propertyName : propertyNames) {
 Object value = row.get(objectToTableMapping.get(propertyName).getName());
- BeanUtils.copyProperty(object, propertyName, value);
+ BEAN_UTILS.copyProperty(object, propertyName, value);
 }
 objects.add(object);
 }
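Review bot: `import org.apache.commons.beanutils.PropertyUtils;` is kept, but the only visible use of `PropertyUtils` in this diff (`PropertyUtils.getProperty` in the `@@ -352` hunk) is replaced by `BEAN_UTILS.getProperty`; if no other use remains in the file the import is now dead and should be removed. If a static `PropertyUtils` call does remain elsewhere, be aware that it goes through the library's shared `PropertyUtilsBean` instance, which this commit does not register `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` on, so as far as I can tell only calls routed through `BEAN_UTILS` get the `class`-property suppression.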
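Review bot: `BEAN_UTILS` is a non-static instance field, so the UPPER_SNAKE_CASE name reads as a constant it is not; `private final BeanUtilsBean beanUtils = new BeanUtilsBean();` matches the file's `databasePlatform` naming, with the call sites in the later hunks renamed to match. The comment above it could also state what is actually being suppressed rather than only citing the ticket, e.g. `// BEANUTILS-463: suppress the "class" property so bean population cannot reach the class loader.` Each SqlPersistenceManager instance currently builds its own BeanUtilsBean and registers the introspector in the constructor; that is probably fine, but a `static final` field initialised once in a static block would make the registration a one-time setup rather than per-instance work.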
@@ -251,7 +259,7 @@ public List find(Class clazz, String catalogName, String schemaName, S
 Set propertyNames = objectToTableMapping.keySet();
 for (String propertyName : propertyNames) {
 Object value = row.get(objectToTableMapping.get(propertyName).getName());
- BeanUtils.copyProperty(object, propertyName, value);
+ BEAN_UTILS.copyProperty(object, propertyName, value);
 }
 objects.add(object);
 }
@@ -292,7 +300,7 @@ public void refresh(Object object, String catalogName, String schemaName, String
 Set propertyNames = objectToTableMapping.keySet();
 for (String propertyName : propertyNames) {
 Object value = row.get(objectToTableMapping.get(propertyName).getName());
- BeanUtils.copyProperty(object, propertyName, value);
+ BEAN_UTILS.copyProperty(object, propertyName, value);
 }
 }
 } catch (Exception e) {
@@ -352,7 +360,7 @@ protected LinkedHashMap getObjectValuesByColumnName(Object objec
 Set propertyNames = objectToTableMapping.keySet();
 for (String propertyName : propertyNames) {
 objectValuesByColumnName.put(objectToTableMapping.get(propertyName).getName(),
- PropertyUtils.getProperty(object, propertyName));
+ BEAN_UTILS.getProperty(object, propertyName));
 }
 return objectValuesByColumnName;
 } catch (IllegalAccessException e) {
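Review bot: `BEAN_UTILS.getProperty(object, propertyName)` in the `@@ -352` hunk is not a drop-in replacement for `PropertyUtils.getProperty`: `BeanUtilsBean.getProperty` returns the value converted to a `String`, whereas `PropertyUtilsBean.getProperty` returns the raw `Object`, so `objectValuesByColumnName` now holds stringified dates, numbers and booleans for whatever consumes the map downstream (not visible here). To keep the suppression introspector in effect while preserving the original value types, route through the configured `PropertyUtilsBean` instead: `BEAN_UTILS.getPropertyUtils().getProperty(object, propertyName));`. Both methods declare the same checked exceptions, so the surrounding `catch (IllegalAccessException e)` chain needs no change. `getObjectValuesByColumnName` starts and ends outside the hunk.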