Merge pull request #14 from Accenture/security/xml-xxe-1-2020

v1.12.28 with rest-automation improvements and XXE patch

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+---
+## Version 1.12.28, 1/8/2020
+
+### Added
+
+Rest-automation will transport X-Trace-Id from/to Http request/response, therefore extending distributed trace across systems that support the X-Trace-Id HTTP header. 
+
+### Removed
+
+N/A
+
+### Changed
+
+Updated SimpleXmlParser with XML External Entity (XXE) injection prevention.
+
 ---
 ## Version 1.12.26, 1/4/2020
 

README.md

@@ -240,7 +240,7 @@ You can compile the rest-example as a microservices executable like this:
 cd mercury/examples
 cd rest-example
 mvn clean package
-java -Dcloud.connector=none -jar target/rest-example-1.12.26.jar
+java -Dcloud.connector=none -jar target/rest-example-1.12.28.jar
 # this will run the rest-example without a cloud connector
 ```
 
@@ -294,20 +294,20 @@ For simplicity, we are going to use the Event Node system to emulate a cloud env
 cd mercury/connectors
 cd event-node
 mvn clean package
-java -jar target/event-node-1.12.26.jar
+java -jar target/event-node-1.12.28.jar
 # the Event Node system will run. It emulates an event stream system.
 
 # Open another terminal and go to the project root
 cd mercury/examples
 cd lambda-example
 mvn clean package
-java -Dcloud.connector=event.node -jar target/lambda-example-1.12.26.jar
+java -Dcloud.connector=event.node -jar target/lambda-example-1.12.28.jar
 # the lambda-example microservices module will run and connect to the event node
 
 # Go to the terminal that runs the rest-example earlier
 Ctrl-C to quit the rest-example application
 # Then run the rest-example again with cloud.connector set to event.node
-java -Dcloud.connector=event.node -jar target/rest-example-1.12.26.jar
+java -Dcloud.connector=event.node -jar target/rest-example-1.12.28.jar
 # without the "-Dcloud.connector" parameter override, the rest-example will run and connect to a hazelcast cluster.
 
 ```
@@ -356,19 +356,19 @@ Members {size:1, ver:1} [
 cd mercury/connectors
 cd hazelcast/hazelcast-presence
 mvn clean package
-java -jar target/hazelcast-presence-1.12.26.jar
+java -jar target/hazelcast-presence-1.12.28.jar
 # this will start the "presence monitor" that will connect to the hazelcast cluster.
 ```
 
 - Run the lambda-example and rest-example again
 
 ```bash
 # go to the lambda-example project folder in one terminal
-java -Dcloud.connector=hazelcast -Dcloud.services=hazelcast.reporter -jar target/lambda-example-1.12.26.jar
+java -Dcloud.connector=hazelcast -Dcloud.services=hazelcast.reporter -jar target/lambda-example-1.12.28.jar
 # the lambda-example will connect to the hazelcast cluster and the "presence monitor"
 
 # go to the rest-example project folder in another terminal
-java -Dcloud.connector=hazelcast -Dcloud.services=hazelcast.reporter -jar target/rest-example-1.12.26.jar
+java -Dcloud.connector=hazelcast -Dcloud.services=hazelcast.reporter -jar target/rest-example-1.12.28.jar
 # the rest-example will also connect to the hazelcast cluster and the "presence monitor"
 
 ```
@@ -393,7 +393,7 @@ You may visit http://127.0.0.1:8080/info to see connection info. It may look lik
         "seq" : 123,
         "type" : "APP",
         "updated" : "2018-12-21T17:51:01Z",
-        "version" : "1.12.26"
+        "version" : "1.12.28"
       },
       "201812215ff40bbc36004637ac8cd18debf5cf95" : {
         "created" : "2018-12-21T17:11:49Z",
@@ -402,7 +402,7 @@ You may visit http://127.0.0.1:8080/info to see connection info. It may look lik
         "seq" : 117,
         "type" : "WEB",
         "updated" : "2018-12-21T17:50:55Z",
-        "version" : "1.12.26"
+        "version" : "1.12.28"
       }
     },
     "topics" : [ "201812215ff40bbc36004637ac8cd18debf5cf95", "201812213aed6381e8b543d48f3f288f64207019" ],
@@ -414,7 +414,7 @@ You may visit http://127.0.0.1:8080/info to see connection info. It may look lik
   "app" : {
     "description" : "Presence Monitor",
     "name" : "hazelcast-presence",
-    "version" : "1.12.26"
+    "version" : "1.12.28"
   },
   "memory" : {
     "allocated" : "737,673,216",
@@ -439,7 +439,7 @@ You may also check the health status of the presence monitor by visiting http://
   "status" : "UP",
   "upstream" : [ {
     "cluster" : [ "127.0.0.1:5701", "127.0.0.1:5702" ],
-    "message" : "Loopback test took 1 ms",
+    "message" : "Loopback test took 1 ms; presence-monitor connected.",
     "namespace" : "connector",
     "required" : true,
     "route" : "cloud.connector.health",
@@ -461,23 +461,23 @@ For rapid development and prototyping, we have implemented a convenient standalo
 cd mercury/connectors
 cd kafka/kafka-standalone
 mvn clean package
-java -jar target/kafka-standalone-1.12.26.jar
+java -jar target/kafka-standalone-1.12.28.jar
 # this will start a standalone kafka server with embedded zookeeper
 cd ../kafka-presence
 mvn clean package
-java -jar target/kafka-presence-1.12.26.jar
+java -jar target/kafka-presence-1.12.28.jar
 # this will start the "presence monitor" that will connect to the kafka cluster.
 ```
 
 - Run the lambda-example and rest-example again
 
 ```bash
 # go to the lambda-example project folder in one terminal
-java -Dcloud.connector=kafka -Dcloud.services=kafka.reporter -jar target/lambda-example-1.12.26.jar
+java -Dcloud.connector=kafka -Dcloud.services=kafka.reporter -jar target/lambda-example-1.12.28.jar
 # the lambda-example will connect to the kafka server and the "presence monitor"
 
 # go to the rest-example project folder in another terminal
-java -Dcloud.connector=kafka -Dcloud.services=kafka.reporter -jar target/rest-example-1.12.26.jar
+java -Dcloud.connector=kafka -Dcloud.services=kafka.reporter -jar target/rest-example-1.12.28.jar
 # the rest-example will also connect to the kafka server and the "presence monitor"
 
 ```

connectors/event-node/pom.xml

@@ -7,7 +7,7 @@
     <artifactId>event-node</artifactId>
 
     <packaging>jar</packaging>
-    <version>1.12.26</version>
+    <version>1.12.28</version>
     <name>Event Node - Platform-in-a-box</name>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -29,7 +29,7 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>rest-spring</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/junit/junit -->

connectors/hazelcast/hazelcast-connector/pom.xml

@@ -7,7 +7,7 @@
     <artifactId>hazelcast-connector</artifactId>
 
     <packaging>jar</packaging>
-    <version>1.12.26</version>
+    <version>1.12.28</version>
     <name>Cloud connector for Hazelcast cluster</name>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -29,7 +29,7 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>platform-core</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/com.hazelcast/hazelcast-client -->

connectors/hazelcast/hazelcast-presence/pom.xml

@@ -5,7 +5,7 @@
     <groupId>org.platformlambda</groupId>
     <artifactId>hazelcast-presence</artifactId>
     <packaging>jar</packaging>
-    <version>1.12.26</version>
+    <version>1.12.28</version>
     <name>hazelcast-presence-monitor</name>
 
     <properties>
@@ -28,13 +28,13 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>hazelcast-connector</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>rest-spring</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/junit/junit -->

connectors/kafka/kafka-connector/pom.xml

@@ -7,7 +7,7 @@
     <artifactId>kafka-connector</artifactId>
 
     <packaging>jar</packaging>
-    <version>1.12.26</version>
+    <version>1.12.28</version>
     <name>Cloud connector for Kafka cluster</name>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -29,7 +29,7 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>platform-core</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <dependency>

connectors/kafka/kafka-presence/pom.xml

@@ -5,7 +5,7 @@
 	<groupId>org.platformlambda</groupId>
 	<artifactId>kafka-presence</artifactId>	
 	<packaging>jar</packaging>
-	<version>1.12.25</version>
+	<version>1.12.28</version>
 	<name>kafka-presence-monitor</name>
 
   	<properties>
@@ -28,13 +28,13 @@
 		<dependency>
 			<groupId>org.platformlambda</groupId>
 			<artifactId>kafka-connector</artifactId>
-			<version>1.12.25</version>
+			<version>1.12.28</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.platformlambda</groupId>
 			<artifactId>rest-spring</artifactId>
-			<version>1.12.25</version>
+			<version>1.12.28</version>
 		</dependency>
 
 		<!-- https://mvnrepository.com/artifact/junit/junit -->

connectors/kafka/kafka-standalone/pom.xml

@@ -7,7 +7,7 @@
     <artifactId>kafka-standalone</artifactId>
 
     <packaging>jar</packaging>
-    <version>1.12.26</version>
+    <version>1.12.28</version>
     <name>Standalone kafka system for development and testing</name>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -29,7 +29,7 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>platform-core</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper -->

examples/lambda-example/pom.xml

@@ -7,7 +7,7 @@
     <artifactId>lambda-example</artifactId>
 
     <packaging>jar</packaging>
-    <version>1.12.26</version>
+    <version>1.12.28</version>
     <name>Example for simple microservices executable</name>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -29,7 +29,7 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>platform-core</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- select your cloud connector (hazelcast-connector or kafka-connector).
@@ -42,12 +42,12 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>kafka-connector</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>hazelcast-connector</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/junit/junit -->

examples/lambda-example/src/main/java/org/platformlambda/example/MainApp.java

@@ -23,7 +23,6 @@
 import org.platformlambda.core.models.LambdaFunction;
 import org.platformlambda.core.system.AppStarter;
 import org.platformlambda.core.system.Platform;
-import org.platformlambda.core.system.ServerPersonality;
 import org.platformlambda.services.HelloGeneric;
 import org.platformlambda.services.HelloPoJo;
 import org.slf4j.Logger;

examples/lambda-example/src/main/java/org/platformlambda/services/HelloGeneric.java

@@ -33,19 +33,17 @@ public class HelloGeneric implements LambdaFunction {
 
     @Override
     public Object handleEvent(Map<String, String> headers, Object body, int instance) throws AppException, IOException {
-
         String id = headers.get("id");
         if (id == null) {
             throw new IllegalArgumentException("Missing parameter 'id'");
         }
-
         if (id.equals("1")) {
             // to set status, key-values or parametric types, we can use EventEnvelope as a result wrapper
             EventEnvelope result = new EventEnvelope();
-
             ObjectWithGenericType<SamplePoJo> genericObject = new ObjectWithGenericType<>();
             // return some place-holder values to demonstrate the PoJo can be transported over the network
-            SamplePoJo mock = new SamplePoJo(1, "Class with generic type resolved at run-time to be SamplePoJo", "200 World Blvd, Planet Earth");
+            SamplePoJo mock = new SamplePoJo(1, "Generic class with parametric type SamplePoJo",
+                                    "200 World Blvd, Planet Earth");
             // set current timestamp to indicate that the object is a new one
             mock.setDate(new Date());
             // set instance count and service origin ID to show that the object comes from a different instance
@@ -62,7 +60,6 @@ public Object handleEvent(Map<String, String> headers, Object body, int instance
         } else {
             throw new AppException(404, "Not found. Try id = 1");
         }
-
     }
 
 }

examples/lambda-example/src/main/java/org/platformlambda/services/HelloPoJo.java

@@ -34,12 +34,10 @@ public class HelloPoJo implements LambdaFunction {
 
     @Override
     public Object handleEvent(Map<String, String> headers, Object body, int instance) throws AppException, IOException {
-
         String id = headers.get("id");
         if (id == null) {
             throw new IllegalArgumentException("Missing parameter 'id'");
         }
-
         if (id.equals("1")) {
             // return some place-holder values to demonstrate the PoJo can be transported over the network
             SamplePoJo mock = new SamplePoJo(1, "Simple PoJo class", "100 World Blvd, Planet Earth");
@@ -53,7 +51,6 @@ public Object handleEvent(Map<String, String> headers, Object body, int instance
         } else {
             throw new AppException(404, "Not found. Try id = 1");
         }
-
     }
 
 }

examples/rest-example/pom.xml

@@ -7,7 +7,7 @@
     <artifactId>rest-example</artifactId>
 
     <packaging>jar</packaging>
-    <version>1.12.26</version>
+    <version>1.12.28</version>
     <name>REST example application</name>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -29,7 +29,7 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>rest-spring</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- select your cloud connector (hazelcast-connector or kafka-connector).
@@ -42,12 +42,12 @@
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>kafka-connector</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
         <dependency>
             <groupId>org.platformlambda</groupId>
             <artifactId>hazelcast-connector</artifactId>
-            <version>1.12.26</version>
+            <version>1.12.28</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/junit/junit -->

examples/rest-example/src/main/java/com/accenture/examples/rest/HelloPoJo.java

@@ -53,7 +53,6 @@ public Object getPoJo(@PathParam("id") Integer id) throws TimeoutException, AppE
                         SamplePoJo.class.getName() + ", actual: " + response.getBody().getClass().getName());
             }
         }
-
     }
 
     @GET