New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency upgrade: xstream 1.4.19, jettison 1.4.1 #5552
Conversation
Supersedes #4572 |
AFAIK the vulnerabilities occur only when the XStream security subsystem is not configured. The GeoServer code does initialize it (although I cannot guarantee it happens everywhere), so it should not actually be vulnerable? Communication about potential vulnerabilities should be done in a responsible way, without spreading panic, and done only once fixes are released to the public, please. |
Spreading panic? sigh. Ok, I'm sorry for mentioning XStream has vulnerabilities although it's public information, and even more sorry for not realizing they don't affect GeoServer, wouldn't go through all 29 of them to verify though. |
Build's failing on I wonder why JSONArray coverages = json.getJSONObject("coverages").getJSONArray("coverage");
assertThat(coverages.size(), is(1)); While JSONObject coverage = ((JSONObject) json).getJSONObject("coverage");
assertNotNull(coverage); |
@groldan yes spreading panic, it should be obvious to anyone that has had exposure to customers, which go nuts over the off-chance possibility anything is wrong. The Log4J2 case should serve as an emblematic example, we got grilled over a case of "run a RCE with any HTTP request" when that was not even affecting GeoServer, and ended up fixing one that required pre-existing access to the server file system in order to be triggered. Why that? Because people panic before checking if they are even affected. Even just mentioning "vulnerability" makes some people trigger... and those same people typically don't check CVEs and don't do research (the latter kind normally checks if an issue is an actual one, and how it can be triggered, before taking out the big guns). We have multiple sections about responsible disclosure: Please read them and be more careful in the future, even for issues that are already listed (and even more so for the ones that are not, or for which you have an attack vector), the more they are discussed in public, the more the nutjobs mentioned above will start panicking. |
I guessing it's a simple "because XStream used to generate outputs like this"... historically XStream was used for the configuration, the REST API came some time after tha, and that's when we also got a JSON encoding... I believe it was accepted as-is, and tests kept on being written using that "untouchable" behavior. In #4572 I could not find a set of settings that made the output match the previous one. As weird as it is, and as much as I don't like the inconsistency, the test spotted a backwards incompatible change. We can have such change, it just requires discussion with the PSC and an indication to the users that the upgrade might break some REST automation. I'll be +1 on breaking the JSON encoding expectations for more correct output, btw. |
Hi, for the moment I fixed the test to expect an object, under the assumption that since it's already the expected behavior, seems more like a fix than anything else, like in we at least have a consistent output? Let me know what you think. |
The read side is safer... it all depends on the specific client, on whether it has been built to match specific behavior, or written to be general... but in Javascript, it's easy to just read JSON into a variable and then hard-code an access path to the bit of information required, which might cross one of these weird points. The write side is more problematic, will the change make the REST API stop accepting JSON it used to read? Again, not against the change, but it should be managed properly: PSC vote and warning to the users in the documentation (there is an upgrade section in the docs). I don't think we need a proposal, just a mail on devel explaining the situation (that the change actually brings better, more consistent behavior) and a set of votes. |
Haven't changed anything related to writes (POST requests), relying on the existing set of tests. Is that what you mean? just checking we're on the same page |
I believe we are not on the same page. The change in encoding happens because XStream + Jettison behavior changed, right? A deployed system is normally a complex beast, made of different components, built by different people (and sometimes different companies, on contract). Upgrading GeoServer (maybe to get a security fix?) should not require changing the other components of the deployment. If it does, then it should be clearly advertised in the docs (and discussed by the PSC). |
I'm not sure if you realize what I'm trying to do is to preserve the old behavior? working on that |
I am. But tests failing means there is currently a breakage in backward compatibility.
I was not aware it was limited to that converter, no previous message mentioned it. It's good news though, that's a converter under our control, so hopefully, it can be fixed. |
@@ -216,7 +217,13 @@ public void encodeCollectionLink(String link, HierarchicalStreamWriter writer) { | |||
|
|||
@Override | |||
protected XStream createXStreamInstance() { | |||
return new SecureXStream(new JettisonMappedXmlDriver()); | |||
// needed for Jettison 1.4.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah ha!
All green, well done! I can't do a review right now, will try to look at this in the next few days. |
Actually I'm trying to revert that test case to its original form and get exactly the same output as before out of Problem is I either get
or
But not the expected
|
b1b11da
to
75925d3
Compare
ok, managed to preserve |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see boolean useSerializeAsArray = false;
in several classes and I'm wondering if it would be a good idea to move that into a public final in eg. XStreamPersister.java
(not sure how that would work out dependency-wise
@@ -310,6 +311,7 @@ public void testDirectoryXML() throws Exception { | |||
} | |||
|
|||
@Test | |||
@Ignore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a comment as to why this test should be ignored?
@Ignore | |
@Ignore("why is this ignored....") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it wasn't intentional, met me check
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep it was part of the work in progress, that branch was not meant to be committed as-is
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks pretty good in general! Agree with the two points raised by @mprins (ignored test, and sharing duplicated code if possible).
@@ -72,6 +72,7 @@ public void testGetAsJSON() throws Exception { | |||
@Test | |||
public void testGetAllAsJSON() throws Exception { | |||
JSON json = getAsJSON(ROOT_PATH + "/workspaces/sf/datastores.json"); | |||
print(json); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd get rid of all the extra "print" in this PR.
75925d3
to
cbd1ade
Compare
Looks like there are legit test failures (at one point I believe the build was green though? maybe I'm confusing it with something else...) |
It was green, but haven't seen that one that was |
This comment has been minimized.
This comment has been minimized.
just a heads up that I'm resuming work on this |
How are things going @groldan ? |
e9afe67
to
a06a726
Compare
back from vacations, finally working on this for good |
Pass `false` to `JettisonMappedXmlDriver` constructor's `useSerializeAsArray` parameter to preserve the legacy (1.1) single-element-arrar-as-object behavior after upgrading to Jettison 1.4.1.
… single-element collections The upgrade to Jettison 1.4.1 makes it impossible to preserve the single-collection JSON encoding as-is. Use a helper class to ensure single-element collections are encoded as it used to be before the upgrade, and add tests.
…and multiple children cases
a70400c
to
acca593
Compare
c0555fa
to
efc4e30
Compare
Closing as superseded by #5730 with a single commit and corrected branch name. |
Current XStream version has several (29) vulnerabilities, though they won't affect GeoServer, since it properly configures the security subsystem, an upgrade seems to be in place anyways.
This upgrades to the latest
1.4.19
version and Jettison1.4.1
with a patch to preserve Jettison's legacybehaviour when encoding single-element arrays.
Checklist
main
branch (backports managed later; ignore for branch specific issues).For core and extension modules:
[GEOS-XYZWV] Title of the Jira ticket
.