feign-form uses commons-fileupload 1.4 with High Sev CVE

[vstoyanov]

With the last release 4 years ago and the last accepted pull request about 3 years ago, by all means it is a dead project now. It brings a High Sev CVE to the dependency graph, which is not really nice and certainly not in line with the rest of Spring Framework.

Over the weekend I will do some research on what it could be replaced with and report back.

0. https://central.sonatype.com/artifact/io.github.openfeign.form/feign-form/3.8.0/versions
1. GHSA-hfrx-6qgj-fp6c

[OlgaMaciaszek]

Hello @vstoyanov, thanks for reporting the issue. That dependency is still under official maintenance by the OpenFeign team. A PR has been submitted to fix the issue. We will monitor what is happening to that PR and try to offer a workaround if necessary.

[OlgaMaciaszek]

Have overridden it in Spring Cloud OpenFeign. Workaround can be removed once it's been fixed in Feign-Form.

[mgbardakov]

I'm not sure if this fixes the problem. If I'm not mistaken just changing a dependency version isn't enough. https://devhub.checkmarx.com/cve-details/CVE-2023-24998/ A new config FileUploadBase#setFileCountMax should be enabled also, so I guess we still need a collaboration with OpenFeign team

[OlgaMaciaszek]

Hi @mgbardakov, thanks for bringing this up, it's a good point. However, in order to verify this, I have gone through the code in feign-form that uses commons-fileupload and, actually, a lower-level API is used there only and the FileUpload API that is the entry-point for this CVE is not used, so actually, the code would not even be affected by this vulnerability with the 1.4 dep version.