HIVE-25054: Upgrade jodd-core dependency to get rid of CVE-2018-21234…

… (Abhay Chennagiri, reviewed by Jesus Camacho Rodriguez) Closes apache#2217
zabetak · May 21, 2021 · fd6e701 · fd6e701
1 parent bf608ce
commit fd6e701
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 16 deletions.
diff --git a/pom.xml b/pom.xml
@@ -166,7 +166,7 @@
     <jline.version>2.14.6</jline.version>
     <jms.version>2.0.2</jms.version>
     <joda.version>2.9.9</joda.version>
-    <jodd.version>3.5.2</jodd.version>
+    <jodd.version>6.0.0</jodd.version>
     <json.version>1.8</json.version>
     <junit.version>4.13</junit.version>
     <junit.jupiter.version>5.6.2</junit.jupiter.version>

diff --git a/ql/pom.xml b/ql/pom.xml
@@ -387,7 +387,7 @@
     </dependency>
     <dependency>
       <groupId>org.jodd</groupId>
-      <artifactId>jodd-core</artifactId>
+      <artifactId>jodd-util</artifactId>
       <version>${jodd.version}</version>
     </dependency>
     <dependency>
@@ -1088,7 +1088,7 @@
                   <include>org.datanucleus:javax.jdo</include>
                   <include>commons-lang:commons-lang</include>
                   <include>org.apache.commons:commons-lang3</include>
-                  <include>org.jodd:jodd-core</include>
+                  <include>org.jodd:jodd-util</include>
                   <include>com.tdunning:json</include>
                   <include>org.apache.avro:avro</include>
                   <include>org.apache.avro:avro-mapred</include>

diff --git a/ql/src/java/org/apache/hadoop/hive/ql/io/parquet/timestamp/NanoTimeUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/io/parquet/timestamp/NanoTimeUtils.java
@@ -21,9 +21,9 @@
 import java.util.TimeZone;
 import java.util.concurrent.TimeUnit;
 
-import org.apache.hadoop.hive.common.type.Timestamp;
+import jodd.time.JulianDate;
 
-import jodd.datetime.JDateTime;
+import org.apache.hadoop.hive.common.type.Timestamp;
 import org.apache.hadoop.hive.common.type.TimestampTZUtil;
 
 /**
@@ -79,9 +79,10 @@ public static NanoTime getNanoTime(Timestamp ts, boolean skipConversion, ZoneId
     if (calendar.get(Calendar.ERA) == GregorianCalendar.BC) {
       year = 1 - year;
     }
-    JDateTime jDateTime = new JDateTime(year,
+    JulianDate jDateTime;
+    jDateTime = JulianDate.of(year,
         calendar.get(Calendar.MONTH) + 1,  //java calendar index starting at 1.
-        calendar.get(Calendar.DAY_OF_MONTH));
+        calendar.get(Calendar.DAY_OF_MONTH), 0, 0, 0, 0);
     int days = jDateTime.getJulianDayNumber();
 
     long hour = calendar.get(Calendar.HOUR_OF_DAY);
@@ -131,11 +132,12 @@ public static Timestamp getTimestamp(NanoTime nt, boolean skipConversion, ZoneId
       julianDay--;
     }
 
-    JDateTime jDateTime = new JDateTime((double) julianDay);
+    JulianDate jDateTime;
+    jDateTime = JulianDate.of((double) julianDay);
     Calendar calendar = getGMTCalendar();
-    calendar.set(Calendar.YEAR, jDateTime.getYear());
-    calendar.set(Calendar.MONTH, jDateTime.getMonth() - 1); //java calendar index starting at 1.
-    calendar.set(Calendar.DAY_OF_MONTH, jDateTime.getDay());
+    calendar.set(Calendar.YEAR, jDateTime.toLocalDateTime().getYear());
+    calendar.set(Calendar.MONTH, jDateTime.toLocalDateTime().getMonth().getValue() - 1); //java calendar index starting at 1.
+    calendar.set(Calendar.DAY_OF_MONTH, jDateTime.toLocalDateTime().getDayOfMonth());
 
     int hour = (int) (remainder / (NANOS_PER_HOUR));
     remainder = remainder % (NANOS_PER_HOUR);

diff --git a/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp b/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp
@@ -32,7 +32,7 @@
   import="java.util.Collection"
   import="java.util.Date"
   import="java.util.List"
-  import="jodd.util.HtmlEncoder"
+  import="jodd.net.HtmlEncoder"
 %>
 
 <%
@@ -159,7 +159,7 @@ for (HiveSession hiveSession: hiveSessions) {
     %>
     <tr>
         <td><%= operation.getUserName() %></td>
-        <td><%= HtmlEncoder.strict(operation.getQueryDisplay() == null ? "Unknown" : operation.getQueryDisplay().getQueryString()) %></td>
+        <td><%= HtmlEncoder.text(operation.getQueryDisplay() == null ? "Unknown" : operation.getQueryDisplay().getQueryString()) %></td>
         <td><%= operation.getExecutionEngine() %>
         <td><%= operation.getState() %></td>
         <td><%= new Date(operation.getBeginTime()) %></td>
@@ -203,7 +203,7 @@ for (HiveSession hiveSession: hiveSessions) {
     %>
     <tr>
         <td><%= operation.getUserName() %></td>
-        <td><%= HtmlEncoder.strict(operation.getQueryDisplay() == null ? "Unknown" : operation.getQueryDisplay().getQueryString()) %></td>
+        <td><%= HtmlEncoder.text(operation.getQueryDisplay() == null ? "Unknown" : operation.getQueryDisplay().getQueryString()) %></td>
         <td><%= operation.getExecutionEngine() %>
         <td><%= operation.getState() %></td>
         <td><%= operation.getElapsedTime()/1000 %></td>

diff --git a/service/src/resources/hive-webapps/hiveserver2/logconf.jsp b/service/src/resources/hive-webapps/hiveserver2/logconf.jsp
@@ -32,7 +32,7 @@
          import="java.util.Collection"
          import="java.util.Date"
          import="java.util.List"
-         import="jodd.util.HtmlEncoder"
+         import="jodd.net.HtmlEncoder"
 %>
 
 <%
@@ -142,4 +142,4 @@
     </div>
 
 </body>
-</html>
+</html>