fix: spring vulnerability (#1378)

zalando · Apr 5, 2022 · fe9b094 · fe9b094
1 parent 13b6be7
commit fe9b094
Show file tree

Hide file tree

Showing 42 changed files with 291 additions and 244 deletions.
diff --git a/server/build.gradle.kts b/server/build.gradle.kts
@@ -2,8 +2,8 @@ import org.jetbrains.dokka.gradle.DokkaTask
 import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 
 plugins {
-    val kotlinVersion = "1.4.32"
-    val klintVersion = "9.2.1"
+    val kotlinVersion = "1.6.20"
+    val klintVersion = "10.2.1"
 
     // The buildscript is also kotlin, so we apply at the root level
     kotlin("jvm") version kotlinVersion
@@ -15,7 +15,7 @@ plugins {
     `maven-publish`
     signing
     id("com.github.ben-manes.versions") version "0.20.0"
-    id("org.jetbrains.dokka") version "1.4.32" apply false
+    id("org.jetbrains.dokka") version "1.6.10" apply false
 
     // We apply this so that ktlint can format the top level buildscript
     id("org.jlleitschuh.gradle.ktlint") version klintVersion
@@ -144,18 +144,19 @@ subprojects {
     }
 
     dependencies {
-        implementation(platform("com.fasterxml.jackson:jackson-bom:2.12.2"))
         implementation("org.jetbrains.kotlin:kotlin-stdlib")
 
         // We define this here so all subprojects use the same version of jackson
+        implementation(platform("com.fasterxml.jackson:jackson-bom:2.13.2.20220328"))
+        implementation("com.fasterxml.jackson.core:jackson-databind")
         implementation("com.fasterxml.jackson.module:jackson-module-parameter-names")
         implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
         implementation("com.fasterxml.jackson.datatype:jackson-datatype-jdk8")
         implementation("com.fasterxml.jackson.module:jackson-module-kotlin")
-        implementation("org.yaml:snakeyaml:1.29")
+        implementation("org.yaml:snakeyaml:1.30")
 
-        testImplementation("com.jayway.jsonpath:json-path-assert:2.4.0")
-        testImplementation("org.mockito:mockito-core:2.23.4")
+        testImplementation("com.jayway.jsonpath:json-path-assert:2.7.0")
+        testImplementation("org.mockito:mockito-core:2.28.2")
     }
 
     jacoco {

diff --git a/server/gradle/wrapper/gradle-wrapper.properties b/server/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.0.2-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.2-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/server/zally-core/src/main/kotlin/org/zalando/zally/core/DefaultContext.kt b/server/zally-core/src/main/kotlin/org/zalando/zally/core/DefaultContext.kt
@@ -137,14 +137,16 @@ class DefaultContext(
      * @throws IllegalStateException if value is not an OpenAPI or Swagger model element.
      */
     override fun getJsonPointer(value: Any): JsonPointer = when (swaggerAst) {
-        null -> openApiAst
-            .getPointer(value)
-            ?: error("Expected OpenAPI model element, not: $value")
-        else -> when (val swaggerPointer = swaggerAst.getPointer(value)) {
-            null -> openApiAst
+        null ->
+            openApiAst
                 .getPointer(value)
-                ?.let { it.toSwaggerJsonPointer() ?: it }
-                ?: error("Expected OpenAPI or Swagger model element, not: $value")
+                ?: error("Expected OpenAPI model element, not: $value")
+        else -> when (val swaggerPointer = swaggerAst.getPointer(value)) {
+            null ->
+                openApiAst
+                    .getPointer(value)
+                    ?.let { it.toSwaggerJsonPointer() ?: it }
+                    ?: error("Expected OpenAPI or Swagger model element, not: $value")
             else -> swaggerPointer
         }
     }

diff --git a/server/zally-core/src/main/kotlin/org/zalando/zally/core/DefaultContextFactory.kt b/server/zally-core/src/main/kotlin/org/zalando/zally/core/DefaultContextFactory.kt
@@ -92,9 +92,11 @@ class DefaultContextFactory(
 
         val authorizationValue = when {
             authorization is String && propagateAuthorizationUrls.isNotEmpty() ->
-                mutableListOf(AuthorizationValue("Authorization", authorization, "header") { url ->
-                    propagateAuthorizationUrls.any { it.matcher(url.toString()).matches() }
-                })
+                mutableListOf(
+                    AuthorizationValue("Authorization", authorization, "header") { url ->
+                        propagateAuthorizationUrls.any { it.matcher(url.toString()).matches() }
+                    }
+                )
             else -> mutableListOf()
         }
 

diff --git a/server/zally-core/src/main/kotlin/org/zalando/zally/core/RulesValidator.kt b/server/zally-core/src/main/kotlin/org/zalando/zally/core/RulesValidator.kt
@@ -62,7 +62,8 @@ abstract class RulesValidator<RootT : Any>(val rules: RulesManager) : ApiValidat
         } catch (e: InvocationTargetException) {
             throw RuntimeException(
                 "check invocation failed: id=${details.rule.id} " +
-                    "title=${details.rule.title} checkName=${details.method.name} reason=${e.targetException}", e
+                    "title=${details.rule.title} checkName=${details.method.name} reason=${e.targetException}",
+                e
             )
         }
 

diff --git a/server/zally-core/src/main/kotlin/org/zalando/zally/core/ast/ReverseAstBuilder.kt b/server/zally-core/src/main/kotlin/org/zalando/zally/core/ast/ReverseAstBuilder.kt
@@ -83,9 +83,11 @@ class ReverseAstBuilder<T : Any> internal constructor(root: T) {
         handleArray(set.toTypedArray(), pointer, marker)
 
     private fun handleArray(objects: Array<*>, pointer: JsonPointer, marker: Marker?): Deque<Node> =
-        ArrayDeque(objects.filterNotNull().mapIndexed { i, value ->
-            Node(value, pointer + i.toString().toEscapedJsonPointer(), marker)
-        })
+        ArrayDeque(
+            objects.filterNotNull().mapIndexed { i, value ->
+                Node(value, pointer + i.toString().toEscapedJsonPointer(), marker)
+            }
+        )
 
     private fun handleObject(obj: Any, pointer: JsonPointer, defaultMarker: Marker?): Deque<Node> {
         val nodes = ArrayDeque<Node>()
@@ -164,8 +166,10 @@ class ReverseAstBuilder<T : Any> internal constructor(root: T) {
                     Modifier.isPublic(it.modifiers) &&
                     !it.isAnnotationPresent(JsonIgnore::class.java)
             }
-            .sortedWith(Comparator
-                .comparing { method: Method -> method.name == "getPaths" }
-                .thenComparing { method: Method -> method.name })
+            .sortedWith(
+                Comparator
+                    .comparing { method: Method -> method.name == "getPaths" }
+                    .thenComparing { method: Method -> method.name }
+            )
     }
 }
diff --git a/server/zally-core/src/test/kotlin/org/zalando/zally/core/DefaultContextFactoryTest.kt b/server/zally-core/src/test/kotlin/org/zalando/zally/core/DefaultContextFactoryTest.kt
@@ -81,7 +81,7 @@ class DefaultContextFactoryTest {
                   version: 1.0.0
                   title: Pets API
                 paths: {}
-            """.trimIndent()
+        """.trimIndent()
         val result = defaultContextFactory.parseOpenApiContext(content)
         assertThat(result).resultsInNotApplicable()
     }
@@ -123,7 +123,7 @@ class DefaultContextFactoryTest {
                   oa: {}
                     # type: oauth2
                 paths: {}
-            """.trimIndent()
+        """.trimIndent()
         val result = defaultContextFactory.parseSwaggerContext(content)
         assertThat(result).resultsInSuccess()
     }
@@ -145,7 +145,7 @@ class DefaultContextFactoryTest {
                     # scopes:
                     #   foo: Description of 'foo'
                 paths: {}
-            """.trimIndent()
+        """.trimIndent()
         val result = defaultContextFactory.parseSwaggerContext(content)
         assertThat(result).resultsInSuccess()
     }
@@ -159,7 +159,7 @@ class DefaultContextFactoryTest {
                   title: Bleh
                   version: 1.0.0
                 paths: {}
-            """.trimIndent()
+        """.trimIndent()
         val result = defaultContextFactory.parseSwaggerContext(content)
         assertThat(result).resultsInSuccess()
         val success = result as ContentParseResult.ParsedSuccessfully
@@ -203,7 +203,7 @@ class DefaultContextFactoryTest {
                         type: array
                         items:
                           ${'$'}ref: '#/definitions/ReadNode'
-            """.trimIndent()
+        """.trimIndent()
         val result = defaultContextFactory.parseSwaggerContext(content)
         assertThat(result).resultsInSuccess()
         val success = result as ContentParseResult.ParsedSuccessfully

diff --git a/server/zally-core/src/test/kotlin/org/zalando/zally/core/JsonSchemaValidatorTest.kt b/server/zally-core/src/test/kotlin/org/zalando/zally/core/JsonSchemaValidatorTest.kt
@@ -40,10 +40,13 @@ class JsonSchemaValidatorTest {
         val file = "schemas/swagger-schema.json"
         val schemaUrl = Resources.getResource(file)
         val json = ObjectTreeReader().read(schemaUrl)
-        var jsonSchemaValidator = JsonSchemaValidator(json, mapOf(
-            onlineSchema to localResource,
-            "http://swagger.io/v2/schema.json" to schemaUrl.toString()
-        ))
+        var jsonSchemaValidator = JsonSchemaValidator(
+            json,
+            mapOf(
+                onlineSchema to localResource,
+                "http://swagger.io/v2/schema.json" to schemaUrl.toString()
+            )
+        )
         val specJson = ObjectTreeReader().read(Resources.getResource("fixtures/api_tinbox.yaml"))
 
         val valResult = jsonSchemaValidator.validate(specJson)

diff --git a/server/zally-core/src/test/kotlin/org/zalando/zally/core/ObjectTreeReaderTest.kt b/server/zally-core/src/test/kotlin/org/zalando/zally/core/ObjectTreeReaderTest.kt
@@ -20,7 +20,7 @@ class ObjectTreeReaderTest {
                 "version": "1.0.0"
               }
             }
-            """.trimIndent()
+        """.trimIndent()
 
         val node = cut.read(contents)
 
@@ -55,7 +55,7 @@ class ObjectTreeReaderTest {
               title: Things API
               description: Description of things
               version: 1.0.0
-            """.trimIndent()
+        """.trimIndent()
 
         val node = cut.read(contents)
 
@@ -104,7 +104,7 @@ class ObjectTreeReaderTest {
               properties:
                 id: *standard-id-property
                 <<: *thing-editable-properties
-            """.trimIndent()
+        """.trimIndent()
 
         val node = cut.read(contents)
 

diff --git a/server/zally-core/src/test/kotlin/org/zalando/zally/core/OpenApiRulesValidatorTest.kt b/server/zally-core/src/test/kotlin/org/zalando/zally/core/OpenApiRulesValidatorTest.kt
@@ -51,7 +51,7 @@ class OpenApiRulesValidatorTest {
                     more: 12
               title: Lorem Ipsum
             paths: {}
-            """.trimIndent()
+        """.trimIndent()
 
         val validator = openApiRulesValidator(listOf(TestExtensionRule()), DefaultContextFactory())
         val results = validator.validate(openApiContent, RulesPolicy(emptyList()))

diff --git a/server/zally-core/src/test/kotlin/org/zalando/zally/core/ast/ReverseAstTest.kt b/server/zally-core/src/test/kotlin/org/zalando/zally/core/ast/ReverseAstTest.kt
@@ -31,7 +31,7 @@ class ReverseAstTest {
                   responses:
                     '200':
                       description: OK
-            """.trimIndent()
+        """.trimIndent()
 
         val spec = SwaggerParser().parse(content)
         val ast = ReverseAst.fromObject(spec).build()
@@ -61,7 +61,7 @@ class ReverseAstTest {
                   responses:
                     '200':
                       description: OK
-            """.trimIndent()
+        """.trimIndent()
 
         val spec = SwaggerParser().parse(content)
         val ast = ReverseAst.fromObject(spec).withExtensionMethodNames("getVendorExtensions").build()
@@ -124,7 +124,7 @@ class ReverseAstTest {
                   responses:
                     '200':
                       description: OK
-            """.trimIndent()
+        """.trimIndent()
 
         val json = ObjectTreeReader().read(content)
         val map = Json.mapper().convertValue(json, Map::class.java)
@@ -182,7 +182,7 @@ class ReverseAstTest {
                     default: "SchemaDefault!!"
                     example: "SchemaExample!!"
                   example: "ParameterExample!!"
-            """.trimIndent()
+        """.trimIndent()
 
         val parsed = OpenAPIParser().readContents(content, null, null).openAPI
         val resolved = OpenAPIResolver(parsed).resolve()
@@ -213,7 +213,7 @@ class ReverseAstTest {
                 email: team@x.com
                 url: https://team.x.com
             paths: {}
-            """.trimIndent()
+        """.trimIndent()
 
         val swagger = SwaggerParser().parse(content)
         val ast = ReverseAst.fromObject(swagger).withExtensionMethodNames("getVendorExtensions").build()
@@ -232,7 +232,7 @@ class ReverseAstTest {
               title: Some API
               x-test-extension: 4
             paths: {}
-            """.trimIndent()
+        """.trimIndent()
 
         val parsed = OpenAPIParser().readContents(content, null, null).openAPI
         val ast = ReverseAst.fromObject(parsed).withExtensionMethodNames("getExtensions").build()
@@ -254,7 +254,7 @@ class ReverseAstTest {
                   and:
                     another: 2
             paths: {}
-            """.trimIndent()
+        """.trimIndent()
 
         val swagger = SwaggerParser().parse(content)
         val ast = ReverseAst.fromObject(swagger).withExtensionMethodNames("getVendorExtensions").build()
@@ -278,7 +278,7 @@ class ReverseAstTest {
               x-zally-ignore: [IGNORED_AT_INFO]
             paths: {}
             x-zally-ignore: [IGNORED_AT_ROOT]
-            """.trimIndent()
+        """.trimIndent()
 
         val swagger = SwaggerParser().parse(content)
         val ast = ReverseAst.fromObject(swagger)