From 76c0b3c00e211e83f7c0e2d035fc1eb52066c4c3 Mon Sep 17 00:00:00 2001
From: Robert Treacy
Date: Thu, 20 Aug 2020 12:48:16 -0400
Subject: [PATCH 1/8] The version pf hibernate-validator that we were using, 5.0.3.Final was reported to allow an attacker to escalate permissions and access private values and create invalid instances - see CVE-2017-7536. It is reported to be fixed in versions 5.2.5.Final and greater. The upgraded library had changes to the api for constructing ConstaintValidatorContextImpl, used in URLValidatorTest.java. In investigating the changes, it was found that there were further changes to the api in recent versions and it was decided to adapt the code to the latest changes and use the latest available stable hibernate-validator library - 6.1.5.Final. It was also necessary to add a dependency to javax.el due to changes in the library starting with version 5.3.1.Final and later.
---
pom.xml | 7 ++++++-
.../edu/harvard/iq/dataverse/URLValidatorTest.java | 11 +++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 27d640e5ff3..6525eb84aff 100644
--- a/pom.xml
+++ b/pom.xml
@@ -296,7 +296,12 @@
org.hibernate hibernate-validator
- 5.0.3.Final
+ 6.1.5.Final
+
+
+ org.glassfish
+ javax.el
+ 3.0.1-b11
commons-lang
diff --git a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
index 292eeeab0e8..121e23f6142 100644
--- a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
@@ -7,6 +7,10 @@
import org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorContextImpl;
import org.hibernate.validator.internal.engine.path.PathImpl;
+//import org.hibernate.validator.internal.engine.time.DefaultTimeProvider;
+import javax.validation.Validation;
+import javax.validation.ValidatorFactory;
+import javax.validation.ClockProvider;
import org.junit.Test;
/**
@@ -14,6 +18,9 @@
* @author skraffmi
*/
public class URLValidatorTest {
+ //static DefaultTimeProvider timeProvider = DefaultTimeProvider.getInstance();
+ ValidatorFactory vFac = Validation.buildDefaultValidatorFactory();
+
@Test
public void testIsURLValid() {
@@ -35,7 +42,7 @@ public void testIsValidWithUnspecifiedContext() {
@Test
public void testIsValidWithContextAndValidURL() {
String value = "https://twitter.com/";
- ConstraintValidatorContext context = new ConstraintValidatorContextImpl(null, PathImpl.createPathFromString(""), null);
+ ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null);
assertEquals(true, new URLValidator().isValid(value, context));
}
@@ -43,7 +50,7 @@ public void testIsValidWithContextAndValidURL() {
@Test
public void testIsValidWithContextButInvalidURL() {
String value = "cnn.com";
- ConstraintValidatorContext context = new ConstraintValidatorContextImpl(null, PathImpl.createPathFromString(""), null);
+ ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null);
assertEquals(false, new URLValidator().isValid(value, context));
}
From 438a7d0b4a317abae32d0116beed5d377c8b1b6d Mon Sep 17 00:00:00 2001
From: Robert Treacy
Date: Thu, 20 Aug 2020 13:49:41 -0400
Subject: [PATCH 2/8] code cleanup
---
.../java/edu/harvard/iq/dataverse/URLValidatorTest.java | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
index 121e23f6142..aae74861386 100644
--- a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
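Review bot: `ValidatorFactory vFac = Validation.buildDefaultValidatorFactory();` in the `@@ -14,6 +18,9 @@` hunk is an instance field, so JUnit 4 bootstraps a complete validator factory (with the EL engine this series adds a dependency for) for every test method and never releases it, although `ValidatorFactory` exposes `close()`; since the field is only read for `getClockProvider()`, make it `private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();` and release it in `@AfterClass public static void closeFactory() { VALIDATOR_FACTORY.close(); }`. The two `new ConstraintValidatorContextImpl(...)` lines in the `@@ -35` and `@@ -43` hunks keep the test bound to `org.hibernate.validator.internal`, the package whose constructor change forced this edit, so the test will break again on the next upgrade; obtaining the context through the public API (a `Validator` from the factory run against a bean carrying the constraint, or a mocked `ConstraintValidatorContext`) would be more durable. The `null` passed for the `ConstraintDescriptor` argument presumably works only because URLValidator never asks the context for its default message template, which is worth a short comment on those lines. The class body continues outside these hunks.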
@@ -7,10 +7,8 @@
import org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorContextImpl;
import org.hibernate.validator.internal.engine.path.PathImpl;
-//import org.hibernate.validator.internal.engine.time.DefaultTimeProvider;
import javax.validation.Validation;
import javax.validation.ValidatorFactory;
-import javax.validation.ClockProvider;
import org.junit.Test;
/**
@@ -19,7 +17,7 @@
*/
public class URLValidatorTest {
//static DefaultTimeProvider timeProvider = DefaultTimeProvider.getInstance();
- ValidatorFactory vFac = Validation.buildDefaultValidatorFactory();
+ ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
@Test
@@ -42,7 +40,7 @@ public void testIsValidWithUnspecifiedContext() {
@Test
public void testIsValidWithContextAndValidURL() {
String value = "https://twitter.com/";
- ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null);
+ ConstraintValidatorContext context = new ConstraintValidatorContextImpl(validatorFactory.getClockProvider(), PathImpl.createPathFromString(""),null, null);
assertEquals(true, new URLValidator().isValid(value, context));
}
@@ -50,7 +48,7 @@ public void testIsValidWithContextAndValidURL() {
@Test
public void testIsValidWithContextButInvalidURL() {
String value = "cnn.com";
- ConstraintValidatorContext context = new ConstraintValidatorContextImpl(vFac.getClockProvider(), PathImpl.createPathFromString(""),null, null);
+ ConstraintValidatorContext context = new ConstraintValidatorContextImpl(validatorFactory.getClockProvider(), PathImpl.createPathFromString(""),null, null);
assertEquals(false, new URLValidator().isValid(value, context));
}
From ab33496e6bc3b62c0de83e94a011dbd6a48142c1 Mon Sep 17 00:00:00 2001
From: Robert Treacy
Date: Thu, 20 Aug 2020 13:53:40 -0400
Subject: [PATCH 3/8] sorry, one more line of commented code removed
---
src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
index aae74861386..f994809a0c0 100644
--- a/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
@@ -16,7 +16,6 @@
* @author skraffmi
*/
public class URLValidatorTest {
- //static DefaultTimeProvider timeProvider = DefaultTimeProvider.getInstance();
ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
From df442c5c4ccd84a02169adda11f0ebda52833833 Mon Sep 17 00:00:00 2001
From: Robert Treacy
Date: Thu, 20 Aug 2020 16:31:45 -0400
Subject: [PATCH 4/8] Change ek dependency to jakarta.el provided by Payara
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 6525eb84aff..44499389ccd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -300,8 +300,8 @@
org.glassfish
- javax.el
- 3.0.1-b11
+ jakarta.el
+ provided
commons-lang
From a7fcdfa9a1891fb73c58467c5aaa6d09a369dd24 Mon Sep 17 00:00:00 2001
From: Robert Treacy
Date: Thu, 20 Aug 2020 17:50:13 -0400
Subject: [PATCH 5/8] Use hibernate-validator provided with Payara (still a 6.1.x -6.1.2 specifically at this point)
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 44499389ccd..16141725a34 100644
--- a/pom.xml
+++ b/pom.xml
@@ -294,9 +294,9 @@
1.7
- org.hibernate
+ org.hibernate.validator
hibernate-validator
- 6.1.5.Final
+ provided
org.glassfish
From 1dd243115af5e04eba4d3a4751fa42d20bcc7064 Mon Sep 17 00:00:00 2001
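Review bot: The `@@ -294,9 +294,9 @@` hunk of patch 5 replaces `- 6.1.5.Final` with `+ provided` and leaves hibernate-validator without a version element, so the version this pom resolves is whatever the parent or an imported BOM manages (the commit message says Payara's 6.1.2), and the pom itself no longer states the floor of 5.2.5.Final that the series' first commit gives for CVE-2017-7536. A reader of this pom cannot tell that the managed version must not drop below that floor, so record it next to the artifactId, e.g. `<!-- version managed by the server BOM; must stay >= 5.2.5.Final (CVE-2017-7536) -->`, or pin it through a property so a downgrade shows up in dependency resolution. The jakarta.el dependency in the `@@ -300,8 +300,8 @@` hunk of patch 4 drops its version the same way (`- 3.0.1-b11` / `+ provided`) and would benefit from the same comment; as far as these hunks show, neither change is paired with a resolved-version check.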
From: Robert Treacy
Date: Tue, 25 Aug 2020 17:52:16 -0400
Subject: [PATCH 6/8] changed hibernat-validator scope from provided to compile, because we were getting NoClassDefFoundError: org/hibernate/validator/internal/util/CollectionHelper at runtime while creating an account
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 16141725a34..b64ed833ad9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -296,7 +296,7 @@
org.hibernate.validator hibernate-validator
- provided
+ compile
org.glassfish
From 7f3051a93715a1780ea9c7a2e0a6ffcf3381ae6b Mon Sep 17 00:00:00 2001
From: Robert Treacy
Date: Wed, 26 Aug 2020 09:44:35 -0400
Subject: [PATCH 7/8] Remove compile scope as unneccessary because it is the default scope
---
pom.xml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index b64ed833ad9..47a889bf018 100644
--- a/pom.xml
+++ b/pom.xml
@@ -296,13 +296,12 @@
org.hibernate.validator hibernate-validator
- compile
-
+ commons-lang commons-lang
From 5e3b6acb5b13ce7a11d863125eb6228f0f2c99e6 Mon Sep 17 00:00:00 2001
From: Robert Treacy
Date: Wed, 26 Aug 2020 10:01:04 -0400
Subject: [PATCH 8/8] Last commit included experimental removal of jakarta.el, which does not work
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 47a889bf018..14bf0574d14 100644
--- a/pom.xml
+++ b/pom.xml
@@ -297,11 +297,11 @@
org.hibernate.validator hibernate-validator
-
+ commons-lang commons-lang
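Review bot: Switching hibernate-validator from `- provided` to `+ compile` in the `@@ -296,7 +296,7 @@` hunk of patch 6 bundles a second copy of the library into the archive next to the one Payara ships (patch 5 relies on that server copy), and the `NoClassDefFoundError` for `org/hibernate/validator/internal/util/CollectionHelper` in the commit message suggests application code itself references an `internal` class, a package with no API-stability guarantee and the same thing that broke URLValidatorTest in patch 1. Bundling the artifact hides the symptom, but which copy the container's class loader then serves to the application depends on its delegation rules, so the effective version (and with it the CVE-2017-7536 fix) should be confirmed at runtime rather than assumed from the pom, and the `internal` reference replaced with the public `javax.validation` API where possible. If the scope must stay compile, a pom comment giving the reason would stop the next maintainer from reverting it, e.g. `<!-- bundled (compile scope): the server-provided copy is not visible to application code, see NoClassDefFoundError on CollectionHelper -->`. Patch 7 drops the explicit scope again because compile is the default, so the same comment belongs there after that change.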