
Use standard java regex rather than commons-text string-substitutor #416

Merged
merged 2 commits into from
Oct 25, 2022

Conversation

carterkozak
Contributor

==COMMIT_MSG==
Use standard java regex rather than commons-text string-substitutor
==COMMIT_MSG==

Note that this project wasn't impacted by CVE-2022-42889 due to providing its own substitution function as opposed to the default; however, in our investigation it became clear that this library is simple enough that it should not use such complex and powerful dependencies.
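As an added illustration of the direction the description takes (not code from this PR or from the encrypted-config-value library), a `${name}` substitutor built on `java.util.regex` alone; the class name, the map-backed lookup and the sample values are constructed for this example.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Constructed example: ${name} substitution using only java.util.regex, no commons-text. */
public final class RegexSubstitutorExample {
    // Only a fixed variable-name alphabet is matched. There is no "prefix:value" syntax,
    // so nothing in the input can select a lookup type; the map is the only source of values.
    private static final Pattern VARIABLE = Pattern.compile("\\$\\{([A-Za-z0-9_.-]+)\\}");

    private final Map<String, String> values; // assumed lookup source (constructed for this example)

    public RegexSubstitutorExample(Map<String, String> values) {
        this.values = values;
    }

    public String replace(String input) {
        Matcher matcher = VARIABLE.matcher(input);
        StringBuilder out = new StringBuilder();
        while (matcher.find()) {
            String name = matcher.group(1);
            String value = values.get(name);
            if (value == null) {
                // Fail closed: an unknown variable is an error, not silently left in place.
                throw new IllegalArgumentException("No value for variable: " + name);
            }
            // quoteReplacement escapes '$' and '\' so a value such as "$1" or "\\" is inserted
            // literally instead of being parsed by appendReplacement as a group reference.
            matcher.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        matcher.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the secret contains both '$' and '\' to exercise quoteReplacement.
        RegexSubstitutorExample substitutor = new RegexSubstitutorExample(Map.of(
                "db.password", "p$1ss\\word",
                "host", "db.internal"));
        System.out.println(substitutor.replace("jdbc://${host}/app?pw=${db.password}"));
        // A token like "${prefix:value}" never matches VARIABLE (':' is outside the name
        // alphabet), so it passes through untouched rather than being interpreted.
    }
}
```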

@carterkozak carterkozak requested a review from CRogers October 17, 2022 16:55
@changelog-app

changelog-app bot commented Oct 17, 2022

Generate changelog in changelog/@unreleased

Description

Use standard java regex rather than commons-text string-substitutor. Note that DecryptingVariableSubstitutor no longer extends commons-lang StringSubstitutor.

@@ -6,7 +6,6 @@ dependencies {
api 'com.google.guava:guava'
api 'com.fasterxml.jackson.core:jackson-databind'
api 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml'
api 'org.apache.commons:commons-text'
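Review bot: Dropping `api 'org.apache.commons:commons-text'` from the `api` configuration removes commons-text from the compile classpath of every consumer of this module, so any consumer that only ever picked it up transitively stops compiling; record this as a Break in the changelog entry rather than an Improvement, and confirm that no remaining source file in the module still imports `org.apache.commons.text` before merging.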
Contributor Author


Technically a break

Contributor


I think it's worth the possibility of someone having used this. Hopefully our tooling would have made them put a direct dep on it anyway.

Contributor Author


Yep, I considered making this PR but keeping the commons-text dep as runtimeOnly to avoid ABI breaks, but I don't think it's worth the trouble because it retains the entirety of the downside without changing much from our current behavior.

Comment on lines -24 to +23
public final class DecryptingVariableSubstitutor extends StringSubstitutor implements Substitutor {
public final class DecryptingVariableSubstitutor implements Substitutor {
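Review bot: Removing `extends StringSubstitutor` from `DecryptingVariableSubstitutor` is a binary-incompatible change, not just a dependency cleanup: a caller that holds the object as a `StringSubstitutor` or invokes an inherited `StringSubstitutor` method no longer compiles, and one that is not recompiled fails at link time. Keeping `implements Substitutor` preserves callers that go through this library's own interface, as the thread confirms for the known internal uses, but the changelog entry should name the removed supertype and the release should be a major version.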
Contributor Author


Also a break

Contributor


This is used internally in our biggest monorepo, our auth product, atlas and a few other places :(

Contributor


I wonder if we should try and get them off that first?

Contributor Author


In atlas we don't rely on this class being a StringSubstitutor; it's only passed to JsonNodeStringReplacer (from this library) as a Substitutor (our own interface).

Contributor


Ah, all the other uses are like that too, so I guess we're good!

@CRogers
Contributor

CRogers commented Oct 17, 2022

👍

@carterkozak carterkozak marked this pull request as ready for review October 17, 2022 17:06
@carterkozak carterkozak force-pushed the ckozak/fewer_dependencies branch from 76ae607 to 6cc6f13 Compare October 25, 2022 15:26
@bulldozer-bot bulldozer-bot bot merged commit a2ca1eb into develop Oct 25, 2022
@bulldozer-bot bulldozer-bot bot deleted the ckozak/fewer_dependencies branch October 25, 2022 15:37
@svc-autorelease
Collaborator

Refusing to release a major rev - please do this manually at https://autorelease.general.dmz.palantir.tech/api/palantir/encrypted-config-value
