fix(deps): upgrade avro4s 1.8.2→4.1.2 to patch CVE-2024-47561 (CVSS 9.8); remove stale deps #2846
Merged
flexmark-profile-pegdown:0.40.8 already pulls flexmark-util:0.40.8 which provides com.vladsch.flexmark.util.options.*. The explicit 0.64.0 direct dependency introduced an incompatible second tree of util submodules on the classpath with no corresponding core at that version.
…dator (fixes #10) Migrate JSONFactory1_4_0Test from the unmaintained everit SchemaLoader API to com.networknt json-schema-validator 1.0.87 (already on the classpath). Remove the everit dependency from obp-api/pom.xml. Update stale CVE-override comments in obp-api/pom.xml and pom.xml that referenced everit as the transitive source.
…ide loop Remove commons-beanutils:1.11.0 direct dependency from obp-api/pom.xml — no remaining transitive dep pulls it in after the everit removal, so the CVE override had no effect. Hoist new ObjectMapper() and JsonSchemaFactory.getInstance() above the for-comprehension in JSONFactory1_4_0Test so instances are shared across ~190 resource-doc iterations instead of being reconstructed per iteration.
build: replace tools.jackson 3.x yaml dep with com.fasterxml 2.x
build: remove redundant flexmark-util-options 0.64.0 dep
- Replace dispatch HTTP client in search.scala with OkHttp3 (already a compile-scope dep): migrate constructQuery/getAPIResponse/Async to use OkHttpClient + Promise-based callback; POST replaces GET-with-body for ES _search (ES accepts both verbs)
- Move RequestSigner / Request2RequestSigner implicit from APIUtil.OAuth (main source) to SendServerRequests (test scope); all 170+ test subclasses inherit <@ operator with zero import changes
- APIUtil.OAuth retains only Consumer, Token, oob (no dispatch ref)
- Remove unused import dispatch.Future from JwtUtil.scala
- Scope dispatch-core_2.12:0.13.1 to <scope>test</scope>
After: mvn dependency:tree shows dispatch at test scope only; OkHttp3 4.12.0 remains at compile scope.
build: remove dispatch-core from production classpath (fixes #9)
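The commit above describes replacing dispatch's asynchronous calls with an OkHttp call whose callback completes a Scala Promise. The following is an added example of that pattern, not the project's search.scala; the object name EsSearchClient, the method search and its (status, body) result shape are assumptions, and the Elasticsearch base URL is a placeholder supplied by the caller.

```scala
import java.io.IOException
import okhttp3.{Call, Callback, MediaType, OkHttpClient, Request, RequestBody, Response}
import scala.concurrent.{Future, Promise}

// Hypothetical stand-in for the dispatch-based search client; shows only the
// OkHttp + Promise mechanics the commit message describes.
object EsSearchClient {
  private val JsonMedia: MediaType = MediaType.parse("application/json; charset=utf-8")

  // One shared client: it owns the connection pool and dispatcher threads.
  // Creating a client per request leaks both.
  private val client: OkHttpClient = new OkHttpClient()

  // Sends an Elasticsearch _search as POST with a JSON body (ES accepts POST
  // as well as GET-with-body) and turns OkHttp's callback into a Future of
  // (HTTP status, response body). Failures and I/O errors fail the Future
  // instead of being swallowed.
  def search(baseUrl: String, index: String, queryJson: String): Future[(Int, String)] = {
    val p = Promise[(Int, String)]()
    val req = new Request.Builder()
      .url(s"$baseUrl/$index/_search")
      .post(RequestBody.create(JsonMedia, queryJson))
      .build()
    client.newCall(req).enqueue(new Callback {
      override def onFailure(call: Call, e: IOException): Unit = p.failure(e)
      override def onResponse(call: Call, response: Response): Unit = {
        try p.success((response.code(), response.body().string()))
        catch { case e: IOException => p.failure(e) }
        finally response.close() // always release the connection back to the pool
      }
    })
    p.future
  }
}

object EsSearchClientDemo extends App {
  import scala.concurrent.ExecutionContext.Implicits.global
  // Constructed query; baseUrl must point at a reachable Elasticsearch instance.
  val query = """{"query":{"match_all":{}},"size":1}"""
  EsSearchClient.search("http://localhost:9200", "my-index", query).onComplete {
    case scala.util.Success((status, body)) => println(s"$status: ${body.take(200)}")
    case scala.util.Failure(e)              => println(s"request failed: ${e.getMessage}")
  }
}
```

The callback runs on OkHttp's dispatcher thread, so the Promise is the hand-off point back into the caller's ExecutionContext; closing the Response in finally is what keeps the pooled connection from being pinned when the body read throws.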
CVE-2024-47561 (CVSS 9.8 RCE) in Apache Avro < 1.11.4 allows arbitrary code execution via crafted schema payloads during deserialization.
- Upgrade avro4s-core 1.8.2 → 4.1.2 in parent pom
- Pin org.apache.avro:avro to 1.11.4 explicitly (avro4s 4.1.2 only brings avro 1.9.2 transitively, which is still vulnerable)
- Migrate AvroSerializer to avro4s 4.x API: ToRecord → Encoder, FromRecord → Decoder, AvroOutputStream.json[T](baos) → AvroOutputStream.json[T].to(baos).build(), AvroInputStream.json[T](stream).singleEntity → AvroInputStream.json[T].from(stream).build(schema).tryIterator
- Remove avro4s SchemaFor[T] usage from AkkaConnector_vDec2018 (documentation-only fields; avro4s 4.x Magnolia derivation cannot auto-derive SchemaFor for complex OBP DTO type hierarchies)
…o property names
- Fix StringInputStream.read(): r.toInt & 0xFF to zero-extend bytes 0x80-0xFF
instead of sign-extending; signed Byte.toInt returns -1 for 0xFF which JSON
parser interprets as EOF, silently truncating any non-ASCII Avro payload
- Fix StringInputStream.getBytes: explicit UTF-8 charset to match the UTF-8
used in baos.toString("UTF-8") on the serialize side
- Rename <avro.version> to <avro4s.version> and introduce <apache.avro.version>
in parent pom so both versions are visible and independently bumpable
build: upgrade avro4s to 4.1.2 and pin avro to 1.11.4 (fixes #17)
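The two StringInputStream fixes above (zero-extending high bytes in read(), and an explicit UTF-8 charset in getBytes) are easy to get wrong because Scala's Byte is signed. The following is an added example, not the project's StringInputStream: a minimal stand-in with a switch between the defective and the corrected read(), plus a consumer that drains the stream the way a byte-oriented parser does, so the truncation is visible on a constructed non-ASCII payload.

```scala
import java.io.{ByteArrayOutputStream, InputStream}
import java.nio.charset.StandardCharsets

// Hypothetical minimal stand-in for StringInputStream: exposes a String's
// UTF-8 bytes as an InputStream. `zeroExtend = false` reproduces the
// sign-extension defect; `zeroExtend = true` is the corrected behaviour.
final class StringInputStream(s: String, zeroExtend: Boolean) extends InputStream {
  // Explicit charset: the platform default may not be UTF-8, so bytes here would
  // not match what baos.toString("UTF-8") produced on the serialize side.
  private val bytes: Array[Byte] = s.getBytes(StandardCharsets.UTF_8)
  private var pos = 0

  // InputStream.read() must return 0..255, or -1 only at end of stream.
  override def read(): Int =
    if (pos >= bytes.length) -1
    else {
      val r: Byte = bytes(pos)
      pos += 1
      // Byte is signed: 0xC3 as a Byte is -61 and Byte.toInt keeps the sign, so
      // every byte >= 0x80 comes back negative and 0xFF comes back as -1 (EOF).
      // `& 0xFF` keeps the low eight bits and yields the intended 0..255 value.
      if (zeroExtend) r.toInt & 0xFF else r.toInt
    }
}

object SignExtensionDemo extends App {
  // Drains a stream byte by byte; like any contract-abiding consumer it treats
  // a negative return as end of stream.
  def drain(in: InputStream): Array[Byte] = {
    val out = new ByteArrayOutputStream()
    var b = in.read()
    while (b >= 0) { out.write(b); b = in.read() }
    out.toByteArray
  }

  def roundTrip(payload: String, zeroExtend: Boolean): String =
    new String(drain(new StringInputStream(payload, zeroExtend)), StandardCharsets.UTF_8)

  // Constructed sample; the non-ASCII characters are the point.
  val payload = """{"name":"Zoë","city":"Köln"}"""
  val buggy = roundTrip(payload, zeroExtend = false)
  val fixed = roundTrip(payload, zeroExtend = true)
  println(s"buggy: $buggy") // stops at the first byte >= 0x80, i.e. right after "Zo
  println(s"fixed: $fixed") // full payload
  assert(fixed == payload)
  assert(buggy != payload)
}
```

The first byte of "ë" in UTF-8 is 0xC3, which the defective read() returns as -61; a consumer that stops on any negative value therefore sees a truncated document and, because the JSON is cut off without an error from the stream, the loss is silent until something downstream fails to parse.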
- Remove explicit org.apache.httpcomponents:httpclient:4.5.14 declaration; the artifact was only referenced by an unused import in OBPAPIDynamicEndpoint (import only appeared in a comment). It remains available transitively via elasticsearch-rest-client for Elasticsearch's internal use.
- Drop unused import org.apache.http.HttpStatus from OBPAPIDynamicEndpoint (the one call site using it was already commented out).
- Move org.asynchttpclient:async-http-client to <scope>test</scope>; the sole direct usage is OPTIONSTest.scala (test class), not production code.
Remove imports that were only used in the commented-out Lift CORS block:
- net.liftweb.common.{Box, Full}
- code.api.dynamic.endpoint.helper.DynamicEndpoints (unused entirely)
- code.api.util.APIUtil (no live usages; keep VersionedOBPApis for extends clause)
…clients chore: remove httpclient direct dep and scope AHC to test
Dynamic-entity POST handlers run without withBusinessDBTransaction, so the TTL-based request-scope proxy is never set. DoobieUtil.runQuery uses Strategy.void on its fallback transactor, which means INSERT runs on a HikariCP connection (autoCommit=false) and is silently rolled back when the connection returns to the pool. Switch to DoobieUtil.runUpdate, which commits via fallbackUpdateTransactor (Strategy.default) when no proxy is present, and still reuses the request transaction via transactorFromConnection when a proxy is available. This makes obp_exists[parcel_on_chain] and obp_not_exists[parcel_on_chain] return correct results for the OGCR parcel/parcel_on_chain join queries.
Summary
- Upgrade avro4s-core 1.8.2 → 4.1.2 and pin org.apache.avro:avro to 1.11.4. The vulnerability allows arbitrary code execution via crafted Avro schema input in all Avro releases before 1.11.3.
- Remove org.everit.json.schema 1.6.1 (abandoned upstream since 2020): migrate JSONFactory1_4_0Test to use com.networknt:json-schema-validator, which is already a compile-scope dependency.
- Remove the commons-beanutils:1.11.0 and commons-validator:1.9.0 pins that were introduced solely to override everit's transitive deps — no longer needed.
- Remove org.apache.httpcomponents:httpclient:4.5.14 — OBP uses OkHttp3 and http4s Ember; httpclient is not referenced in main sources.
- Remove the flexmark-util-options:0.64.0 duplicate: flexmark-profile-pegdown:0.40.8 already provides flexmark-util-options transitively at the same 0.40.8 series.
- Scope dispatch-core_2.12:0.13.1 to test only (not referenced in main sources).

Test plan
- mvn compile -pl obp-api — clean compilation with the updated dep set
- JSONFactory1_4_0Test passes — JSON schema validation via networknt replaces everit
- mvn dependency:tree -Dincludes="org.apache.avro:avro,com.sksamuel.avro4s:*" — confirms avro:1.11.4 and avro4s-core:4.1.2 resolve