From 23b0f7351e32102ed4b4548266e061ca3e5e3751 Mon Sep 17 00:00:00 2001 From: Paulo Gustavo Veiga Date: Thu, 27 Oct 2022 20:28:37 -0700 Subject: [PATCH] Resolve several critical vulnerabilities. --- wise-webapp/pom.xml | 32 ++++++++++--------- .../listener/UnlockOnExpireListener.java | 6 ++-- .../wisemapping/mail/NotificationService.java | 5 +-- .../wisemapping/rest/AccountController.java | 4 --- .../com/wisemapping/rest/BaseController.java | 5 +-- .../wisemapping/rest/MindmapController.java | 5 +-- .../com/wisemapping/rest/UserController.java | 5 +-- .../security/LegacyPasswordEncoder.java | 6 ++-- .../wisemapping/service/LockManagerImpl.java | 11 ++++--- .../wisemapping/service/RecaptchaService.java | 6 ++-- 10 files changed, 48 insertions(+), 37 deletions(-) diff --git a/wise-webapp/pom.xml b/wise-webapp/pom.xml index bfcba7c9..84b00d9f 100644 --- a/wise-webapp/pom.xml +++ b/wise-webapp/pom.xml @@ -1,4 +1,5 @@ - + 4.0.0 wise-webapp war @@ -219,10 +220,9 @@ 3.9.9 - log4j - log4j - 1.2.17 - compile + org.apache.logging.log4j + log4j-core + 2.19.0 @@ -240,7 +240,7 @@ com.fasterxml.jackson.core jackson-databind - 2.13.1 + 2.13.4.2 @@ -296,7 +296,7 @@ mysql-connector-java 8.0.31 - + org.postgresql postgresql @@ -505,13 +505,13 @@ - - - - - - - + + + + + + + default-report verify @@ -566,7 +566,9 @@ true false 200 - ${integrationTestArgLine} -Ddatabase.base.url=${project.build.directory} -Djetty.port=8080 + ${integrationTestArgLine} -Ddatabase.base.url=${project.build.directory} + -Djetty.port=8080 + diff --git a/wise-webapp/src/main/java/com/wisemapping/listener/UnlockOnExpireListener.java b/wise-webapp/src/main/java/com/wisemapping/listener/UnlockOnExpireListener.java index f49eeab1..008c8155 100644 --- a/wise-webapp/src/main/java/com/wisemapping/listener/UnlockOnExpireListener.java +++ b/wise-webapp/src/main/java/com/wisemapping/listener/UnlockOnExpireListener.java 
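Review bot: The log4j replacement in the first pom.xml hunk declares only `log4j-core` 2.19.0, while the Java changes in this commit compile against `org.apache.logging.log4j.LogManager`/`Logger`, which live in `log4j-api`; that only works because core pulls api transitively, so declare `log4j-api` explicitly as the compile dependency and keep `log4j-core` as the runtime implementation. Log4j 2 also does not read the 1.x `log4j.properties`/`log4j.xml` configuration, so unless a `log4j2.xml` is added elsewhere in this change the application falls back to the default ERROR-level console configuration and silently loses the output of the loggers migrated below. Dropping the direct `log4j:log4j:1.2.17` dependency does not guarantee the old jar is gone either: another dependency may still pull it transitively, so check `mvn dependency:tree` and add an exclusion (or the `log4j-1.2-api` bridge if third-party code still calls the 1.x API). The remaining plugin and argLine hunks cannot be verified here because the XML element markup has been stripped in this rendering.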
@@ -24,8 +24,10 @@ import com.wisemapping.model.User; import com.wisemapping.security.Utils; import com.wisemapping.service.LockManager; import com.wisemapping.service.MindmapService; -import org.apache.log4j.Logger; import org.jetbrains.annotations.NotNull; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.support.WebApplicationContextUtils; @@ -34,7 +36,7 @@ import javax.servlet.http.HttpSessionEvent; import javax.servlet.http.HttpSessionListener; public class UnlockOnExpireListener implements HttpSessionListener { - private static final Logger logger = Logger.getLogger(UnlockOnExpireListener.class); + private static final Logger logger = LogManager.getLogger(); @Override public void sessionCreated(@NotNull HttpSessionEvent event) { diff --git a/wise-webapp/src/main/java/com/wisemapping/mail/NotificationService.java b/wise-webapp/src/main/java/com/wisemapping/mail/NotificationService.java index 1a7aaf6c..ce52f098 100644 --- a/wise-webapp/src/main/java/com/wisemapping/mail/NotificationService.java +++ b/wise-webapp/src/main/java/com/wisemapping/mail/NotificationService.java @@ -24,7 +24,8 @@ import com.wisemapping.model.Mindmap; import com.wisemapping.model.User; import com.wisemapping.rest.model.RestLogItem; import org.apache.commons.lang.StringEscapeUtils; -import org.apache.log4j.Logger; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; import org.springframework.beans.factory.annotation.Autowired; @@ -42,7 +43,7 @@ import java.util.Map; import java.util.stream.Collectors; final public class NotificationService { - final private static Logger logger = Logger.getLogger(Mailer.class); + final private static Logger logger = LogManager.getLogger(); private ResourceBundleMessageSource messageSource; @Autowired 
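Review bot: The new log4j imports in the first hunk are inserted after `org.jetbrains.annotations.NotNull` and followed by a stray blank line, which breaks the alphabetical grouping the rest of the import block keeps; place `import org.apache.logging.log4j.LogManager;` and `import org.apache.logging.log4j.Logger;` before the `org.jetbrains` import and drop the blank line. The logger rewrite itself is equivalent: the no-argument `LogManager.getLogger()` names the logger after the calling class, which here is the same `UnlockOnExpireListener` the old code passed explicitly. Both hunks of this file are on this line; the listener methods that use the logger are outside them.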
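Review bot: The logger in the second NotificationService hunk changes name as a side effect: the old field was `Logger.getLogger(Mailer.class)`, so its events were logged under `com.wisemapping.mail.Mailer`, whereas the no-argument `LogManager.getLogger()` names it after the enclosing `NotificationService`. That is very likely the intended fix, but any logging configuration or alerting that keyed on the `Mailer` logger name must be updated when the log4j2 configuration is written, and the rename deserves a mention in the commit message. If the old name is still needed, `LogManager.getLogger(Mailer.class)` preserves it exactly. The methods that log are outside the hunk.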
diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java b/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java index d6f0921b..2601a934 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java @@ -24,14 +24,11 @@ import com.wisemapping.model.Collaboration; import com.wisemapping.model.Label; import com.wisemapping.model.Mindmap; import com.wisemapping.model.User; -import com.wisemapping.rest.model.RestLogItem; import com.wisemapping.rest.model.RestUser; import com.wisemapping.security.Utils; import com.wisemapping.service.LabelService; import com.wisemapping.service.MindmapService; import com.wisemapping.service.UserService; -import org.apache.log4j.Logger; -import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.http.HttpStatus; @@ -41,7 +38,6 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseStatus; -import javax.servlet.http.HttpServletRequest; import java.util.List; @Controller diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/BaseController.java b/wise-webapp/src/main/java/com/wisemapping/rest/BaseController.java index 5c9f0fde..2eadc4a9 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/BaseController.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/BaseController.java 
@@ -24,7 +24,8 @@ import com.wisemapping.model.User; import com.wisemapping.rest.model.RestErrors; import com.wisemapping.security.Utils; import com.wisemapping.service.RegistrationException; -import org.apache.log4j.Logger; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; @@ -42,7 +43,7 @@ import java.util.Locale; public class BaseController { - final private Logger logger = Logger.getLogger(BaseController.class); + final private Logger logger = LogManager.getLogger(); @Qualifier("messageSource") @Autowired diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java b/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java index 416233f8..2b01d6ec 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java @@ -25,7 +25,8 @@ import com.wisemapping.security.Utils; import com.wisemapping.service.*; import com.wisemapping.validator.MapInfoValidator; import org.apache.commons.validator.routines.EmailValidator; -import org.apache.log4j.Logger; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; @@ -46,7 +47,7 @@ import java.util.stream.Collectors; @Controller public class MindmapController extends BaseController { - final Logger logger = Logger.getLogger(MindmapController.class); + final Logger logger = LogManager.getLogger(); private static final String LATEST_HISTORY_REVISION = "latest"; 
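Review bot: The replacement field in the second BaseController hunk stays an instance field, `final private Logger logger = LogManager.getLogger();`, although every other logger in this commit is `static`; because the field initializer runs inside BaseController's constructor, the no-argument lookup still yields a logger named for BaseController (matching the old explicit `BaseController.class`), not for the concrete subclass, so nothing is gained by keeping it per-instance. I would write `private static final Logger logger = LogManager.getLogger();` for consistency with the other files. The field is private, so the subclasses that declare their own loggers are not shadowing it. The controller methods that use the logger are outside the hunk.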
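Review bot: `final Logger logger = LogManager.getLogger();` in the second MindmapController hunk is package-private and non-static, so the logger is exposed to every class in `com.wisemapping.rest` and is looked up again for each controller instance; the other controllers touched by this commit use `private static final`. Change the line to `private static final Logger logger = LogManager.getLogger();`. The methods that log are outside the hunk.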
diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java b/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java index 2574ae79..0b7a1ec1 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java @@ -26,7 +26,8 @@ import com.wisemapping.rest.model.RestUserRegistration; import com.wisemapping.service.*; import com.wisemapping.validator.Messages; import com.wisemapping.validator.UserValidator; -import org.apache.log4j.Logger; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; @@ -57,7 +58,7 @@ public class UserController extends BaseController { @Value("${accounts.exclusion.domain:''}") private String domainBanExclusion; - private static final Logger logger = Logger.getLogger(UserController.class); + private static final Logger logger = LogManager.getLogger(); private static final String REAL_IP_ADDRESS_HEADER = "X-Real-IP"; @RequestMapping(method = RequestMethod.POST, value = "/users", produces = {"application/json"}) diff --git a/wise-webapp/src/main/java/com/wisemapping/security/LegacyPasswordEncoder.java b/wise-webapp/src/main/java/com/wisemapping/security/LegacyPasswordEncoder.java index eb89d119..45ac1c39 100755 --- a/wise-webapp/src/main/java/com/wisemapping/security/LegacyPasswordEncoder.java +++ b/wise-webapp/src/main/java/com/wisemapping/security/LegacyPasswordEncoder.java @@ -18,7 +18,9 @@ package com.wisemapping.security; -import org.apache.log4j.Logger; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + import org.springframework.security.crypto.codec.Base64; import org.springframework.security.crypto.codec.Hex; import org.springframework.security.crypto.codec.Utf8; 
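Review bot: The hunk's context shows `REAL_IP_ADDRESS_HEADER = "X-Real-IP"` directly below the new logger; if that header feeds the reCAPTCHA remote-IP check or the domain-ban/abuse logic (both outside the hunk), it must only be trusted when the request actually arrived through the reverse proxy that sets it, because a direct client can supply any `X-Real-IP` value, so fall back to `request.getRemoteAddr()` when the header is absent or the peer is not the proxy. Separately, `@Value("${accounts.exclusion.domain:''}")` does not default to an empty string: Spring takes the default literally, so an unset property yields the two-character value `''`; write `@Value("${accounts.exclusion.domain:}")` if empty is intended and make sure the consumer treats blank as "no exclusion". Neither line is changed by this commit, and their consumers are outside the hunk.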
@@ -29,7 +31,7 @@ import java.security.NoSuchAlgorithmException; public class LegacyPasswordEncoder implements PasswordEncoder { - final private static Logger logger = Logger.getLogger(LegacyPasswordEncoder.class); + final private static Logger logger = LogManager.getLogger(); public static final String ENC_PREFIX = "ENC:"; private final ShaPasswordEncoder sha1Encoder = new ShaPasswordEncoder(); diff --git a/wise-webapp/src/main/java/com/wisemapping/service/LockManagerImpl.java b/wise-webapp/src/main/java/com/wisemapping/service/LockManagerImpl.java index b7247559..526ec36f 100644 --- a/wise-webapp/src/main/java/com/wisemapping/service/LockManagerImpl.java +++ b/wise-webapp/src/main/java/com/wisemapping/service/LockManagerImpl.java @@ -23,18 +23,21 @@ import com.wisemapping.exceptions.LockException; import com.wisemapping.model.CollaborationRole; import com.wisemapping.model.Mindmap; import com.wisemapping.model.User; -import org.apache.log4j.Logger; import org.jetbrains.annotations.NotNull; -import org.jetbrains.annotations.Nullable; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; -import java.util.*; +import java.util.Map; +import java.util.Set; +import java.util.Timer; +import java.util.TimerTask; import java.util.concurrent.ConcurrentHashMap; class LockManagerImpl implements LockManager { private static final int ONE_MINUTE_MILLISECONDS = 1000 * 60; private final Map lockInfoByMapId; private final static Timer expirationTimer = new Timer(); - final private static Logger logger = Logger.getLogger(LockManagerImpl.class); + final private static Logger logger = LogManager.getLogger(); @Override public boolean isLocked(@NotNull Mindmap mindmap) { diff --git a/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java b/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java index 2064734d..e947090f 100644 --- a/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java 
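Review bot: The LegacyPasswordEncoder hunk only swaps the logger, but its context shows the class still builds on `new ShaPasswordEncoder()` with the `ENC:` prefix, i.e. a SHA-1-based scheme; for a commit described as resolving critical vulnerabilities it is worth stating explicitly that this encoder is used only to verify pre-existing hashes and that a successful legacy login is re-hashed with the primary encoder, and adding a class comment saying so: `// Verification-only encoder for pre-migration SHA-1 hashes; never use for new passwords.` Also double-check the `encode`/`matches` bodies, which are outside the hunk, so that the new logger never receives the raw password or the stored hash, even at DEBUG level.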
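Review bot: The explicit `java.util` imports in the LockManagerImpl hunk are an improvement over the wildcard, but the two `org.apache.logging.log4j` imports now sit after `org.jetbrains.annotations.NotNull`, out of the alphabetical order the rest of the block uses; move them above it. The context line `private final static Timer expirationTimer = new Timer();` creates an unnamed non-daemon thread, which can keep the webapp's classloader alive on redeploy unless it is cancelled on shutdown somewhere outside this hunk; `new Timer("lock-expiration", true)` would make it a named daemon thread. The lock-expiration logic itself is outside the hunk.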
+++ b/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java @@ -17,13 +17,15 @@ */ package com.wisemapping.service; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + import com.fasterxml.jackson.databind.ObjectMapper; import com.wisemapping.validator.Messages; import org.apache.commons.lang.StringUtils; import org.apache.http.NameValuePair; import org.apache.http.client.fluent.Form; import org.apache.http.client.fluent.Request; -import org.apache.log4j.Logger; import org.jetbrains.annotations.Nullable; import javax.validation.constraints.NotNull; @@ -35,7 +37,7 @@ import java.util.Map; public class RecaptchaService { - final private static Logger logger = Logger.getLogger(RecaptchaService.class); + final private static Logger logger = LogManager.getLogger(); final private static String GOOGLE_RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
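Review bot: The two log4j imports in the first RecaptchaService hunk are inserted at the very top of the import block, ahead of `com.fasterxml.jackson.databind.ObjectMapper`, and separated by a blank line, while the rest of the block is alphabetical; they belong with the other `org.apache` imports, after `import org.apache.http.client.fluent.Request;`. The same block mixes `org.jetbrains.annotations.Nullable` with `javax.validation.constraints.NotNull`; the latter is a Bean Validation constraint that is only enforced when the annotated bean is validated, not a static nullability marker, so if it annotates a method parameter here (outside the hunk) it likely has no effect at runtime and `org.jetbrains.annotations.NotNull` would be the consistent choice. The second hunk of this file is cut off at the end of this excerpt.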