From 924005e94e90744f2777526d7c85896a98341f5a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 11:59:07 +0200 Subject: [PATCH] Bump jetty-webapp from 8.2.0.v20160908 to 9.4.34.v20201102 in /remote-api (#270) * Bump jetty-webapp in /remote-api Upping jetty to 10.0.11 with a few necessary modifications to avoid errors Swapping charsets to lowercase, adding ignoring of ambiguous link security issues for jetty (since it is only used in Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mstrankowski --- remote-api/pom.xml | 6 +- .../repo/web/util/AbstractJettyComponent.java | 74 ++++++++----- .../api/tests/EnterpriseJettyComponent.java | 65 +++++------ .../rest/api/tests/ModulePackagesApiTest.java | 2 +- .../api/tests/PublicApiJettyComponent.java | 101 +++++------------- .../rest/api/tests/SharedLinkApiTest.java | 18 ++-- 6 files changed, 110 insertions(+), 156 deletions(-) diff --git a/remote-api/pom.xml b/remote-api/pom.xml index 9915b96500..bc996d9a50 100644 --- a/remote-api/pom.xml +++ b/remote-api/pom.xml @@ -130,7 +130,7 @@ org.eclipse.jetty jetty-server - 8.2.0.v20160908 + 10.0.11 test @@ -142,13 +142,13 @@ org.eclipse.jetty jetty-security - 8.2.0.v20160908 + 10.0.11 test org.eclipse.jetty jetty-webapp - 8.2.0.v20160908 + 10.0.11 test diff --git a/remote-api/src/test/java/org/alfresco/repo/web/util/AbstractJettyComponent.java b/remote-api/src/test/java/org/alfresco/repo/web/util/AbstractJettyComponent.java index 7f74b09a73..fe03e82b96 100644 --- a/remote-api/src/test/java/org/alfresco/repo/web/util/AbstractJettyComponent.java +++ b/remote-api/src/test/java/org/alfresco/repo/web/util/AbstractJettyComponent.java 
@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Remote API
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
 package org.alfresco.repo.web.util;
 import java.io.BufferedReader;
@@ -32,6 +32,7 @@ import java.io.InputStreamReader;
 import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
+import java.util.Arrays;
 import java.util.Date;
 import javax.servlet.ServletContext;
@@ -44,7 +45,8 @@ import org.alfresco.util.TempFileProvider;
 import org.alfresco.util.WebApplicationContextLoader;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.eclipse.jetty.security.HashLoginService;
+import org.eclipse.jetty.http.UriCompliance;
+import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.springframework.beans.BeanUtils;
@@ -145,6 +147,8 @@ public abstract class AbstractJettyComponent implements JettyComponent
 configureWebAppContext(webAppContext);
+ ignoreAmbiguousLinks(server);
+
 server.start();
 if(logger.isDebugEnabled())
@@ -203,15 +207,27 @@ public abstract class AbstractJettyComponent implements JettyComponent
 }
 }
 });
-
- // with a login-config in web.xml, jetty seems to require this in order to start successfully
- webAppContext.getSecurityHandler().setLoginService(new HashLoginService());
 // arbitrary temporary file location
 File tmp = new File(TempFileProvider.getSystemTempDir(), String.valueOf(System.currentTimeMillis()));
 webAppContext.setResourceBase(tmp.getAbsolutePath());
 }
+ /**
+ * In newer jetty versions there is a stricter check for links e.g. "//" is not allowed, which clashes
+ * with some of our tests, because even a NodeRef triggers it - "workspace://..."
+ * Since Jetty is only used in tests it's alright to block this behaviour.
+ *
+ * @param server
+ */
+ private void ignoreAmbiguousLinks(Server server) {
+ Arrays.stream(server.getConnectors())
+ .flatMap(c -> c.getConnectionFactories().stream())
+ .filter(cf -> cf instanceof HttpConnectionFactory)
+ .map(cf -> (HttpConnectionFactory) cf)
+ .forEach(hcf -> hcf.getHttpConfiguration().setUriCompliance(UriCompliance.RFC3986));
+ }
+
 public void shutdown()
 {
 try
diff --git a/remote-api/src/test/java/org/alfresco/rest/api/tests/EnterpriseJettyComponent.java b/remote-api/src/test/java/org/alfresco/rest/api/tests/EnterpriseJettyComponent.java
index bb93c253da..0d476b7c10 100644
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/EnterpriseJettyComponent.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/EnterpriseJettyComponent.java
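Review bot: `UriCompliance.RFC3986` in the new `ignoreAmbiguousLinks` relaxes more than its Javadoc describes — as far as I recall, the 10.0.x constant permits every `UriCompliance.Violation` (ambiguous segments, separators, encodings and empty segments), not only the `//` case the comment cites for `workspace://` NodeRefs, and the constant's meaning has changed between Jetty releases, so a later bump could silently widen or narrow what the test server accepts; verify against the 10.0.11 Javadoc. If the API offers it, name the violations instead, e.g. `.setUriCompliance(UriCompliance.DEFAULT.with("alfresco-tests", UriCompliance.Violation.AMBIGUOUS_PATH_SEPARATOR, UriCompliance.Violation.AMBIGUOUS_EMPTY_SEGMENT))`, so the relaxation is exactly as wide as the tests need. The empty `@param server` should also state when the call is effective: the connectors are read from `server.getConnectors()` at call time, so it changes nothing unless they have already been added and, presumably, before `start()` — the call in the earlier hunk sits just before `server.start()`, but where the connectors are created is outside these hunks. Finally, the "only used in tests" justification rests on the three jetty artifacts staying `<scope>test</scope>` in the pom; stating that dependency in the Javadoc keeps the relaxation from being copied into a non-test configuration.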
@@ -1,34 +1,30 @@
-/*
- * #%L
- * Alfresco Remote API
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
 package org.alfresco.rest.api.tests;
-import org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet;
-import org.eclipse.jetty.servlet.ServletHolder;
-import org.eclipse.jetty.webapp.WebAppContext;
-
 /**
 * Manages an embedded jetty server, hooking it up to the repository spring context and providing
 * authenticated, tenant-based access through the tenant servlet.
@@ -42,15 +38,4 @@ public class EnterpriseJettyComponent extends PublicApiJettyComponent
 {
 super(port, contextPath, configLocations, classLocations);
 }
-
- @Override
- protected void configureWebAppContext(WebAppContext webAppContext)
- {
- super.configureWebAppContext(webAppContext);
-
- // the tenant servlet with alfresco managed authentication
- ServletHolder servletHolder = new ServletHolder(CmisAtomPubServlet.class);
- servletHolder.setInitParameter("callContextHandler", "org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler");
- webAppContext.addServlet(servletHolder, "/cmisatom/*");
- }
 }
diff --git a/remote-api/src/test/java/org/alfresco/rest/api/tests/ModulePackagesApiTest.java b/remote-api/src/test/java/org/alfresco/rest/api/tests/ModulePackagesApiTest.java
index 6b7b6eb30b..a77542471c 100644
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/ModulePackagesApiTest.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/ModulePackagesApiTest.java
@@ -123,7 +123,7 @@ public class ModulePackagesApiTest extends AbstractBaseApiTest
 assertNotNull(response);
 assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode());
 assertEquals("no-cache", response.getHeaders().get("Cache-Control"));
- assertEquals("application/json;charset=UTF-8", response.getHeaders().get("Content-Type"));
+ assertEquals("application/json;charset=utf-8", response.getHeaders().get("Content-Type"));
 PublicApiClient.ExpectedErrorResponse errorResponse = RestApiUtil.parseErrorResponse(response.getJsonResponse());
 assertNotNull(errorResponse);
diff --git a/remote-api/src/test/java/org/alfresco/rest/api/tests/PublicApiJettyComponent.java b/remote-api/src/test/java/org/alfresco/rest/api/tests/PublicApiJettyComponent.java
index 8924fc1678..7728491a79 100644
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/PublicApiJettyComponent.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/PublicApiJettyComponent.java
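Review bot: The replaced assertion still pins the exact byte form of the charset parameter, yet charset values in a Content-Type are case-insensitive (RFC 2045 §5.1, RFC 7231), and the UTF-8 → utf-8 churn in this very hunk is what a case-sensitive comparison invites on every container upgrade. Compare case-insensitively instead, e.g. `assertEquals("application/json;charset=utf-8", response.getHeaders().get("Content-Type").toLowerCase(Locale.ROOT));` (with `java.util.Locale` imported), which keeps the failure message showing both values; `equalsIgnoreCase` inside `assertTrue` works too but loses it. The same point applies to the nine `charset=` assertions changed in SharedLinkApiTest (the hunks at 303, 319, 330, 392, 405, 816, 832, 888 and 901). Whether the test is meant to verify the charset at all, or only the media type, is not clear from the hunk; if the latter, asserting on the parsed media type alone would be more robust still.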
@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Remote API
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
 package org.alfresco.rest.api.tests;
 import org.alfresco.repo.web.util.AbstractJettyComponent;
@@ -48,63 +48,16 @@ public class PublicApiJettyComponent extends AbstractJettyComponent
 @Override
 protected void configureWebAppContext(WebAppContext webAppContext)
 {
-// ServletContext servletContext = webAppContext.getServletContext();
 // the tenant servlet with alfresco managed authentication
 ServletHolder servletHolder = new ServletHolder(PublicApiWebScriptServlet.class);
 servletHolder.setInitParameter("authenticator", "publicapi.authenticator");
 webAppContext.addServlet(servletHolder, "/" + publicApiServletName + "/*");
-
-// DependencyInjectedFilter apiFilter = (DependencyInjectedFilter)getApplicationContext().getBean("publicAPICMISFilter");
-// BeanProxyFilter filter = new BeanProxyFilter(servletContext, apiFilter);
-// FilterHolder filterHolder = new FilterHolder(filter);
-// webAppContext.addFilter(filterHolder, "/" + publicApiServletName + "/*", null);
+ // the tenant servlet with alfresco managed authentication
 servletHolder = new ServletHolder(CmisAtomPubServlet.class);
 servletHolder.setInitParameter("callContextHandler", "org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler");
- webAppContext.addServlet(servletHolder, "/cmisatom/*");
+ webAppContext.addServlet(servletHolder, "/cmisatom/*");
 }
-
-// private static class BeanProxyFilter implements Filter
-// {
-// private DependencyInjectedFilter filter;
-// private ServletContext context;
-//
-// private BeanProxyFilter(ServletContext context, DependencyInjectedFilter filter)
-// {
-// this.context = context;
-// this.filter = filter;
-// }
-//
-// /**
-// * Initialize the filter.
-// *
-// * @param args
-// * FilterConfig
-// * @throws ServletException
-// * the servlet exception
-// * @exception ServletException
-// */
-// public void init(FilterConfig args) throws ServletException
-// {
-// }
-//
-// /* (non-Javadoc)
-// * @see javax.servlet.Filter#destroy()
-// */
-// public void destroy()
-// {
-// this.filter = null;
-// }
-//
-// /* (non-Javadoc)
-// * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
-// */
-// public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
-// ServletException
-// {
-// this.filter.doFilter(this.context, request, response, chain);
-// }
-// }
 }
diff --git a/remote-api/src/test/java/org/alfresco/rest/api/tests/SharedLinkApiTest.java b/remote-api/src/test/java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
index fa64a0af42..3faadffb97 100644
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
@@ -303,7 +303,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
 Map responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(file1_MimeType+";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(file1_MimeType+";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get("Expires"));
 assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", responseHeaders.get("Content-Disposition"));
 String lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);
@@ -319,7 +319,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
 responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(file1_MimeType+";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(file1_MimeType+";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
 assertNotNull(responseHeaders.get("Expires"));
 assertNull(responseHeaders.get("Content-Disposition"));
@@ -330,7 +330,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertArrayEquals(content2Text.getBytes(), response.getResponseAsBytes());
 responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(file2_MimeType+";charset=ISO-8859-1", responseHeaders.get("Content-Type"));
+ assertEquals(file2_MimeType+";charset=iso-8859-1", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get("Expires"));
 assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
 assertEquals("attachment; filename=\"" + fileName2 + "\"; filename*=UTF-8''" + fileName2 + "", responseHeaders.get("Content-Disposition"));
@@ -392,7 +392,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertTrue(response.getResponseAsBytes().length > 0);
 responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
 assertNotNull(responseHeaders.get("Expires"));
 String docName = "doclib";
@@ -405,7 +405,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertTrue(response.getResponseAsBytes().length > 0);
 responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get("Expires"));
 assertNull(responseHeaders.get("Content-Disposition"));
 lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);
@@ -816,7 +816,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
 Map responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(file1_MimeType + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(file1_MimeType + ";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get("Expires"));
 assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", responseHeaders.get("Content-Disposition"));
 String lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);
@@ -832,7 +832,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
 responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(file1_MimeType + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(file1_MimeType + ";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
 assertNotNull(responseHeaders.get("Expires"));
 assertNull(responseHeaders.get("Content-Disposition"));
@@ -888,7 +888,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertTrue(response.getResponseAsBytes().length > 0);
 responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
 assertNotNull(responseHeaders.get("Expires"));
 String docName = "doclib";
@@ -901,7 +901,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertTrue(response.getResponseAsBytes().length > 0);
 responseHeaders = response.getHeaders();
 assertNotNull(responseHeaders);
- assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+ assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=utf-8", responseHeaders.get("Content-Type"));
 assertNotNull(responseHeaders.get("Expires"));
 assertNull(responseHeaders.get("Content-Disposition"));
 lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);