Feature/prodsec 10326 update commons fileupload 7.4.N (#3446)

Co-authored-by: Manish Kumar <manish.kumar@hyland.com>
2025-09-10 14:11:58 +00:00 · 2025-07-10 10:30:34 +02:00
parent 2e15def965
commit ed2b8d6c70
6 changed files with 238 additions and 93 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,6 +26,9 @@ env:
  CI_WORKSPACE: ${{ github.workspace }}
  TAS_ENVIRONMENT: ./packaging/tests/environment
  TAS_SCRIPTS: ../alfresco-community-repo/packaging/tests/scripts
  AUTH0_CLIENT_ID: ${{ secrets.AUTH0_OIDC_ADMIN_CLIENT_ID }}
  AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_OIDC_CLIENT_SECRET }}
  AUTH0_ADMIN_PASSWORD: ${{ secrets.AUTH0_OIDC_ADMIN_PASSWORD }}
 jobs:
  prepare:
@@ -36,8 +39,13 @@ jobs:
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+        with:
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+          fetch-depth: 0
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
 # 7.4.N does not have proper pre-commit support
 #      - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Prepare maven cache and check compilation"
@@ -45,45 +53,136 @@ jobs:
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
-  veracode:
+  veracode_sca:
    name: "Source Clear Scan (SCA)"
    runs-on: ubuntu-latest
    needs: [prepare]
    if: >
-      ((github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) && github.event_name != 'pull_request') &&
+      (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') &&
      !contains(github.event.head_commit.message, '[skip tests]') &&
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
-      - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.16.0
        continue-on-error: true
        with:
          srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
-        
+
  veracode_sast:
    name: "Pipeline SAST Scan"
    runs-on: ubuntu-latest
    needs: [prepare]
    if: >
      (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') &&
      github.actor != 'dependabot[bot]' &&
      !contains(github.event.head_commit.message, '[skip tests]') &&
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.16.0
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          repository: "Alfresco/veracode-baseline-archive"
          file-path: "alfresco-community-repo/alfresco-community-repo-baseline.json"
          target: "baseline.json"
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
          bash ./scripts/ci/init.sh
          bash ./scripts/ci/build.sh
      - name: "Remove excluded files"
        run: |
          mkdir temp-dir-for-sast
          bash ./scripts/ci/remove-sast-exclusions.sh ./packaging/war/target/alfresco.war temp-dir-for-sast/reduced.war
      - name: "Run SAST Scan"
        uses: veracode/Veracode-pipeline-scan-action@v1.0.16
        with:
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          file: "temp-dir-for-sast/reduced.war"
          fail_build: true
          project_name: alfresco-community-repo
          issue_details: true
          veracode_policy_name: Alfresco Default
          summary_output: true
          summary_output_file: results.json
          summary_display: true
          baseline_file: baseline.json
      - name: Upload scan result
        if: success() || failure()
        run: zip readable_output.zip results.json
      - name: Upload Artifact
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results (Human Readable)
          path: readable_output.zip
      - name: "Remove temporary directory"
        run: rm -rfv temp-dir-for-sast
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
  pmd_scan:
    name: "PMD Scan"
    runs-on: ubuntu-latest
    needs: [prepare]
    if: >
      github.event_name == 'pull_request' &&
      !contains(github.event.head_commit.message, '[skip pmd]') &&
      !contains(github.event.head_commit.message, '[skip tests]') &&
      !contains(github.event.head_commit.message, '[force]')
    steps:
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - uses: Alfresco/ya-pmd-scan@v4.3.0
        with:
          classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\""
  all_unit_tests_suite:
-    name: "Core, Data-Model, Repository - AllUnitTestsSuite - Build and test"
+    name: ${{ matrix.testName }} - AllUnitTestsSuite - Build and test
    runs-on: ubuntu-latest
    needs: [prepare]
    if: >
      !contains(github.event.head_commit.message, '[skip repo]') &&
      !contains(github.event.head_commit.message, '[skip tests]') &&
      !contains(github.event.head_commit.message, '[force')
    strategy:
      fail-fast: false
      matrix:
        include:
          - testName: Core
            testModule: core
            testAttributes: "-Dtest=AllCoreUnitTestSuite"
          - testName: Data-Model
            testModule: data-model
            testAttributes: "-Dtest=AllDataModelUnitTestSuite"
          - testName: Repository
            testModule: repository
            testAttributes: "-Dtest=AllUnitTestsSuite"
          - testName: Mmt
            testModule: mmt
            testAttributes: "-Dtest=AllMmtUnitTestSuite"
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Run tests"
        run: |
-          mvn -B test -pl core,data-model -am -DfailIfNoTests=false
+          mvn -B test -pl ${{ matrix.testModule }} -am ${{ matrix.testAttributes }} -DfailIfNoTests=false "${args[@]}"
          mvn -B test -pl "repository,mmt" -am "-Dtest=AllUnitTestsSuite,AllMmtUnitTestSuite" -DfailIfNoTests=false
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
@@ -113,8 +212,9 @@ jobs:
      REQUIRES_INSTALLED_ARTIFACTS: true
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
@@ -123,9 +223,10 @@ jobs:
      - name: "Set transformers tag"
        run: echo "TRANSFORMERS_TAG=$(mvn help:evaluate -Dexpression=dependency.alfresco-transform-core.version -q -DforceStdout)" >> $GITHUB_ENV
      - name: "Set up the environment"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
      - name: "Run tests"
-        run: mvn -B test -pl remote-api -Dtest=${{ matrix.testSuite }} -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco
+        run: mvn -B test -pl remote-api -Dtest=${{ matrix.testSuite }} -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco  # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
@@ -143,11 +244,12 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        version: ['10.2.18', '10.4', '10.5']
+        version: ['10.2.18', '10.4', '10.5', '10.6']
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: Run MariaDB ${{ matrix.version }} database
@@ -155,33 +257,7 @@ jobs:
        env:
          MARIADB_VERSION: ${{ matrix.version }}
      - name: "Run tests"
-        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.name=alfresco -Ddb.url=jdbc:mariadb://localhost:3307/alfresco?useUnicode=yes\&characterEncoding=UTF-8 -Ddb.username=alfresco -Ddb.password=alfresco -Ddb.driver=org.mariadb.jdbc.Driver
+        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.name=alfresco -Ddb.url=jdbc:mariadb://localhost:3307/alfresco?useUnicode=yes\&characterEncoding=UTF-8 -Ddb.username=alfresco -Ddb.password=alfresco -Ddb.driver=org.mariadb.jdbc.Driver # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
  repository_mariadb_10_6_tests:
    name: "Repository - MariaDB 10.6 tests"
    runs-on: ubuntu-latest
    needs: [prepare]
    if: >
      (((github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') &&
      !contains(github.event.head_commit.message, '[skip db]')) ||
      contains(github.event.head_commit.message, '[latest db]') ||
      contains(github.event.head_commit.message, '[db]')) &&
      !contains(github.event.head_commit.message, '[skip tests]') &&
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Run MariaDB 10.6 database"
        run: docker compose -f ./scripts/ci/docker-compose/docker-compose-db.yaml --profile mariadb up -d
        env:
          MARIADB_VERSION: 10.6
      - name: "Run tests"
        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.name=alfresco -Ddb.url=jdbc:mariadb://localhost:3307/alfresco?useUnicode=yes\&characterEncoding=UTF-8 -Ddb.username=alfresco -Ddb.password=alfresco -Ddb.driver=org.mariadb.jdbc.Driver
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
@@ -198,8 +274,9 @@ jobs:
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Run MySQL 8 database"
@@ -207,7 +284,7 @@ jobs:
        env:
          MYSQL_VERSION: 8
      - name: "Run tests"
-        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=com.mysql.jdbc.Driver -Ddb.name=alfresco -Ddb.url=jdbc:mysql://localhost:3307/alfresco -Ddb.username=alfresco -Ddb.password=alfresco
+        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=com.mysql.jdbc.Driver -Ddb.name=alfresco -Ddb.url=jdbc:mysql://localhost:3307/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
@@ -223,8 +300,9 @@ jobs:
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Run PostgreSQL 13.7 database"
@@ -232,24 +310,25 @@ jobs:
        env:
          POSTGRES_VERSION: 13.7
      - name: "Run tests"
-        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco
+        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
  repository_postgresql_14_4_tests:
    name: "Repository - PostgreSQL 14.4 tests"
    runs-on: ubuntu-latest
-    needs: [prepare]
+    needs: [ prepare ]
    if: >
-      (!contains(github.event.head_commit.message, '[skip db]') ||
+      (((github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) && github.event_name != 'pull_request' &&
-      contains(github.event.head_commit.message, '[latest db]') ||
+      !contains(github.event.head_commit.message, '[skip db]')) ||
      contains(github.event.head_commit.message, '[db]')) &&
      !contains(github.event.head_commit.message, '[skip tests]') &&
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Run PostgreSQL 14.4 database"
@@ -257,10 +336,11 @@ jobs:
        env:
          POSTGRES_VERSION: 14.4
      - name: "Run tests"
-        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco
+        run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
  repository_messaging_tests:
    name: Repository - Messaging tests
    runs-on: ubuntu-latest
@@ -271,19 +351,20 @@ jobs:
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Run ActiveMQ"
        run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile activemq up -d
      - name: "Run tests"
-        run: mvn -B test -pl repository -am -Dtest=CamelRoutesTest,CamelComponentsTest -DfailIfNoTests=false
+        run: mvn -B test -pl repository -am -Dtest=CamelRoutesTest,CamelComponentsTest -DfailIfNoTests=false # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
  repository_app_context_test_suites:
-    name: Repository - ${{ matrix.testSuite }}
+    name: Repository - ${{ matrix.testSuite }} ${{ matrix.idp }}
    runs-on: ubuntu-latest
    needs: [prepare]
    if: >
@@ -304,7 +385,12 @@ jobs:
            compose-profile: with-transform-core-aio
          - testSuite: AppContext05TestSuite
            compose-profile: with-sso
-            mvn-options: '"-Didentity-service.auth-server-url=http://${HOST_IP}:8999/auth"'
+            mvn-options: '-Didentity-service.auth-server-url=http://${HOST_IP}:8999/auth -Dauthentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm'
            idp: Keycloak
          - testSuite: AppContext05TestSuite
            compose-profile: default
            mvn-options: '-Didentity-service.auth-server-url=https://dev-ps-alfresco.auth0.com/ -Dauthentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm -Didentity-service.audience=http://localhost:3000 -Didentity-service.resource=${AUTH0_CLIENT_ID} -Didentity-service.credentials.secret=${AUTH0_CLIENT_SECRET} -Didentity-service.public-client=false -Didentity-service.realm= -Didentity-service.client-id.validation.disabled=false -Dadmin.user=admin@alfresco.com -Dadmin.password=${AUTH0_ADMIN_PASSWORD} -Dauth0.enabled=true -Dauth0.admin.password=${AUTH0_ADMIN_PASSWORD} -Didentity-service.principal-attribute=nickname'
            idp: Auth0
          - testSuite: AppContext06TestSuite
            compose-profile: with-transform-core-aio
          - testSuite: AppContextExtraTestSuite
@@ -321,8 +407,9 @@ jobs:
            mvn-options: '-Dencryption.ssl.keystore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.keystore -Dencryption.ssl.truststore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.truststore'
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
      - name: "Set transformers tag"
@@ -341,9 +428,10 @@ jobs:
            echo "HOSTNAME_VERIFICATION_DISABLED=false" >> "$GITHUB_ENV"
          fi
      - name: "Set up the environment"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
      - name: "Run tests"
-        run: mvn -B test -pl repository -am -Dtest=${{ matrix.testSuite }} -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco ${{ matrix.mvn-options }}
+        run: mvn -B test -pl repository -am -Dtest=${{ matrix.testSuite }} -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco ${{ matrix.mvn-options }} # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
@@ -383,26 +471,22 @@ jobs:
            pom-dir: tas-email
          - test-name: "WebDAV TAS tests"
            pom-dir: tas-webdav
-          - test-name: "Integration TAS tests (Java 17)"
+          - test-name: "Integration TAS tests"
            pom-dir: tas-integration
          - test-name: "Integration TAS tests (Java 11)"
            pom-dir: tas-integration
            jre-version: 11
    env:
      REQUIRES_LOCAL_IMAGES: true
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-        with:
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
          java-version: ${{ matrix.jre-version || '17' }}
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
          bash ./scripts/ci/init.sh
          export BUILD_OPTIONS="-Ddocker.buildArg.JRE_VERSION=${{ matrix.jre-version }} ${BUILD_OPTIONS}"
          bash ./scripts/ci/build.sh
      - name: "Set up the environment"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
          ${{ env.TAS_SCRIPTS }}/start-compose.sh ${{ env.TAS_ENVIRONMENT }}/docker-compose-minimal+transforms.yml
          ${{ env.TAS_SCRIPTS }}/wait-for-alfresco-start.sh "http://localhost:8082/alfresco"
@@ -432,14 +516,15 @@ jobs:
      !contains(github.event.head_commit.message, '[force')
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
-      - name: "Run Postgres 14.4 database"
+      - name: "Run Postgres 16.6 database"
        run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile postgres up -d
      - name: "Run tests"
-        run: mvn -B test -pl :alfresco-share-services -am -Dtest=ShareServicesTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco
+        run: mvn -B test -pl :alfresco-share-services -am -Dtest=ShareServicesTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
@@ -461,8 +546,9 @@ jobs:
      REQUIRES_INSTALLED_ARTIFACTS: true
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
@@ -492,8 +578,9 @@ jobs:
      REQUIRES_INSTALLED_ARTIFACTS: true
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
@@ -519,8 +606,9 @@ jobs:
      REQUIRES_LOCAL_IMAGES: true
    steps:
      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
@@ -551,3 +639,28 @@ jobs:
          aws s3 cp --acl private ./amps/ags/rm-automation/rm-automation-community-rest-api/target/reports/rm-automation-community-rest-api.log s3://ags-travis-artifacts/community/${{ github.run_number }}/AGS-Community-Rest-API-Tests/rm-automation-community-rest-api.log
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
  ags_start_api_explorer:
    name: "Test Tomcat deployment of api explorer"
    runs-on: ubuntu-latest
    needs: [ prepare ]
    if: >
      (((github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request' ) &&
      !contains(github.event.head_commit.message, '[skip ags]')) ||
      contains(github.event.head_commit.message, '[ags]')) &&
      !contains(github.event.head_commit.message, '[skip tests]') &&
      !contains(github.event.head_commit.message, '[force]')
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: |
          bash ./scripts/ci/init.sh
          bash ./scripts/ci/build.sh
      - name: "Test Tomcat deployment"
        run: |
          mvn verify -Pags,start-api-explorer -DskipTests &
          ${{ env.TAS_SCRIPTS }}/wait-for-alfresco-start.sh "http://localhost:8085/api-explorer"
--- a/.github/workflows/master_release.yml
+++ b/.github/workflows/master_release.yml
@@ -34,11 +34,12 @@ jobs:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
-      - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v8.16.0
        with:
          username: ${{ env.GIT_USERNAME }}
          email: ${{ env.GIT_EMAIL }}
@@ -62,11 +63,12 @@ jobs:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
      - name: "Init"
        run: bash ./scripts/ci/init.sh
-      - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v7.0.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v8.16.0
        with:
          username: ${{ env.GIT_USERNAME }}
          email: ${{ env.GIT_EMAIL }}
--- a/packaging/war/pom.xml
+++ b/packaging/war/pom.xml
@@ -115,6 +115,11 @@
            <artifactId>mysql-connector-java</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.owasp.encoder</groupId>
            <artifactId>encoder</artifactId>
            <version>1.2.3</version>
        </dependency>
    </dependencies>
    <build>
--- a/packaging/war/src/main/webapp/index.jsp
+++ b/packaging/war/src/main/webapp/index.jsp
@@ -34,6 +34,7 @@
 <%@ page import="org.alfresco.service.cmr.module.ModuleDetails" %>
 <%@ page import="org.alfresco.service.cmr.module.ModuleInstallState" %>
 <%@ page import="java.util.Calendar" %>
 <%@ page import="org.owasp.encoder.Encode" %>
 <!-- Enterprise index-jsp placeholder -->
 <%
@@ -88,7 +89,7 @@ ModuleDetails shareServicesModule = moduleService.getModule("alfresco-share-serv
            <p></p>
            <p><a href="./s/index">Alfresco WebScripts Home</a> (admin only - INTERNAL)</p>
            <p></p>
-            <p><a href="<%=UrlUtil.getApiExplorerUrl(sysAdminParams, request.getRequestURL().toString(), request.getRequestURI())%>">Alfresco API Explorer</a></p>
+            <p><a href="<%=Encode.forHtmlAttribute(UrlUtil.getApiExplorerUrl(sysAdminParams, request.getRequestURL().toString(), request.getRequestURI()))%>">Alfresco API Explorer</a></p>
 <%
   if (descriptorService.getLicenseDescriptor() == null && transactionService.isReadOnly())
   {
--- a/pom.xml
+++ b/pom.xml
@@ -403,7 +403,7 @@
            <dependency>
                <groupId>commons-fileupload</groupId>
                <artifactId>commons-fileupload</artifactId>
-                <version>1.5</version>
+                <version>1.6.0</version>
            </dependency>
            <dependency>
--- a/scripts/ci/remove-sast-exclusions.sh
+++ b/scripts/ci/remove-sast-exclusions.sh
@@ -0,0 +1,24 @@
 #!/usr/bin/env bash
 echo "=========================== Excluding Files from Veracode SAST ==========================="
 set -ex
 pushd "$(dirname "${BASH_SOURCE[0]}")/../../"
 # Copy war file to temporary directory
 cp -f "$1" "$2"
 # Remove files to be excluded from Veracode SAST
 exclusions="./scripts/ci/SAST-exclusion-list.txt"
 if [ -e $exclusions ]
 then
    while read -r line
    do
      echo "Removing WEB-INF/lib/$line"
      zip -d "$2" "WEB-INF/lib/$line" || true
    done < "$exclusions"
 else
    echo "No files to be excluded from SAST"
 fi
 popd
 set +ex
 echo "=========================== Finishing Excluding Files from Veracode SAST =========================="