[NOID] Cherry picks from 4.4 to 5.4 (#3424)
* [qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-42004, CVE-2022-42003 (#3409)

* [H10zCpAQ] Fix CWE-73: Added check to prevent reading from outside metrics directory (#3245)
vga91 authored Jan 30, 2023
1 parent a7e24ef commit 7d8c34d
Showing 5 changed files with 33 additions and 7 deletions.
2 changes: 1 addition & 1 deletion apoc-core
Submodule apoc-core updated 45 files
+4 −4 build.gradle
+30 −0 common/src/main/antlr/apoc/custom/Signature.g4
+8 −0 common/src/main/java/apoc/ApocConfig.java
+0 −1 common/src/main/java/apoc/ApocExtensionFactory.java
+16 −0 common/src/main/java/apoc/Description.java
+0 −1 common/src/main/java/apoc/RegisterComponentFactory.java
+7 −1 common/src/main/java/apoc/SystemLabels.java
+15 −0 common/src/main/java/apoc/SystemPropertyKeys.java
+4 −0 common/src/main/java/apoc/export/cypher/FileManagerFactory.java
+3 −0 common/src/main/java/apoc/load/LoadJsonUtils.java
+3 −0 common/src/main/java/apoc/load/Mapping.java
+66 −0 common/src/main/java/apoc/load/util/JdbcUtil.java
+130 −0 common/src/main/java/apoc/load/util/LoadCsvConfig.java
+85 −0 common/src/main/java/apoc/load/util/LoadJdbcConfig.java
+15 −0 common/src/main/java/apoc/result/BooleanResult.java
+20 −0 common/src/main/java/apoc/result/IdsResult.java
+42 −0 common/src/main/java/apoc/result/KernelInfoResult.java
+15 −0 common/src/main/java/apoc/result/KeyValueResult.java
+27 −0 common/src/main/java/apoc/result/NodeValueErrorMapResult.java
+27 −0 common/src/main/java/apoc/result/NodeWithMapResult.java
+37 −0 common/src/main/java/apoc/result/StoreInfoResult.java
+15 −0 common/src/main/java/apoc/result/StringResult.java
+33 −0 common/src/main/java/apoc/result/TransactionInfoResult.java
+0 −1 common/src/main/java/apoc/result/VirtualNode.java
+1 −1 common/src/main/java/apoc/result/VirtualPath.java
+0 −1 common/src/main/java/apoc/result/VirtualRelationship.java
+53 −0 common/src/main/java/apoc/util/FileUtils.java
+4 −0 common/src/main/java/apoc/util/JsonUtil.java
+43 −0 common/src/main/java/apoc/util/UrlResolver.java
+46 −0 common/src/main/java/apoc/util/Util.java
+50 −0 common/src/main/java/apoc/uuid/UuidConfig.java
+1 −2 core/src/main/java/apoc/text/Strings.java
+10 −9 core/src/main/java/apoc/trigger/TriggerHandlerNewProcedures.java
+1 −2 core/src/main/java/apoc/util/Utils.java
+0 −65 core/src/test/java/apoc/trigger/TriggerNewProceduresTest.java
+0 −17,166 log.txt
+3 −3 readme.adoc
+1 −1 test-utils/src/main/java/apoc/trigger/TriggerTestUtil.java
+32 −0 test-utils/src/main/java/apoc/util/GoogleCloudStorageContainerExtension.java
+23 −0 test-utils/src/main/java/apoc/util/MySQLContainerExtension.java
+0 −1 test-utils/src/main/java/apoc/util/Neo4jContainerExtension.java
+13 −1 test-utils/src/main/java/apoc/util/TestContainerUtil.java
+14 −1 test-utils/src/main/java/apoc/util/TestUtil.java
+7 −20 test-utils/src/main/java/apoc/util/s3/S3TestUtil.java
+5 −16 test-utils/src/main/java/org/neo4j/test/rule/DbmsRule.java
6 changes: 3 additions & 3 deletions extended/build.gradle
Expand Up @@ -94,9 +94,9 @@ dependencies {
}
compileOnly group: 'com.couchbase.client', name: 'java-client', version: '3.3.0', withoutJacksons
compileOnly group: 'io.lettuce', name: 'lettuce-core', version: '6.1.1.RELEASE'
compileOnly group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.13.2', withoutJacksons
compileOnly group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.14.0', withoutJacksons
compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-s3', version: '1.11.270'
compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.353' , withoutJacksons
compileOnly group: 'com.sun.mail', name: 'javax.mail', version: '1.6.0'
compileOnly group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib-jdk8', version: '1.6.0'

Expand All @@ -120,7 +120,7 @@ dependencies {
testImplementation group: 'io.lettuce', name: 'lettuce-core', version: '6.1.1.RELEASE'
testImplementation group: 'org.mock-server', name: 'mockserver-netty', version: '5.6.0'
testImplementation group: 'org.mock-server', name: 'mockserver-client-java', version: '5.6.0'
testImplementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
testImplementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.353' , withoutJacksons
testImplementation group: 'us.fatehi', name: 'schemacrawler-mysql', version: '15.04.01'
testImplementation group: 'org.xmlunit', name: 'xmlunit-core', version: '2.2.1'
testImplementation group: 'com.github.adejanovski', name: 'cassandra-jdbc-wrapper', version: '3.1.0'
14 changes: 13 additions & 1 deletion extended/src/main/java/apoc/metrics/Metrics.java
Expand Up @@ -14,6 +14,7 @@

import java.io.File;
import java.io.FilenameFilter;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
Expand All @@ -29,6 +30,9 @@
*/
@Extended
public class Metrics {
public static final String OUTSIDE_DIR_ERR_MSG = "The path you are trying to access is outside the metrics directory and " +
"this procedure is only permitted to access files in it. " +
"This may occur if the path in question is a symlink or other link.";
@Context
public Log log;

Expand Down Expand Up @@ -171,7 +175,15 @@ public Stream<GenericMetric> loadCsvForMetric(String metricName, Map<String,Obje
"https://neo4j.com/docs/operations-manual/current/monitoring/metrics/expose/#metrics-csv");
}

String url = new File(metricsDir, metricName + ".csv").getAbsolutePath();
final File file = new File(metricsDir, metricName + ".csv");
try {
if (!file.getCanonicalPath().startsWith(metricsDir.getAbsolutePath())) {
throw new RuntimeException(OUTSIDE_DIR_ERR_MSG);
}
} catch (IOException ioe) {
throw new RuntimeException("Unable to resolve basic metric file canonical path", ioe);
}
String url = file.getAbsolutePath();
CountingReader reader = null;
try {
reader = FileUtils.getStreamConnection(SupportedProtocols.file, url, null, null)
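Review bot: The containment check on the new `if (!file.getCanonicalPath().startsWith(metricsDir.getAbsolutePath()))` line compares a canonical path against a non-canonical one and uses a plain string prefix, so it misbehaves in both directions: if `metricsDir` itself sits behind a symlink, every legitimate metric file is rejected with OUTSIDE_DIR_ERR_MSG, and a sibling directory whose name merely begins with the metrics directory name passes the check. Canonicalize both sides and compare path components instead: `final Path base = metricsDir.getCanonicalFile().toPath();` / `final Path target = file.getCanonicalFile().toPath();` / `if (!target.startsWith(base)) { throw new RuntimeException(OUTSIDE_DIR_ERR_MSG); }`, which needs `java.nio.file.Path` added to the imports in the first hunk. loadCsvForMetric starts and ends outside the hunk, so how metricsDir is derived is not visible here.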
14 changes: 14 additions & 0 deletions extended/src/test/java/apoc/metrics/MetricsTest.java
Expand Up @@ -3,6 +3,7 @@
import apoc.util.Neo4jContainerExtension;
import apoc.util.TestContainerUtil.ApocPackage;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test;
Expand All @@ -16,9 +17,11 @@
import java.util.stream.Collectors;
import java.util.stream.Stream;

import static apoc.metrics.Metrics.OUTSIDE_DIR_ERR_MSG;
import static apoc.util.FileUtils.NEO4J_DIRECTORY_CONFIGURATION_SETTING_NAMES;
import static apoc.util.TestContainerUtil.*;
import static apoc.util.Util.map;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.neo4j.test.assertion.Assert.assertEventually;

Expand Down Expand Up @@ -48,7 +51,18 @@ public static void beforeAll() throws InterruptedException {
public static void afterAll() {
neo4jContainer.close();
}


@Test
public void shouldNotGetFileOutsideMetricsDir() {
try {
testCall(session, "CALL apoc.metrics.get('../external')",
(r) -> Assert.fail("Should fail because the path is outside the dir "));
} catch (RuntimeException e) {
assertEquals("Failed to invoke procedure `apoc.metrics.get`: Caused by: java.lang.RuntimeException: " + OUTSIDE_DIR_ERR_MSG, e.getMessage());
}
}

// TODO: Investigate broken test. It hangs for more than 30 seconds for no reason.
@Test
@Ignore
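Review bot: `Assert.fail(...)` in the new test's lambda uses the class-qualified form while the same hunk statically imports `assertEquals` from `org.junit.Assert`; import `fail` statically too (`import static org.junit.Assert.fail;`) and drop the new `import org.junit.Assert;` so the file stays on one style. The assertion also pins the full driver-wrapped message, which couples the test to Neo4j's error-wrapping prefix; `assertTrue(e.getMessage().contains(OUTSIDE_DIR_ERR_MSG))` (assertTrue is already imported) would survive a change in that prefix. A companion positive case reading a metric inside the directory would show the new check does not reject legitimate files.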
4 changes: 2 additions & 2 deletions extra-dependencies/nlp/build.gradle
Expand Up @@ -23,8 +23,8 @@ def withoutJacksons = {
}

dependencies {
implementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.13.2', withoutJacksons
implementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.353' , withoutJacksons
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.14.0', withoutJacksons
implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.0'
}
