From 7d8c34d85128bdb7601a5f86bb4601806c1612e2 Mon Sep 17 00:00:00 2001
From: Giuseppe Villani
Date: Mon, 30 Jan 2023 11:12:13 +0100
Subject: [PATCH] [NOID] Cherry picks from 4.4 to 5.4 (#3424)

* [qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-42004, CVE-2022-42003 (#3409)
* [H10zCpAQ] Fix CWE-73: Added check to prevent reading from outside metrics directory (#3245)
---
 apoc-core | 2 +-
 extended/build.gradle | 6 +++---
 extended/src/main/java/apoc/metrics/Metrics.java | 14 +++++++++++++-
 .../src/test/java/apoc/metrics/MetricsTest.java | 14 ++++++++++++++
 extra-dependencies/nlp/build.gradle | 4 ++--
 5 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/apoc-core b/apoc-core
index f08caee913..9e12f49fc8 160000
--- a/apoc-core
+++ b/apoc-core
@@ -1 +1 @@
-Subproject commit f08caee9130a50005923469de4042cf21ec6c04c
+Subproject commit 9e12f49fc817a06a8373b05c99f35ffe71c5074e
diff --git a/extended/build.gradle b/extended/build.gradle
index 587dddbf36..887df46f2f 100644
--- a/extended/build.gradle
+++ b/extended/build.gradle
@@ -94,9 +94,9 @@ dependencies {
 }
 compileOnly group: 'com.couchbase.client', name: 'java-client', version: '3.3.0', withoutJacksons
 compileOnly group: 'io.lettuce', name: 'lettuce-core', version: '6.1.1.RELEASE'
- compileOnly group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.13.2', withoutJacksons
+ compileOnly group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.14.0', withoutJacksons
 compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-s3', version: '1.11.270'
- compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
+ compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.353' , withoutJacksons
 compileOnly group: 'com.sun.mail', name: 'javax.mail', version: '1.6.0'
 compileOnly group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib-jdk8', version: '1.6.0'
@@ -120,7 +120,7 @@ dependencies {
 testImplementation group: 'io.lettuce', name: 'lettuce-core', version: '6.1.1.RELEASE'
 testImplementation group: 'org.mock-server', name: 'mockserver-netty', version: '5.6.0'
 testImplementation group: 'org.mock-server', name: 'mockserver-client-java', version: '5.6.0'
- testImplementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
+ testImplementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.353' , withoutJacksons
 testImplementation group: 'us.fatehi', name: 'schemacrawler-mysql', version: '15.04.01'
 testImplementation group: 'org.xmlunit', name: 'xmlunit-core', version: '2.2.1'
 testImplementation group: 'com.github.adejanovski', name: 'cassandra-jdbc-wrapper', version: '3.1.0'
diff --git a/extended/src/main/java/apoc/metrics/Metrics.java b/extended/src/main/java/apoc/metrics/Metrics.java
index a854b27bd3..dac01eed61 100644
--- a/extended/src/main/java/apoc/metrics/Metrics.java
+++ b/extended/src/main/java/apoc/metrics/Metrics.java
@@ -14,6 +14,7 @@
 import java.io.File;
 import java.io.FilenameFilter;
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
@@ -29,6 +30,9 @@
 */
 @Extended
 public class Metrics {
+ public static final String OUTSIDE_DIR_ERR_MSG = "The path you are trying to access is outside the metrics directory and " +
+ "this procedure is only permitted to access files in it. " +
+ "This may occur if the path in question is a symlink or other link.";
 @Context
 public Log log;
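Review bot: `OUTSIDE_DIR_ERR_MSG` is a new public constant with no Javadoc, so nothing at the declaration says which check raises it or why it needs to be public. I would add `/** Message of the exception thrown when a requested metrics file resolves outside the metrics directory (for example through a symlink); public so the test in MetricsTest can assert on it. */` above it, since MetricsTest does reference the constant later in this patch. The `loadCsvForMetric` hunk that performs the containment check is not legible in this view, so I cannot confirm that the comparison is made on canonical (link-resolved) paths as the symlink wording and the new `java.io.IOException` import suggest; that hunk is where a reviewer should look next. The message itself reports only that access was refused and not the resolved path, which is the right level of detail for a user-facing error.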
@@ -171,7 +175,15 @@ public Stream loadCsvForMetric(String metricName, Map Assert.fail("Should fail because the path is outside the dir "));
+ } catch (RuntimeException e) {
+ assertEquals("Failed to invoke procedure `apoc.metrics.get`: Caused by: java.lang.RuntimeException: " + OUTSIDE_DIR_ERR_MSG, e.getMessage());
+ }
+ }
+ // TODO: Investigate broken test. It hangs for more than 30 seconds for no reason.
 @Test
 @Ignore
diff --git a/extra-dependencies/nlp/build.gradle b/extra-dependencies/nlp/build.gradle
index f1a075cd66..2c3b484a14 100644
--- a/extra-dependencies/nlp/build.gradle
+++ b/extra-dependencies/nlp/build.gradle
@@ -23,8 +23,8 @@ def withoutJacksons = {
 }
 dependencies {
- implementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
- implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.13.2', withoutJacksons
+ implementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.353' , withoutJacksons
+ implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.14.0', withoutJacksons
 implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.0'
 }