From 95c4a18352c097f8c885b24cfdcb5e1abc915d06 Mon Sep 17 00:00:00 2001
From: Chris Cochrane
Date: Thu, 6 Apr 2023 19:14:30 +0100
Subject: [PATCH 1/7] ENT-6336,ENT-6960 - upgrade snakeyaml to address security vulnerabilities
---
 build.gradle | 9 +++++++--
 client/jackson/build.gradle | 2 +-
 constants.properties | 2 +-
 settings.gradle | 8 ++++----
 4 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/build.gradle b/build.gradle
index eaa2cbad34..f52f497f8c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -63,7 +63,8 @@ buildscript {
 ext.asm_version = '7.1'
 ext.artemis_version = '2.6.2'
 // TODO Upgrade to Jackson 2.10+ only when corda is using kotlin 1.3.10
- ext.jackson_version = '2.9.8'
+ ext.jackson_version = '2.13.3'
+ ext.jackson_kotlin_version = '2.9.7'
 ext.jetty_version = '9.4.19.v20190610'
 ext.jersey_version = '2.25'
 ext.servlet_version = '4.0.1'
@@ -259,7 +260,7 @@ allprojects {
 apply plugin: 'org.owasp.dependencycheck'
 apply plugin: 'kotlin-allopen'
 apply plugin: 'org.sonarqube'
-
+
 allOpen {
 annotations(
 "javax.persistence.Entity",
@@ -417,6 +418,10 @@ allprojects {
 details.useVersion netty_version
 }
 }
+
+ if (details.requested.group == 'org.yaml' && details.requested.name == 'snakeyaml') {
+ details.useVersion snake_yaml_version
+ }
 }
 }
 }
diff --git a/client/jackson/build.gradle b/client/jackson/build.gradle
index e586479b80..c5ba13cb74 100644
--- a/client/jackson/build.gradle
+++ b/client/jackson/build.gradle
@@ -9,7 +9,7 @@ dependencies {
 compile "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
 // Jackson and its plugins: parsing to/from JSON and other textual formats.
- compile "com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version"
+ compile "com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_kotlin_version"
 // Yaml is useful for parsing strings to method calls.
 compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jackson_version"
 // This adds support for java.time types.
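Review bot: The new `org.yaml:snakeyaml` branch in the `resolutionStrategy` closes the transitive snakeyaml hole, but this same commit pins `jackson-module-kotlin` at 2.9.7 in client/jackson, and that artifact declares `jackson-databind` 2.9.7 as its own dependency; nothing in this hunk forces databind to `jackson_version`, so whether the patched 2.13 line wins in a given subproject depends on Gradle's default highest-version conflict resolution and on each module remembering an exclude. A parallel branch, `if (details.requested.group == 'com.fasterxml.jackson.core') { details.useVersion jackson_version }`, would make the databind upgrade hold wherever the Kotlin module is pulled in. `snake_yaml_version` is not defined anywhere in this commit; presumably it is read from `snakeYamlVersion` in constants.properties elsewhere in build.gradle, but that is worth confirming since a missing ext property only surfaces at configuration time. A short comment on the branch, `// force the patched snakeyaml wherever it is reached transitively (e.g. via jackson-dataformat-yaml)`, would record why the override exists.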
diff --git a/constants.properties b/constants.properties
index e7a496b5b8..9c0a7ff74f 100644
--- a/constants.properties
+++ b/constants.properties
@@ -25,7 +25,7 @@ disruptorVersion=3.4.2
 typesafeConfigVersion=1.3.4
 jsr305Version=3.0.2
 artifactoryPluginVersion=4.7.3
-snakeYamlVersion=1.19
+snakeYamlVersion=1.33
 caffeineVersion=2.7.0
 metricsVersion=4.1.0
 metricsNewRelicVersion=1.1.1
diff --git a/settings.gradle b/settings.gradle
index 05bb5040fc..ebb271bcba 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -82,10 +82,10 @@ include 'tools:checkpoint-agent'
 include 'samples:attachment-demo:contracts'
 include 'samples:attachment-demo:workflows'
 include 'samples:trader-demo:workflows-trader'
-include 'samples:irs-demo'
-include 'samples:irs-demo:cordapp:contracts-irs'
-include 'samples:irs-demo:cordapp:workflows-irs'
-include 'samples:irs-demo:web'
+// include 'samples:irs-demo'
+// include 'samples:irs-demo:cordapp:contracts-irs'
+// include 'samples:irs-demo:cordapp:workflows-irs'
+// include 'samples:irs-demo:web'
 include 'samples:simm-valuation-demo'
 include 'samples:simm-valuation-demo:flows'
 include 'samples:simm-valuation-demo:contracts-states'
From dfbfda5520342d85b653ce2d89593cb8cab4cb13 Mon Sep 17 00:00:00 2001
From: Chris Cochrane
Date: Tue, 18 Apr 2023 19:30:22 +0100
Subject: [PATCH 2/7] Upgrade corda/crash
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index f52f497f8c..d10f086c8c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -107,7 +107,7 @@ buildscript {
 ext.dependency_checker_version = '5.2.0'
 ext.commons_collections_version = '4.3'
 ext.beanutils_version = '1.9.3'
- ext.crash_version = '1.7.4'
+ ext.crash_version = '1.7.6'
 ext.jsr305_version = constants.getProperty("jsr305Version")
 ext.shiro_version = '1.4.1'
 ext.artifactory_plugin_version = constants.getProperty('artifactoryPluginVersion')
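Review bot: Commenting the four `samples:irs-demo` includes out of settings.gradle drops those modules from the build without recording why or when they come back, and since `org.owasp.dependencycheck` is applied under `allprojects` in build.gradle, their dependencies also stop being scanned, so a vulnerable library confined to the demo would now go unreported. A one-line note above the block naming the ticket and the re-enable condition, e.g. `// TODO ENT-6336: irs-demo excluded from the build; re-enable once it compiles against the upgraded Jackson`, would keep that visible (the stated reason is my inference; adjust it to the real one). Later commits in this series still edit the irs-demo build.gradle files, which are now never evaluated, so those edits are unverified until the includes are restored; if the exclusion is meant to be permanent, deleting the lines and the sample is clearer than leaving them commented.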
@@ -260,7 +260,7 @@ allprojects {
 apply plugin: 'org.owasp.dependencycheck'
 apply plugin: 'kotlin-allopen'
 apply plugin: 'org.sonarqube'
-
+
 allOpen {
 annotations(
 "javax.persistence.Entity",
From 29dfda3730fb47c09b0756dd680a254a99e331e1 Mon Sep 17 00:00:00 2001
From: Chris Cochrane
Date: Tue, 18 Apr 2023 20:34:42 +0100
Subject: [PATCH 3/7] Resolved build-check issues
---
 .../kotlin/net/corda/node/services/rpc/CheckpointDumperImpl.kt | 2 +-
 samples/irs-demo/cordapp/workflows-irs/build.gradle | 2 +-
 samples/irs-demo/web/build.gradle | 2 +-
 testing/test-cli/build.gradle | 2 +-
 tools/network-builder/build.gradle | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/node/src/main/kotlin/net/corda/node/services/rpc/CheckpointDumperImpl.kt b/node/src/main/kotlin/net/corda/node/services/rpc/CheckpointDumperImpl.kt
index c3116f03cb..48154c44eb 100644
--- a/node/src/main/kotlin/net/corda/node/services/rpc/CheckpointDumperImpl.kt
+++ b/node/src/main/kotlin/net/corda/node/services/rpc/CheckpointDumperImpl.kt
@@ -440,7 +440,7 @@ class CheckpointDumperImpl(private val checkpointStorage: CheckpointStorage, pri
 private object MapSerializer : JsonSerializer>() {
 override fun serialize(map: Map, gen: JsonGenerator, serializers: SerializerProvider) {
- gen.writeStartArray(map.size)
+ gen.writeStartArray()
 map.forEach { (key, value) ->
 gen.jsonObject {
 writeObjectField("key", key)
diff --git a/samples/irs-demo/cordapp/workflows-irs/build.gradle b/samples/irs-demo/cordapp/workflows-irs/build.gradle
index ce09b2a803..ff88428b24 100644
--- a/samples/irs-demo/cordapp/workflows-irs/build.gradle
+++ b/samples/irs-demo/cordapp/workflows-irs/build.gradle
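Review bot: `gen.writeStartArray()` in `MapSerializer.serialize` drops the element-count hint that the deprecated `writeStartArray(int)` carried; as far as I recall the non-deprecated replacement from Jackson 2.10 onward is `gen.writeStartArray(map, map.size)`, which keeps the hint and also passes the value being serialised as the generator's current value. For the JSON backend the count is ignored, so this looks like a pure deprecation clean-up, but that is worth a word at the call site, `// size hint is unused by the JSON generator`, so the next reader does not wonder whether output changed. `serialize` and the enclosing `MapSerializer` object continue past the end of the hunk.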
@@ -16,7 +16,7 @@ dependencies {
 cordaCompile project(':core')
- compile("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+ compile("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_kotlin_version")
 // only included to control the `DemoClock` as part of the demo application
 // normally `:node` should not be depended on in any CorDapps
diff --git a/samples/irs-demo/web/build.gradle b/samples/irs-demo/web/build.gradle
index c7f130691c..4281e2df7f 100644
--- a/samples/irs-demo/web/build.gradle
+++ b/samples/irs-demo/web/build.gradle
@@ -70,7 +70,7 @@ dependencies {
 }
 compile('org.springframework.boot:spring-boot-starter-log4j2')
 runtimeOnly("org.apache.logging.log4j:log4j-web:$log4j_version")
- compile("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+ compile("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_kotlin_version")
 compile project(":client:rpc")
 compile project(":client:jackson")
 compile project(":finance:workflows")
diff --git a/testing/test-cli/build.gradle b/testing/test-cli/build.gradle
index a668c605f4..d4de7deba0 100644
--- a/testing/test-cli/build.gradle
+++ b/testing/test-cli/build.gradle
@@ -6,7 +6,7 @@ dependencies {
 compile "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
 compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jackson_version"
 compile "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
- compile "com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version"
+ compile "com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_kotlin_version"
 compile "org.junit.jupiter:junit-jupiter-api:${junit_jupiter_version}"
 compile "junit:junit:${junit_version}"
diff --git a/tools/network-builder/build.gradle b/tools/network-builder/build.gradle
index 3306ac7c15..7ff937e388 100644
--- a/tools/network-builder/build.gradle
+++ b/tools/network-builder/build.gradle
@@ -52,7 +52,7 @@ dependencies {
 compile "com.typesafe:config:$typesafe_config_version"
 compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jackson_version"
 compile "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
- compile "com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version"
+ compile "com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_kotlin_version"
 compile "info.picocli:picocli:$picocli_version"
 // TornadoFX: A lightweight Kotlin framework for working with JavaFX UI's.
From c263ba7563c5fb0e1ecaf6167d6f8242525a1525 Mon Sep 17 00:00:00 2001
From: Chris Cochrane
Date: Wed, 19 Apr 2023 13:06:35 +0100
Subject: [PATCH 4/7] Updated to fix Jackson tests
---
 build.gradle | 2 +-
 client/jackson/build.gradle | 4 +++-
 .../kotlin/net/corda/client/jackson/JacksonSupport.kt | 3 +++
 .../net/corda/client/jackson/internal/CordaModule.kt | 9 +++++++++
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index d10f086c8c..b7c9c01874 100644
--- a/build.gradle
+++ b/build.gradle
@@ -63,7 +63,7 @@ buildscript {
 ext.asm_version = '7.1'
 ext.artemis_version = '2.6.2'
 // TODO Upgrade to Jackson 2.10+ only when corda is using kotlin 1.3.10
- ext.jackson_version = '2.13.3'
+ ext.jackson_version = '2.13.5'
 ext.jackson_kotlin_version = '2.9.7'
 ext.jetty_version = '9.4.19.v20190610'
 ext.jersey_version = '2.25'
diff --git a/client/jackson/build.gradle b/client/jackson/build.gradle
index c5ba13cb74..b86798a8b3 100644
--- a/client/jackson/build.gradle
+++ b/client/jackson/build.gradle
@@ -9,7 +9,9 @@ dependencies {
 compile "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
 // Jackson and its plugins: parsing to/from JSON and other textual formats.
- compile "com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_kotlin_version"
+ compile("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_kotlin_version") {
+ exclude module: "jackson-databind"
+ }
 // Yaml is useful for parsing strings to method calls.
 compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jackson_version"
 // This adds support for java.time types.
diff --git a/client/jackson/src/main/kotlin/net/corda/client/jackson/JacksonSupport.kt b/client/jackson/src/main/kotlin/net/corda/client/jackson/JacksonSupport.kt
index 5cd84f1ad0..ac8c23a2e9 100644
--- a/client/jackson/src/main/kotlin/net/corda/client/jackson/JacksonSupport.kt
+++ b/client/jackson/src/main/kotlin/net/corda/client/jackson/JacksonSupport.kt
@@ -6,6 +6,7 @@ import com.fasterxml.jackson.core.*
 import com.fasterxml.jackson.databind.*
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize
 import com.fasterxml.jackson.databind.annotation.JsonSerialize
+import com.fasterxml.jackson.databind.cfg.ConstructorDetector
 import com.fasterxml.jackson.databind.deser.BeanDeserializerModifier
 import com.fasterxml.jackson.databind.deser.std.NumberDeserializers
 import com.fasterxml.jackson.databind.node.ObjectNode
@@ -179,6 +180,8 @@ object JacksonSupport {
 addMixIn(X500Principal::class.java, X500PrincipalMixin::class.java)
 addMixIn(X509Certificate::class.java, X509CertificateMixin::class.java)
 addMixIn(CertPath::class.java, CertPathMixin::class.java)
+
+ setConstructorDetector(ConstructorDetector.DEFAULT.withAllowJDKTypeConstructors(true))
 }
 }
diff --git a/client/jackson/src/main/kotlin/net/corda/client/jackson/internal/CordaModule.kt b/client/jackson/src/main/kotlin/net/corda/client/jackson/internal/CordaModule.kt
index 2adbccc93f..758f4e6a6d 100644
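Review bot: `setConstructorDetector(ConstructorDetector.DEFAULT.withAllowJDKTypeConstructors(true))` re-enables auto-detection of single-argument constructors on `java.*` types, which jackson-databind turned off by default in 2.12, so any JDK class with a one-arg constructor becomes instantiable again from a bare scalar in incoming JSON or YAML; if this mapper is applied to data from RPC callers or remote peers (not visible in the hunk), that is a deserialization-surface widening that should be justified rather than applied mapper-wide. The hunk carries no comment saying which types needed it, presumably the ones the Jackson tests exercised; please add one, e.g. `// Jackson 2.12+ no longer auto-detects 1-arg constructors on JDK types; re-enabled because <types> are built from their String constructor.`, and consider limiting the change to those types via explicit `@JsonCreator` mixins, which the surrounding `addMixIn` calls already do for X500Principal, X509Certificate and CertPath. The enclosing mapper-configuration block starts outside the hunk.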
--- a/client/jackson/src/main/kotlin/net/corda/client/jackson/internal/CordaModule.kt
+++ b/client/jackson/src/main/kotlin/net/corda/client/jackson/internal/CordaModule.kt
@@ -19,6 +19,7 @@ import com.fasterxml.jackson.databind.deser.BeanDeserializerModifier
 import com.fasterxml.jackson.databind.deser.ContextualDeserializer
 import com.fasterxml.jackson.databind.deser.std.DelegatingDeserializer
 import com.fasterxml.jackson.databind.deser.std.FromStringDeserializer
+import com.fasterxml.jackson.databind.introspect.AccessorNamingStrategy
 import com.fasterxml.jackson.databind.introspect.AnnotatedClass
 import com.fasterxml.jackson.databind.introspect.BasicClassIntrospector
 import com.fasterxml.jackson.databind.introspect.POJOPropertiesCollector
@@ -114,6 +115,14 @@ private class CordaSerializableClassIntrospector(private val context: Module.Set
 }
 return super.constructPropertyCollector(config, ac, type, forSerialization, mutatorPrefix)
 }
+
+ override fun constructPropertyCollector(config: MapperConfig<*>?, classDef: AnnotatedClass?, type: JavaType, forSerialization: Boolean, accNaming: AccessorNamingStrategy?): POJOPropertiesCollector {
+ if (hasCordaSerializable(type.rawClass)) {
+ // Adjust the field visibility of CordaSerializable classes on the fly as they are encountered.
+ context.configOverride(type.rawClass).visibility = Value.defaultVisibility().withFieldVisibility(Visibility.ANY)
+ }
+ return super.constructPropertyCollector(config, classDef, type, forSerialization, accNaming)
+ }
 }
 private class CordaSerializableBeanSerializerModifier : BeanSerializerModifier() {
From 641a47bf32b4d60eed50835d8c7c531c1e21e5d8 Mon Sep 17 00:00:00 2001
From: Chris Cochrane
Date: Thu, 20 Apr 2023 07:37:00 +0100
Subject: [PATCH 5/7] Upgraded shiro to address security issues
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index b7c9c01874..51cda8bfa3 100644
--- a/build.gradle
+++ b/build.gradle
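Review bot: The new `AccessorNamingStrategy` overload of `constructPropertyCollector` copies the visibility-override body of the older `mutatorPrefix` overload whose tail is visible just above it, so the two can now drift apart silently. Hoist the shared part into one private helper, `private fun applyCordaSerializableVisibility(type: JavaType) { if (hasCordaSerializable(type.rawClass)) context.configOverride(type.rawClass).visibility = Value.defaultVisibility().withFieldVisibility(Visibility.ANY) }`, and call it from both overrides. With the build now on jackson-databind 2.13, `BasicClassIntrospector` presumably only dispatches to the new overload, so the older one may be dead code kept for compatibility; a comment saying which overload the current Jackson actually calls would help whoever removes it. The enclosing `CordaSerializableClassIntrospector` class and the older override both start outside the hunk.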
@@ -109,7 +109,7 @@ buildscript {
 ext.beanutils_version = '1.9.3'
 ext.crash_version = '1.7.6'
 ext.jsr305_version = constants.getProperty("jsr305Version")
- ext.shiro_version = '1.4.1'
+ ext.shiro_version = '1.10.0'
 ext.artifactory_plugin_version = constants.getProperty('artifactoryPluginVersion')
 ext.hikari_version = '3.3.1'
 ext.liquibase_version = '3.6.3'
From fc758ab766ec5a0b2dcacce8db517f58d9cc701c Mon Sep 17 00:00:00 2001
From: Chris Cochrane <78791827+chriscochrane@users.noreply.github.com>
Date: Thu, 20 Apr 2023 17:14:23 +0100
Subject: [PATCH 6/7] Update build.gradle
Co-authored-by: Viktor Kolomeyko
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 3ac9411c1c..18fcdbcbe3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -61,7 +61,7 @@ buildscript {
 ext.asm_version = '7.1'
 ext.artemis_version = '2.6.2'
- // TODO Upgrade to Jackson 2.10+ only when corda is using kotlin 1.3.10
+ // TODO Upgrade to Jackson Kotlin 2.10+ only when corda is using kotlin 1.3.10
 ext.jackson_version = '2.13.5'
 ext.jackson_kotlin_version = '2.9.7'
 ext.jetty_version = '9.4.19.v20190610'
From e5a6cac9e87fef0a433e4e58df1f3bc741e5cde7 Mon Sep 17 00:00:00 2001
From: Chris Cochrane
Date: Fri, 21 Apr 2023 16:00:19 +0100
Subject: [PATCH 7/7] Flakey test fix
---
 .../node/services/events/ScheduledFlowIntegrationTests.kt | 7 ++++++-
 .../kotlin/net/corda/testMessage/ScheduledState.kt | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/node/src/integration-test/kotlin/net/corda/node/services/events/ScheduledFlowIntegrationTests.kt b/node/src/integration-test/kotlin/net/corda/node/services/events/ScheduledFlowIntegrationTests.kt
index fcb98096d7..09b2a5999a 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/events/ScheduledFlowIntegrationTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/events/ScheduledFlowIntegrationTests.kt
@@ -8,6 +8,7 @@ import net.corda.core.flows.*
 import net.corda.core.identity.Party
 import net.corda.core.internal.concurrent.transpose
 import net.corda.core.messaging.startFlow
+import net.corda.core.node.services.StatesNotAvailableException
 import net.corda.core.node.services.queryBy
 import net.corda.core.node.services.vault.QueryCriteria
 import net.corda.core.transactions.TransactionBuilder
@@ -69,7 +70,11 @@ class ScheduledFlowIntegrationTests {
 val state = results.states.firstOrNull() ?: return
 require(!state.state.data.processed) { "Cannot spend an already processed state" }
 val lock = UUID.randomUUID()
- serviceHub.vaultService.softLockReserve(lock, NonEmptySet.of(state.ref))
+ try {
+ serviceHub.vaultService.softLockReserve(lock, NonEmptySet.of(state.ref))
+ } catch (e: StatesNotAvailableException) {
+ return
+ }
 val notary = state.state.notary
 val outputState = SpentState(identity, ourIdentity, state.state.data.destination)
 val builder = TransactionBuilder(notary)
diff --git a/node/src/integration-test/kotlin/net/corda/testMessage/ScheduledState.kt b/node/src/integration-test/kotlin/net/corda/testMessage/ScheduledState.kt
index 688be4fd33..cd6c99af46 100644
--- a/node/src/integration-test/kotlin/net/corda/testMessage/ScheduledState.kt
+++ b/node/src/integration-test/kotlin/net/corda/testMessage/ScheduledState.kt
@@ -4,6 +4,7 @@ import co.paralleluniverse.fibers.Suspendable
 import net.corda.core.contracts.*
 import net.corda.core.flows.*
 import net.corda.core.identity.Party
+import net.corda.core.node.services.StatesNotAvailableException
 import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.NonEmptySet
 import net.corda.testing.contracts.DummyContract
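Review bot: The new `catch (e: StatesNotAvailableException) { return }` exits the test flow silently, so a run that bails because the state is unavailable for some unrelated reason is indistinguishable from the benign race with a concurrent scheduled run that this is presumably meant to tolerate, and the test can then pass without ever spending the state. A comment on the catch stating the assumption, `// Another run of this scheduled flow has already soft-locked the state; let it complete the spend.`, plus a `logger.debug` line naming `state.ref`, would make the intent checkable, and an assertion elsewhere in the test that the state still ends up processed would confirm the race really is benign (ignore this if the test already does so outside the hunk). The flow body this sits in starts and ends outside the hunk.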
@@ -25,7 +26,11 @@ class ScheduledFlow(private val stateRef: StateRef) : FlowLogic() {
 }
 require(!scheduledState.processed) { "State should not have been previously processed" }
 val lock = UUID.randomUUID()
- serviceHub.vaultService.softLockReserve(lock, NonEmptySet.of(state.ref))
+ try {
+ serviceHub.vaultService.softLockReserve(lock, NonEmptySet.of(state.ref))
+ } catch (e: StatesNotAvailableException) {
+ return
+ }
 val notary = state.state.notary
 val newStateOutput = scheduledState.copy(processed = true)
 val builder = TransactionBuilder(notary)
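Review bot: The same silent `return` on `StatesNotAvailableException` is added to `ScheduledFlow`, where `state` and `scheduledState` were already loaded before the reservation, so a failed soft-lock is the only remaining signal that a second run is racing this one; swallowing it with no log line leaves nothing in the node log to tell the expected race from a state that is genuinely unavailable. Add a comment such as `// Lost the soft-lock race to another ScheduledFlow run; nothing left to do for this state.` and log `stateRef` at debug before returning, and since `e` is otherwise unused the comment is also what justifies ignoring it. The enclosing flow method begins before the hunk and continues after it.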