iilyak
commented
2 years ago I am not sure it works as intended. The project has references to classes within org.apache.lucene:lucene-queryparser package. See for example here:
This means we cannot exclude the package completely. However the instructions in distribution.xml say to remove it completely.
Here is the result of my testing:
❯ git log --oneline -n 1
9ed5805 (HEAD -> github/pr/43) Remove CVE-implicated xml parser class
❯ mvn
....
[INFO] --- maven-assembly-plugin:2.3:single (default) @ clouseau ---
[INFO] Reading assembly descriptor: src/main/assembly/distribution.xml
[INFO] Building zip: /Users/iilyak@ca.ibm.com/dev/clouseau/target/clouseau-2.19.1-SNAPSHOT.zip
[INFO] Building tar: /Users/iilyak@ca.ibm.com/dev/clouseau/target/clouseau-2.19.1-SNAPSHOT.tar.gz
❯ unzip -l target/clouseau-2.19.1-SNAPSHOT.zip | grep queryparser
[nothing]While on master I am getting
❯ unzip -l target/clouseau-2.19.1-SNAPSHOT.zip | grep queryparser
383927 11-05-2021 05:11 clouseau-2.19.1-SNAPSHOT/lucene-queryparser-4.6.1.jarI don't know what correct syntax for distribution.xml is needed to exclude a single class file.
rnewson
tonysun83
The CoreParser class of lucene-queryparser's xml parser has an open CVE (CVE-2017-12629). This code is unreachable and unexploitable unless someone were to change Clouseau to permit users to submit queries in XML form.
We're removing the class anyway as we don't use it and never intend to.