search

metosin / compojure-api

Sweet web apis with Compojure & Swagger
http://metosin.github.io/compojure-api/doc/
Eclipse Public License 1.0
1.11k stars 149 forks source link

Vulnerability issue in dependent lib #451

Open eydevelopment opened 3 years ago

eydevelopment commented 3 years ago

WhiteSource flagged vulnerability issue in one of the dependent libraries - jackson-databind version 2.10.1

Following is the maven dependency tree for ring-defaults: [INFO] +- metosin:compojure-api:jar:2.0.0-alpha31:compile [INFO] | +- potemkin:potemkin:jar:0.4.5:compile [INFO] | | +- (clj-tuple:clj-tuple:jar:0.2.2:compile - omitted for duplicate) [INFO] | | - (riddley:riddley:jar:0.1.12:compile - omitted for conflict with 0.1.14) [INFO] | +- prismatic:schema:jar:1.1.12:compile [INFO] | +- prismatic:plumbing:jar:0.5.5:compile [INFO] | | +- (prismatic:schema:jar:1.1.7:compile - omitted for conflict with 1.1.12) [INFO] | | - de.kotka:lazymap:jar:3.1.0:compile [INFO] | +- ikitommi:linked:jar:1.3.1-alpha1:compile [INFO] | +- metosin:muuntaja:jar:0.6.6:compile [INFO] | | +- metosin:jsonista:jar:0.2.5:compile [INFO] | | | +- (com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile - omitted for conflict with 2.10.1) [INFO] | | | - com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.0:compile [INFO] | | | +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.10.0:compile - omitted for duplicate) [INFO] | | | +- (com.fasterxml.jackson.core:jackson-core:jar:2.10.0:compile - omitted for conflict with 2.9.0) [INFO] | | | - (com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile - omitted for duplicate) [INFO] | | - com.cognitect:transit-clj:jar:0.8.319:compile [INFO] | | - com.cognitect:transit-java:jar:0.8.337:compile [INFO] | | +- (com.fasterxml.jackson.core:jackson-core:jar:2.8.7:compile - omitted for conflict with 2.9.0) [INFO] | | +- org.msgpack:msgpack:jar:0.6.12:compile [INFO] | | | +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile [INFO] | | | - org.javassist:javassist:jar:3.18.1-GA:compile [INFO] | | +- (commons-codec:commons-codec:jar:1.6:compile - omitted for conflict with 1.11) [INFO] | | - javax.xml.bind:jaxb-api:jar:2.3.0:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.10.1:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.10.1:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.1:compile [INFO] | | | +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile - omitted for duplicate) [INFO] | | | - (com.fasterxml.jackson.core:jackson-core:jar:2.10.1:compile - omitted for duplicate) [INFO] | | - (joda-time:joda-time:jar:2.9.9:compile - omitted for conflict with 2.10.5)

...

This is the whitesource complain: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

References: https://github.com/FasterXML/jackson-databind/issues/2589 https://bugzilla.redhat.com/show_bug.cgi?id=1887664 https://github.com/FasterXML/jackson-databind/issues/2589

We tried to update the version of jackson-databind to 2.11.0 and run through the whitesource, and it went through successfully.

Would it be possible for you to update the version of jackson-databind in "compojure-api"? If yes, how soon can you provide updated build?

Also, from the above dep tree you can see that metosin:jsonista:jar:0.2.5 also used jackson-databind. Probably, that one also needs to be changed..?

FYI: I know that similar ticket exists - https://github.com/metosin/compojure-api/issues/433 . But, it's description is a bit different than mine, that's why opening new one.