MockServer enables easy mocking of any system you integrate with via HTTP or HTTPS with clients written in Java, JavaScript and Ruby. MockServer also includes a proxy that introspects all proxied traffic including encrypted SSL traffic and supports Port Forwarding, Web Proxying (i.e. HTTP proxy), HTTPS Tunneling Proxying (using HTTP CONNECT) and SOCKS Proxying (i.e. dynamic port forwarding).
Describe the issue
When using mockserver-netty@5.14.0, I'm having a vulnerability issue reported.
What you are trying to do
mockserver-netty@5.14.0
MockServer version
The version you are using (i.e. 5.14.0)
To Reproduce
Run a vulnerability check.
How you are running MockServer (i.e. maven plugin, docker, etc)
gradle
Code you used to create expectations.
none
What error you saw:
Issues with no direct upgrade or patch:
✗ XML External Entity (XXE) Injection
[High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGMOZILLA-1314295] in org.mozilla:rhino@1.7.7.2
introduced by org.mock-server:mockserver-netty@5.14.0 > org.mock-server:mockserver-core@5.14.0 >
io.swagger.parser.v3:swagger-parser@2.1.2 > io.swagger.parser.v3:swagger-parser-v2-converter@2.1.2 >
io.swagger:swagger-compat-spec-parser@1.0.61 > com.github.java-json-tools:json-schema-validator@2.2.14 >
com.github.java-json-tools:json-schema-core@1.2.14 > org.mozilla:rhino@1.7.7.2 and 3 other path(s)
This issue was fixed in versions: 1.7.12
**Expected behaviour**
I saw that in the parent pom.xml this was supposed to be fixed, but it seems it is not.
```xml
<!-- open api -->
<dependency>
  <groupId>io.swagger.parser.v3</groupId>
  <artifactId>swagger-parser</artifactId>
  <version>2.1.7</version>
  <exclusions>
    <exclusion>
      <groupId>com.github.fge</groupId>
      <artifactId>json-patch</artifactId>
    </exclusion>
    <exclusion>
      <groupId>javax.validation</groupId>
      <artifactId>validation-api</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<!-- used by swagger-parser force version due to CVEs -->
<dependency>
  <groupId>org.mozilla</groupId>
  <artifactId>rhino</artifactId>
  <version>1.7.14</version>
</dependency>
```
MockServer Log
Log output, as INFO level (or lower)
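The report above names swagger-parser 2.1.2 in the resolved path, while the quoted pom pins swagger-parser 2.1.7 and rhino 1.7.14, so the quoted pom is not necessarily the one that shipped with the 5.14.0 artifacts; what matters for a consumer is the graph its own build resolves. The following Gradle build script is an added example (not from the issue and not MockServer's own code) showing how a consumer of mockserver-netty can lift org.mozilla:rhino to the 1.7.14 version the page names and fail the build if any classpath still resolves a version below 1.7.12, the fix version quoted in the report. It assumes the Groovy DSL, the `java` plugin, and that MockServer is pulled in as a test dependency; the configuration name and the `rhinoMinimum` helper are assumptions for the example.

```groovy
// build.gradle (Groovy DSL) of a project that consumes MockServer.
// Added example, not part of the issue or of the MockServer project.
// Assumption: the consumer applies the 'java' plugin and pulls MockServer in
// as a test dependency; adjust the configuration name if you use another one.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    testImplementation 'org.mock-server:mockserver-netty:5.14.0'

    // Raise org.mozilla:rhino to 1.7.14 (the version the MockServer parent
    // pom forces) wherever it is reached transitively. A constraint never
    // adds rhino to the graph on its own; it only lifts the version when some
    // other dependency (here json-schema-core via swagger-parser) brings it in.
    constraints {
        testImplementation('org.mozilla:rhino:1.7.14') {
            because 'rhino 1.7.7.2 is flagged for XXE (SNYK-JAVA-ORGMOZILLA-1314295); fixed in 1.7.12'
        }
    }
}

// Minimum acceptable rhino version, per the advisory quoted in the issue
// (assumed threshold for this example).
def rhinoMinimum = [1, 7, 12]

// Compare dotted numeric versions component-wise, e.g. [1,7,7,2] vs [1,7,12].
int compareVersions(List<Integer> a, List<Integer> b) {
    int n = Math.max(a.size(), b.size())
    for (int i = 0; i < n; i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < b.size() ? b[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Fail resolution of any classpath that still ends up with a vulnerable rhino,
// so a later dependency bump cannot silently bring 1.7.7.2 back.
configurations.configureEach { config ->
    if (config.canBeResolved) {
        config.incoming.afterResolve { resolvable ->
            resolvable.resolutionResult.allComponents { component ->
                def mv = component.moduleVersion
                if (mv != null && mv.group == 'org.mozilla' && mv.name == 'rhino') {
                    def parts = mv.version.tokenize('.').findAll { it.isInteger() }*.toInteger()
                    if (compareVersions(parts, rhinoMinimum) < 0) {
                        throw new GradleException(
                            "${config.name} resolves org.mozilla:rhino:${mv.version}; " +
                            "1.7.12 or newer is required")
                    }
                }
            }
        }
    }
}
```

To see which rhino version a configuration actually selects and why, run `gradle dependencyInsight --configuration testRuntimeClasspath --dependency org.mozilla:rhino`; with the constraint in place the output attributes the selected 1.7.14 to it. The constraint is preferred over `resolutionStrategy.force` because it only raises the version and is recorded in the resolution result, whereas `force` also downgrades and hides the reason. A Maven consumer gets the same effect by declaring org.mozilla:rhino 1.7.14 in its own `<dependencyManagement>`, which Maven applies to the whole transitive graph; a `<dependencyManagement>` entry in a library's parent pom does not reach the consumer's build the same way, which is why the check above looks at the resolved graph rather than at the pom text.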