Closed eydevelopment closed 3 years ago
Ring already uses commons-fileupload 1.4, but this project has a dependency on an older version of Ring. I can certainly do a quick update to the dependencies of this project and update Ring.
However, I don't believe this issue would result in a vulnerability, as the InputStream from the request body will be closed on uncaught exceptions by the servlet container.
Thank you for the quick response! It would be really helpful if you could check the deps. I see - it seems WhiteSource was not able to work out that flow - the InputStream from the request body will be closed on uncaught exceptions by the servlet container.
Okay, released 0.3.3.
That was quick! Thanks much, @weavejester !
WhiteSource flagged a vulnerability issue in one of the dependent libraries, commons-fileupload version 1.3.3.
Following is the Maven dependency tree for ring-defaults:
[INFO] +- ring:ring-defaults:jar:0.3.2:compile
[INFO] |  +- (org.clojure:clojure:jar:1.5.1:compile - omitted for conflict with 1.10.1)
[INFO] |  +- ring:ring-core:jar:1.6.3:compile
[INFO] |  |  +- (org.clojure:clojure:jar:1.5.1:compile - omitted for conflict with 1.10.1)
[INFO] |  |  +- ring:ring-codec:jar:1.0.1:compile
[INFO] |  |  |  +- (org.clojure:clojure:jar:1.3.0:compile - omitted for conflict with 1.10.1)
[INFO] |  |  |  - (commons-codec:commons-codec:jar:1.6:compile - omitted for conflict with 1.10)
[INFO] |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  +- commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO] |  |  |  - (commons-io:commons-io:jar:2.2:compile - omitted for conflict with 2.5)
...
This is the WhiteSource complaint: The class FileUploadBase in Apache Commons Fileupload before 1.4 has a potential resource leak - InputStream not closed on exception.
References:
https://commons.apache.org/proper/commons-fileupload/changes-report.html
https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814
We tried updating the version of commons-fileupload to 1.4 and ran it through WhiteSource, and it went through successfully.
Would it be possible for you to update the version of commons-fileupload in "ring"? If yes, how soon can you provide an updated build?
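The question in this issue comes down to which commons-fileupload version actually ends up on the classpath once Maven's nearest-wins resolution has discarded the parenthesised "omitted for conflict" entries. The script below is an added example, not code from the issue, from Ring, or from WhiteSource: it parses `mvn dependency:tree` output, skips omitted entries, and reports whether the resolved commons-fileupload is older than 1.4, the release the changes report names as the fix. The embedded sample tree is constructed from the tree quoted above, and the function names are my own.

```python
"""Report the resolved commons-fileupload version from `mvn dependency:tree` output."""
import re
import sys

# Constructed sample, modelled on the tree quoted in this issue (not the full real output).
SAMPLE_TREE = """\
[INFO] +- ring:ring-defaults:jar:0.3.2:compile
[INFO] |  +- (org.clojure:clojure:jar:1.5.1:compile - omitted for conflict with 1.10.1)
[INFO] |  +- ring:ring-core:jar:1.6.3:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  +- commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO] |  |  |  \\- (commons-io:commons-io:jar:2.2:compile - omitted for conflict with 2.5)
"""

FIXED_VERSION = "1.4"  # first release without the FileUploadBase leak, per the changes report


def parse_tree(text):
    """Yield (group, artifact, version, omitted) for every coordinate line in the tree."""
    for line in text.splitlines():
        body = line.split("]", 1)[1] if line.startswith("[INFO]") else line
        body = body.strip(" |+\\-")          # drop the tree-drawing glyphs
        omitted = body.startswith("(")       # Maven parenthesises entries it did not select
        body = body.strip("()")
        parts = body.split(":")
        if len(parts) < 5:                   # group:artifact:type[:classifier]:version:scope
            continue
        # The scope field is last; on omitted lines it also carries the "omitted for ..." text.
        yield parts[0], parts[1], parts[-2], omitted


def version_tuple(version):
    """Crude numeric comparison key: '1.3.3' -> (1, 3, 3); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))


def below_fixed(version, fixed=FIXED_VERSION):
    """True if `version` sorts before the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def resolved_version(text, group, artifact):
    """Version Maven actually resolves for group:artifact (first non-omitted hit), or None."""
    for g, a, v, omitted in parse_tree(text):
        if (g, a) == (group, artifact) and not omitted:
            return v
    return None


def findings(text, fixed=FIXED_VERSION):
    """List (group:artifact, version) for resolved commons-fileupload entries older than `fixed`."""
    out = []
    for g, a, v, omitted in parse_tree(text):
        if (g, a) == ("commons-fileupload", "commons-fileupload") and not omitted and below_fixed(v, fixed):
            out.append((f"{g}:{a}", v))
    return out


if __name__ == "__main__":
    # Read a real tree from stdin, e.g. `mvn dependency:tree | python this_script.py`;
    # fall back to the constructed sample when run interactively.
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    hits = findings(tree)
    if hits:
        for coord, ver in hits:
            print(f"{coord}:{ver} is older than {FIXED_VERSION}")
        sys.exit(1)
    print("commons-fileupload is absent or at least", FIXED_VERSION)
```

Run it on the output of `mvn dependency:tree` from a project that consumes ring-defaults; a non-zero exit makes it usable as a build gate. The parser only understands Maven's tree format, so for a Leiningen project you would export the tree via Maven or adapt the glyph-stripping step to `lein deps :tree` output. The version comparison is deliberately simple and treats qualifiers such as SNAPSHOT as zero.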