ring-clojure / ring-defaults

A library to provide sensible Ring middleware defaults
MIT License

Vulnerability issue in dependent lib #37

Closed eydevelopment closed 3 years ago

eydevelopment commented 3 years ago

WhiteSource flagged a vulnerability issue in one of the dependent libraries - commons-fileupload version 1.3.3.

Following is the maven dependency tree for ring-defaults:

[INFO] +- ring:ring-defaults:jar:0.3.2:compile
[INFO] |  +- (org.clojure:clojure:jar:1.5.1:compile - omitted for conflict with 1.10.1)
[INFO] |  +- ring:ring-core:jar:1.6.3:compile
[INFO] |  |  +- (org.clojure:clojure:jar:1.5.1:compile - omitted for conflict with 1.10.1)
[INFO] |  |  +- ring:ring-codec:jar:1.0.1:compile
[INFO] |  |  |  +- (org.clojure:clojure:jar:1.3.0:compile - omitted for conflict with 1.10.1)
[INFO] |  |  |  \- (commons-codec:commons-codec:jar:1.6:compile - omitted for conflict with 1.10)
[INFO] |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  +- commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO] |  |  |  \- (commons-io:commons-io:jar:2.2:compile - omitted for conflict with 2.5)
...

This is the WhiteSource complaint: The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.

References: https://commons.apache.org/proper/commons-fileupload/changes-report.html https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814

We tried to update the version of commons-fileupload to 1.4 and ran it through WhiteSource, and it went through successfully.

Would it be possible for you to update the version of commons-fileupload in "ring"? If yes, how soon can you provide an updated build?

weavejester commented 3 years ago

Ring already uses commons-fileupload 1.4, but this project has a dependency on an older version of Ring. I can certainly do a quick update to the dependencies of this project and update Ring.

However, I don't believe this issue would result in a vulnerability, as the InputStream from the request body will be closed on uncaught exceptions by the servlet container.

eydevelopment commented 3 years ago

Thank you for the quick response! It would be really helpful if you could check the deps. I see - it seems like WhiteSource was not able to find out that flow - the InputStream from the request body will be closed on uncaught exceptions by the servlet container.

weavejester commented 3 years ago

Okay, released 0.3.3.

eydevelopment commented 3 years ago

That was quick! Thanks much, @weavejester!