CVE Fix: Update json-path version #15772

Merged: 13 commits, Feb 15, 2024

@pagrawal10 pagrawal10 commented Jan 29, 2024

Description

Apache Druid brings the dependency json-path which is affected by CVE-2023-51074.
Its latest version 2.9.0 fixes the above CVE.
This PR modifies pom file, license file, OrcReaderTest and OWASP Dependency Check suppression file.
Append function has been added to json-path and so the unit test to check for the append function not present has been removed.

Release Note:

JSON-Path upgrade now allows append functionality. However, we do not support json-path append function for ORC format (see #11722). Earlier, if the user tried to use the JsonPath function append, it would not have appended the item, but now the same function will return an exception. We are overriding the parse function used when append is invoked. So, row.getDimension("append") results in java.lang.UnsupportedOperationException: Unused coming from

druid/processing/src/main/java/org/apache/druid/java/util/common/parsers/FlattenerJsonProvider.java

This is a potential issue to watch out for when upgrading.



This PR has:
  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.
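
A pre-upgrade check for the behaviour change described in the release note, added here as an example (not code from this PR or from the Druid project): it walks a parsed ingestion spec and lists every `flattenSpec` field of type `path` whose JSONPath expression calls `append(`. The function name `find_append_exprs` and the sample spec are constructed for illustration, and the check reports such expressions in any `flattenSpec`, not only under an ORC input format.

```python
import json
import re

# A JSONPath function call of the form `.append(` anywhere in the expression.
APPEND_CALL = re.compile(r"\.append\s*\(")


def find_append_exprs(node, path="$"):
    """Return (location, field name, expr) for each flattenSpec field of
    type "path" whose expression calls append()."""
    hits = []
    if isinstance(node, dict):
        flatten = node.get("flattenSpec")
        if isinstance(flatten, dict):
            for i, field in enumerate(flatten.get("fields") or []):
                if not isinstance(field, dict) or field.get("type") != "path":
                    continue
                expr = field.get("expr", "")
                if isinstance(expr, str) and APPEND_CALL.search(expr):
                    where = f"{path}.flattenSpec.fields[{i}]"
                    hits.append((where, field.get("name"), expr))
        # Keep walking: specs nest inputFormat/parser blocks at several depths.
        for key, value in node.items():
            hits.extend(find_append_exprs(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_append_exprs(value, f"{path}[{i}]"))
    return hits


# Constructed sample ingestion spec (not taken from the PR).
SAMPLE_SPEC = json.loads("""
{"type": "index_parallel",
 "spec": {"ioConfig": {"inputFormat": {
   "type": "orc",
   "flattenSpec": {
     "useFieldDiscovery": true,
     "fields": [
       {"type": "path", "name": "first", "expr": "$.items[0]"},
       {"type": "path", "name": "append", "expr": "$.items.append(1)"},
       {"type": "root", "name": "ts"}
     ]}}}}}
""")

if __name__ == "__main__":
    for where, name, expr in find_append_exprs(SAMPLE_SPEC):
        print(f"{where}: field {name!r} uses append(): {expr}")
```
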

Comment on lines 317 to 318
//Support for append has been added in json-path-2.9.0
//Assert.assertEquals(Collections.emptyList(), row.getDimension("append"));
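Review bot: the assertion at line 318 is commented out rather than replaced, so the `append` expression in this test is no longer checked at all. Since `row.getDimension("append")` now throws `java.lang.UnsupportedOperationException`, assert that the exception is thrown and delete the commented-out line, so the behaviour change stays pinned by the test.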
Member

if append is now supported, then let's update the test to check that it does what it needs to do.

Contributor Author

row.getDimension("append") results in java.lang.UnsupportedOperationException: Unused coming from

as we have overridden the parse function.

Contributor Author

Therefore, while the upstream has added the capability of append, we are not using it.

Member

understood, but there are two issues here:

  1. as a principle we don't leave commented code unless there's a very good reason.
  2. This is potentially a breaking change. Any json-path expression using append today would have silently been ignored, but would now cause an error.

My suggestion would be to:

  1. update the test to check that we do get the exception
  2. make a note in the PR description that we should call this out in the release notes as a potential issue to watch out for when upgrading.

Contributor Author

Updated

pagrawal10 and others added 2 commits February 9, 2024 09:17
…data/input/orc/OrcReaderTest.java

Co-authored-by: Xavier Léauté <[email protected]>
…data/input/orc/OrcReaderTest.java

Co-authored-by: Xavier Léauté <[email protected]>
xvrl commented Feb 15, 2024

I tried rerunning the flaky test. Didn’t seem to help. Since the failure doesn’t appear to be related I’m ok merging this.

@xvrl xvrl merged commit 495e66f into apache:master Feb 15, 2024
88 of 89 checks passed
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Feb 15, 2024
Apache Druid brings the dependency json-path which is affected by CVE-2023-51074.
Its latest version 2.9.0 fixes the above CVE.

Append function has been added to json-path and so the unit test to check for the append function not present has been updated.

---------

Co-authored-by: Xavier Léauté <[email protected]>
sreemanamala pushed a commit to sreemanamala/druid that referenced this pull request Feb 20, 2024
Apache Druid brings the dependency json-path which is affected by CVE-2023-51074.
Its latest version 2.9.0 fixes the above CVE.

Append function has been added to json-path and so the unit test to check for the append function not present has been updated.

---------

Co-authored-by: Xavier Léauté <[email protected]>
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Mar 8, 2024
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)

* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage

* CVE Fix: Update json-path version (apache#15772)

Apache Druid brings the dependency json-path which is affected by CVE-2023-51074.
Its latest version 2.9.0 fixes the above CVE.

Append function has been added to json-path and so the unit test to check for the append function not present has been updated.

---------

Co-authored-by: Xavier Léauté <[email protected]>

* Update protocol for MemcachedCache (apache#16035)

---------

Co-authored-by: Keerthana Srikanth <[email protected]>
Co-authored-by: Xavier Léauté <[email protected]>
@adarshsanjeev adarshsanjeev added this to the 30.0.0 milestone May 6, 2024