Fix for Jongo 1.3.0 depending on Jackson-databind 2.7.3 which is affe…

…cted by CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-5968 The issue and pull request has been submitted to Jongo project, but not yet part of a release: bguerout/jongo#327 In the meantime, the fix is to force version of dependency jackson-databind to 2.9.4.
authzforce · Feb 16, 2018 · d09f861 · d09f861
1 parent 17217f0
commit d09f861
Show file tree

Hide file tree

Showing 5 changed files with 167 additions and 89 deletions.
diff --git a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/BasePdpEngine.java b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/BasePdpEngine.java
@@ -177,14 +177,14 @@ private IssuedToNonIssuedAttributeCopyingRequestBuilder(final int expectedNumOfA
 		}
 
 		@Override
-		public Bag<?> putNamedAttributeIfAbsent(final AttributeFqn AttributeFqn, final AttributeBag<?> attributeValues)
+		public Bag<?> putNamedAttributeIfAbsent(final AttributeFqn attributeFqn, final AttributeBag<?> attributeValues)
 		{
 			/*
 			 * Put the non-issued version of the attribute first
 			 */
-			final AttributeFqn nonAttributeFqn = AttributeFqns.newInstance(AttributeFqn.getCategory(), Optional.empty(), AttributeFqn.getId());
+			final AttributeFqn nonAttributeFqn = AttributeFqns.newInstance(attributeFqn.getCategory(), Optional.empty(), attributeFqn.getId());
 			super.putNamedAttributeIfAbsent(nonAttributeFqn, attributeValues);
-			return super.putNamedAttributeIfAbsent(AttributeFqn, attributeValues);
+			return super.putNamedAttributeIfAbsent(attributeFqn, attributeValues);
 		}
 	}
 
@@ -255,9 +255,9 @@ public IndividualDecisionRequestContext(final Map<AttributeFqn, AttributeBag<?>>
 
 		/** {@inheritDoc} */
 		@Override
-		public <AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(final AttributeFqn AttributeFqn, final BagDatatype<AV> attributeBagDatatype) throws IndeterminateEvaluationException
+		public <AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(final AttributeFqn attributeFqn, final BagDatatype<AV> attributeBagDatatype) throws IndeterminateEvaluationException
 		{
-			final AttributeBag<?> bagResult = namedAttributes.get(AttributeFqn);
+			final AttributeBag<?> bagResult = namedAttributes.get(attributeFqn);
 			if (bagResult == null)
 			{
 				return null;
@@ -270,7 +270,7 @@ public <AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(final
 						"Datatype ("
 								+ bagResult.getElementDatatype()
 								+ ") of AttributeDesignator "
-								+ AttributeFqn
+								+ attributeFqn
 								+ " in context is different from expected/requested ("
 								+ expectedElementDatatype
 								+ "). May be caused by refering to the same Attribute Category/Id/Issuer with different Datatypes in different policy elements and/or attribute providers, which is not allowed.",
@@ -281,26 +281,26 @@ public <AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(final
 			 * If datatype classes match, bagResult should have same type as datatypeClass.
 			 */
 			final AttributeBag<AV> result = (AttributeBag<AV>) bagResult;
-			this.listeners.forEach((lt, l) -> l.namedAttributeValueConsumed(AttributeFqn, result));
+			this.listeners.forEach((lt, l) -> l.namedAttributeValueConsumed(attributeFqn, result));
 			return result;
 		}
 
 		@Override
-		public boolean putNamedAttributeValueIfAbsent(final AttributeFqn AttributeFqn, final AttributeBag<?> result)
+		public boolean putNamedAttributeValueIfAbsent(final AttributeFqn attributeFqn, final AttributeBag<?> result)
 		{
-			final Bag<?> duplicate = namedAttributes.putIfAbsent(AttributeFqn, result);
+			final Bag<?> duplicate = namedAttributes.putIfAbsent(attributeFqn, result);
 			if (duplicate != null)
 			{
 				/*
 				 * This should never happen, as getAttributeDesignatorResult() should have been called first (for same id) and returned this oldResult, and no further call to
 				 * putAttributeDesignatorResultIfAbsent() in this case. In any case, we do not support setting a different result for same id (but different datatype URI/datatype class) in the same
 				 * context
 				 */
-				LOGGER.warn("Attempt to override value of AttributeDesignator {} already set in evaluation context. Overriding value: {}", AttributeFqn, result);
+				LOGGER.warn("Attempt to override value of AttributeDesignator {} already set in evaluation context. Overriding value: {}", attributeFqn, result);
 				return false;
 			}
 
-			this.listeners.forEach((lt, l) -> l.namedAttributeValueProduced(AttributeFqn, result));
+			this.listeners.forEach((lt, l) -> l.namedAttributeValueProduced(attributeFqn, result));
 			/*
 			 * Attribute value cannot change during evaluation context, so if old value already there, put it back
 			 */