Merge pull request #551 from mbfreder/commons

Remove commons-fileupload
aws · May 19, 2023 · 51ea4a4 · 51ea4a4
2 parents 04d8509 + ac04f4c
commit 51ea4a4
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 53 deletions.
diff --git a/aws-serverless-java-container-core/pom.xml b/aws-serverless-java-container-core/pom.xml
@@ -67,9 +67,9 @@
         </dependency>
 
         <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-fileupload2</artifactId>
-            <version>2.0-SNAPSHOT</version>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.12.0</version>
         </dependency>
 
         <dependency>

diff --git a/.../src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsHttpServletRequest.java b/.../src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsHttpServletRequest.java
@@ -22,11 +22,6 @@
 import com.amazonaws.serverless.proxy.model.MultiValuedTreeMap;
 import com.amazonaws.services.lambda.runtime.Context;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-import org.apache.commons.fileupload2.FileItem;
-import org.apache.commons.fileupload2.FileUploadException;
-import org.apache.commons.fileupload2.disk.DiskFileItemFactory;
-import org.apache.commons.fileupload2.jaksrvlt.JakSrvltFileUpload;
-import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.input.NullInputStream;
 import org.slf4j.Logger;
@@ -508,39 +503,7 @@ protected Map<String, List<String>> getFormUrlEncodedParametersMap() {
 
     @SuppressFBWarnings({"FILE_UPLOAD_FILENAME", "WEAK_FILENAMEUTILS"})
     protected Map<String, Part> getMultipartFormParametersMap() {
-        if (multipartFormParameters != null) {
-            return multipartFormParameters;
-        }
-        if (!JakSrvltFileUpload.isMultipartContent(this)) { // isMultipartContent also checks the content type
-            multipartFormParameters = new HashMap<>();
-            return multipartFormParameters;
-        }
-        Timer.start("SERVLET_REQUEST_GET_MULTIPART_PARAMS");
-        multipartFormParameters = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
-
-        JakSrvltFileUpload upload = new JakSrvltFileUpload(new DiskFileItemFactory());
-
-        try {
-            List<FileItem> items = upload.parseRequest(this);
-            for (FileItem item : items) {
-                String fileName = FilenameUtils.getName(item.getName());
-                AwsProxyRequestPart newPart = new AwsProxyRequestPart(item.get());
-                newPart.setName(item.getFieldName());
-                newPart.setSubmittedFileName(fileName);
-                newPart.setContentType(item.getContentType());
-                newPart.setSize(item.getSize());
-                item.getHeaders().getHeaderNames().forEachRemaining(h -> {
-                    newPart.addHeader(h, item.getHeaders().getHeader(h));
-                });
-
-                multipartFormParameters.put(item.getFieldName(), newPart);
-            }
-        } catch (FileUploadException e) {
-            Timer.stop("SERVLET_REQUEST_GET_MULTIPART_PARAMS");
-            log.error("Could not read multipart upload file", e);
-        }
-        Timer.stop("SERVLET_REQUEST_GET_MULTIPART_PARAMS");
-        return multipartFormParameters;
+        throw new UnsupportedOperationException();
     }
 
     protected String[] getQueryParamValues(MultiValuedTreeMap<String, String> qs, String key, boolean isCaseSensitive) {

diff --git a/...a/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequestFormTest.java b/...a/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequestFormTest.java
@@ -7,7 +7,8 @@
 import org.apache.commons.io.IOUtils;
 import org.apache.hc.core5.http.ContentType;
 import org.apache.hc.core5.http.HttpEntity;
-import org.apache.hc.client5.http.entity.mime.MultipartEntityBuilder;;
+import org.apache.hc.client5.http.entity.mime.MultipartEntityBuilder;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 import jakarta.servlet.ServletException;
@@ -51,6 +52,7 @@ public class AwsProxyHttpServletRequestFormTest {
                                                                                   .build();
     private static final String ENCODED_FORM_ENTITY = PART_KEY_1 + "=" + ENCODED_VALUE + "&" + PART_KEY_2 + "=" + PART_VALUE_2;
 
+    @Disabled("Disabled until new release of commons-fileupload based on Jakarta APIs")
     @Test
     void postForm_getParam_getEncodedFullValue() {
         try {
@@ -67,6 +69,7 @@ void postForm_getParam_getEncodedFullValue() {
         }
     }
 
+    @Disabled("Disabled until new release of commons-fileupload based on Jakarta APIs")
     @Test
     void postForm_getParts_parsing() {
         try {
@@ -86,6 +89,7 @@ void postForm_getParts_parsing() {
         }
     }
 
+    @Disabled("Disabled until new release of commons-fileupload based on Jakarta APIs")
     @Test
     void multipart_getParts_binary() {
         try {

diff --git a/...c/test/java/com/amazonaws/serverless/proxy/internal/testutils/AwsProxyRequestBuilder.java b/...c/test/java/com/amazonaws/serverless/proxy/internal/testutils/AwsProxyRequestBuilder.java
@@ -155,12 +155,7 @@ public AwsProxyRequestBuilder form(String key, String value) {
     }
 
     public AwsProxyRequestBuilder formFilePart(String fieldName, String fileName, byte[] content) throws IOException {
-        if (multipartBuilder == null) {
-            multipartBuilder = MultipartEntityBuilder.create();
-        }
-        multipartBuilder.addPart(fieldName, new ByteArrayBody(content, fileName));
-        buildMultipartBody();
-        return this;
+        throw new UnsupportedOperationException();
     }
 
     public AwsProxyRequestBuilder formTextFieldPart(String fieldName, String fieldValue)

diff --git a/...r-jersey/src/test/java/com/amazonaws/serverless/proxy/jersey/JerseyParamEncodingTest.java b/...r-jersey/src/test/java/com/amazonaws/serverless/proxy/jersey/JerseyParamEncodingTest.java
@@ -263,6 +263,7 @@ void queryParam_listOfString_expectCorrectLength(String reqType) {
         validateSingleValueModel(resp, "3");
     }
 
+    @Disabled("Disabled until new release of commons-fileupload based on Jakarta APIs")
     @MethodSource("data")
     @ParameterizedTest
     void multipart_getFileSize_expectCorrectLength(String reqType)

diff --git a/...tainer-spring/src/test/java/com/amazonaws/serverless/proxy/spring/SpringAwsProxyTest.java b/...tainer-spring/src/test/java/com/amazonaws/serverless/proxy/spring/SpringAwsProxyTest.java
@@ -19,6 +19,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.codec.binary.Base64;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.springframework.web.servlet.DispatcherServlet;
@@ -468,6 +469,7 @@ void contextPath_generateLink_returnsCorrectPath(String reqType) {
         SpringLambdaContainerHandler.getContainerConfig().setUseStageAsServletContext(false);
     }
 
+    @Disabled("Disabled until new release of commons-fileupload based on Jakarta APIs")
     @MethodSource("data")
     @ParameterizedTest
     void multipart_getFileName_returnsCorrectFileName(String reqType)

diff --git a/aws-serverless-java-container-struts/pom.xml b/aws-serverless-java-container-struts/pom.xml
@@ -94,11 +94,6 @@
 
     <dependencyManagement>
         <dependencies>
-            <dependency><!-- [CVE-2021-29425] commons-fileupload ships with 2.2 -->
-                <groupId>commons-io</groupId>
-                <artifactId>commons-io</artifactId>
-                <version>2.11.0</version>
-            </dependency>
             <dependency><!-- [CVE-2022-42889] transitive dep via Struts -->
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-text</artifactId>