Fix for issue #317 #323
Merged
Fix for issue #317 #323
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Tests of SpringBoot 2 are expected to fail for 2.0.x (enforcer plugin will complain, but there is no 2.0.x version beyond 2.0.9.RELEAS that fixes that spring CVE) and 2.2.x (one unit test seems to fail probably due to the new Spring Security dependency version, needed due to https://pivotal.io/security/cve-2020-5398) |
|
Issue link #317 |
sapessi
approved these changes
Mar 30, 2020
sapessi
added a commit
that referenced
this pull request
Apr 8, 2020
* Bump spring.version in /aws-serverless-java-container-spring (#319) Bumps `spring.version` from 5.1.9.RELEASE to 5.2.3.RELEASE. Updates `spring-webmvc` from 5.1.9.RELEASE to 5.2.3.RELEASE - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.1.9.RELEASE...v5.2.3.RELEASE) Updates `spring-test` from 5.1.9.RELEASE to 5.2.3.RELEASE - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.1.9.RELEASE...v5.2.3.RELEASE) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump spring-webflux in /aws-serverless-java-container-springboot2 (#318) Bumps [spring-webflux](https://github.com/spring-projects/spring-framework) from 5.1.9.RELEASE to 5.2.0.RELEASE. - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.1.9.RELEASE...v5.2.0.RELEASE) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: Fixing Spring build to use 5.2 as latest * chore(deps): Bump Spring 5.1 path release to address a security vulnerability * chore(deps): Fixing usual spring dependency mess with exlusions out of the spring-security package used in the tests * Fix for issue #317 (#323) * fix issue 317 - use charset from request * update dependencies * update build dependencies, remove spring boot 2.0.x * restoring ci config Co-authored-by: Stefano Buliani <[email protected]> * test: Fixed Spring security tests for SpringBoot 2, added validation tests and updated servlet tests to use the new servletApplication option * fix: Avoid flushing the response buffer if we are dispatching the request asynchronously. This was causing race conditions in the SpringBoot 2 WebFlux implementation - requests that had to run through security or validation filters took longer and the library flushed an empty request, which caused the status code to default to 200. This fix addresses issues #279, #304, and #306 * chore(deps): Bump spring dependency version and added webmvc optional dependency to truly support Servlet-only server * feat: New application type parameter to SpringBootLambdaContainerHandler that tells the framework whether to start a reactive or servlet-based embedded server. Also added a new servletApplication method to the builder object. * test: Fixed UTF-8 encoding test * ci: Fixed dependencies for CI run on SpringBoot 2 * ci: More Spring dependency convergence issues during CI * fix: Added null-check on getServerName in case the multi-value headers property is null. Unlikely outside of tests but better safe than sorry. This addresses #327 * fix: Changed servlet initialization mechanism so that servlet that requests load on startup are initialized right away, as part of the initialization() method call in LambdaServletContainerHandler. Also centralized the lazy Servlet initialization to the ServletExecutionFilter so that we don't have code scattered all around. This begins to address #287 * feat: Added new 0-parameter constructor for async initializer that uses the actual JVM start time to calculate the timeout milliseconds. Also added the new method to the builder object and deprecated the current method that receives a milliseconds epoch parameter. I'm not deprecating the constructor of the async initializer class that receives the parameter as it may still be useful for tests. This change was suggested in #287 * fix: Updated SpringBoot 1.x handler to use the new servlet initialization mechanism * ci: switch SpringBoot slow integration test to use a custom async time since the JVM is reused for both tests in the and we cannot reuse the actual JVM init time * feat: New models for HTTP API support for #329 * feat: First implementation of HTTP API servlet request, request reader, and security context writer - continuing to address #329 * test: Basic unit tests for the new HTTP API support in core library (#329) * feat: Updated log formatter to support both versions (1 and 2) of the proxy request model (#329) * feat: Further generified request readers to read to a generic HttpServletRequest rather than specific implementations of it. This makes it easier to create container handler implementations that support HTTP API, API Gateway, and ALB (#329) * test: Fixed tests for new logged and generified request readers * feat: Added HTTP API support to Jersey implementation with new getHttpApiV2ProxyHandler method (#329) * feat: Added HTTP API support to Spark implementation (#329) * feat: Added HTTP API support to Spring implementation (#329) * feat: HTTP API support in SpringBoot 2 implementation. bug: Fixed an issue with the implementation of AsyncContext where it wasn't dispatching if the handler wasn't set * feat: First pass of HTTP API support in struts 2 implementation (#329) * fix: Added support for HTTP APIs to the request dispatcher * chore(deps): Dependency bump all around. Rotated Jersey ci versions * fix: Updated stream handling logic to work with reactive applications as suggested in #316 * test: Added unit test to replicate #333 * feat: New configuration parameter to skip exception mapping and allow exception to bubble up from #307 * fix: Fixed spotbugs issue in RuntimeException cast * test: Added tests for more complex content types mentioned in issue #315 * docs: Updated samples to support SAM CLI operations out of the box to address #293 and switched to HTTP API by default * feat: Updated archetypes to work out of the box with the SAM CLI, continuing to address #293 * chore: License header pass on the entire project * fix: Set default value for setDisableException mapper in config to false * fix: Updated default initialization timeout to 20 seconds Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eran Medan <[email protected]>
jogep
pushed a commit
to jogep/aws-serverless-java-container
that referenced
this pull request
Dec 8, 2020
* fix issue 317 - use charset from request * update dependencies * update build dependencies, remove spring boot 2.0.x * restoring ci config Co-authored-by: Stefano Buliani <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
317
Description of changes:
in AwsHttpServletResponse#flushBuffer - charset was always taken from LambdaContainerHandler.getContainerConfig().getDefaultContentCharset(); even if characterEncoding and or headers.Content-Type contained ; charset=
updated Spring dependencies to address https://pivotal.io/security/cve-2020-5398
Note: com.amazonaws.serverless.proxy.spring.SecurityAppTest#helloRequest_withAuth_respondsWithSingleMessage succeeds on Spring Boot 2.1 but fails on 2.2 (-Dspringboot.version=2.2.3.RELEASE -Dspring.version=5.2.3.RELEASE -Dspringsecurity.version=5.2.2.RELEASE fails)
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.