Merge branch 'apache:trunk' into trunk #4074
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Bumps [express](https://github.com/expressjs/express) from 4.15.2 to 4.21.2. - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](expressjs/express@4.15.2...4.21.2) --- updated-dependencies: - dependency-name: express dependency-version: 4.21.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
…ib/views/wfmanager/src/main/resources/ui/express-4.21.2 Actualización de la dependencia Express de la versión 4.15.2 a 4.21.2 en /contrib/views/wfmanager/src/main/resources/ui Este Pull Request realiza una actualización crítica de la librería Express utilizada en el módulo UI del gestor de flujos (wfmanager). La actualización de la versión 4.15.2 a la 4.21.2 incluye correcciones de seguridad, mejoras de rendimiento y compatibilidad con dependencias más recientes. Detalles principales: Motivo: Resolver 2 alertas de seguridad detectadas por Dependabot sobre la versión actual de Express, incluyendo una vulnerabilidad de severidad moderada que puede impactar la estabilidad y seguridad de la aplicación. Impacto: La actualización mejora la seguridad general de la aplicación sin cambios disruptivos en la API, manteniendo la compatibilidad con el código existente. Cambios técnicos: Se reemplaza la versión antigua con la más reciente estable (4.21.2) en el archivo package.json y se actualizan los archivos de lock para asegurar la integridad de las dependencias. Verificación: Se recomienda ejecutar pruebas funcionales y de integración para validar que la actualización no afecta el comportamiento esperado del UI. Beneficios: Mitigación de riesgos de seguridad asociados a vulnerabilidades conocidas en versiones anteriores de Express. Mejor compatibilidad con ecosistemas modernos y futuras actualizaciones. Refuerzo de la política de mantenimiento proactivo de dependencias.
Author
|
retest this please |
Author
|
Hi @apache-ambari-maintainers, Thank you! |
Contributor
|
@zRains cc |
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-30627
…s-directory-viewer/package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
…r/package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
…b79b9a7c63124 [Snyk] Security upgrade ember-cli-htmlbars from 1.3.5 to 7.0.0
Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.7 to 1.4.21. - [Release notes](https://github.com/x-stream/xstream/releases) - [Commits](https://github.com/x-stream/xstream/commits) --- updated-dependencies: - dependency-name: com.thoughtworks.xstream:xstream dependency-version: 1.4.21 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
…ari-scom/ambari-scom-server/com.thoughtworks.xstream-xstream-1.4.21 Bump com.thoughtworks.xstream:xstream from 1.4.7 to 1.4.21 in /contrib/ambari-scom/ambari-scom-server
…a35eb7698601f [Snyk] Security upgrade ember-cli-htmlbars from 1.3.5 to 7.0.0
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078
…ef6c445584874 [Snyk] Security upgrade org.apache.commons:commons-configuration2 from 2.8.0 to 2.13.0
Bumps [org.springframework:spring-beans](https://github.com/spring-projects/spring-framework) from 3.1.2.RELEASE to 5.2.22.RELEASE. - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v3.1.2.RELEASE...v5.2.22.RELEASE) --- updated-dependencies: - dependency-name: org.springframework:spring-beans dependency-version: 5.2.22.RELEASE dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
…s/examples/phone-list-upgrade-view/org.springframework-spring-beans-5.2.22.RELEASE Bump org.springframework:spring-beans from 3.1.2.RELEASE to 5.2.22.RELEASE in /ambari-views/examples/phone-list-upgrade-view
… entity in user-controlled data ### Context This commit addresses a critical CodeQL finding (`java/xxe`) related to XML External Entity (XXE) processing in user-controlled XML data. The affected code path parses XML input without explicitly disabling DTDs and external entity resolution, which could allow XXE-based attacks such as: - Arbitrary file access - Server-side request forgery (SSRF) - Denial of service ### Change summary This change hardens the XML parsing configuration in `VersionDefinitionXml.load(InputStream)` by applying defensive parser settings recommended by OWASP and standard Java security guidance: **XMLInputFactory** - Explicitly disables DTD support - Explicitly disables external entity resolution **SchemaFactory** - Enables JAXP secure processing - Disables access to external DTDs and schemas (where supported) All settings are applied defensively using try/catch blocks to preserve compatibility with different JAXP implementations. ### Impact - No functional or behavioral changes for valid XML inputs - Malicious XML relying on external entities or DTDs will now fail to parse - Improves overall security posture without affecting business logic ### Notes - This change is limited in scope to XML parser hardening - No changes were made to higher-level logic or data flow - The fix is intentionally minimal and focused on security hardening Fixes: CodeQL alert apache#146 Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Fixes CodeQL alert apache#146. This merge hardens XML parsing against XXE by disabling DTDs and external entity resolution. The change is intentionally minimal and limited to parser configuration only. No functional or behavioral changes outside XML parsing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
(Please fill in changes proposed in this fix)
How was this patch tested?
(Please explain how this patch was tested. Ex: unit tests, manual tests)
(If this patch involves UI changes, please attach a screen-shot; otherwise, remove this)
Please review Ambari Contributing Guide before opening a pull request.