Merge branch 'apache:trunk' into trunk

ambari-agent/pom.xml

@@ -56,7 +56,7 @@
 
     <commons-cli.version>1.5.0</commons-cli.version>
     <commons-collections.version>3.2.2</commons-collections.version>
-    <commons-configuration2.version>2.8.0</commons-configuration2.version>
+    <commons-configuration2.version>2.13.0</commons-configuration2.version>
     <commons-lang.version>2.6</commons-lang.version>
     <commons-lang3.version>3.12.0</commons-lang3.version>
     <commons-io.version>2.14.0</commons-io.version>
@@ -821,7 +821,7 @@
       <executable.python>${project.basedir}/../ambari-common/src/main/unix/ambari-python-wrap</executable.python>
       <executable.shell>sh</executable.shell>
       <fileextension.shell>sh</fileextension.shell>
-      <fileextension.dot.shell-default></fileextension.dot.shell-default>
+      <fileextension.dot.shell-default/>
       <path.python.1>${project.basedir}/../ambari-common/src/main/python:${project.basedir}/../ambari-agent/src/main/python:${project.basedir}/../ambari-common/src/main/python/ambari_jinja2:${project.basedir}/../ambari-agent/src/main/python:${project.basedir}/../ambari-common/src/main/python/ambari_commons:${project.basedir}/../ambari-common/src/test/python:${project.basedir}/src/main/python:${project.basedir}/src/main/python/ambari_agent:${project.basedir}/src/main/python/resource_management:${project.basedir}/src/test/python:${project.basedir}/src/test/python/ambari_agent:${project.basedir}/src/test/python/resource_management:${project.basedir}/../ambari-server/src/test/python:${project.basedir}/../ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/files</path.python.1>
      </properties>
     </profile>

ambari-server/src/main/java/org/apache/ambari/server/state/repository/VersionDefinitionXml.java

@@ -583,6 +583,17 @@ public static VersionDefinitionXml load(String xml) throws Exception {
   private static VersionDefinitionXml load(InputStream stream) throws Exception {
 
     XMLInputFactory xmlFactory = XMLInputFactory.newInstance();
+    // Harden the XMLInputFactory against XXE
+    try {
+      xmlFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    } catch (IllegalArgumentException ignored) {
+      // Property not supported by this implementation; ignore.
+    }
+    try {
+      xmlFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.FALSE);
+    } catch (IllegalArgumentException ignored) {
+      // Property not supported by this implementation; ignore.
+    }
     XMLStreamReader xmlReader = xmlFactory.createXMLStreamReader(stream);
 
     xmlReader.nextTag();
@@ -602,6 +613,22 @@ private static VersionDefinitionXml load(InputStream stream) throws Exception {
     Unmarshaller unmarshaller = ctx.createUnmarshaller();
 
     SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+    // Harden the SchemaFactory against XXE and external resource loading
+    try {
+      factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+    } catch (Exception ignored) {
+      // Feature not supported; ignore.
+    }
+    try {
+      factory.setProperty("http://apache.org/xml/properties/accessExternalDTD", "");
+    } catch (IllegalArgumentException ignored) {
+      // Property not supported by this implementation; ignore.
+    }
+    try {
+      factory.setProperty("http://apache.org/xml/properties/accessExternalSchema", "");
+    } catch (IllegalArgumentException ignored) {
+      // Property not supported by this implementation; ignore.
+    }
     Schema schema = factory.newSchema(new StreamSource(xsdStream));
     unmarshaller.setSchema(schema);
 

ambari-views/examples/phone-list-upgrade-view/pom.xml

@@ -70,7 +70,7 @@
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-beans</artifactId>
-      <version>3.1.2.RELEASE</version>
+      <version>5.2.22.RELEASE</version>
     </dependency>
   </dependencies>
 

contrib/ambari-scom/ambari-scom-server/pom.xml

@@ -74,7 +74,7 @@
         <dependency>
           <groupId>com.thoughtworks.xstream</groupId>
           <artifactId>xstream</artifactId>
-          <version>1.4.7</version>
+          <version>1.4.21</version>
         </dependency>
     </dependencies>
 

contrib/ambari-scom/metrics-sink/pom.xml

@@ -88,7 +88,7 @@
                 <dependency>
                     <groupId>org.apache.hadoop</groupId>
                     <artifactId>hadoop-common</artifactId>
-                    <version>2.2.0</version>
+                    <version>2.6.5</version>
                 </dependency>
             </dependencies>
             <build>

contrib/views/commons/src/main/resources/ui/hdfs-directory-viewer/package.json

@@ -24,7 +24,7 @@
     "ember-cli-app-version": "^1.0.0",
     "ember-cli-dependency-checker": "^1.2.0",
     "ember-cli-font-awesome": "1.5.0",
-    "ember-cli-htmlbars": "^1.0.1",
+    "ember-cli-htmlbars": "^7.0.0",
     "ember-cli-htmlbars-inline-precompile": "^0.3.1",
     "ember-cli-inject-live-reload": "^1.3.1",
     "ember-cli-qunit": "^1.1.0",
@@ -46,7 +46,7 @@
   ],
   "dependencies": {
     "ember-cli-babel": "^5.1.5",
-    "ember-cli-htmlbars": "^1.0.1"
+    "ember-cli-htmlbars": "^7.0.0"
   },
   "ember-addon": {
     "configPath": "tests/dummy/config"

contrib/views/wfmanager/src/main/resources/ui/externaladdons/hdfs-directory-viewer/package.json

@@ -24,7 +24,7 @@
     "ember-cli-app-version": "^1.0.0",
     "ember-cli-dependency-checker": "^1.2.0",
     "ember-cli-font-awesome": "1.5.0",
-    "ember-cli-htmlbars": "^1.0.1",
+    "ember-cli-htmlbars": "^7.0.0",
     "ember-cli-htmlbars-inline-precompile": "^0.3.1",
     "ember-cli-inject-live-reload": "^1.3.1",
     "ember-cli-qunit": "^1.1.0",
@@ -46,7 +46,7 @@
   ],
   "dependencies": {
     "ember-cli-babel": "^5.1.5",
-    "ember-cli-htmlbars": "^1.0.1"
+    "ember-cli-htmlbars": "^7.0.0"
   },
   "ember-addon": {
     "configPath": "tests/dummy/config"