[JBoss JIRA] (JBIDE-26865) Fix security warning due to commons-validator 1.6
by André Dietisheim (Jira)
[ https://issues.jboss.org/browse/JBIDE-26865?page=com.atlassian.jira.plugi... ]
André Dietisheim commented on JBIDE-26865:
------------------------------------------
commons-beanutils was updated to 1.9.4, but the dependency wasn't updated in commons-validator.
Nevertheless, we only use commons-validator proper; we're not using the commons-beanutils bits:
* we only use URLValidator and DomainValidator (which don't use beanutils)
* consistently, we only copy commons-validator into our lib/ folder, none of its dependencies:
{code:title=https://github.com/jbosstools/jbosstools-openshift/blob/master/plugins/org.jboss.tools.openshift.ui/pom.xml#L39}
<configuration>
  <skip>false</skip>
  <outputDirectory>${basedir}/lib/</outputDirectory>
  <!-- baseVersion is to avoid SNAPSHOT dependencies being copied with
       ever daily changing timestamp -->
  <useBaseVersion>true</useBaseVersion>
  <artifactItems>
    <artifactItem>
      <groupId>commons-validator</groupId>
      <artifactId>commons-validator</artifactId>
      <version>${commons-validator.version}</version>
    </artifactItem>
  </artifactItems>
</configuration>
{code}
> Fix security warning due to commons-validator 1.6
> -------------------------------------------------
>
> Key: JBIDE-26865
> URL: https://issues.jboss.org/browse/JBIDE-26865
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.13.0.AM1
> Reporter: Jeff MAURY
> Assignee: André Dietisheim
> Priority: Major
> Fix For: 4.13.0.Final
>
>
> commons-validator 1.6 has a dependency on commons-beanutils 1.9.2, which has a security vulnerability.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
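The comment above rests on two claims: the plugin ships only the commons-validator jar in lib/ (no commons-beanutils jar and no beanutils classes shaded into another jar), and the classes it uses (UrlValidator, DomainValidator) do not reference beanutils. The script below is an added example, not code from the JBoss Tools project, that checks both against a lib/ folder: it lists beanutils class entries bundled in any jar, and reports which classes in each jar mention the beanutils package in their constant pool (a raw string scan, so a heuristic rather than full bytecode analysis). The demo builds a constructed lib/ directory with a fake validator jar; the class names and file contents in it are made up for the test and are not the real artifact.

```python
"""Audit a plugin lib/ folder for an excluded transitive dependency (commons-beanutils).

Added example, not code from the JBoss Tools project. Checks (1) that no
commons-beanutils jar, and no beanutils classes shaded into another jar, are
shipped, and (2) which classes inside each shipped jar actually reference the
beanutils package (constant-pool string scan: heuristic, not a full analysis).
"""
import io
import tempfile
import zipfile
from pathlib import Path

BEANUTILS_PKG = "org/apache/commons/beanutils/"  # path form used inside jars and class files


def bundled_beanutils_classes(jar_bytes: bytes) -> list:
    """Class entries under the beanutils package: present if the jar ships or shades beanutils."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith(BEANUTILS_PKG) and n.endswith(".class"))


def classes_referencing_beanutils(jar_bytes: bytes) -> list:
    """Classes whose bytes mention the beanutils package (UTF-8 constant-pool entries)."""
    needle = BEANUTILS_PKG.rstrip("/").encode()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.endswith(".class") and needle in zf.read(n))


def audit_lib_dir(lib_dir: Path) -> dict:
    """Per-jar findings: is it a beanutils jar, which beanutils classes it bundles,
    and which of its own classes reference beanutils."""
    findings = {}
    for jar in sorted(lib_dir.glob("*.jar")):
        data = jar.read_bytes()
        findings[jar.name] = {
            "is_beanutils_jar": "beanutils" in jar.name.lower(),
            "bundled": bundled_beanutils_classes(data),
            "referencing": classes_referencing_beanutils(data),
        }
    return findings


def beanutils_shipped(findings: dict) -> bool:
    """True if any jar in lib/ is, or contains, commons-beanutils."""
    return any(f["is_beanutils_jar"] or f["bundled"] for f in findings.values())


def make_fake_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {entry name: bytes}. Constructed test data, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def demo() -> dict:
    """Constructed lib/ folder with one validator-like jar and no beanutils jar; returns the audit."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic, so the fake entries look like classes
    refs_beanutils = magic + b"org/apache/commons/beanutils/BeanUtils"  # fake class citing beanutils
    clean = magic + b"java/lang/String"                                 # fake class with no such reference
    validator_jar = make_fake_jar({
        "org/apache/commons/validator/routines/UrlValidator.class": clean,
        "org/apache/commons/validator/routines/DomainValidator.class": clean,
        "org/apache/commons/validator/Legacy.class": refs_beanutils,  # hypothetical class name
    })
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "commons-validator-1.6.jar").write_bytes(validator_jar)
        return audit_lib_dir(lib)


if __name__ == "__main__":
    result = demo()
    for name, f in result.items():
        print(name, "bundles beanutils:", bool(f["bundled"]), "references:", f["referencing"])
    print("beanutils shipped:", beanutils_shipped(result))
```

Point `audit_lib_dir` at the real plugin's lib/ folder after a Maven build to confirm the copy configuration did what the comment says; a non-empty "referencing" list for a class you actually instantiate is the case that would need a closer look.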
[JBoss JIRA] (JBIDE-26868) Connection wizard: errors when logging in to https://api.openshift4-crs.crs.codereadyqe.com
by André Dietisheim (Jira)
[ https://issues.jboss.org/browse/JBIDE-26868?page=com.atlassian.jira.plugi... ]
André Dietisheim commented on JBIDE-26868:
------------------------------------------
The very same connection works from the oc command line:
{code}
$ oc login --token=XXXXX --server=https://api.openshift4-crs.crs.codereadyqe.com:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
Logged into "https://api.openshift4-crs.crs.codereadyqe.com:6443" as "developer" using the token provided.
You have one project on this server: "sdfasdf"
Using project "sdfasdf".
{code}
> Connection wizard: errors when logging in to https://api.openshift4-crs.crs.codereadyqe.com
> -------------------------------------------------------------------------------------------
>
> Key: JBIDE-26868
> URL: https://issues.jboss.org/browse/JBIDE-26868
> Project: Tools (JBoss Tools)
> Issue Type: Bug
> Components: openshift
> Affects Versions: 4.13.0.AM1
> Reporter: André Dietisheim
> Assignee: André Dietisheim
> Priority: Critical
> Labels: connection_wizard
> Fix For: 4.13.0.Final
>
>
> Steps:
> # EXEC: (VPN required) go to https://console-openshift-console.apps.openshift4-crs.crs.codereadyqe.com/ and log in using: htpasswd > developer/developer
> # EXEC: once logged in, pick "Copy Login Command" from the menu in the top right corner - you'll have to log in again and hit "Display Token". You'll get a command displayed that you'll have to copy:
> {code}
> oc login --token=XXXXXX --server=https://api.openshift4-crs.crs.codereadyqe.com:6443
> {code}
> # EXEC: open connection wizard, hit "Paste Login Command" button & pick "Finish"
> Result:
> {code}
> com.openshift.restclient.authorization.ResourceForbiddenException: forbidden: User "system:anonymous" cannot get path "/apis" forbidden: User "system:anonymous" cannot get path "/apis"
> at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.createOpenShiftException(ResponseCodeInterceptor.java:111)
> at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:66)
> at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
> at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
> at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
> at okhttp3.RealCall.execute(RealCall.kt:66)
> at com.openshift.internal.restclient.ApiTypeMapper.request(ApiTypeMapper.java:265)
> at com.openshift.internal.restclient.ApiTypeMapper.readEndpoint(ApiTypeMapper.java:257)
> at com.openshift.internal.restclient.ApiTypeMapper.getApiGroups(ApiTypeMapper.java:220)
> at com.openshift.internal.restclient.ApiTypeMapper.init(ApiTypeMapper.java:155)
> at com.openshift.internal.restclient.ApiTypeMapper.isSupported(ApiTypeMapper.java:84)
> at com.openshift.internal.restclient.URLBuilder.buildWithNamespaceInPath(URLBuilder.java:148)
> at com.openshift.internal.restclient.URLBuilder.build(URLBuilder.java:135)
> at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:301)
> at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:275)
> at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:243)
> at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:226)
> at com.openshift.internal.restclient.DefaultClient.get(DefaultClient.java:423)
> at com.openshift.internal.restclient.authorization.AuthorizationContext.isAuthorized(AuthorizationContext.java:63)
> at org.jboss.tools.openshift.core.connection.Connection.authorize(Connection.java:237)
> at org.jboss.tools.openshift.core.connection.Connection.connect(Connection.java:226)
> at org.jboss.tools.openshift.internal.common.ui.connection.ConnectionWizardPageModel.connect(ConnectionWizardPageModel.java:300)
> at org.jboss.tools.openshift.internal.common.ui.connection.ConnectionWizardPage$ConnectJob.doRun(ConnectionWizardPage.java:434)
> at org.jboss.tools.openshift.internal.common.core.job.AbstractDelegatingMonitorJob.run(AbstractDelegatingMonitorJob.java:37)
> at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
> {code}