glassfish icon indicating copy to clipboard operation
glassfish copied to clipboard
verified publisher icon eclipse-ee4j

Adding fix to solve problem to access Restricted Directory when using context root as /

Open luiseufrasio opened this issue 3 years ago • 2 comments

This is a bug fix Adding fix to solve problem to access Restricted Directory when using context root as /

Added new test: StandardContextValveTest.java

This is a contribution from Payara team. Our original PRs: https://github.com/payara/Payara/pull/5396 https://github.com/payara/Payara/pull/5886

luiseufrasio avatar Aug 12 '22 18:08 luiseufrasio

Can one of the admins verify this patch?

glassfish-bot avatar Aug 12 '22 18:08 glassfish-bot

Also you need to sign the ECA (Eclipse Contributor Agreement), see https://accounts.eclipse.org/legal/eca/validation/116192 . Then we could help you to update the PR.

dmatej avatar Aug 16 '22 07:08 dmatej

Also you need to sign the ECA (Eclipse Contributor Agreement), see https://accounts.eclipse.org/legal/eca/validation/116192 . Then we could help you to update the PR.

I've just signed the ECA. Please check it again.

luiseufrasio avatar Aug 22 '22 09:08 luiseufrasio

I've just signed the ECA. Please check it again.

Checked:

There is no valid ECA on file for luis.eufrasio@****.com

pzygielo avatar Aug 22 '22 09:08 pzygielo

@luiseufrasio To contribute the fixes you need set the git account to the Eclipse Foundation account that signed to ECA and sign commit using the --signoff option.

hs536 avatar Aug 22 '22 10:08 hs536

and sign commit using the --signoff option.

no longer needed: https://www.eclipse.org/lists/eclipse.org-committers/msg01291.html

pzygielo avatar Aug 22 '22 10:08 pzygielo

Also you need to sign the ECA (Eclipse Contributor Agreement), see https://accounts.eclipse.org/legal/eca/validation/116192 . Then we could help you to update the PR.

I've just signed the ECA. Please check it again.

The ECA Validation still fails, do you use the same e-mail in commits and in your Eclipse account? I think it should be enough even if they are both set in the same github account (not sure).

And yet Jenkins failed, tests must be updasted to JUnit5, GlassFish is a bit ahead ;)

14:29:40  [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.10.1:testCompile (default-testCompile) on project web-core: Compilation failure: Compilation failure: 
14:29:40  [ERROR] /home/jenkins/agent/workspace/_test-using-jenkinsfile_PR-24077/appserver/web/web-core/src/test/java/org/apache/catalina/core/StandardContextValveTest.java:[50,24] cannot find symbol
14:29:40  [ERROR]   symbol:   class Assert
14:29:40  [ERROR]   location: package org.junit
14:29:40  [ERROR] /home/jenkins/agent/workspace/_test-using-jenkinsfile_PR-24077/appserver/web/web-core/src/test/java/org/apache/catalina/core/StandardContextValveTest.java:[55,24] package org.junit.runner does not exist
14:29:40  [ERROR] /home/jenkins/agent/workspace/_test-using-jenkinsfile_PR-24077/appserver/web/web-core/src/test/java/org/apache/catalina/core/StandardContextValveTest.java:[61,2] cannot find symbol
14:29:40  [ERROR]   symbol: class RunWith
14:29:40  [ERROR] -> [Help 1]

dmatej avatar Aug 22 '22 13:08 dmatej

Guys, this PR patches critical vulnerability found by me, allowing to read any file, by an remote unauthenticated attacker, in WEB-INF and META-INF folders. It affects both Glassfish and Payara. The patch code is public so someone could easily reproduce it. This should be merged, and the new version released ASAP. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37422 https://blog.payara.fish/august-community-5-release The Glassfish vulnerability is pending the CVE publication, but it will be published as CVE-2022-2712 and this PR fixes it.

MDudek-ICS avatar Aug 22 '22 18:08 MDudek-ICS

Guys, this PR patches critical vulnerability found by me, allowing to read any file, by an remote unauthenticated attacker, in WEB-INF and META-INF folders. It affects both Glassfish and Payara. The patch code is public so someone could easily reproduce it. This should be merged, and the new version released ASAP. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37422 https://blog.payara.fish/august-community-5-release The Glassfish vulnerability is pending the patch publication, but it will be published as CVE-2022-2712 and this PR fixes it.

If @luiseufrasio can just recheck the ECA validation, so the validation would pass, I can fix the rest so we would pass the build on Jenkins. Or we would have to create a new PR with own implementation. But I hope we are able to merge this PR this week, just ... those two things must be resolved ;)

dmatej avatar Aug 22 '22 23:08 dmatej

I've just signed the ECA. Please check it again.

Checked:

There is no valid ECA on file for luis.eufrasio@****.com

I changed my email account and signed again.

luiseufrasio avatar Aug 23 '22 08:08 luiseufrasio

Guys, this PR patches critical vulnerability found by me, allowing to read any file, by an remote unauthenticated attacker, in WEB-INF and META-INF folders. It affects both Glassfish and Payara. The patch code is public so someone could easily reproduce it. This should be merged, and the new version released ASAP. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37422 https://blog.payara.fish/august-community-5-release The Glassfish vulnerability is pending the patch publication, but it will be published as CVE-2022-2712 and this PR fixes it.

If @luiseufrasio can just recheck the ECA validation, so the validation would pass, I can fix the rest so we would pass the build on Jenkins. Or we would have to create a new PR with own implementation. But I hope we are able to merge this PR this week, just ... those two things must be resolved ;)

My e-mail was the payara one, but I just changed it to my gmail (the correct one).

luiseufrasio avatar Aug 23 '22 08:08 luiseufrasio

There are yet some compilation errors. You can run just mvn clean install -Pfastest && mvn clean install -pl :web-core to detect them much faster than waiting for Jenkins ;)

dmatej avatar Aug 23 '22 10:08 dmatej

mvn clean install -Pfastest && mvn clean install -pl :web-core

Could you please send to my email ([email protected]) the maven setting.xml file you use to build the project?

luiseufrasio avatar Aug 23 '22 11:08 luiseufrasio

mvn clean install -Pfastest && mvn clean install -pl :web-core

Could you please send to my email ([email protected]) the maven setting.xml file you use to build the project?

There's nothing special, the profile fastest is already in GlassFish poms. It is also documented here: https://github.com/eclipse-ee4j/glassfish#execution

dmatej avatar Aug 23 '22 11:08 dmatej

Seems I will be able to fix the test soon, if you let me help you ;) Working with EasyMock is bit different than with Mockito, and it's annotations in 4.3 don't yet support JDK17 and JUnit5. People are asking EasyMock to release 5RC1 soon ... but I believe I can still make it work without it.

dmatej avatar Aug 23 '22 12:08 dmatej

Seems I will be able to fix the test soon, if you let me help you ;) Working with EasyMock is bit different than with Mockito, and it's annotations in 4.3 don't yet support JDK17 and JUnit5. People are asking EasyMock to release 5RC1 soon ... but I believe I can still make it work without it.

Thanks @dmatej! I appreciate your help. I tried to migrate the tests from mockito to easymock without success.

luiseufrasio avatar Aug 23 '22 13:08 luiseufrasio

Seems I will be able to fix the test soon, if you let me help you ;) Working with EasyMock is bit different than with Mockito, and it's annotations in 4.3 don't yet support JDK17 and JUnit5. People are asking EasyMock to release 5RC1 soon ... but I believe I can still make it work without it.

Thanks @dmatej! I appreciate your help. I tried to migrate the tests from mockito to easymock without success.

Now when you review my PR and merge it, it should be done. The build passed on my laptop, Jenkins will run the rest of tests afterwards. https://github.com/luiseufrasio/glassfish/pull/1

dmatej avatar Aug 23 '22 15:08 dmatej