karate icon indicating copy to clipboard operation
karate copied to clipboard

Published 20 hours ago verified publisher icon karatelabs

upgrade to apache httpclient 5

Open ptrthomas opened this issue 1 year ago • 12 comments

low priority CVE: commons-codec:commons-codec @ 1.11 vulnerability reported by @kdefives

description:

Summary

Apache commons-codec before 1.13 is vulnerable to information exposure. The Base32 and Base64 implementation blindly decode invalid string, which can be re-encoded again using the same implementation. This can result in a security exploitation such as tunneling additional information via seemingly valid base 32 strings.

How to fix

Migrate from usage of org.apache.httpcomponents:httpclient to org.apache.httpcomponents.client5:httpclient5

migration is non-trivial: https://hc.apache.org/httpcomponents-client-5.2.x/migration-guide/migration-to-classic.html and requires refactoring of the ApacheHttpClient

currently tagging as help wanted

ptrthomas avatar Apr 09 '23 05:04 ptrthomas

Hello @ptrthomas , I would like to contribute to this issue. Can I work on this?

pru-namikaze avatar May 31 '23 05:05 pru-namikaze

@pru-namikaze sure

ptrthomas avatar May 31 '23 06:05 ptrthomas

I hope this upgrade ships for the next release. We have recently updated to Spring Boot 3.1 in which support for Apache HttpClient4 is dropped (so we have only HttpClient5 on the classpath). Since Karate is using HttpClient4, transitive dependencies are causing a problem. We are not having problem running Karate tests on CI/CD, but when we run individual Karate tests during development (inside IntelliJ using the Karate plugin) tests are failing during initialization.

the error message is:

org.graalvm.polyglot.polyglotexception: 'java.lang.string org apache.http.client.utils.urlencodedutils.formatsegments(java.lang.iterable, java.nio.charset.charset)'
com.intuit.karate.core.ScenarioBridge.callSingle(ScenarioBridge.java:238)

We fixed it adding Apache HttpClient4 dependency explicitly in our projects dependency management. This helps ensuring Karate uses HttpClient4.

milikkan avatar Jun 08 '23 08:06 milikkan

@milikkan can you confirm that if you use <classifier>all</classifier> for your karate-core dependency, it should solve this problem. for an example, refer: https://github.com/karatelabs/karate-examples/blob/main/quarkus/README.md

ptrthomas avatar Jun 08 '23 08:06 ptrthomas

Hi @ptrthomas,

I have been swamped with personal commitments and will not be able to complete this issue. However, I have pushed the majority of the changes which have passed all but 3 test cases (related to cookies, which should be an easy fix to just find the right implementation from hc5).

I apologize for not letting you know sooner.

pru-namikaze avatar Jun 17 '23 07:06 pru-namikaze

Hi Team, I am new to Karate and seeing this warning in my pom.xml file. Can someone suggest a fix? I went through the conversations and didn't understand. Thanks in advance.

Cxeb68d52e-5509 3.7 Exposure of Sensitive Information to an Unauthorized Actor vulnerability

OS: Mac OS Ventura 13.6 OpenJDK 17 Intellij IDE

Using Karate-core as dependency in my pom.xml file with version 1.4.0 and scope

rajeshsrinivas1991 avatar Oct 05 '23 03:10 rajeshsrinivas1991

@rajeshsrinivas1991 see if this helps: https://stackoverflow.com/a/76399959/143475

else we have to wait for the apache http client to be upgraded. if anyone else has thoughts, please chime in

ptrthomas avatar Oct 05 '23 10:10 ptrthomas

I will try to have a look at this one, if it's ok.

Any requirements in terms of perfomance? I read somewhere that karate-gatling was using a special pooling/connection/whatever, so anything to check specifically?

f-delahaye avatar Dec 16 '23 08:12 f-delahaye

@f-delahaye thanks ! no particular requirements, karate-gatling would actually use this automatically

ptrthomas avatar Dec 16 '23 10:12 ptrthomas

Thanks.

It looks like apache http client 5.3 no longer supports ntlm: https://hc.apache.org/httpcomponents-client-5.3.x/current/httpclient5/apidocs/org/apache/hc/client5/http/impl/auth/NTLMScheme.html

Should we upgrade to client 5.3 and remove ntlm support altogether? Or upgrade to 5.2.1 and issue a warning, something like 'Will be removed in a future release"?

f-delahaye avatar Dec 18 '23 18:12 f-delahaye

tagging @dvargas46 who implemented this in https://github.com/karatelabs/karate/pull/2343

@f-delahaye I propose removing ntlm support. not many people use this, and supporting Apache and solving the CVE issues we have is a priority. hopefully the community can find a way to add ntlm back, perhaps the code in the apache project can be used as a reference

ptrthomas avatar Dec 19 '23 04:12 ptrthomas

Thanks for looping me in on this @ptrthomas . I agree that removing ntlm support is best here to be able to upgrade the apache client and resolve further CVEs. It's a bummer that apache deprecated support for ntlm, but it's understandable given the vulnerabilities around that auth scheme. If I find another way to bring ntlm support back to Karate then I'll create a PR.

dvargas46 avatar Dec 21 '23 16:12 dvargas46