From e4e351c0925b5cd5edc71244c1baced54ca48a37 Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Fri, 8 Dec 2023 15:36:38 +0530 Subject: [PATCH 01/11] Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 --- extensions-core/druid-pac4j/pom.xml | 2 +- .../druid/security/pac4j/Pac4jFilter.java | 17 ++++++++------- .../security/pac4j/Pac4jSessionStore.java | 21 ++++++++++--------- .../security/pac4j/Pac4jSessionStoreTest.java | 4 ++-- licenses.yaml | 4 ++-- owasp-dependency-check-suppressions.xml | 8 ------- 6 files changed, 25 insertions(+), 31 deletions(-) diff --git a/extensions-core/druid-pac4j/pom.xml b/extensions-core/druid-pac4j/pom.xml index 7e629f05549a..8e479124dc32 100644 --- a/extensions-core/druid-pac4j/pom.xml +++ b/extensions-core/druid-pac4j/pom.xml @@ -34,7 +34,7 @@ - 3.8.3 + 4.5.5 1.7 diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java index 4463e43ca29d..452a22609460 100644 --- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java +++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java 
@@ -23,14 +23,15 @@ import org.apache.druid.server.security.AuthConfig; import org.apache.druid.server.security.AuthenticationResult; import org.pac4j.core.config.Config; -import org.pac4j.core.context.J2EContext; +import org.pac4j.core.context.JEEContext; import org.pac4j.core.context.session.SessionStore; import org.pac4j.core.engine.CallbackLogic; import org.pac4j.core.engine.DefaultCallbackLogic; import org.pac4j.core.engine.DefaultSecurityLogic; import org.pac4j.core.engine.SecurityLogic; +import org.pac4j.core.exception.http.HttpAction; import org.pac4j.core.http.adapter.HttpActionAdapter; -import org.pac4j.core.profile.CommonProfile; +import org.pac4j.core.profile.UserProfile; import javax.servlet.Filter; import javax.servlet.FilterChain; @@ -47,12 +48,12 @@ public class Pac4jFilter implements Filter { private static final Logger LOGGER = new Logger(Pac4jFilter.class); - private static final HttpActionAdapter NOOP_HTTP_ACTION_ADAPTER = (int code, J2EContext ctx) -> null; + private static final HttpActionAdapter NOOP_HTTP_ACTION_ADAPTER = (HttpAction code, JEEContext ctx) -> null; private final Config pac4jConfig; - private final SecurityLogic securityLogic; - private final CallbackLogic callbackLogic; - private final SessionStore sessionStore; + private final SecurityLogic securityLogic; + private final CallbackLogic callbackLogic; + private final SessionStore sessionStore; private final String name; private final String authorizerName; 
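Review bot: In the `NOOP_HTTP_ACTION_ADAPTER` line of the second hunk the lambda parameter is still called `code` although its type is now `HttpAction`; rename it so the name matches what pac4j 4 passes, `(HttpAction action, JEEContext ctx) -> null`. Beyond naming, as far as I recall pac4j 4 no longer writes an HttpAction (redirect to the provider, 401 and so on) to the response itself but leaves that to the `HttpActionAdapter`, so an adapter that returns null without touching the response is a semantic change relative to the 3.x adapter that received an already-applied status code. Please confirm that `doFilter` still emits the redirect or status that the action carries (the body of `doFilter` is outside this hunk) and record the reason the adapter is intentionally inert in a comment above the constant.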
@@ -88,7 +89,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest; HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse; - J2EContext context = new J2EContext(httpServletRequest, httpServletResponse, sessionStore); + JEEContext context = new JEEContext(httpServletRequest, httpServletResponse, sessionStore); if (Pac4jCallbackResource.SELF_URL.equals(httpServletRequest.getRequestURI())) { callbackLogic.perform( @@ -101,7 +102,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo String uid = securityLogic.perform( context, pac4jConfig, - (J2EContext ctx, Collection profiles, Object... parameters) -> { + (JEEContext ctx, Collection profiles, Object... parameters) -> { if (profiles.isEmpty()) { LOGGER.warn("No profiles found after OIDC auth."); return null; diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java index 069a4ff2eb9a..6c5c57a33198 100644 --- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java +++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java @@ -25,12 +25,12 @@ import org.apache.druid.java.util.common.logger.Logger; import org.pac4j.core.context.ContextHelper; import org.pac4j.core.context.Cookie; -import org.pac4j.core.context.Pac4jConstants; import org.pac4j.core.context.WebContext; import org.pac4j.core.context.session.SessionStore; import org.pac4j.core.exception.TechnicalException; import org.pac4j.core.profile.CommonProfile; import org.pac4j.core.util.JavaSerializationHelper; +import org.pac4j.core.util.Pac4jConstants; import javax.annotation.Nullable; import java.io.ByteArrayInputStream; 
@@ -38,6 +38,7 @@ import java.io.IOException; import java.io.Serializable; import java.util.Map; +import java.util.Optional; import java.util.zip.GZIPInputStream; import java.util.zip.GZIPOutputStream; @@ -78,7 +79,7 @@ public String getOrCreateSessionId(WebContext context) @Nullable @Override - public Object get(WebContext context, String key) + public Optional get(WebContext context, String key) { final Cookie cookie = ContextHelper.getCookie(context, PAC4J_SESSION_PREFIX + key); Object value = null; @@ -86,7 +87,7 @@ public Object get(WebContext context, String key) value = uncompressDecryptBase64(cookie.getValue()); } LOGGER.debug("Get from session: [%s] = [%s]", key, value); - return value; + return Optional.ofNullable(value); } @Override @@ -142,7 +143,7 @@ private Serializable uncompressDecryptBase64(final String v) if (v != null && !v.isEmpty()) { byte[] bytes = StringUtils.decodeBase64String(v); if (bytes != null) { - return javaSerializationHelper.unserializeFromBytes(unCompress(cryptoService.decrypt(bytes))); + return javaSerializationHelper.deserializeFromBytes(unCompress(cryptoService.decrypt(bytes))); } } return null; @@ -176,19 +177,19 @@ private Object clearUserProfile(final Object value) { if (value instanceof Map) { final Map profiles = (Map) value; - profiles.forEach((name, profile) -> profile.clearSensitiveData()); + profiles.forEach((name, profile) -> profile.removeLoginData()); return profiles; } else { final CommonProfile profile = (CommonProfile) value; - profile.clearSensitiveData(); + profile.removeLoginData(); return profile; } } @Override - public SessionStore buildFromTrackableSession(WebContext arg0, Object arg1) + public Optional> buildFromTrackableSession(WebContext arg0, Object arg1) { - return null; + return Optional.empty(); } @Override 
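Review bot: `get` keeps its `@Nullable` annotation in the `@@ -78` hunk although it now returns `Optional.ofNullable(value)`, which is never null; the annotation is now misleading, and the test's `Objects.requireNonNull(sessionStore.get(...))` in the next hunk shows the confusion it causes. Drop `@Nullable` from `get` and keep `@Override`. A one-line Javadoc on the method could state that a missing cookie yields `Optional.empty()`; whether a tampered or undecryptable cookie also yields empty or throws depends on `uncompressDecryptBase64`, whose failure path is only partly visible here.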
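Review bot: The renamed `deserializeFromBytes` call in the `@@ -142` hunk still feeds bytes that originate in a client-supplied cookie straight into Java deserialization, and the only step between a tampered cookie and the object stream is `cryptoService.decrypt(bytes)`. Whether that decrypt step authenticates the ciphertext (a MAC or an AEAD mode) so that modified cookies are rejected before deserialization is not visible in this hunk; it should be confirmed and stated on this line, e.g. `// Safe only because decrypt() rejects ciphertext that fails authentication — see the cryptoService implementation`. If pac4j's `JavaSerializationHelper` in 4.x supports restricting the classes it will deserialize (I believe it does), configuring that allow-list for the profile types stored here would add a second layer independent of the encryption.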
@@ -198,9 +199,9 @@ public boolean destroySession(WebContext arg0) } @Override - public Object getTrackableSession(WebContext arg0) + public Optional getTrackableSession(WebContext arg0) { - return null; + return Optional.empty(); } @Override diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java index 0349a98a7ccd..ca599ec2c920 100644 --- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java +++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java @@ -27,6 +27,7 @@ import org.pac4j.core.context.WebContext; import java.util.Collections; +import java.util.Objects; public class Pac4jSessionStoreTest { @@ -54,7 +55,6 @@ public void testSetAndGet() WebContext webContext2 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie)); EasyMock.replay(webContext2); - - Assert.assertEquals("value", sessionStore.get(webContext2, "key")); + Assert.assertEquals("value", Objects.requireNonNull(sessionStore.get(webContext2, "key")).orElse(null)); } } diff --git a/licenses.yaml b/licenses.yaml index b922b33bfdd0..dccd4c128faf 100644 --- a/licenses.yaml +++ b/licenses.yaml @@ -776,7 +776,7 @@ name: pac4j-oidc java security library license_category: binary module: extensions/druid-pac4j license_name: Apache License version 2.0 -version: 3.8.3 +version: 4.5.5 libraries: - org.pac4j: pac4j-oidc @@ -786,7 +786,7 @@ name: pac4j-core java security library license_category: binary module: extensions/druid-pac4j license_name: Apache License version 2.0 -version: 3.8.3 +version: 4.5.5 libraries: - org.pac4j: pac4j-core diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml index f9c3146e3588..84490d356183 100644 
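Review bot: In the test hunk `@@ -54`, `Objects.requireNonNull(sessionStore.get(webContext2, "key")).orElse(null)` guards against a null that `get` cannot return (it returns `Optional.ofNullable`) and then unwraps with `orElse(null)`, which makes an empty Optional indistinguishable from a stored null and weakens the assertion. Compare the Optional directly, `Assert.assertEquals(Optional.of("value"), sessionStore.get(webContext2, "key"));`, which needs `import java.util.Optional;` and makes the `Objects` import added in the same commit unnecessary.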
--- a/owasp-dependency-check-suppressions.xml +++ b/owasp-dependency-check-suppressions.xml @@ -330,14 +330,6 @@ CVE-2022-25647 - - - - CVE-2021-44878 - - Date: Mon, 11 Dec 2023 17:14:40 +0530 Subject: [PATCH 02/11] Fix licenses.yaml --- licenses.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/licenses.yaml b/licenses.yaml index dccd4c128faf..31be7145b96d 100644 --- a/licenses.yaml +++ b/licenses.yaml @@ -837,7 +837,7 @@ name: com.sun.mail javax.mail license_category: binary module: extensions/druid-pac4j license_name: CDDL 1.1 -version: 1.6.1 +version: 1.6.2 libraries: - com.sun.mail: javax.mail From 9286dc43e8e3de60301e7ac3470b671a1caf7ac2 Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Mon, 11 Dec 2023 22:09:56 +0530 Subject: [PATCH 03/11] Bump to version 4.5.7 --- extensions-core/druid-pac4j/pom.xml | 2 +- licenses.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/extensions-core/druid-pac4j/pom.xml b/extensions-core/druid-pac4j/pom.xml index 8e479124dc32..620a926d26a6 100644 --- a/extensions-core/druid-pac4j/pom.xml +++ b/extensions-core/druid-pac4j/pom.xml @@ -34,7 +34,7 @@ - 4.5.5 + 4.5.7 1.7 diff --git a/licenses.yaml b/licenses.yaml index 31be7145b96d..f49a4b7fc17b 100644 --- a/licenses.yaml +++ b/licenses.yaml @@ -776,7 +776,7 @@ name: pac4j-oidc java security library license_category: binary module: extensions/druid-pac4j license_name: Apache License version 2.0 -version: 4.5.5 +version: 4.5.7 libraries: - org.pac4j: pac4j-oidc @@ -786,7 +786,7 @@ name: pac4j-core java security library license_category: binary module: extensions/druid-pac4j license_name: Apache License version 2.0 -version: 4.5.5 +version: 4.5.7 libraries: - org.pac4j: pac4j-core From 7b87a5aa74595481b6fc1a534277be3bf76b6940 Mon Sep 17 00:00:00 2001 
From: Keerthana Srikanth Date: Tue, 12 Dec 2023 16:39:57 +0530 Subject: [PATCH 04/11] Add tests to improve coverage --- .../security/pac4j/Pac4jSessionStoreTest.java | 74 ++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java index ca599ec2c920..8fa5a6123b5b 100644 --- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java +++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java @@ -25,16 +25,21 @@ import org.junit.Test; import org.pac4j.core.context.Cookie; import org.pac4j.core.context.WebContext; +import org.pac4j.core.profile.CommonProfile; +import org.pac4j.core.profile.definition.CommonProfileDefinition; import java.util.Collections; +import java.util.HashMap; +import java.util.Map; import java.util.Objects; +import java.util.Optional; public class Pac4jSessionStoreTest { @Test public void testSetAndGet() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore("test-cookie-passphrase"); + Pac4jSessionStore sessionStore = new Pac4jSessionStore<>("test-cookie-passphrase"); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); 
@@ -57,4 +62,71 @@ public void testSetAndGet() EasyMock.replay(webContext2); Assert.assertEquals("value", Objects.requireNonNull(sessionStore.get(webContext2, "key")).orElse(null)); } + + @Test + public void testSetAndGetClearUserProfile() + { + Pac4jSessionStore sessionStore = new Pac4jSessionStore<>("test-cookie-passphrase"); + + WebContext webContext1 = EasyMock.mock(WebContext.class); + EasyMock.expect(webContext1.getScheme()).andReturn("https"); + Capture cookieCapture = EasyMock.newCapture(); + + webContext1.addResponseCookie(EasyMock.capture(cookieCapture)); + EasyMock.replay(webContext1); + + CommonProfile profile = new CommonProfile(); + profile.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name"); + sessionStore.set(webContext1, "pac4jUserProfiles", profile); + + Cookie cookie = cookieCapture.getValue(); + Assert.assertTrue(cookie.isSecure()); + Assert.assertTrue(cookie.isHttpOnly()); + Assert.assertTrue(cookie.isSecure()); + Assert.assertEquals(900, cookie.getMaxAge()); + + + WebContext webContext2 = EasyMock.mock(WebContext.class); + EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie)); + EasyMock.replay(webContext2); + Optional value = sessionStore.get(webContext2, "pac4jUserProfiles"); + Assert.assertTrue(Objects.requireNonNull(value).isPresent()); + Assert.assertEquals("name", ((CommonProfile) value.get()).getAttribute(CommonProfileDefinition.DISPLAY_NAME)); + } + + @Test + public void testSetAndGetClearUserMultipleProfile() + { + Pac4jSessionStore sessionStore = new Pac4jSessionStore<>("test-cookie-passphrase"); + + WebContext webContext1 = EasyMock.mock(WebContext.class); + EasyMock.expect(webContext1.getScheme()).andReturn("https"); + Capture cookieCapture = EasyMock.newCapture(); + + webContext1.addResponseCookie(EasyMock.capture(cookieCapture)); + EasyMock.replay(webContext1); + + CommonProfile profile1 = new CommonProfile(); + profile1.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name1"); + 
CommonProfile profile2 = new CommonProfile(); + profile2.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name2"); + Map profiles = new HashMap<>(); + profiles.put("profile1", profile1); + profiles.put("profile2", profile2); + sessionStore.set(webContext1, "pac4jUserProfiles", profiles); + + Cookie cookie = cookieCapture.getValue(); + Assert.assertTrue(cookie.isSecure()); + Assert.assertTrue(cookie.isHttpOnly()); + Assert.assertTrue(cookie.isSecure()); + Assert.assertEquals(900, cookie.getMaxAge()); + + + WebContext webContext2 = EasyMock.mock(WebContext.class); + EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie)); + EasyMock.replay(webContext2); + Optional value = sessionStore.get(webContext2, "pac4jUserProfiles"); + Assert.assertTrue(Objects.requireNonNull(value).isPresent()); + Assert.assertEquals(2, ((Map) value.get()).size()); + } } From 59f4af054f3013c31bbdba78d217f80bed835dcd Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Tue, 12 Dec 2023 22:11:01 +0530 Subject: [PATCH 05/11] Remove passphrase --- .../apache/druid/security/pac4j/Pac4jSessionStoreTest.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java index 8fa5a6123b5b..fc80bb37aea9 100644 --- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java +++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java 
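Review bot: `testSetAndGetClearUserProfile` and `testSetAndGetClearUserMultipleProfile` never check that anything was cleared: each stores only `DISPLAY_NAME` and reads it back, so both would pass even if `removeLoginData()` were never called, and each asserts `Assert.assertTrue(cookie.isSecure())` twice while `isHttpOnly` is asserted once. Add a login attribute before `set`, e.g. `profile.addAttribute(Pac4jConstants.PASSWORD, "secret")` (`Pac4jConstants` is the `org.pac4j.core.util` class the main source imports in patch 01), and after the round trip assert `Assert.assertNull(((CommonProfile) value.get()).getAttribute(Pac4jConstants.PASSWORD));`, on the understanding, which I recall but cannot confirm from this page, that `removeLoginData()` drops that attribute; the multi-profile test should do the same for both entries of the map. Drop the duplicated `isSecure` assertion in both tests. The hunk starts at line 57 of the test file and runs to the end of the class.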
@@ -39,7 +39,7 @@ public class Pac4jSessionStoreTest @Test public void testSetAndGet() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore<>("test-cookie-passphrase"); + Pac4jSessionStore sessionStore = new Pac4jSessionStore<>(""); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); @@ -66,7 +66,7 @@ public void testSetAndGet() @Test public void testSetAndGetClearUserProfile() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore<>("test-cookie-passphrase"); + Pac4jSessionStore sessionStore = new Pac4jSessionStore<>(""); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); @@ -97,7 +97,7 @@ public void testSetAndGetClearUserProfile() @Test public void testSetAndGetClearUserMultipleProfile() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore<>("test-cookie-passphrase"); + Pac4jSessionStore sessionStore = new Pac4jSessionStore<>(""); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); From 8c6f4f9ae36bcab255651ed46e1d74834d1be98f Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Tue, 12 Dec 2023 22:23:28 +0530 Subject: [PATCH 06/11] Fix tests --- .../apache/druid/security/pac4j/Pac4jSessionStoreTest.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java index fc80bb37aea9..d7d87ccf6f51 100644 --- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java +++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java 
@@ -39,7 +39,7 @@ public class Pac4jSessionStoreTest @Test public void testSetAndGet() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore<>(""); + Pac4jSessionStore sessionStore = new Pac4jSessionStore("test-cookie-passphrase"); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); @@ -66,7 +66,7 @@ public void testSetAndGet() @Test public void testSetAndGetClearUserProfile() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore<>(""); + Pac4jSessionStore sessionStore = new Pac4jSessionStore("test-cookie-passphrase"); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); @@ -97,7 +97,7 @@ public void testSetAndGetClearUserProfile() @Test public void testSetAndGetClearUserMultipleProfile() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore<>(""); + Pac4jSessionStore sessionStore = new Pac4jSessionStore("test-cookie-passphrase"); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); From 285bbccf4003da48983ff6a95d35f3d36640a2d6 Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Tue, 12 Dec 2023 23:16:11 +0530 Subject: [PATCH 07/11] Create constant for passphrase --- .../apache/druid/security/pac4j/Pac4jSessionStoreTest.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java index d7d87ccf6f51..6bf3104a3650 100644 --- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java +++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java 
@@ -36,10 +36,11 @@ public class Pac4jSessionStoreTest { + private static final String COOKIE_PASSPHRASE = "test-cookie-passphrase"; @Test public void testSetAndGet() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore("test-cookie-passphrase"); + Pac4jSessionStore sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); @@ -66,7 +67,7 @@ public void testSetAndGet() @Test public void testSetAndGetClearUserProfile() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore("test-cookie-passphrase"); + Pac4jSessionStore sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); @@ -97,7 +98,7 @@ public void testSetAndGetClearUserProfile() @Test public void testSetAndGetClearUserMultipleProfile() { - Pac4jSessionStore sessionStore = new Pac4jSessionStore("test-cookie-passphrase"); + Pac4jSessionStore sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE); WebContext webContext1 = EasyMock.mock(WebContext.class); EasyMock.expect(webContext1.getScheme()).andReturn("https"); From afe180e5e40cf61332ba6959af62d4610992ae8e Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Tue, 12 Dec 2023 23:20:37 +0530 Subject: [PATCH 08/11] Formatting --- .../org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java | 1 + 1 file changed, 1 insertion(+) diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java index 6bf3104a3650..c5f5c0a7d692 100644 --- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java +++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java 
@@ -37,6 +37,7 @@ public class Pac4jSessionStoreTest { private static final String COOKIE_PASSPHRASE = "test-cookie-passphrase"; + @Test public void testSetAndGet() { From d5ea7ffc85503b76afb3769ae3732fcb60e93840 Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Wed, 13 Dec 2023 09:34:28 +0530 Subject: [PATCH 09/11] Add CVE suppression --- .../org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java index c5f5c0a7d692..772bef7ef6c3 100644 --- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java +++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java @@ -37,7 +37,7 @@ public class Pac4jSessionStoreTest { private static final String COOKIE_PASSPHRASE = "test-cookie-passphrase"; - + @Test public void testSetAndGet() { From 8eae70b462a963ea418c34ab1051321d28135822 Mon Sep 17 00:00:00 2001 From: Keerthana Srikanth Date: Wed, 13 Dec 2023 09:37:04 +0530 Subject: [PATCH 10/11] Add CVE suppression --- owasp-dependency-check-suppressions.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml index 84490d356183..b72558acc69b 100644 --- a/owasp-dependency-check-suppressions.xml +++ b/owasp-dependency-check-suppressions.xml @@ -330,6 +330,16 @@ CVE-2022-25647 + + + + + + CVE-2021-44878 + + Date: Wed, 13 Dec 2023 12:36:31 +0530 Subject: [PATCH 11/11] Update comment --- owasp-dependency-check-suppressions.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml index b72558acc69b..f533fc8b13b4 100644 
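Review bot: The suppression added in the `owasp-dependency-check-suppressions.xml` hunk re-suppresses CVE-2021-44878, the same id that patch 01 removed from this file on the grounds that the upgrade to pac4j 4.5.x fixes it, so the scanner is evidently still matching something after the bump to 4.5.7. The suppression's element text is not legible in this rendering, so I cannot tell whether it is scoped with a `packageUrl` to the specific artifact and version still flagged or suppresses the CVE for every dependency; it should be the former. If the `notes` text (revised again in patch 11) does not already name the artifact that still matches and say why that match is a false positive after 4.5.7, it should, so the next person auditing this file can re-verify the claim rather than inherit it.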
--- a/owasp-dependency-check-suppressions.xml +++ b/owasp-dependency-check-suppressions.xml @@ -332,8 +332,8 @@ - - + +