From 7cfa19c55a828bf8f6e8f0a6fdd92fa2815b68e1 Mon Sep 17 00:00:00 2001 From: "vaughn.zhang" Date: Fri, 19 Jan 2024 13:49:58 +0800 Subject: [PATCH 1/4] fix: security bug --- hugegraph-server/hugegraph-api/pom.xml | 6 ++++++ .../hugegraph/api/filter/AuthenticationFilter.java | 11 ++++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml index 459a22e0ea..bcfbdbc34c 100644 --- a/hugegraph-server/hugegraph-api/pom.xml +++ b/hugegraph-server/hugegraph-api/pom.xml @@ -164,6 +164,12 @@ arthas-packaging ${arthas.version} + + org.gridkit.jvmtool + sjk-core + 0.14 + compile + diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index d3da3af6d0..4bb1a047d6 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -41,6 +41,7 @@ import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException; import org.glassfish.grizzly.http.server.Request; import org.glassfish.grizzly.utils.Charsets; +import org.gridkit.jvmtool.cmd.AntPathMatcher; import org.slf4j.Logger; import com.alipay.remoting.util.StringUtils; @@ -71,10 +72,11 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Logger LOG = Log.logger(AuthenticationFilter.class); private static final List WHITE_API_LIST = ImmutableList.of( - "auth/login", - "versions", - "openapi.json" + "**/auth/login", + "**/versions", + "**/openapi.json" ); + private static final AntPathMatcher MATCHER = new AntPathMatcher(); private static String whiteIpStatus; 
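Review bot: sjk-core is added at compile scope solely to obtain one path-matching class, `org.gridkit.jvmtool.cmd.AntPathMatcher`, for the authentication filter; judging by the artifact names (groupId `org.gridkit.jvmtool`, and `sjk-agent`, `sjk-jfr*`, `sjk-hflame`, `sjk-nps` in the later dependency listing) this is a JVM diagnostics toolkit being pulled onto the API server's runtime classpath to perform an allow-list check. The known-dependencies listing in the third patch shows the cost: sjk-core, sjk-cli, sjk-json and sjk-stacktrace now appear at both 0.14 and 0.22, alongside six further sjk jars, which is extra attack surface and licence/CVE tracking for a matcher that is a few dozen lines of logic. A small in-tree matcher, or a glob utility already on the classpath, would keep the security-critical allow-list free of this dependency; if sjk-core must stay, pin a single version through dependencyManagement so two copies of the same class cannot both be resolvable. The dependency element's XML tags are not visible in this rendering, so the exact coordinates are read from the surviving text.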
@@ -314,9 +316,8 @@ public boolean equals(Object obj) { public static boolean isWhiteAPI(ContainerRequestContext context) { String path = context.getUriInfo().getPath(); - for (String whiteApi : WHITE_API_LIST) { - if (path.endsWith(whiteApi)) { + if (MATCHER.match(whiteApi, path)) { return true; } } From 555f35c62f083a4354f1df1aaad4706c48815c35 Mon Sep 17 00:00:00 2001 From: "vaughn.zhang" Date: Fri, 19 Jan 2024 14:52:17 +0800 Subject: [PATCH 2/4] improve --- hugegraph-server/hugegraph-api/pom.xml | 2 +- .../apache/hugegraph/api/filter/AuthenticationFilter.java | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml index bcfbdbc34c..c2cfd807e1 100644 --- a/hugegraph-server/hugegraph-api/pom.xml +++ b/hugegraph-server/hugegraph-api/pom.xml @@ -167,7 +167,7 @@ org.gridkit.jvmtool sjk-core - 0.14 + 0.22 compile diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java index 4bb1a047d6..8f1e486915 100644 --- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java +++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java @@ -72,9 +72,9 @@ public class AuthenticationFilter implements ContainerRequestFilter { private static final Logger LOG = Log.logger(AuthenticationFilter.class); private static final List WHITE_API_LIST = ImmutableList.of( - "**/auth/login", - "**/versions", - "**/openapi.json" + "graphs/*/auth/login", + "versions", + "openapi.json" ); private static final AntPathMatcher MATCHER = new AntPathMatcher(); From 14f198343d221528e102e0e0e792587257def35e Mon Sep 17 00:00:00 2001 
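Review bot: isWhiteAPI switches from a suffix check to a full Ant-pattern match, but nothing records that contract, and the method is public static, so any other caller that relied on the old suffix semantics changes behaviour silently. Add a Javadoc stating that each WHITE_API_LIST entry is matched against the whole path returned by `context.getUriInfo().getPath()` and that a match is a deliberate authentication exemption, e.g. `/** Returns true iff the request path matches a WHITE_API_LIST pattern in full (Ant syntax); a match skips authentication, so patterns must never be mere suffixes. */`. Whether `getPath()` here yields the decoded, dot-segment-normalised path is not visible in the hunk and is worth confirming, since the matcher compares it verbatim. The method's `return false` tail lies outside the hunk.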
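Review bot: The tightened patterns (`graphs/*/auth/login`, `versions`, `openapi.json`) are now the entire authentication exemption, yet the list carries no comment explaining why they are anchored and why `**` must not reappear — the previous `**/auth/login` form still matched any path ending in `/auth/login`, which appears to be the suffix weakness the first patch set out to remove. Add above the list: `// Unauthenticated endpoints. Patterns are matched against the full request path; never use a leading "**/" (or any suffix form), since that would let arbitrary paths ending in these names bypass auth.` A small unit test asserting that `graphs/g/auth/login` matches while the same name under additional leading segments does not would pin this regression permanently. The class body continues outside the hunk.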
From: imbajin Date: Fri, 8 Mar 2024 16:56:13 +0800 Subject: [PATCH 3/4] enhance PR template & enhance dep --- .github/PULL_REQUEST_TEMPLATE.md | 5 +++-- .github/workflows/ci.yml | 1 + .../scripts/dependency/known-dependencies.txt | 22 ++++++++++++++----- .../regenerate_known_dependencies.sh | 4 ++-- 4 files changed, 22 insertions(+), 10 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 356c8341d9..c03986f530 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -51,11 +51,12 @@ For example: -- [ ] Nope -- [ ] Dependencies (add/update license info) +- [ ] Dependencies ([add/update license](https://hugegraph.apache.org/docs/contribution-guidelines/contribute/#321-check-licenses) info & [regenerate_known_dependencies.sh](../hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh)) - [ ] Modify configurations - [ ] The public API - [ ] Other affects (typed here) +- [ ] Nope + ## Documentation Status diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d439c31337..e1130bdc4f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,7 @@ on: jobs: build: + # TODO: we need test & replace it to ubuntu-24.04 or ubuntu-latest runs-on: ubuntu-20.04 env: USE_STAGE: 'false' # Whether to include the stage repository. diff --git a/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt b/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt index 92e406a122..c1319ffea8 100644 --- a/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt +++ b/hugegraph-server/hugegraph-dist/scripts/dependency/known-dependencies.txt 
@@ -1,8 +1,10 @@
+HdrHistogram-2.1.9.jar
+ST4-4.0.8.jar
 accessors-smart-1.2.jar
 airline-0.8.jar
 animal-sniffer-annotations-1.19.jar
-annotations-4.1.1.4.jar
 annotations-13.0.jar
+annotations-4.1.1.4.jar
 ansj_seg-5.1.6.jar
 antlr-runtime-3.5.2.jar
 aopalliance-repackaged-3.0.1.jar
@@ -100,7 +102,6 @@ hamcrest-2.2.jar
 hamcrest-core-1.3.jar
 hanlp-portable-1.8.3.jar
 hbase-shaded-endpoint-2.0.6.jar
-HdrHistogram-2.1.9.jar
 hessian-3.3.6.jar
 high-scale-lib-1.0.6.jar
 hk2-api-3.0.1.jar
@@ -172,8 +173,8 @@ jersey-media-json-jackson-3.0.3.jar
 jersey-server-3.0.3.jar
 jersey-test-framework-core-3.0.3.jar
 jersey-test-framework-provider-grizzly2-3.0.3.jar
-jffi-1.2.16.jar
 jffi-1.2.16-native.jar
+jffi-1.2.16.jar
 jflex-1.8.2.jar
 jieba-analysis-1.0.2.jar
 jjwt-api-0.11.5.jar
@@ -253,21 +254,31 @@ parser-9.0-9.0.20190305.jar
 perfmark-api-0.25.0.jar
 picocli-4.3.2.jar
 postgresql-42.4.3.jar
-protobuf-java-3.21.7.jar
 proto-google-common-protos-1.17.0.jar
+protobuf-java-3.21.7.jar
 psjava-0.1.19.jar
-reporter-config3-3.0.3.jar
 reporter-config-base-3.0.3.jar
+reporter-config3-3.0.3.jar
 rewriting-9.0-9.0.20190305.jar
 rocksdbjni-7.2.2.jar
 scala-java8-compat_2.12-0.8.0.jar
 scala-library-2.12.7.jar
 scala-reflect-2.12.7.jar
 sigar-1.6.4.jar
+sjk-agent-0.22.jar
 sjk-cli-0.14.jar
+sjk-cli-0.22.jar
 sjk-core-0.14.jar
+sjk-core-0.22.jar
+sjk-hflame-0.22.jar
+sjk-jfr-standalone-0.7.jar
+sjk-jfr5-0.5.jar
+sjk-jfr6-0.7.jar
 sjk-json-0.14.jar
+sjk-json-0.22.jar
+sjk-nps-0.9.jar
 sjk-stacktrace-0.14.jar
+sjk-stacktrace-0.22.jar
 slf4j-api-1.7.25.jar
 snakeyaml-1.26.jar
 snakeyaml-1.27.jar
@@ -277,7 +288,6 @@ snowball-stemmer-1.3.0.581.1.jar
 sofa-common-tools-1.0.12.jar
 sofa-rpc-all-5.7.6.jar
 sourcecode_2.12-0.1.4.jar
-ST4-4.0.8.jar
 stream-2.5.2.jar
 swagger-annotations-1.5.18.jar
 swagger-annotations-jakarta-2.2.18.jar
diff --git a/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh b/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh index b555bd6470..64bb5718fa 100644 --- a/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh +++ b/hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh @@ -16,7 +16,7 @@ # limitations under the License. # -BASE_PATH=$(cd $(dirname $0); pwd) +BASE_PATH=$(cd "$(dirname $0)" || exit; pwd) DEP_PATH=$BASE_PATH/all_dependencies FILE_NAME=${1:-known-dependencies.txt} @@ -25,7 +25,7 @@ if [[ -d $DEP_PATH ]];then rm -r -f $DEP_PATH fi -cd $BASE_PATH/../../../ +cd "$BASE_PATH"/../../../ || exit mvn dependency:copy-dependencies -DincludeScope=runtime -DoutputDirectory=$DEP_PATH From 7fb1a00f15d6d17dbdf3d6641bd2cb66c810ba4f Mon Sep 17 00:00:00 2001 From: imbajin Date: Fri, 8 Mar 2024 16:58:36 +0800 Subject: [PATCH 4/4] Update PULL_REQUEST_TEMPLATE.md --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index c03986f530..c71e5e4a6a 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -51,7 +51,7 @@ For example: -- [ ] Dependencies ([add/update license](https://hugegraph.apache.org/docs/contribution-guidelines/contribute/#321-check-licenses) info & [regenerate_known_dependencies.sh](../hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh)) +- [ ] Dependencies ([add/update license](https://hugegraph.apache.org/docs/contribution-guidelines/contribute/#321-check-licenses) info & [regenerate_dependencies](../hugegraph-server/hugegraph-dist/scripts/dependency/regenerate_known_dependencies.sh)) - [ ] Modify configurations - [ ] The public API - [ ] Other affects (typed here)
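Review bot: `BASE_PATH=$(cd "$(dirname $0)" || exit; pwd)` in the first hunk does not guard anything: the `exit` runs inside the command substitution's subshell, so on a failed cd only the substitution ends, BASE_PATH becomes empty and the script carries on — DEP_PATH then resolves to `/all_dependencies` (which the unchanged `rm -r -f $DEP_PATH` would delete if it existed), and the second hunk's `cd "$BASE_PATH"/../../../ || exit` succeeds at the filesystem root, so mvn runs from `/`. Move the failure check outside the substitution and quote `$0`: `BASE_PATH=$(cd "$(dirname "$0")" && pwd) || exit 1`. The `rm -r -f $DEP_PATH` and `-DoutputDirectory=$DEP_PATH` context lines remain unquoted as well; quoting them is cheap and avoids word-splitting surprises on paths containing spaces.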