Merge pull request #32 from granadacoder/feature/version-uplift-and-c…

…ode-chgs-2024-oct-a

Version uplifts for vulnerabilities. Fix for :no longer exists : org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload.

pom.xml

@@ -151,7 +151,7 @@
 		<dependency>
 			<groupId>commons-io</groupId>
 			<artifactId>commons-io</artifactId>
-			<version>2.14.0</version>
+			<version>2.17.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.jcraft</groupId>
@@ -167,7 +167,7 @@
 		<dependency>
 			<groupId>com.auth0</groupId>
 			<artifactId>java-jwt</artifactId>
-            <version>4.2.1</version>
+            <version>4.4.0</version>
 		</dependency>
 
 		<dependency>
@@ -246,17 +246,25 @@
 		<dependency>
 			<groupId>org.apache.tomcat.embed</groupId>
 			<artifactId>tomcat-embed-core</artifactId>
-			<version>9.0.90</version>
+			<version>9.0.95</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.apache.tomcat</groupId>
 			<artifactId>tomcat-jdbc</artifactId>
-			<version>9.0.71</version>
+			<version>9.0.95</version>
 		</dependency>
 
 
-		<!-- API, java.xml.bind module. Required for modern versions of MS SQL Server Drivers -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-fileupload2-javax</artifactId>
+            <version>2.0.0-M2</version>
+        </dependency>
+
+
+
+        <!-- API, java.xml.bind module. Required for modern versions of MS SQL Server Drivers -->
 		<dependency>
 		    <groupId>jakarta.xml.bind</groupId>
 		    <artifactId>jakarta.xml.bind-api</artifactId>

src/main/java/org/kawanfw/sql/api/server/blob/DefaultBlobUploadConfigurator.java

@@ -11,6 +11,19 @@
  */
 package org.kawanfw.sql.api.server.blob;
 
+//see https://commons.apache.org/proper/commons-fileupload/migration.html and https://stackoverflow.com/a/79047694
+import org.apache.commons.fileupload2.core.DiskFileItemFactory;
+import org.apache.commons.fileupload2.core.FileItemInput;
+import org.apache.commons.fileupload2.core.FileItemInputIterator;
+import org.apache.commons.fileupload2.javax.JavaxServletFileUpload;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.SystemUtils;
+import org.kawanfw.sql.util.FrameworkDebug;
+import org.kawanfw.sql.util.FrameworkFileUtil;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -21,20 +34,6 @@
 import java.nio.file.StandardCopyOption;
 import java.util.Date;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.commons.lang3.SystemUtils;
-import org.apache.tomcat.util.http.fileupload.FileItemIterator;
-import org.apache.tomcat.util.http.fileupload.FileItemStream;
-import org.apache.tomcat.util.http.fileupload.FileUploadException;
-import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory;
-import org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload;
-import org.apache.tomcat.util.http.fileupload.util.Streams;
-import org.kawanfw.sql.util.FrameworkDebug;
-import org.kawanfw.sql.util.FrameworkFileUtil;
-
 /**
  *
  * Class that allows uploading Blob/Clobs. Default implementation. <br>
@@ -57,15 +56,15 @@ public class DefaultBlobUploadConfigurator implements BlobUploadConfigurator {
      */
     @Override
     public void upload(HttpServletRequest request, HttpServletResponse response, File blobDirectory, long maxBlobLength)
-	    throws IOException, FileUploadException {
+	    throws IOException {
 
 	debug("in upload()");
 
 	response.setContentType("text/html");
 	// Prepare the response
 
 	// Check that we have a file upload request
-	boolean isMultipart = ServletFileUpload.isMultipartContent(request);
+	boolean isMultipart = JavaxServletFileUpload.isMultipartContent(request);
 	debug("isMultipart: " + isMultipart);
 
 	if (!isMultipart) {
@@ -78,12 +77,14 @@ public void upload(HttpServletRequest request, HttpServletResponse response, Fil
 	debug("tempRepository: " + tempRepository);
 
 	// Create a factory for disk-based file items
-	DiskFileItemFactory factory = new DiskFileItemFactory();
-	factory.setRepository(tempRepository);
+	//DiskFileItemFactory factory = new DiskFileItemFactory();
+	//factory.setRepository(tempRepository);
+	DiskFileItemFactory factory =
+			new DiskFileItemFactory.Builder().setPath(tempRepository.getPath()).get();
 
 	// Create a new file upload handler using the factory
 	// that define the secure temp dir
-	ServletFileUpload upload = new ServletFileUpload(factory);
+	JavaxServletFileUpload upload = new JavaxServletFileUpload(factory);
 
 	debug("maxBlobLength: " + maxBlobLength);
 	if (DEBUG) {
@@ -99,22 +100,22 @@ public void upload(HttpServletRequest request, HttpServletResponse response, Fil
 	}
 
 	// Parse the request
-	FileItemIterator iter = upload.getItemIterator(request);
+	FileItemInputIterator iter = upload.getItemIterator(request);
 
 	String blobId = null;
 	// Parse the request
 	while (iter.hasNext()) {
-	    FileItemStream item = iter.next();
+	    FileItemInput item = iter.next();
 	    String name = item.getFieldName();
 	    debug("name: " + name);
 
 	    // The input Stream for the File
 
-	    try (InputStream inputstream = item.openStream()) {
+	    try (InputStream inputstream = item.getInputStream()) {
 
 		if (item.isFormField()) {
 		    if (name.equals("blob_id")) {
-			blobId = Streams.asString(inputstream);
+			blobId = IOUtils.toString(inputstream, StandardCharsets.UTF_8);
 			debug("blob_id: " + blobId);
 		    }
 		} else {

src/main/java/org/kawanfw/sql/servlet/ServerSqlDispatch.java

@@ -11,22 +11,9 @@
  */
 package org.kawanfw.sql.servlet;
 
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.sql.Connection;
-import java.sql.DatabaseMetaData;
-import java.sql.SQLException;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.Set;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
+//see https://commons.apache.org/proper/commons-fileupload/migration.html and https://stackoverflow.com/a/79047694
+import org.apache.commons.fileupload2.javax.JavaxServletFileUpload;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.apache.tomcat.util.http.fileupload.FileUploadException;
-import org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload;
 import org.kawanfw.sql.api.server.DatabaseConfigurator;
 import org.kawanfw.sql.api.server.firewall.SqlFirewallManager;
 import org.kawanfw.sql.metadata.dto.DatabaseInfoDto;
@@ -51,6 +38,18 @@
 import org.kawanfw.sql.util.FrameworkDebug;
 import org.kawanfw.sql.version.VersionWrapper;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.sql.Connection;
+import java.sql.DatabaseMetaData;
+import java.sql.SQLException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Set;
+
 /**
  * @author Nicolas de Pomereu
  *
@@ -74,10 +73,9 @@ public class ServerSqlDispatch {
      * @param out
      * @throws IOException         if any IOException occurs
      * @throws SQLException
-     * @throws FileUploadException
      */
     public void executeRequestInTryCatch(HttpServletRequest request, HttpServletResponse response, OutputStream out)
-	    throws IOException, SQLException, FileUploadException {
+	    throws IOException, SQLException {
 
 	if (doBlobUpload(request, response, out)) {
 	    return;
@@ -517,15 +515,14 @@ private void treatCloseAction(HttpServletResponse response, OutputStream out, St
      * @param response
      * @param out    
      * @throws IOException
-     * @throws FileUploadException
      * @throws SQLException
      */
     private boolean doBlobUpload(HttpServletRequest request, HttpServletResponse response, OutputStream out)
-	    throws IOException, FileUploadException, SQLException {
+	    throws IOException, SQLException {
 	// Immediate catch if we are asking a file upload, because
 	// parameters are in unknown sequence.
 	// We know it's a upload action if it's mime Multipart
-	if (ServletFileUpload.isMultipartContent(request)) {
+	if (JavaxServletFileUpload.isMultipartContent(request)) {
 	    BlobUploader blobUploader = new BlobUploader(request, response, out);
 	    blobUploader.blobUpload();
 	    return true;