Merge pull request #1741 from AOT-Technologies/vulnerability-5.2.1

Vulnerability 5.2.1

VERSION

@@ -1 +1 @@
-v5.2.1
+v5.2.2

forms-flow-api/Dockerfile

@@ -1,5 +1,5 @@
 #Author: Kurian Benoy
-FROM python:3.9-slim-buster
+FROM python:3.10.13-slim-bullseye
 
 # set label for image
 LABEL Name="formsflow"

forms-flow-bpm/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<groupId>org.camunda.bpm.extension</groupId>
@@ -22,14 +22,16 @@
 		<failOnMissingWebXml>false</failOnMissingWebXml>
 
 		<!-- versions -->
-		<version.camundaKeycloak>7.18.0</version.camundaKeycloak>
-		<version.camunda>7.18.0</version.camunda><!-- 7.17.0 - 7.18.0 -->
+		<version.camundaKeycloak>7.20.0</version.camundaKeycloak>
+		<version.camunda>7.20.0</version.camunda><!-- 7.17.0 - 7.18.0 -->
 		<version.camundaConnect>1.5.4</version.camundaConnect><!-- 1.5.4 -->
 		<version.camundaMail>1.5.0</version.camundaMail><!-- 1.5.0 -->
-		<version.springBoot>2.7.12</version.springBoot><!-- 2.6.6 - 2.7.12 -->
-		<version.springSecurityOauth2>2.6.7</version.springSecurityOauth2><!--
+		<version.springBoot>3.1.5</version.springBoot><!-- 2.6.6 - 2.7.12 -->
+		<version.springSecurityOauth2>2.6.8</version.springSecurityOauth2><!--
 			2.6.6 - 2.6.7 -->
 		<version.jackson>2.15.0</version.jackson>
+		<version.commonsFileUpload>1.5</version.commonsFileUpload>
+		<version.snakeyaml>2.0</version.snakeyaml>
 	</properties>
 
 	<dependencyManagement>
@@ -55,10 +57,19 @@
 				<version>${version.camundaKeycloak}</version>
 				<scope>provided</scope>
 			</dependency>
+
+
 		</dependencies>
 	</dependencyManagement>
 
 	<dependencies>
+		<!-- https://mvnrepository.com/artifact/org.yaml/snakeyaml -->
+		<dependency>
+			<groupId>org.yaml</groupId>
+			<artifactId>snakeyaml</artifactId>
+			<version>2.2</version>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-webflux</artifactId>
@@ -70,6 +81,7 @@
 			<version>${version.camunda}</version>
 		</dependency>
 
+
 		<dependency>
 			<groupId>org.camunda.bpm.springboot</groupId>
 			<artifactId>camunda-bpm-spring-boot-starter-rest</artifactId>
@@ -146,6 +158,14 @@
 			<groupId>org.camunda.bpm</groupId>
 			<artifactId>camunda-engine-plugin-connect</artifactId>
 		</dependency>
+		<!--
+		https://mvnrepository.com/artifact/org.camunda.bpm/camunda-engine-rest -->
+		<dependency>
+			<groupId>org.camunda.bpm</groupId>
+			<artifactId>camunda-engine-rest-core</artifactId>
+			<version>7.20.0</version>
+		</dependency>
+
 
 		<dependency>
 			<groupId>com.sun.mail</groupId>
@@ -156,7 +176,7 @@
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
-			<version>1.7.29</version>
+			<version>2.0.6</version>
 		</dependency>
 
 		<!-- Freemarker Template -->
@@ -167,9 +187,9 @@
 		</dependency>
 
 		<dependency>
-			<groupId>org.camunda.template-engines</groupId>
-			<artifactId>camunda-template-engines-velocity</artifactId>
-			<version>2.1.0</version>
+			<groupId>org.camunda.community.template.engine</groupId>
+			<artifactId>camunda-7-template-engine-velocity</artifactId>
+			<version>2.2.0</version>
 		</dependency>
 
 		<!-- Database -->
@@ -227,19 +247,19 @@
 			<scope>test</scope>
 		</dependency>
 
-		<!-- java util logging => slf4j -->
+<!--		 java util logging => slf4j-->
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>jul-to-slf4j</artifactId>
 			<scope>test</scope>
 		</dependency>
 
-		<!-- Add your own dependencies here, if in compile scope, they are added 
+		<!-- Add your own dependencies here, if in compile scope, they are added
 			to the jar -->
 		<dependency>
 			<groupId>org.codehaus.groovy</groupId>
 			<artifactId>groovy-all</artifactId>
-			<version>3.0.17</version>
+			<version>3.0.19</version>
 			<type>pom</type>
 		</dependency>
 
@@ -252,25 +272,21 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>${version.jackson}</version>
 		</dependency>
 
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-core</artifactId>
-			<version>${version.jackson}</version>
 		</dependency>
 
 		<dependency>
 			<groupId>com.fasterxml.jackson.dataformat</groupId>
 			<artifactId>jackson-dataformat-xml</artifactId>
-			<version>${version.jackson}</version>
 		</dependency>
 
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-annotations</artifactId>
-			<version>${version.jackson}</version>
 		</dependency>
 
 		<dependency>
@@ -287,27 +303,27 @@
 		<dependency>
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-websocket</artifactId>
-			<version>5.3.20</version>
+			<version>6.0.11</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-messaging</artifactId>
-			<version>5.3.20</version>
+			<version>6.0.11</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.graalvm.js</groupId>
 			<artifactId>js-scriptengine</artifactId>
-			<version>22.3.2</version>
+			<version>22.3.3</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.graalvm.js</groupId>
 			<artifactId>js</artifactId>
-			<version>22.3.2</version>
+			<version>22.3.3</version>
 		</dependency>
-		
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-jersey</artifactId>
@@ -319,6 +335,13 @@
 			<artifactId>spring-boot-starter-data-redis-reactive</artifactId>
 		</dependency>
 
+		<!-- Adding common file upload -->
+		<dependency>
+			<groupId>commons-fileupload</groupId>
+			<artifactId>commons-fileupload</artifactId>
+			<version>${version.commonsFileUpload}</version>
+		</dependency>
+
 	</dependencies>
 
 	<repositories>
@@ -330,7 +353,8 @@
 		<repository>
 			<id>camunda-bpm-nexus-snapshot</id>
 			<name>Camunda Maven Repository</name>
-			<url>https://app.camunda.com/nexus/repository/camunda-bpm-community-extensions-snapshots</url>
+			<url>
+				https://app.camunda.com/nexus/repository/camunda-bpm-community-extensions-snapshots</url>
 		</repository>
 
 	</repositories>
@@ -352,31 +376,55 @@
 					<excludes>
 						<exclude>org/camunda/bpm/extension/keycloak/sso/*.class</exclude>
 						<exclude>org/camunda/bpm/extension/keycloak/rest/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/keycloak/rest/oauth2client/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/keycloak/plugin/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/controllers/mapper/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/controllers/data/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/listeners/data/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/services/IUser.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/delegates/data/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/io/socket/message/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/io/socket/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/connector/auth/FormioConfiguration.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/connector/auth/FormioContext.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/connector/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/CamundaApplication.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/exceptions/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/keycloak/rest/oauth2client/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/keycloak/plugin/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/controllers/mapper/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/controllers/data/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/listeners/data/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/services/IUser.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/delegates/data/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/io/socket/message/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/io/socket/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/connector/auth/FormioConfiguration.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/connector/auth/FormioContext.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/connector/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/CamundaApplication.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/exceptions/*.class</exclude>
 						<exclude>org/camunda/bpm/extension/commons/utils/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/controllers/mapper/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/exceptions/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/listeners/execution/FormAccessTokenCacheListener.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/rest/exception/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/exceptions/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/commons/config/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/rest/constant/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/services/IMessageEvent.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/rest/dto/*.class</exclude>
-						<exclude>org/camunda/bpm/extension/hooks/rest/impl/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/controllers/mapper/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/exceptions/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/listeners/execution/FormAccessTokenCacheListener.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/rest/exception/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/exceptions/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/commons/config/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/rest/constant/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/services/IMessageEvent.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/rest/dto/*.class</exclude>
+						<exclude>
+							org/camunda/bpm/extension/hooks/rest/impl/*.class</exclude>
 					</excludes>
 				</configuration>
 				<executions>

forms-flow-bpm/src/main/java/org/camunda/bpm/extension/commons/config/AppConfig.java

@@ -7,7 +7,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
-import javax.annotation.PostConstruct;
+import jakarta.annotation.PostConstruct;
 
 /**
  * AppConfig

forms-flow-bpm/src/main/java/org/camunda/bpm/extension/commons/config/FormsFlowJerseyResourceConfig.java

@@ -8,7 +8,7 @@
 import org.glassfish.jersey.jackson.JacksonFeature;
 import org.springframework.stereotype.Component;
 
-import javax.ws.rs.ApplicationPath;
+import jakarta.ws.rs.ApplicationPath;
 
 /**
  * Extension to camunda Jersey resources

forms-flow-bpm/src/main/java/org/camunda/bpm/extension/commons/connector/FormioTokenServiceProvider.java

@@ -9,8 +9,8 @@
 import org.springframework.stereotype.Service;
 import org.springframework.web.reactive.function.client.WebClient;
 
-import javax.annotation.PostConstruct;
-import javax.annotation.Resource;
+import jakarta.annotation.PostConstruct;
+import jakarta.annotation.Resource;
 import java.util.Properties;
 
 

forms-flow-bpm/src/main/java/org/camunda/bpm/extension/commons/connector/HTTPServiceInvoker.java

@@ -9,7 +9,7 @@
 import org.springframework.http.*;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.Resource;
+import jakarta.annotation.Resource;
 import java.io.IOException;
 import java.util.Map;
 import java.util.Properties;

forms-flow-bpm/src/main/java/org/camunda/bpm/extension/commons/connector/support/ApplicationAccessHandler.java

@@ -47,7 +47,8 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, String pay
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body(Mono.just(payload), String.class)
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                    clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(String.class)
                 .block();
 
@@ -71,7 +72,8 @@ public ResponseEntity<IResponse> exchange(String url, HttpMethod method, IReques
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body((payload == null?BodyInserters.empty():BodyInserters.fromValue(payload)))
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                    clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(responseClazz)
                 .block();
         return new ResponseEntity<>(response.getBody(), response.getStatusCode());

forms-flow-bpm/src/main/java/org/camunda/bpm/extension/commons/connector/support/BPMAccessHandler.java

@@ -8,6 +8,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.HttpStatusCode;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Service;
@@ -49,8 +50,10 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, Map<String
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body((payload == null? BodyInserters.empty():BodyInserters.fromValue(payload)))
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
-                .onStatus(HttpStatus::is5xxServerError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.INTERNAL_SERVER_ERROR)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                    clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
+                .onStatus(HttpStatusCode::is5xxServerError,
+                    clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(String.class)
                 .block();
 

forms-flow-bpm/src/main/java/org/camunda/bpm/extension/commons/connector/support/CustomSubmissionAccessHandler.java

@@ -50,7 +50,8 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, String pay
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body(Mono.just(payload), String.class)
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(String.class)
                 .block();
 
@@ -73,7 +74,8 @@ public ResponseEntity<IResponse> exchange(String url, HttpMethod method, IReques
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body((payload == null?BodyInserters.empty():BodyInserters.fromValue(payload)))
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(responseClazz)
                 .block();
         return new ResponseEntity<>(response.getBody(), response.getStatusCode());