Close #235: Add support for Jetty 12 to address CVE-2024-6763
#236
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kevin-lee
force-pushed
the
issue/235/support-jetty-12
branch
2 times, most recently
from
c197c26
to
c865ba6
Compare
kevin-lee
commented
Nov 13, 2024
Comment on lines
+140
to
+141
| private def enqueueSync(item: Item)(cb: Either[Throwable, Unit] => F[Unit]): Unit = | ||
| dispatcher.unsafeRunSync(queue.offer(item.some).attempt.flatMap(cb)) |
There was a problem hiding this comment.
I had to add it to use it for onContent. With fire-and-forget, some tests fail. My guess is:
- There's no longer a
callbackto report success or failure inonContent(JettyResponse, ByteBuffer): UnitinContentListener(Listener), whichResponseListenerinherits from. onContentwithoutcallbackis used byonContent(Response response, Content.Chunk chunk, Runnable demander)inContentListener.- If the body of
onContentwithoutcallbackis executed with fire-and-forget, there might be a chance thatdemander.run()inContentListener.onContent(Response, Content.Chunk, Runnable)is executed in an incorrect state. Please have a look at the method body ofContentListener.onContent(Response, Content.Chunk, Runnable):default void onContent(Response response, Content.Chunk chunk, Runnable demander) throws Exception { onContent(response, chunk.getByteBuffer()); demander.run(); }
- So I had to make
onContent(response, chunk.getByteBuffer())sync withenqueueSyncthat I added.
There was a problem hiding this comment.
Regarding the failed tests when enqueue is used instead of enqueueSync, they are as shown below. Sometimes three of them fail, and other times only two fail.
Click to expand
org.http4s.jetty.client.JettyClientSuite:
==> X org.http4s.jetty.client.JettyClientSuite.JettyClient Repeat a simple request 0.332s munit.ComparisonFailException: value is not true
=> Obtained
false
=> Diff (- obtained, + expected)
-false
+true
at munit.Assertions.failComparison(Assertions.scala:278)
at apply @ munit.CatsEffectAssertions.$anonfun$assertIO$1(CatsEffectAssertions.scala:52)
at unsafeToFuture @ munit.CatsEffectSuite$$anonfun$1.applyOrElse(CatsEffectSuite.scala:82)
at parTraverse$extension @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$new$1(ClientRouteTestBattery.scala:81)
at parTraverse$extension @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$new$1(ClientRouteTestBattery.scala:81)
at parTraverse$extension @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$new$1(ClientRouteTestBattery.scala:81)
+ JettyClient POST an empty body 0.015s
+ JettyClient POST a normal body 0.009s
+ JettyClient POST a chunked body 0.009s
+ JettyClient POST a multipart body 0.048s
+ JettyClient Execute GET /chunked 0.012s
==> X org.http4s.jetty.client.JettyClientSuite.JettyClient Execute GET /large 0.036s munit.ComparisonFailException: value is not true
=> Obtained
false
=> Diff (- obtained, + expected)
-false
+true
at munit.Assertions.failComparison(Assertions.scala:278)
at apply @ munit.CatsEffectAssertions.$anonfun$assertIO$1(CatsEffectAssertions.scala:52)
at apply @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$checkResponse$5(ClientRouteTestBattery.scala:190)
at map @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$checkResponse$5(ClientRouteTestBattery.scala:190)
at flatMap @ munit.CatsEffectAssertions.assertIO(CatsEffectAssertions.scala:52)
at flatMap @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$checkResponse$5(ClientRouteTestBattery.scala:190)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at modify @ fs2.internal.Scope.close(Scope.scala:262)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at rethrow$extension @ fs2.Compiler$Target.$anonfun$compile$1(Compiler.scala:157)
==> X org.http4s.jetty.client.JettyClientSuite.JettyClient Execute GET /not-found 0.027s munit.ComparisonFailException: value is not true
=> Obtained
false
=> Diff (- obtained, + expected)
-false
+true
at munit.Assertions.failComparison(Assertions.scala:278)
at apply @ munit.CatsEffectAssertions.$anonfun$assertIO$1(CatsEffectAssertions.scala:52)
at apply @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$checkResponse$5(ClientRouteTestBattery.scala:190)
at map @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$checkResponse$5(ClientRouteTestBattery.scala:190)
at flatMap @ munit.CatsEffectAssertions.assertIO(CatsEffectAssertions.scala:52)
at flatMap @ org.http4s.client.testkit.ClientRouteTestBattery.$anonfun$checkResponse$5(ClientRouteTestBattery.scala:190)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at modify @ fs2.internal.Scope.close(Scope.scala:262)
at flatMap @ fs2.Compiler$Target.flatMap(Compiler.scala:163)
at rethrow$extension @ fs2.Compiler$Target.$anonfun$compile$1(Compiler.scala:157)
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority). - The current version of http4s-jetty uses Jetty 10. - Community support for Jetty 10 and Jetty 11 ended in January 2024. - To solve the issue, http4s-jetty should use Jetty 12, the current stable version. - Jetty 12 requires Java 17, so dropping support for Java 11 is necessary. - Jetty has multiple versions supporting different versions of Jakarta EE (Java EE). However, for the first version supporting Jetty 12, it is better to support only Jakarta EE 8 to minimize changes, as the API namespace moved from `javax` to `jakarta` starting with Jakarta EE 9.
kevin-lee
force-pushed
the
issue/235/support-jetty-12
branch
from
c865ba6
to
cff1987
Compare
kevin-lee
changed the title
12 to address CVE-2024-6763
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Close #235: Add support for Jetty
12to addressCVE-2024-67637.0.0up to12.0.11are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).http4s-jettyuses Jetty10.10and Jetty11ended in January 2024.http4s-jettyshould use Jetty12, the current stable version.12requires Java17, so dropping support for Java11is necessary.12, it is better to support only Jakarta EE8to minimize changes, as the API namespace moved fromjavaxtojakartastarting with Jakarta EE9.