[fix][sec] Bump commons-io version to 2.18.0 #23684
Conversation
There was a problem hiding this comment.
Thanks for the PR. The newest commons-io version is 2.18.0 (release notes). Please use the latest stable release.
What is the vulnerability in question?
|
My guess would be apache/commons-io@841b5fa . @ZachChuba Just curious how you spotted this? I don't think that we use commons-io for XML parsing in Pulsar, so perhaps there's no impact at all for Pulsar, however, obviously it's worthwhile to keep dependencies up-to-date. |
@lhotari This vulnerability is indeed the one patched via apache/commons-io@841b5fa. It was identified through an internal analysis tool. It's unlikely that pulsar is susceptible to this, as you suggested, but it's always a good idea to in case an enhancement inadvertently opens an attack vector through that susceptible dependency. Will upgrade to 2.18.0. |
Addresses a potential ReDos security vulnerability with commons-io
ZachChuba
force-pushed
the
bump-commons-io
branch
from
8e98a45 to
69ce162
Compare
ZachChuba
changed the title
@ZachChuba What internal analysis tool do you use? It seems that GitHub CodeQL had also flagged this. Just curious to know what are your specific security requirements for Apache Pulsar? |
lhotari
changed the title
|
@lhotari Sonatype Lifecycle has flagged this as a high severity vulnerability. My organization's risk posture treats any vulnerabilities that can significantly hinder application performance as either high or severe. Our risk posture also assumes any shaded dependency with a vulnerability makes the application equally as vulnerable. Sonatype has cataloged this as sonatype-2023-4396 and rated it high severity with a score of 8.7 based on our risk policy. |
Thanks for sharing the context! |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #23684 +/- ##
============================================
+ Coverage 73.57% 74.43% +0.85%
- Complexity 32624 34575 +1951
============================================
Files 1877 1945 +68
Lines 139502 147448 +7946
Branches 15299 16270 +971
============================================
+ Hits 102638 109747 +7109
- Misses 28908 29233 +325
- Partials 7956 8468 +512
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Thanks for contributing @ZachChuba |
Co-authored-by: Zach Chuba <[email protected]> (cherry picked from commit e6f421e)
Co-authored-by: Zach Chuba <[email protected]> (cherry picked from commit e6f421e)
Co-authored-by: Zach Chuba <[email protected]> (cherry picked from commit e6f421e)
Co-authored-by: Zach Chuba <[email protected]> (cherry picked from commit e6f421e) (cherry picked from commit f16cf67)
Co-authored-by: Zach Chuba <[email protected]> (cherry picked from commit e6f421e) (cherry picked from commit f16cf67)
Fixes security risk
Motivation
Dependency common-io, shaded in pulsar-client, is susceptable to a reDos attack prior to version 2.15.0
Modifications
Bump commons-io version to 2.18.0
Verifying this change
(Please pick either of the following options)
This change is a trivial rework / code cleanup without any test coverage.
Does this pull request potentially affect one of the following parts:
If the box was checked, please highlight the changes
Documentation
docdoc-requireddoc-not-neededdoc-completeMatching PR in forked repository
PR in forked repository: ZachChuba#2
CI only failed at upload stages