Merge pull request #13356 from smatvienko-tb/hotfix/rc-vulnerability-fix-090525

Fix vulnerabilities
This commit is contained in:
Viacheslav Klimov 2025-05-13 14:38:32 +03:00 committed by GitHub
commit 7fe6710d52
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 151 additions and 47 deletions


@ -60,10 +60,6 @@
<groupId>jakarta.annotation</groupId>
<artifactId>jakarta.annotation-api</artifactId>
</dependency>
<dependency>
<groupId>com.github.java-json-tools</groupId>
<artifactId>json-schema-validator</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>


@ -56,10 +56,6 @@
<groupId>jakarta.annotation</groupId>
<artifactId>jakarta.annotation-api</artifactId>
</dependency>
<dependency>
<groupId>com.github.java-json-tools</groupId>
<artifactId>json-schema-validator</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>


@ -59,6 +59,10 @@
<groupId>org.thingsboard.common</groupId>
<artifactId>util</artifactId>
</dependency>
<dependency>
<groupId>com.networknt</groupId>
<artifactId>json-schema-validator</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>


@ -16,10 +16,10 @@
package org.thingsboard.server.dao.component;
import com.fasterxml.jackson.databind.JsonNode;
import com.github.fge.jsonschema.core.exceptions.ProcessingException;
import com.github.fge.jsonschema.core.report.ProcessingReport;
import com.github.fge.jsonschema.main.JsonSchemaFactory;
import com.github.fge.jsonschema.main.JsonValidator;
import com.networknt.schema.JsonSchema;
import com.networknt.schema.JsonSchemaFactory;
import com.networknt.schema.SpecVersion;
import com.networknt.schema.ValidationMessage;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
@ -36,6 +36,7 @@ import org.thingsboard.server.dao.service.DataValidator;
import org.thingsboard.server.dao.service.Validator;
import java.util.Optional;
import java.util.Set;
/**
* @author Andrew Shvayka
@ -89,15 +90,18 @@ public class BaseComponentDescriptorService implements ComponentDescriptorServic
@Override
public boolean validate(TenantId tenantId, ComponentDescriptor component, JsonNode configuration) {
JsonValidator validator = JsonSchemaFactory.byDefault().getValidator();
try {
if (!component.getConfigurationDescriptor().has("schema")) {
throw new DataValidationException("Configuration descriptor doesn't contain schema property!");
}
JsonNode configurationSchema = component.getConfigurationDescriptor().get("schema");
ProcessingReport report = validator.validate(configurationSchema, configuration);
return report.isSuccess();
} catch (ProcessingException e) {
JsonSchemaFactory factory = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V4);
JsonSchema schema = factory.getSchema(configurationSchema);
Set<ValidationMessage> validationMessages = schema.validate(configuration);
return validationMessages.isEmpty();
} catch (Exception e) {
throw new IncorrectParameterException(e.getMessage(), e);
}
}
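Review bot: The widened `catch (Exception e)` on the new side now also traps the `DataValidationException` deliberately thrown for a descriptor without a `schema` property and re-wraps it as `IncorrectParameterException` (the new test in this commit codifies that), so callers that previously distinguished the two types now see a different exception; if that is intended, say so in the method's Javadoc, otherwise add `catch (DataValidationException e) { throw e; }` ahead of the generic catch. The `Set<ValidationMessage>` is discarded, so a rejected configuration leaves no trace of which keyword failed; since the class carries `@Slf4j`, a `log.debug("Configuration for {} rejected: {}", component.getClazz(), validationMessages);` before the `return` keeps the diagnostics without changing the boolean contract. Hard-coding `SpecVersion.VersionFlag.V4` is reasonable for the existing descriptors, but a schema that declares a different draft via `$schema` may be checked against the wrong meta-schema, so a one-line comment stating that Draft 4 is assumed would help. If descriptor schemas can ever originate from a tenant rather than from the rule-node annotations, note that the networknt factory resolves `$ref` URIs by default and should then be built with remote resolution disabled.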


@ -0,0 +1,98 @@
/**
* Copyright © 2016-2025 The Thingsboard Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.thingsboard.server.dao.component;
import com.fasterxml.jackson.databind.JsonNode;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.thingsboard.common.util.JacksonUtil;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.plugin.ComponentClusteringMode;
import org.thingsboard.server.common.data.plugin.ComponentDescriptor;
import org.thingsboard.server.common.data.plugin.ComponentScope;
import org.thingsboard.server.common.data.plugin.ComponentType;
import org.thingsboard.server.dao.exception.IncorrectParameterException;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
class BaseComponentDescriptorServiceTest {
private BaseComponentDescriptorService service;
private ComponentDescriptor componentDescriptor;
private TenantId tenantId;
@BeforeEach
void setUp() {
service = Mockito.spy(BaseComponentDescriptorService.class);
tenantId = TenantId.SYS_TENANT_ID;
// Create a simple component descriptor
componentDescriptor = new ComponentDescriptor();
componentDescriptor.setType(ComponentType.ACTION);
componentDescriptor.setScope(ComponentScope.TENANT);
componentDescriptor.setClusteringMode(ComponentClusteringMode.ENABLED);
componentDescriptor.setName("Test Component");
componentDescriptor.setClazz("org.thingsboard.test.TestComponent");
// Create configuration descriptor with schema from JSON string
String configDescriptorJson = """
{
"schema": {
"type": "object",
"properties": {
"testField": {
"type": "string"
}
},
"required": ["testField"]
}
}""";
componentDescriptor.setConfigurationDescriptor(JacksonUtil.toJsonNode(configDescriptorJson));
}
@Test
void testValidate() {
// Create valid configuration from JSON string
String validConfigJson = "{\"testField\": \"test value\"}";
JsonNode validConfig = JacksonUtil.toJsonNode(validConfigJson);
// Create invalid configuration (missing required field) from JSON string
String invalidConfigJson = "{}";
JsonNode invalidConfig = JacksonUtil.toJsonNode(invalidConfigJson);
// Test valid configuration
boolean validResult = service.validate(tenantId, componentDescriptor, validConfig);
assertTrue(validResult, "Valid configuration should pass validation");
// Test invalid configuration
boolean invalidResult = service.validate(tenantId, componentDescriptor, invalidConfig);
assertFalse(invalidResult, "Invalid configuration should fail validation");
// Test with component descriptor without schema
ComponentDescriptor noSchemaDescriptor = new ComponentDescriptor(componentDescriptor);
noSchemaDescriptor.setConfigurationDescriptor(JacksonUtil.toJsonNode("{}"));
// Should throw exception when schema is missing
assertThrows(IncorrectParameterException.class, () -> {
service.validate(tenantId, noSchemaDescriptor, validConfig);
}, "Should throw exception when schema is missing");
}
}
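Review bot: `testValidate` bundles the valid, invalid and missing-schema scenarios in one method, so the first failing assertion masks the others; splitting it into three `@Test` methods (e.g. `validConfigurationPasses`, `missingRequiredFieldFails`, `missingSchemaThrows`) gives a precise failure signal. There is no case for a malformed schema (say `"type": "nonsense"`) asserting that `IncorrectParameterException` is raised rather than the configuration passing silently, nor for a wrong-typed value such as `{"testField": 42}`, which is exactly the behavior a validator-library swap is most likely to change. `Mockito.spy(BaseComponentDescriptorService.class)` appears to work here only because `validate` touches no injected collaborators; if the constructor allows it, a plain `new BaseComponentDescriptorService()` would make that explicit.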


@ -42,7 +42,7 @@
<pkg.implementationTitle>ThingsBoard Monitoring Service</pkg.implementationTitle>
<pkg.mainClass>org.thingsboard.monitoring.ThingsboardMonitoringApplication</pkg.mainClass>
<californium.version>2.6.1</californium.version>
<californium.version>2.7.4</californium.version>
<leshan.version>2.0.0-M4</leshan.version>
</properties>

49
pom.xml

@ -42,13 +42,14 @@
<jakarta.xml.bind-api.version>4.0.2</jakarta.xml.bind-api.version>
<javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
<jaxb-runtime.version>4.0.5</jaxb-runtime.version>
<tomcat.version>10.1.39</tomcat.version> <!--Remove after update spring-boot to new version-->
<tomcat.version>10.1.40</tomcat.version> <!-- Vulnerability fix, Remove after update spring-boot to new version-->
<net.minidev.json-smart>2.5.2</net.minidev.json-smart> <!-- Vulnerability fix, CVE-2024-57699, Remove after update spring-boot 3.2.12 to a newer version-->
<spring-boot.version>3.2.12</spring-boot.version>
<spring-data.version>3.2.12</spring-data.version>
<spring-data-redis.version>3.2.12</spring-data-redis.version>
<spring.version>6.1.15</spring.version>
<spring-redis.version>6.2.11</spring-redis.version>
<spring-security.version>6.2.8</spring-security.version>
<spring-security.version>6.3.8</spring-security.version>
<jedis.version>5.1.5</jedis.version>
<jjwt.version>0.12.5</jjwt.version>
<slf4j.version>2.0.13</slf4j.version>
@ -57,7 +58,7 @@
<rat.version>0.10</rat.version> <!-- unused -->
<cassandra.version>4.17.0</cassandra.version>
<metrics.version>4.2.25</metrics.version>
<cassandra-all.version>3.11.17</cassandra-all.version> <!-- tools -->
<cassandra-all.version>5.0.4</cassandra-all.version> <!-- tools -->
<guava.version>33.1.0-jre</guava.version>
<caffeine.version>3.1.8</caffeine.version>
<commons-lang3.version>3.14.0</commons-lang3.version>
@ -74,7 +75,7 @@
<jackson-databind.version>2.17.2</jackson-databind.version>
<fasterxml-classmate.version>1.7.0</fasterxml-classmate.version>
<auth0-jwt.version>4.4.0</auth0-jwt.version>
<json-schema-validator.version>2.2.14</json-schema-validator.version>
<json-schema-validator.version>1.5.6</json-schema-validator.version>
<milo.version>0.6.12</milo.version>
<californium.version>3.12.1</californium.version>
<leshan.version>2.0.0-M15</leshan.version>
@ -102,7 +103,7 @@
<jts.version>1.19.0</jts.version>
<bouncycastle.version>1.78.1</bouncycastle.version>
<winsw.version>2.0.1</winsw.version>
<postgresql.driver.version>42.7.3</postgresql.driver.version>
<postgresql.driver.version>42.7.5</postgresql.driver.version>
<sonar.exclusions>org/thingsboard/server/gen/**/*,
org/thingsboard/server/extensions/core/plugin/telemetry/gen/**/*
</sonar.exclusions>
@ -112,7 +113,7 @@
<!-- IMPORTANT: If you change the version of the kafka client, make sure to synchronize our overwritten implementation of the
org.apache.kafka.common.network.NetworkReceive class in the application module. It addresses the issue https://issues.apache.org/jira/browse/KAFKA-4090.
Here is the source to track https://github.com/apache/kafka/tree/trunk/clients/src/main/java/org/apache/kafka/common/network -->
<kafka.version>3.7.1</kafka.version>
<kafka.version>3.7.2</kafka.version>
<bucket4j.version>8.10.1</bucket4j.version>
<antlr.version>3.5.3</antlr.version>
<snakeyaml.version>2.2</snakeyaml.version>
@ -1163,6 +1164,13 @@
<artifactId>tomcat-embed-websocket</artifactId>
<version>${tomcat.version}</version>
</dependency>
<!-- Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
<dependency>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>${net.minidev.json-smart}</version>
</dependency>
<!-- ...Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
@ -1183,6 +1191,18 @@
<artifactId>spring-security-oauth2-jose</artifactId>
<version>${spring-security.version}</version>
</dependency>
<!-- Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring-security.version}</version>
</dependency>
<!-- ... Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
@ -1600,15 +1620,9 @@
<version>${auth0-jwt.version}</version>
</dependency>
<dependency>
<groupId>com.github.java-json-tools</groupId>
<groupId>com.networknt</groupId>
<artifactId>json-schema-validator</artifactId>
<version>${json-schema-validator.version}</version>
<exclusions>
<exclusion>
<groupId>com.sun.mail</groupId>
<artifactId>mailapi</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.eclipse.leshan</groupId>
@ -1827,11 +1841,6 @@
<artifactId>cassandra-all</artifactId>
<version>${cassandra-all.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cassandra</groupId>
<artifactId>cassandra-thrift</artifactId>
<version>${cassandra-all.version}</version>
</dependency>
<dependency>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
@ -2224,7 +2233,7 @@
</dependency>
<dependency>
<groupId>org.mock-server</groupId>
<artifactId>mockserver-netty</artifactId>
<artifactId>mockserver-netty-no-dependencies</artifactId>
<version>${mock-server.version}</version>
<scope>test</scope>
<exclusions>
@ -2236,7 +2245,7 @@
</dependency>
<dependency>
<groupId>org.mock-server</groupId>
<artifactId>mockserver-client-java</artifactId>
<artifactId>mockserver-client-java-no-dependencies</artifactId>
<version>${mock-server.version}</version>
<scope>test</scope>
</dependency>
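Review bot: Pinning `spring-security.version` to 6.3.8 while `spring-boot.version` stays at 3.2.12 (whose BOM manages the 6.2.x line) and overriding only `spring-security-config`, `spring-security-web` and the already-pinned `spring-security-oauth2-jose` risks a mixed-version Spring Security classpath unless `spring-security-core` and `spring-security-crypto` are pinned to the same property elsewhere in this POM; adding those two artifacts to the same override block, or checking `mvn dependency:tree | grep spring-security`, would close the gap. The `cassandra-all` jump from 3.11.17 to 5.0.4 is a major upgrade rather than a patch, and its `<!-- tools -->` comment should state that it was driven by the vulnerability fix and that `WriterBuilder` had to change for the new API, so the next person does not roll it back. The new `net.minidev.json-smart` property departs from the `*.version` naming used on every neighbouring line; `json-smart.version` would keep it greppable.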


@ -141,12 +141,12 @@
</dependency>
<dependency>
<groupId>org.mock-server</groupId>
<artifactId>mockserver-netty</artifactId>
<artifactId>mockserver-netty-no-dependencies</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mock-server</groupId>
<artifactId>mockserver-client-java</artifactId>
<artifactId>mockserver-client-java-no-dependencies</artifactId>
<scope>test</scope>
</dependency>
<dependency>


@ -181,7 +181,8 @@ public class TbMqttNodeTest extends AbstractRuleNodeUpgradeTest {
SslContext actualSslContext = mqttClientConfig.getValue().getSslContext();
assertThat(actualSslContext)
.usingRecursiveComparison()
.ignoringFields("ctx", "ctxLock", "sessionContext.context.ctx", "sessionContext.context.ctxLock")
.ignoringFields("ctx", "ctxLock", "sessionContext.context.ctx", "sessionContext.context.ctxLock",
"sslContext")
.isEqualTo(SslContextBuilder.forClient().build());
}
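Review bot: Adding `sslContext` to `ignoringFields` on top of `ctx`/`ctxLock` leaves the recursive comparison with very little of the Netty `SslContext` left to compare, so the assertion may now pass for almost any client context and no longer proves the node built the expected TLS configuration; comparing observable properties instead, e.g. `assertThat(actualSslContext.isClient()).isTrue();` and `assertThat(actualSslContext.cipherSuites()).isEqualTo(SslContextBuilder.forClient().build().cipherSuites());`, keeps the test meaningful across Netty upgrades. The enclosing test method starts before the hunk. If the new field was introduced by one of the version bumps in this commit, a short comment naming that reason beside the ignored field would help the next maintainer decide when it can be dropped.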


@ -55,10 +55,6 @@
<groupId>org.apache.cassandra</groupId>
<artifactId>cassandra-all</artifactId>
</dependency>
<dependency>
<groupId>org.apache.cassandra</groupId>
<artifactId>cassandra-thrift</artifactId>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>


@ -59,7 +59,7 @@ public class WriterBuilder {
public static CQLSSTableWriter getTsWriter(File dir) {
return CQLSSTableWriter.builder()
.inDirectory(dir)
.inDirectory(dir.getAbsolutePath())
.forTable(tsSchema)
.using("INSERT INTO thingsboard.ts_kv_cf (entity_type, entity_id, key, partition, ts, bool_v, str_v, long_v, dbl_v, json_v) " +
"VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")
@ -68,7 +68,7 @@ public class WriterBuilder {
public static CQLSSTableWriter getLatestWriter(File dir) {
return CQLSSTableWriter.builder()
.inDirectory(dir)
.inDirectory(dir.getAbsolutePath())
.forTable(latestSchema)
.using("INSERT INTO thingsboard.ts_kv_latest_cf (entity_type, entity_id, key, ts, bool_v, str_v, long_v, dbl_v, json_v) " +
"VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)")
@ -77,7 +77,7 @@ public class WriterBuilder {
public static CQLSSTableWriter getPartitionWriter(File dir) {
return CQLSSTableWriter.builder()
.inDirectory(dir)
.inDirectory(dir.getAbsolutePath())
.forTable(partitionSchema)
.using("INSERT INTO thingsboard.ts_kv_partitions_cf (entity_type, entity_id, key, partition) " +
"VALUES (?, ?, ?, ?)")
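Review bot: The three builders now repeat the same `CQLSSTableWriter.builder().inDirectory(dir.getAbsolutePath())` prefix; a private helper such as `private static CQLSSTableWriter.Builder builderIn(File dir) { return CQLSSTableWriter.builder().inDirectory(dir.getAbsolutePath()); }` keeps the path handling in one place should the API change again. `getAbsolutePath()` neither collapses `..` segments nor resolves symlinks; if `dir` can come from a command-line argument, `dir.toPath().toAbsolutePath().normalize().toString()` is the safer spelling. Each of the three methods continues past the visible lines of its hunk.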