Merge pull request #18 from Sylvain-Bugat/pom-update

Http client upgrade to fix CVE-2014-3577
Greg Schueler 2014-11-24 14:02:44 -08:00
commit eeaf4a3944
3 changed files with 57 additions and 31 deletions


@ -0,0 +1,13 @@
<ruleset comparisonMethod="maven"
xmlns="http://mojo.codehaus.org/versions-maven-plugin/rule/2.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://mojo.codehaus.org/versions-maven-plugin/rule/2.0.0 http://mojo.codehaus.org/versions-maven-plugin/xsd/rule-2.0.0.xsd">
<!--Ignore alpha, beta, release-candidate and draft versions-->
<ignoreVersions>
<ignoreVersion type="regex">.*[\.-](?i)alpha[0-9]*$</ignoreVersion>
<ignoreVersion type="regex">.*[\.-](?i)b(eta)?-?[0-9]*$</ignoreVersion>
<ignoreVersion type="regex">.*[\.-](?i)rc?[0-9]*$</ignoreVersion>
<ignoreVersion type="regex">.*[\.-](?i)draft.*$</ignoreVersion>
</ignoreVersions>
</ruleset>
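Review bot: The release-candidate pattern on the third ignoreVersion line, `.*[\.-](?i)rc?[0-9]*$`, makes the `c` optional, so it also hides any version whose last segment is `-r`, `-r1`, `.R2` and so on, not just `rc` builds; if such a suffix carries a dependency's security fix the update report would silently drop it. If only release candidates were meant, `.*[\.-](?i)rc[0-9]*$` is the tighter form. A one-line comment above the rule stating which suffix families are intentionally suppressed would also help the next person auditing why an update never showed up, e.g. `<!-- hides only *-rcN / *.rcN; keep in sync with the release-suffix conventions of the dependencies above -->`. The `+1,13` header counts one more line than is shown here, so a header or blank line may be missing from this rendering.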

36
pom.xml

@ -17,6 +17,10 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<prerequisites>
<maven>2.2.1</maven>
</prerequisites>
<!-- For deploying to Sonatype OSS Nexus -->
<parent>
<groupId>org.sonatype.oss</groupId>
@ -88,6 +92,16 @@
<project.build.targetJdk>1.6</project.build.targetJdk>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<!-- Dependencies version -->
<apache.httpcomponents.version>4.3.6</apache.httpcomponents.version>
<commons-lang.version>2.6</commons-lang.version>
<commons-io.version>2.1</commons-io.version>
<dom4j.version>1.6.1</dom4j.version>
<jaxen.version>1.1.1</jaxen.version>
<junit.version>4.10</junit.version>
<betamax.version>1.0</betamax.version>
<groovy.version>1.8.4</groovy.version>
<!-- Plugins version -->
<plugin.antrun.version>1.7</plugin.antrun.version>
<plugin.assembly.version>2.2.2</plugin.assembly.version>
@ -114,7 +128,7 @@
<plugin.source.version>2.1.2</plugin.source.version>
<plugin.surefire.version>2.10</plugin.surefire.version>
<plugin.taglist.version>2.4</plugin.taglist.version>
<plugin.versions.version>1.2</plugin.versions.version>
<plugin.versions.version>2.1</plugin.versions.version>
</properties>
<build>
@ -392,7 +406,7 @@
</reportSet>
</reportSets>
<configuration>
<comparisonMethod>mercury</comparisonMethod>
<rulesUri>file:./dependencies-check-rules.xml</rulesUri>
</configuration>
</plugin>
<plugin>
@ -423,52 +437,52 @@
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.1.2</version>
<version>${apache.httpcomponents.version}</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpmime</artifactId>
<version>4.1.2</version>
<version>${apache.httpcomponents.version}</version>
</dependency>
<!-- Commons -->
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
<version>${commons-lang.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.1</version>
<version>${commons-io.version}</version>
</dependency>
<!-- XML Parsing -->
<dependency>
<groupId>dom4j</groupId>
<artifactId>dom4j</artifactId>
<version>1.6.1</version>
<version>${dom4j.version}</version>
</dependency>
<dependency>
<groupId>jaxen</groupId>
<artifactId>jaxen</artifactId>
<version>1.1.1</version>
<version>${jaxen.version}</version>
</dependency>
<!-- Test -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.10</version>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.github.robfletcher</groupId>
<artifactId>betamax</artifactId>
<version>1.0</version>
<version>${betamax.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy-all</artifactId>
<version>1.8.4</version>
<version>${groovy.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
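Review bot: The new `<rulesUri>file:./dependencies-check-rules.xml</rulesUri>` uses a relative file URI, which appears to resolve against the working directory of the Maven invocation rather than the module directory, so `versions:display-dependency-updates` run from a parent or CI wrapper directory may fail to find the ruleset and fall back to unfiltered (or failed) reports; `file:///${project.basedir}/dependencies-check-rules.xml` pins it to the module. The `apache.httpcomponents.version` property is the security-relevant change here, so a comment next to it recording why the floor is 4.3.5+ would keep a future downgrade from reintroducing the issue, e.g. `<!-- 4.3.5+ required: fixes CVE-2014-3577 (hostname verification bypass) -->`. The other dependency versions are only moved into properties in this commit, not changed, so this note raises nothing about them.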


@ -37,7 +37,6 @@ import org.apache.http.params.HttpProtocolParams;
import org.apache.http.protocol.HTTP;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.dom4j.Document;
import org.rundeck.api.RundeckApiException.RundeckApiLoginException;
import org.rundeck.api.RundeckApiException.RundeckApiTokenException;
import org.rundeck.api.parser.ParserHelper;
@ -59,7 +58,7 @@ import java.util.Map.Entry;
/**
* Class responsible for making the HTTP API calls
*
*
* @author Vincent Behar
*/
class ApiCall {
@ -72,10 +71,10 @@ class ApiCall {
/** {@link RundeckClient} instance holding the RunDeck url and the credentials */
private final RundeckClient client;
/**
* Build a new instance, linked to the given RunDeck client
*
*
* @param client holding the RunDeck url and the credentials
* @throws IllegalArgumentException if client is null
*/
@ -87,7 +86,7 @@ class ApiCall {
/**
* Try to "ping" the RunDeck instance to see if it is alive
*
*
* @throws RundeckApiException if the ping fails
*/
public void ping() throws RundeckApiException {
@ -127,7 +126,7 @@ class ApiCall {
/**
* Test the login-based authentication on the RunDeck instance
*
*
* @throws RundeckApiLoginException if the login fails
* @see #testAuth()
*/
@ -144,7 +143,7 @@ class ApiCall {
/**
* Test the token-based authentication on the RunDeck instance
*
*
* @throws RundeckApiTokenException if the token is invalid
* @see #testAuth()
*/
@ -161,7 +160,7 @@ class ApiCall {
/**
* Execute an HTTP GET request to the RunDeck instance, on the given path. We will login first, and then execute the
* API call. At the end, the given parser will be used to convert the response to a more useful result object.
*
*
* @param apiPath on which we will make the HTTP request - see {@link ApiPathBuilder}
* @param parser used to parse the response
* @return the result of the call, as formatted by the parser
@ -181,7 +180,7 @@ class ApiCall {
/**
* Execute an HTTP GET request to the RunDeck instance, on the given path. We will login first, and then execute the
* API call.
*
*
* @param apiPath on which we will make the HTTP request - see {@link ApiPathBuilder}
* @return a new {@link InputStream} instance, not linked with network resources
* @throws RundeckApiException in case of error when calling the API
@ -206,7 +205,7 @@ class ApiCall {
/**
* Execute an HTTP GET request to the RunDeck instance, on the given path. We will login first, and then execute the
* API call without appending the API_ENDPOINT to the URL.
*
*
* @param apiPath on which we will make the HTTP request - see {@link ApiPathBuilder}
* @return a new {@link InputStream} instance, not linked with network resources
* @throws RundeckApiException in case of error when calling the API
@ -248,11 +247,11 @@ class ApiCall {
return get(apiPath, parser);
}
}
/**
* Execute an HTTP POST request to the RunDeck instance, on the given path. We will login first, and then execute
* the API call. At the end, the given parser will be used to convert the response to a more useful result object.
*
*
* @param apiPath on which we will make the HTTP request - see {@link ApiPathBuilder}
* @param parser used to parse the response
* @return the result of the call, as formatted by the parser
@ -322,7 +321,7 @@ class ApiCall {
/**
* Execute an HTTP DELETE request to the RunDeck instance, on the given path. We will login first, and then execute
* the API call. At the end, the given parser will be used to convert the response to a more useful result object.
*
*
* @param apiPath on which we will make the HTTP request - see {@link ApiPathBuilder}
* @param parser used to parse the response
* @return the result of the call, as formatted by the parser
@ -354,7 +353,7 @@ class ApiCall {
/**
* Execute an HTTP request to the RunDeck instance. We will login first, and then execute the API call. At the end,
* the given parser will be used to convert the response to a more useful result object.
*
*
* @param request to execute. see {@link HttpGet}, {@link HttpDelete}, and so on...
* @param parser used to parse the response
* @return the result of the call, as formatted by the parser
@ -400,7 +399,7 @@ class ApiCall {
}
/**
* Execute an HTTP request to the RunDeck instance. We will login first, and then execute the API call.
*
*
* @param request to execute. see {@link HttpGet}, {@link HttpDelete}, and so on...
* @return a new {@link InputStream} instance, not linked with network resources
* @throws RundeckApiException in case of error when calling the API
@ -594,7 +593,7 @@ class ApiCall {
/**
* Do the actual work of login, using the given {@link HttpClient} instance. You'll need to re-use this instance
* when making API calls (such as running a job). Only use this in case of login-based authentication.
*
*
* @param httpClient pre-instantiated
* @throws RundeckApiLoginException if the login failed
*/
@ -639,11 +638,11 @@ class ApiCall {
while (true) {
try {
HttpPost postLogin = new HttpPost(location);
List params = new ArrayList();
List<BasicNameValuePair> params = new ArrayList<BasicNameValuePair>();
params.add(new BasicNameValuePair("j_username", client.getLogin()));
params.add(new BasicNameValuePair("j_password", client.getPassword()));
params.add(new BasicNameValuePair("action", "login"));
postLogin.setEntity(new UrlEncodedFormEntity(params, HTTP.UTF_8));
postLogin.setEntity(new UrlEncodedFormEntity(params, Consts.UTF_8));
HttpResponse response = httpClient.execute(postLogin);
if (response.getStatusLine().getStatusCode() / 100 == 3) {
@ -663,7 +662,7 @@ class ApiCall {
}
try {
String content = EntityUtils.toString(response.getEntity(), HTTP.UTF_8);
String content = EntityUtils.toString(response.getEntity(), Consts.UTF_8);
if (StringUtils.contains(content, "j_security_check")) {
throw new RundeckApiLoginException("Login failed for user " + client.getLogin());
}
@ -689,7 +688,7 @@ class ApiCall {
/**
* Instantiate a new {@link HttpClient} instance, configured to accept all SSL certificates
*
*
* @return an {@link HttpClient} instance - won't be null
*/
private HttpClient instantiateHttpClient() {
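Review bot: The CVE-2014-3577 fix this commit pulls in (HttpClient 4.3.5+) hardens hostname verification, but the Javadoc at the top of this last hunk still describes `instantiateHttpClient()` as "configured to accept all SSL certificates"; if the body keeps a trust-all trust manager and a permissive hostname verifier, the upgrade does not change what an on-path attacker can do, because any certificate is accepted before verification ever matters. The method body is outside the hunk, so I cannot confirm what it does today, but the same client carries the `j_username`/`j_password` form post in the login hunk above, so a trust-all client exposes those credentials to interception. At minimum the Javadoc should state the trade-off so the upgrade is not mistaken for a complete fix, e.g. `* NOTE: trusting every certificate bypasses the hostname-verification fix from CVE-2014-3577; login credentials are posted over this client.` Longer term, consider building the client from `SSLConnectionSocketFactory` with the default hostname verifier and letting callers opt into trust-all explicitly.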