Posted to notifications@linkis.apache.org by GitBox <gi...@apache.org> on 2022/07/05 12:06:46 UTC

[GitHub] [incubator-linkis] duhanmin opened a new pull request, #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

duhanmin opened a new pull request, #2413:
URL: https://github.com/apache/incubator-linkis/pull/2413

   https://github.com/spring-projects/spring-framework/issues/27092
   1. SynchronossPartHttpMessageReader should only create temp directory when needed
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
   2. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
   
   
   ### Does this pull request potentially affect one of the following parts:
   - Dependencies (does it add or upgrade a dependency): (yes)
   
   https://github.com/apache/incubator-linkis/issues/2395
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org
For additional commands, e-mail: notifications-help@linkis.apache.org


[GitHub] [incubator-linkis] jackxu2011 commented on pull request #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

Posted by GitBox <gi...@apache.org>.
jackxu2011 commented on PR #2413:
URL: https://github.com/apache/incubator-linkis/pull/2413#issuecomment-1181370036

   LGTM




[GitHub] [incubator-linkis] codecov[bot] commented on pull request #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

Posted by GitBox <gi...@apache.org>.
codecov[bot] commented on PR #2413:
URL: https://github.com/apache/incubator-linkis/pull/2413#issuecomment-1179687793

   # [Codecov](https://codecov.io/gh/apache/incubator-linkis/pull/2413?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#2413](https://codecov.io/gh/apache/incubator-linkis/pull/2413?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (963c04b) into [dev-1.2.0](https://codecov.io/gh/apache/incubator-linkis/commit/b4627300e2dc80ff3031a5d8140cb34c26941cba?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (b462730) will **increase** coverage by `0.25%`.
   > The diff coverage is `n/a`.
   
   ```diff
   @@               Coverage Diff               @@
   ##             dev-1.2.0    #2413      +/-   ##
   ===============================================
   + Coverage        17.83%   18.09%   +0.25%     
   - Complexity        1077     1093      +16     
   ===============================================
     Files              595      597       +2     
     Lines            17667    17788     +121     
     Branches          2635     2651      +16     
   ===============================================
   + Hits              3151     3218      +67     
   - Misses           14092    14135      +43     
   - Partials           424      435      +11     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/incubator-linkis/pull/2413?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...apache/linkis/scheduler/future/BDPFutureTask.scala](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLXNjaGVkdWxlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2xpbmtpcy9zY2hlZHVsZXIvZnV0dXJlL0JEUEZ1dHVyZVRhc2suc2NhbGE=) | `70.00% <0.00%> (-5.00%)` | :arrow_down: |
   | [...s/scheduler/queue/fifoqueue/FIFOUserConsumer.scala](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLXNjaGVkdWxlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2xpbmtpcy9zY2hlZHVsZXIvcXVldWUvZmlmb3F1ZXVlL0ZJRk9Vc2VyQ29uc3VtZXIuc2NhbGE=) | `35.55% <0.00%> (-2.23%)` | :arrow_down: |
   | [...s/manager/engineplugin/jdbc/ConnectionManager.java](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWVuZ2luZWNvbm4tcGx1Z2lucy9qZGJjL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9saW5raXMvbWFuYWdlci9lbmdpbmVwbHVnaW4vamRiYy9Db25uZWN0aW9uTWFuYWdlci5qYXZh) | `42.65% <0.00%> (-0.48%)` | :arrow_down: |
   | [...org/apache/linkis/common/utils/VariableUtils.scala](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLWNvbW1vbi9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2xpbmtpcy9jb21tb24vdXRpbHMvVmFyaWFibGVVdGlscy5zY2FsYQ==) | `59.77% <0.00%> (-0.35%)` | :arrow_down: |
   | [...a/org/apache/linkis/scheduler/event/LogEvent.scala](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLXNjaGVkdWxlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2xpbmtpcy9zY2hlZHVsZXIvZXZlbnQvTG9nRXZlbnQuc2NhbGE=) | `50.00% <0.00%> (ø)` | |
   | [...ache/linkis/common/listener/ListenerEventBus.scala](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLWNvbW1vbi9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2xpbmtpcy9jb21tb24vbGlzdGVuZXIvTGlzdGVuZXJFdmVudEJ1cy5zY2FsYQ==) | `0.00% <0.00%> (ø)` | |
   | [...he/linkis/common/utils/VariableOperationUtils.java](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLWNvbW1vbi9zcmMvbWFpbi9qYXZhL29yZy9hcGFjaGUvbGlua2lzL2NvbW1vbi91dGlscy9WYXJpYWJsZU9wZXJhdGlvblV0aWxzLmphdmE=) | `43.20% <0.00%> (ø)` | |
   | [...on/exception/VariableOperationFailedException.java](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLWNvbW1vbi9zcmMvbWFpbi9qYXZhL29yZy9hcGFjaGUvbGlua2lzL2NvbW1vbi9leGNlcHRpb24vVmFyaWFibGVPcGVyYXRpb25GYWlsZWRFeGNlcHRpb24uamF2YQ==) | `0.00% <0.00%> (ø)` | |
   | [...org/apache/linkis/jobhistory/util/QueryUtils.scala](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLXB1YmxpYy1lbmhhbmNlbWVudHMvbGlua2lzLXB1YmxpY3NlcnZpY2UvbGlua2lzLWpvYmhpc3Rvcnkvc3JjL21haW4vc2NhbGEvb3JnL2FwYWNoZS9saW5raXMvam9iaGlzdG9yeS91dGlsL1F1ZXJ5VXRpbHMuc2NhbGE=) | `22.22% <0.00%> (+1.09%)` | :arrow_up: |
   | [...rg/apache/linkis/scheduler/AbstractScheduler.scala](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bGlua2lzLWNvbW1vbnMvbGlua2lzLXNjaGVkdWxlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2xpbmtpcy9zY2hlZHVsZXIvQWJzdHJhY3RTY2hlZHVsZXIuc2NhbGE=) | `42.30% <0.00%> (+3.84%)` | :arrow_up: |
   | ... and [3 more](https://codecov.io/gh/apache/incubator-linkis/pull/2413/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
   
   ------
   
   [Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-linkis/pull/2413?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   > Powered by [Codecov](https://codecov.io/gh/apache/incubator-linkis/pull/2413?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [b462730...963c04b](https://codecov.io/gh/apache/incubator-linkis/pull/2413?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   




[GitHub] [incubator-linkis] duhanmin commented on a diff in pull request #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

Posted by GitBox <gi...@apache.org>.
duhanmin commented on code in PR #2413:
URL: https://github.com/apache/incubator-linkis/pull/2413#discussion_r918685695


##########
pom.xml:
##########
@@ -811,6 +812,17 @@
                 <version>${spring.boot.version}</version>
                 <type>pom</type>
                 <scope>import</scope>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.springframework</groupId>
+                        <artifactId>spring-web</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
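Review bot: the `<exclusions>` added to the import-scoped BOM in this hunk will not take effect, because Maven 3 ignores exclusions declared on a `<scope>import</scope>` dependency; the managed `spring-web` version from the Spring Boot BOM is still imported unchanged. To pin a patched Spring Framework, declare an import of `org.springframework:spring-framework-bom` with the wanted version before the Spring Boot BOM inside `dependencyManagement` (for an artifact managed by several imported BOMs, the first declaration wins), or manage `spring-web` explicitly there. The hunk also ends by opening a new `<dependency>` whose body lies outside the quoted lines, so the version actually being introduced cannot be checked from this excerpt.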

Review Comment:
   ok





[GitHub] [incubator-linkis] jackxu2011 commented on pull request #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

Posted by GitBox <gi...@apache.org>.
jackxu2011 commented on PR #2413:
URL: https://github.com/apache/incubator-linkis/pull/2413#issuecomment-1181266958

   Suggestion: just add the springframe-bom import directly in the parent pom file, placed before the springboot dependency; that is enough.
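The BOM-ordering fix proposed in this comment, written out as an added pom.xml example (not the PR's diff and not the project's actual pom): the ineffective pattern from the hunk beside the form the reviewer suggests. `${spring.version}` is a placeholder property that you set to the patched Spring Framework release you need.

```xml
<!-- Added example, not taken from the PR. Maven 3 ignores <exclusions> on an
     import-scoped BOM, so this block does NOT change the managed spring-web
     version that spring-boot-dependencies brings in: -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>${spring.boot.version}</version>
      <type>pom</type>
      <scope>import</scope>
      <exclusions>            <!-- no effect on imported managed versions -->
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-web</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Effective form: import spring-framework-bom BEFORE the Spring Boot BOM.
     When several imported BOMs manage the same artifact, Maven keeps the
     version from the BOM declared first, so every org.springframework:*
     module is pinned to ${spring.version} (placeholder: the patched release). -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-framework-bom</artifactId>
      <version>${spring.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>${spring.boot.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm which version actually resolves with `mvn dependency:tree -Dincludes=org.springframework:spring-web` before and after the change.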




[GitHub] [incubator-linkis] duhanmin closed pull request #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

Posted by GitBox <gi...@apache.org>.
duhanmin closed pull request #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296
URL: https://github.com/apache/incubator-linkis/pull/2413






[GitHub] [incubator-linkis] jackxu2011 commented on a diff in pull request #2413: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

Posted by GitBox <gi...@apache.org>.
jackxu2011 commented on code in PR #2413:
URL: https://github.com/apache/incubator-linkis/pull/2413#discussion_r918513128


##########
pom.xml:
##########
@@ -811,6 +812,17 @@
                 <version>${spring.boot.version}</version>
                 <type>pom</type>
                 <scope>import</scope>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.springframework</groupId>
+                        <artifactId>spring-web</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>

Review Comment:
   This spring web configuration has no effect; it will be overridden by the spring boot configuration. You can try again following what I wrote in my comment.




