Posted to notifications@pekko.apache.org by "He-Pin (via GitHub)" <gi...@apache.org> on 2024/02/06 18:59:06 UTC

Re: [PR] upgrade commons-net to 3.10.0 due to cve [incubator-pekko-connectors]

He-Pin commented on code in PR #171:
URL: https://github.com/apache/incubator-pekko-connectors/pull/171#discussion_r1480406341


##########
ftp/src/main/java/org/apache/pekko/stream/connectors/ftp/impl/LegacyFtpsClient.java:
##########
@@ -0,0 +1,836 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.pekko.stream.connectors.ftp.impl;
+
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.net.Inet6Address;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.Base64;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+
+import org.apache.commons.net.ftp.*;
+import org.apache.commons.net.util.SSLContextUtils;
+import org.apache.commons.net.util.SSLSocketUtils;
+import org.apache.commons.net.util.TrustManagerUtils;
+
+/**
+ * This class is a workaround for code introduced in commons-net 3.9.0 that breaks
+ * FTPS support when HTTP proxies are used.
+ * See https://issues.apache.org/jira/browse/NET-718
+ * 
+ * Derived from https://github.com/apache/commons-net/blob/master/src/main/java/org/apache/commons/net/ftp/FTPSClient.java
+ */
+final class LegacyFtpsClient extends FTPClient {
+
+// From http://www.iana.org/assignments/port-numbers
+
+//    ftps-data   989/tcp    ftp protocol, data, over TLS/SSL
+//    ftps-data   989/udp    ftp protocol, data, over TLS/SSL
+//    ftps        990/tcp    ftp protocol, control, over TLS/SSL
+//    ftps        990/udp    ftp protocol, control, over TLS/SSL
+
+    public static final int DEFAULT_FTPS_DATA_PORT = 989;
+    public static final int DEFAULT_FTPS_PORT = 990;
+
+    /** The value that I can set in PROT command (C = Clear, P = Protected) */
+    private static final String[] PROT_COMMAND_VALUE = { "C", "E", "S", "P" };
+    /** Default PROT Command */
+    private static final String DEFAULT_PROT = "C";
+    /** Default secure socket protocol name, i.e. TLS */
+    private static final String DEFAULT_PROTOCOL = "TLS";
+
+    /** The AUTH (Authentication/Security Mechanism) command. */
+    private static final String CMD_AUTH = "AUTH";
+    /** The ADAT (Authentication/Security Data) command. */
+    private static final String CMD_ADAT = "ADAT";
+    /** The PROT (Data Channel Protection Level) command. */
+    private static final String CMD_PROT = "PROT";
+    /** The PBSZ (Protection Buffer Size) command. */
+    private static final String CMD_PBSZ = "PBSZ";
+    /** The MIC (Integrity Protected Command) command. */
+    private static final String CMD_MIC = "MIC";
+    /** The CONF (Confidentiality Protected Command) command. */
+    private static final String CMD_CONF = "CONF";
+    /** The ENC (Privacy Protected Command) command. */
+    private static final String CMD_ENC = "ENC";
+    /** The CCC (Clear Command Channel) command. */
+    private static final String CMD_CCC = "CCC";
+
+    /** @deprecated - not used - may be removed in a future release */
+    @Deprecated
+    public static String KEYSTORE_ALGORITHM;
+    /** @deprecated - not used - may be removed in a future release */
+    @Deprecated
+    public static String TRUSTSTORE_ALGORITHM;
+    /** @deprecated - not used - may be removed in a future release */
+    @Deprecated
+    public static String PROVIDER;
+    /** @deprecated - not used - may be removed in a future release */
+    @Deprecated
+    public static String STORE_TYPE;
+    /** The security mode. (True - Implicit Mode / False - Explicit Mode) */
+    private final boolean isImplicit;
+    /** The secure socket protocol to be used, e.g. SSL/TLS. */
+    private final String protocol;
+    /** The AUTH Command value */
+    private String auth = DEFAULT_PROTOCOL;
+    /** The context object. */
+    private SSLContext context;
+    /** The socket object. */
+    private Socket plainSocket;
+    /** Controls whether a new SSL session may be established by this socket. Default true. */
+    private boolean isCreation = true;
+    /** The use client mode flag. */
+    private boolean isClientMode = true;
+
+    /** The need client auth flag. */
+    private boolean isNeedClientAuth;
+
+    /** The want client auth flag. */
+    private boolean isWantClientAuth;
+
+    /** The cipher suites */
+    private String[] suites;
+
+    /** The protocol versions */
+    private String[] protocols;
+
+    /**
+     * The FTPS {@link TrustManager} implementation, default validate only {@link TrustManagerUtils#getValidateServerCertificateTrustManager()}.
+     */
+    private TrustManager trustManager = TrustManagerUtils.getValidateServerCertificateTrustManager();
+
+    /** The {@link KeyManager}, default null (i.e. use system default). */
+    private KeyManager keyManager;
+
+    /** The {@link HostnameVerifier} to use post-TLS, default null (i.e. no verification). */
+    private HostnameVerifier hostnameVerifier;
+
+    /** Use Java 1.7+ HTTPS Endpoint Identification Algorithm. */
+    private boolean tlsEndpointChecking;
+
+    /**
+     * Constructor for LegacyFtpsClient calls.
+     *
+     * Sets protocol to {@link #DEFAULT_PROTOCOL} - i.e. TLS - and security mode to explicit (isImplicit = false)
+     */
+    LegacyFtpsClient() {
+        this(false);
+    }
+
+    /**
+     * Constructor for LegacyFtpsClient calls.
+     *
+     * Sets protocol to {@link #DEFAULT_PROTOCOL} - i.e. TLS
+     * @param isImplicit True - Implicit Mode / False - Explicit Mode
+     */
+    LegacyFtpsClient(final boolean isImplicit) {
+        this(DEFAULT_PROTOCOL, isImplicit);
+    }
+
+    private LegacyFtpsClient(final String protocol, final boolean isImplicit) {
+        this.protocol = protocol;
+        this.isImplicit = isImplicit;
+        if (isImplicit) {
+            setDefaultPort(DEFAULT_FTPS_PORT);
+        }
+    }
+
+    /**
+     * Because there are so many connect() methods, the _connectAction_() method is provided as a means of performing some action immediately after establishing
+     * a connection, rather than reimplementing all the connect() methods.
+     *
+     * @throws IOException If there is any problem with establishing the connection.
+     * @see org.apache.commons.net.SocketClient#_connectAction_()
+     */
+    @Override
+    protected void _connectAction_() throws IOException {
+        // Implicit mode.
+        if (isImplicit) {
+            applySocketAttributes();
+            sslNegotiation();
+        }
+        super._connectAction_();
+        // Explicit mode.
+        if (!isImplicit) {
+            execAUTH();
+            sslNegotiation();
+        }
+    }
+
+    /**
+     * Returns a socket of the data connection. Wrapped as an {@link SSLSocket}, which carries out handshake processing.
+     *
+     * @param command The int representation of the FTP command to send.
+     * @param arg     The arguments to the FTP command. If this parameter is set to null, then the command is sent with no arguments.
+     * @return corresponding to the established data connection. Null is returned if an FTP protocol error is reported at any point during the establishment and
+     *         initialization of the connection.
+     * @throws IOException If there is any problem with the connection.
+     * @see FTPClient#_openDataConnection_(int, String)
+     * @deprecated (3.3) Use {@link FTPClient#_openDataConnection_(FTPCmd, String)} instead

Review Comment:
   Should we adopt the @since version in this file?


