
refactor(commons): handle sofa-rpc desc type & mark TODO #2666

Merged: 7 commits from sofa-rpc into master, Oct 25, 2024

Conversation

@imbajin (Member) commented Sep 19, 2024

Purpose of the PR

  • fix a deserialization vulnerability (CVE) that was detected in SOFA-RPC (it is disabled by default now)

Main Changes

Test it in a local env first:

  1. run hugegraph-commons/hugegraph-rpc/src/test/java/org/apache/hugegraph/unit/UnitTestSuite.java

Before (5.7.6)

[screenshot]

After (5.12.0)

[screenshot] [screenshot]


@imbajin (Member, Author) commented Oct 23, 2024

Keeping the dependencies here for future upgrade reference:

    <!-- for pom.xml in rpc module -->
    <dependencies>
        <!-- hugegraph-common -->
        <dependency>
            <groupId>org.apache.hugegraph</groupId>
            <artifactId>hugegraph-common</artifactId>
            <version>${revision}</version>
        </dependency>

        <!-- sofa rpc -->
        <dependency>
            <groupId>com.lmax</groupId>
            <artifactId>disruptor</artifactId>
            <version>3.3.7</version>
        </dependency>
        <dependency>
            <groupId>com.alipay.sofa</groupId>
            <artifactId>bolt</artifactId>
            <version>1.6.2</version>
            <exclusions>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>slf4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.alipay.sofa</groupId>
            <artifactId>sofa-rpc-all</artifactId>
            <version>5.7.6</version>
            <exclusions>
                <exclusion>
                    <groupId>org.jboss.resteasy</groupId>
                    <artifactId>resteasy-client</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.jboss.resteasy</groupId>
                    <artifactId>resteasy-netty4</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.jboss.resteasy</groupId>
                    <artifactId>resteasy-jackson2-provider</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.httpcomponents</groupId>
                    <artifactId>httpclient</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.httpcomponents</groupId>
                    <artifactId>httpcore</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.httpcomponents</groupId>
                    <artifactId>httpmime</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.jboss.logging</groupId>
                    <artifactId>jboss-logging</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>slf4j-api</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>io.grpc</groupId>
                    <artifactId>grpc-core</artifactId>
                </exclusion>
<!--                <exclusion>-->
<!--                    <groupId>io.grpc</groupId>-->
<!--                    <artifactId>grpc-all</artifactId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>jackson-annotations</artifactId>-->
<!--                    <groupId>com.fasterxml.jackson.core</groupId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>jackson-core</artifactId>-->
<!--                    <groupId>com.fasterxml.jackson.core</groupId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>jackson-databind</artifactId>-->
<!--                    <groupId>com.fasterxml.jackson.core</groupId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>netty-all</artifactId>-->
<!--                    <groupId>io.netty</groupId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>commons-lang3</artifactId>-->
<!--                    <groupId>org.apache.commons</groupId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>protobuf-java</artifactId>-->
<!--                    <groupId>com.google.protobuf</groupId>-->
<!--                </exclusion>-->
            </exclusions>
        </dependency>
        <dependency>
            <groupId>io.grpc</groupId>
            <artifactId>grpc-core</artifactId>
            <version>1.28.1</version>
<!--            <exclusions>-->
<!--                <exclusion>-->
<!--                    <artifactId>jackson-core</artifactId>-->
<!--                    <groupId>com.fasterxml.jackson.core</groupId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>guava</artifactId>-->
<!--                    <groupId>com.google.guava</groupId>-->
<!--                </exclusion>-->
<!--            </exclusions>-->
        </dependency>
    </dependencies>

For the server-api module:

        <dependency>
            <groupId>org.apache.hugegraph</groupId>
            <artifactId>hugegraph-core</artifactId>
            <version>${revision}</version>
            <exclusions>
                <exclusion>
                    <artifactId>bolt</artifactId>
                    <groupId>com.alipay.sofa</groupId>
                </exclusion>
<!--                <exclusion>-->
<!--                    <artifactId>hessian</artifactId>-->
<!--                    <groupId>com.alipay.sofa</groupId>-->
<!--                </exclusion>-->
                <exclusion>
                    <artifactId>guava</artifactId>
                    <groupId>com.google.guava</groupId>
                </exclusion>
                <exclusion>
                    <artifactId>netty-all</artifactId>
                    <groupId>io.netty</groupId>
                </exclusion>
                <exclusion>
                    <artifactId>sofa-common-tools</artifactId>
                    <groupId>com.alipay.sofa.common</groupId>
                </exclusion>
                <exclusion>
                    <artifactId>hessian</artifactId>
                    <groupId>com.alipay.sofa</groupId>
                </exclusion>
                <exclusion>
                    <artifactId>jackson-databind</artifactId>
                    <groupId>com.fasterxml.jackson.core</groupId>
                </exclusion>
            </exclusions>
        </dependency>

        <dependency>

@@ -41,36 +71,68 @@
            <!-- Keep consistent with grpc dependency version (pd/store) -->
<!--            <version>1.47.0</version>-->
            <version>1.39.0</version>
            <exclusions>
                <exclusion>
                    <artifactId>guava</artifactId>
                    <groupId>com.google.guava</groupId>
                </exclusion>
            </exclusions>
        </dependency>

        <dependency>
            <groupId>org.apache.hugegraph</groupId>
            <artifactId>hugegraph-rpc</artifactId>
<!--            <exclusions>-->
<!--                <exclusion>-->
<!--                    <groupId>io.grpc</groupId>-->
<!--                    <artifactId>grpc-netty-shaded</artifactId>-->
<!--                </exclusion>-->
<!--                &lt;!&ndash; conflict with jraft &ndash;&gt;-->
<!--                <exclusion>-->
<!--                    <groupId>com.alipay.sofa</groupId>-->
<!--                    <artifactId>bolt</artifactId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <groupId>com.alipay.sofa.common</groupId>-->
<!--                    <artifactId>sofa-common-tools</artifactId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <groupId>com.alipay.sofa</groupId>-->
<!--                    <artifactId>hessian</artifactId>-->
<!--                </exclusion>-->
<!--                &lt;!&ndash; conflict with cassandra-netty/tinkerpop-server  &ndash;&gt;-->
<!--                <exclusion>-->
<!--                    <groupId>io.netty</groupId>-->
<!--                    <artifactId>netty-all</artifactId>-->
<!--                </exclusion>-->
<!--                <exclusion>-->
<!--                    <artifactId>okio</artifactId>-->
<!--                    <groupId>com.squareup.okio</groupId>-->
<!--                </exclusion>-->
<!--            </exclusions>-->
        </dependency>
        <dependency>
            <groupId>com.alipay.sofa</groupId>
            <artifactId>bolt</artifactId>
            <version>1.6.6</version>
            <scope>compile</scope>
            <exclusions>
                <exclusion>
                    <artifactId>netty-all</artifactId>
                    <groupId>io.netty</groupId>
                </exclusion>
                <exclusion>
                    <artifactId>sofa-common-tools</artifactId>
                    <groupId>com.alipay.sofa.common</groupId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
          <groupId>io.netty</groupId>
          <artifactId>netty-all</artifactId>
          <version>4.1.44.Final</version>
          <scope>compile</scope>
        </dependency>
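Review bot: the versions pinned in this hunk drift from the ones the rpc-module pom above keeps: bolt is 1.6.6 here (with `netty-all` and `sofa-common-tools` excluded) but 1.6.2 in the rpc module, and grpc is 1.39.0 here ("keep consistent with pd/store", with 1.47.0 commented out) but grpc-core 1.28.1 there; netty-all is then pinned separately at 4.1.44.Final, an old 4.1.x line, with an explicit `<scope>compile</scope>` that is already the default. With every exclusion on hugegraph-rpc commented out (`grpc-netty-shaded`, `bolt`, `sofa-common-tools`, `hessian`, `netty-all`, `okio`), the conflicts those comments describe ("conflict with jraft", "conflict with cassandra-netty/tinkerpop-server") are now settled only by Maven's nearest-wins resolution, which is hard to reason about from the pom. Suggest one `<bolt.version>` / `<grpc.version>` / `<netty.version>` property in the parent pom shared by both modules, a check that 4.1.44.Final is the Netty that bolt 1.6.6 and the upgraded sofa-rpc expect (or a newer one, since this PR exists to close a deserialization CVE on this transport), and either deleting the commented-out exclusions or keeping them behind the TODO the title promises, with the `hessian` exclusion in particular explained since hessian is the deserialization path in question.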

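The two pom fragments above pin bolt, grpc and netty at different versions in different modules, and a reviewer has to spot that by eye. The following added example (my code, not from the hugegraph project or this PR) parses the plain-text output of `mvn dependency:tree` for a multi-module build and reports artifacts resolved at more than one version across modules, plus artifacts below a minimum-version floor. The tree output and the policy floor are constructed for the example, using only versions this PR mentions; the root/dependency line format is the one maven-dependency-plugin prints.

```python
"""Flag cross-module dependency drift in `mvn dependency:tree` output.

Added example; not code from the hugegraph project or this PR. It assumes the
plain-text tree format printed by maven-dependency-plugin
(`[INFO] +- group:artifact:type[:classifier]:version:scope`, one root line per
module) and a hypothetical minimum-version policy; both the sample output and
the policy are constructed here, using only versions this PR mentions.
"""
import re
from collections import defaultdict

# Root line of one module's tree, e.g. "[INFO] org.apache.hugegraph:hugegraph-rpc:jar:1.0.0-SNAPSHOT"
_ROOT_RE = re.compile(
    r"^\[INFO\] (?P<g>[\w.\-]+):(?P<a>[\w.\-]+):[\w\-]+:(?P<v>[\w.\-]+)\s*$"
)
# Dependency line with its tree-drawing prefix ("+- ", "|  \- ", ...)
_DEP_RE = re.compile(
    r"^\[INFO\] (?P<tree>[|+\\\- ]+)"
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):[\w\-]+:(?:[\w.\-]+:)?(?P<v>[\w.\-]+):(?P<s>\w+)\s*$"
)

# Constructed sample of two modules' trees (plugin version and module version are placeholders).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ hugegraph-rpc ---
[INFO] org.apache.hugegraph:hugegraph-rpc:jar:1.0.0-SNAPSHOT
[INFO] +- com.alipay.sofa:bolt:jar:1.6.2:compile
[INFO] |  \- io.netty:netty-all:jar:4.1.44.Final:compile
[INFO] +- com.alipay.sofa:sofa-rpc-all:jar:5.7.6:compile
[INFO] +- com.lmax:disruptor:jar:3.3.7:compile
[INFO] \- io.grpc:grpc-core:jar:1.28.1:compile
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ hugegraph-server-api ---
[INFO] org.apache.hugegraph:hugegraph-server-api:jar:1.0.0-SNAPSHOT
[INFO] +- com.alipay.sofa:bolt:jar:1.6.6:compile
[INFO] +- io.netty:netty-all:jar:4.1.44.Final:compile
[INFO] \- io.grpc:grpc-core:jar:1.39.0:compile
"""


def version_key(version):
    """Numeric prefix of a Maven version for ordering: '4.1.44.Final' -> (4, 1, 44)."""
    key = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break  # stop at a qualifier such as Final or SNAPSHOT
        key.append(int(piece))
    return tuple(key)


def parse_tree(output):
    """Map each module to {"group:artifact": version} for its resolved dependencies."""
    modules = {}
    current = None
    for line in output.splitlines():
        root = _ROOT_RE.match(line)
        if root:
            current = f"{root['g']}:{root['a']}"
            modules[current] = {}
            continue
        dep = _DEP_RE.match(line)
        if dep and current is not None:
            modules[current][f"{dep['g']}:{dep['a']}"] = dep["v"]
    return modules


def find_conflicts(modules):
    """Artifacts that different modules resolve at different versions."""
    by_artifact = defaultdict(dict)
    for module, deps in modules.items():
        for ga, version in deps.items():
            by_artifact[ga][module] = version
    return {ga: mods for ga, mods in by_artifact.items() if len(set(mods.values())) > 1}


def below_minimum(modules, policy):
    """(module, artifact, found, floor) for every artifact older than the policy floor."""
    hits = []
    for module, deps in modules.items():
        for ga, floor in policy.items():
            found = deps.get(ga)
            if found is not None and version_key(found) < version_key(floor):
                hits.append((module, ga, found, floor))
    return sorted(hits)


# Hypothetical policy floor (assumption for this example): the versions the PR moves to.
MIN_VERSIONS = {
    "com.alipay.sofa:sofa-rpc-all": "5.12.0",
    "com.alipay.sofa:bolt": "1.6.6",
}

if __name__ == "__main__":
    modules = parse_tree(SAMPLE_TREE)
    for ga, mods in sorted(find_conflicts(modules).items()):
        print(f"CONFLICT {ga}: " + ", ".join(f"{m}={v}" for m, v in sorted(mods.items())))
    for module, ga, found, floor in below_minimum(modules, MIN_VERSIONS):
        print(f"BELOW MIN {module}: {ga} {found} < {floor}")
```

To use it on the real build, replace `SAMPLE_TREE` with the captured output of `mvn dependency:tree` run at the reactor root, which prints one tree per module; on the sample it reports bolt (1.6.2 vs 1.6.6) and grpc-core (1.28.1 vs 1.39.0) as cross-module conflicts, leaves netty-all alone because both modules agree on 4.1.44.Final, and flags the rpc module's sofa-rpc-all 5.7.6 and bolt 1.6.2 as below the floor.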
@imbajin marked this pull request as ready for review on Oct 23, 2024 10:49
@imbajin changed the title from "chore: upgrade sofa-rpc to latest version" to "refactor(commons): handle sofa-rpc desc type & mark TODO" on Oct 23, 2024
dosubot added the labels "size:L" (this PR changes 100-499 lines, ignoring generated files) and "dependencies" (incompatible dependencies of package) on Oct 23, 2024
github-actions removed the "inactive" label on Oct 23, 2024
dosubot added the "lgtm" label (this PR has been approved by a maintainer) on Oct 24, 2024
@simon824 merged commit 21855c6 into master on Oct 25, 2024
18 of 19 checks passed
@simon824 deleted the sofa-rpc branch on Oct 25, 2024 03:16