Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update spring-boot version to 3.1.2 #22933

Merged
merged 32 commits into from
Aug 19, 2023
Merged

Update spring-boot version to 3.1.2 #22933

merged 32 commits into from
Aug 19, 2023

Conversation

DanielFran
Copy link
Member


Please make sure the below checklist is followed for Pull Requests.

When you are still working on the PR, consider converting it to Draft (below reviewers) and adding skip-ci label, you can still see CI build result at your branch.

@DanielFran
Copy link
Member Author

@mshima The root cause:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'filterChain' defined in class path resource [tech/jhipster/sample/config/SecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'filterChain' threw exception with message: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).

@mshima
Copy link
Member

mshima commented Jul 21, 2023

@DanielFran just posted spring-projects/spring-boot#36500

@mshima
Copy link
Member

mshima commented Jul 21, 2023

Caused by spring-projects/spring-security#13568

@DanielFran DanielFran added $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ $200 https://www.jhipster.tech/bug-bounties/ labels Jul 23, 2023
@mshima
Copy link
Member

mshima commented Aug 11, 2023

@DanielFran are you planning to finish the update soon?

@DanielFran
Copy link
Member Author

@mshima No, I am away 2 weeks from my laptop :P

@mraible
Copy link
Contributor

mraible commented Aug 15, 2023

@mshima How can I help move this along?

@mshima
Copy link
Member

mshima commented Aug 16, 2023

The remaining error is:

2023-08-16T13:19:44.870Z ERROR 1 --- [or-http-epoll-3] io.netty.util.ResourceLeakDetector       : LEAK: ByteBuf.release() was not called before it's garbage-collected. See https://netty.io/wiki/reference-counted-objects.html for more information._Recent access records: _Created at:__io.netty.buffer.SimpleLeakAwareByteBuf.unwrappedDerived(SimpleLeakAwareByteBuf.java:144)__io.netty.buffer.SimpleLeakAwareByteBuf.readRetainedSlice(SimpleLeakAwareByteBuf.java:67)__org.mariadb.r2dbc.client.MariadbFrameDecoder.decode(MariadbFrameDecoder.java:92)__io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)__io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)__io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)__io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)__io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)__io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)__io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)__io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)__io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)__io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)__io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)__io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:499)__io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:397)__io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)__io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)__io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)__java.base/java.lang.Thread.run(Unknown Source) 

@mshima
Copy link
Member

mshima commented Aug 18, 2023

From https://github.com/jzheaux/cve-2023-34035-mitigations#mitigations.
We probably should match controllers urls using mvc matcher.
Don't know about /management and /v3/api-docs/.

@mraible
Copy link
Contributor

mraible commented Aug 18, 2023

@gmarziou @mshima I don't know if I agree that we should use Ant matchers in JHipster 8, even if it makes upgrading easier. Using MVC matchers is the recommended pattern from Spring Boot and I believe we should follow it.

@mshima
Copy link
Member

mshima commented Aug 18, 2023

@gmarziou @mshima I don't know if I agree that we should use Ant matchers in JHipster 8, even if it makes upgrading easier. Using MVC matchers is the recommended pattern from Spring Boot and I believe we should follow it.

I think this recommendation was before the security issue was found at the link I've passed:

This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint, please use `requestMatchers(MvcRequestMatcher)`;
otherwise, please use `requestMatchers(AntPathRequestMatcher)`.

My initial understanding is that every resource except /h2-console and /websocket are considered Spring MVC endpoint. I have doubts about the ResourceHandler and management

@mraible
Copy link
Contributor

mraible commented Aug 18, 2023

@mshima OK. Thanks for the clarification. That makes sense.

@mshima
Copy link
Member

mshima commented Aug 18, 2023

After going through the issue and mitigation process, my understanding is that everything that goes through a DispatcherServlet should use a mvc matcher. ResourceHandler, actuator endpoints and websocket uses the DispatcherServlet.

So we should use mvc matcher for every url except h2-console which is served by a custom servlet.

I will check if actuator uses a second DispatcherServlet instance.

mraible
mraible previously approved these changes Aug 19, 2023
@mshima mshima marked this pull request as draft August 19, 2023 09:28
@gmarziou
Copy link
Contributor

gmarziou commented Aug 19, 2023

What about images and other static resources? Aren't they served by an Undertow servlet?

I'm still in favor of backward compatibility and stability over time.
Migration to Spring Boot 3 is already in itself a pain for app developers due to JDK 17, Spring Security, jakarta package, Springfox to Spring Docs, ...

@mshima
Copy link
Member

mshima commented Aug 19, 2023

What about images and other static resources? Aren't they served by an Undertow servlet?

They are served through spring‘s ResourceHandler that is served using DispatcherServlet.
If you extract the jar/war you will see resources inside classes/static folder instead of root folder.
I’m not sure about websocket. After a quick search seems that stomp is served by socksHandler or something like it.

I'm still in favor of backward compatibility and stability over time.

In this case jhipster v7 using antMatcher are wrong. The best explanation I’ve found is spring-projects/spring-security#13568 (comment).

@gmarziou
Copy link
Contributor

gmarziou commented Aug 19, 2023

In this case jhipster v7 using antMatcher are wrong. The best explanation I’ve found is spring-projects/spring-security#13568 (comment).

Good explanation yes but later comments show that there are issues with other servlets like h2 console (probably also when using h2 db as a server) and devtools, I suspect others may appear for any kind of embedded servers (e.g. distributed caches?)

This CVE is still open so I guess there is no conclusive answer yet.

@mshima
Copy link
Member

mshima commented Aug 19, 2023

Good explanation yes but later comments show that there are issues with other servlets like h2 console

There are a other things been discussed in the issue not only the security issue and fixes.

  • why it needs to be a breaking change in a patch release?
  • why not deprecate requestMatcher(string)?

If you take a look at the first commit from this PR, most of runs succeed. That happens if only 1 servlet is registered.
The issue about h2-console is that it requires an additional servlet so requestMatcher(string) cannot be used.

I didn’t investigate the reason for each sample failure.

The current fix for the security issue is to use mvcMatcher for Spring MVC, and make sure an DispatcherServlet with context-path (additional or not) to use like MvcPatternBuilder.servletPath(context-path).pattern('/**').
And use antMatcher for non-spring servlets like h2-console.

@mshima mshima marked this pull request as ready for review August 19, 2023 20:09
@mshima mshima enabled auto-merge (squash) August 19, 2023 20:12
@mshima mshima merged commit 7a9a174 into main Aug 19, 2023
@mshima mshima deleted the skip_ci-spring-boot_3.1.2 branch August 19, 2023 21:17
deepu105 pushed a commit to dinu0000/generator-jhipster that referenced this pull request Aug 20, 2023
* Use MvcRequestMatcher in SecurityFilterChain

See https://spring.io/security/cve-2023-34035

* Update spring-boot version to 3.1.2

* Update hibernate version to 6.2.6.Final

* replace mariadb with mysql at reactive samples

* fix to swagger-ui

* fix jdlSamples variable

---------

Co-authored-by: Marcelo Shima <[email protected]>
@deepu105 deepu105 added this to the 8.0.0-beta.3 milestone Sep 5, 2023
@mshima mshima mentioned this pull request Nov 8, 2023
6 tasks
@DanielFran
Copy link
Member Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
$$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ theme: CI builds theme: front theme: java theme: jhipster-internals $500 https://www.jhipster.tech/bug-bounties/
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants