Spring version is too old and has a vulnerability #8169

Closed
plane636 opened this issue Apr 15, 2022 · 19 comments
Labels
dependencies Pull requests that update a dependency file
Comments

@plane636

spring-projects/spring-boot#30492
The current version may be affected by the Spring4Shell vulnerability.

@liqipeng
Contributor

I will solve it.

@liqipeng
Contributor

I will upgrade the version, referring to GHSA-36p3-wjmg-h94x.

@liqipeng
Contributor

liqipeng commented Apr 17, 2022

Submitted PRs to upgrade Spring:

  1. [ISSUE #8169] Upgrade spring-boot version to 2.6.6(2.x) #8184
  2. [ISSUE #8169] Upgrade spring-boot version to 2.6.6(1.x) #8185

Ran into the following problems when upgrading spring-boot to 2.6.6:

  1. Got a circular-dependency error. It turns out Spring Boot 2.6 disallows circular dependencies by default; allowing them requires an explicit declaration in a configuration file. Current workaround: added that configuration item. (But later version upgrades will again require adding the configuration, and forgetting it would be a pitfall; to be improved.)
  2. The integration test ClientBeatCheckTaskTest depended on commonOkHttp, a library that has not been maintained for quite a while; it depends on the OkHttp component and caused the integration test to fail. Fix: removed that dependency and rewrote the test on top of httpclient.
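
As an added example (not code from the Nacos project or from anyone in this thread), here is a check that the upgrade discussed above actually reached the resolved dependency tree: it scans `mvn dependency:tree` output for Spring Boot artifacts below the 2.6.6 minimum named in this issue, catching a transitive dependency that still pulls an older spring-boot. The sample tree lines are constructed; the minimum versions for other groups (Spring Framework itself, for instance) are not on this page and are left for the caller to supply from GHSA-36p3-wjmg-h94x.

```python
"""Flag Spring Boot artifacts in a Maven dependency tree that sit below a minimum version."""
import re
from typing import Dict, List, Tuple

# One coordinate from `mvn dependency:tree`, e.g. "[INFO] +- org.springframework.boot:spring-boot:jar:2.5.6:compile";
# an optional classifier may sit between type and version.
TREE_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Minimum taken from this issue (the PRs move spring-boot to 2.6.6). Other groups, e.g. Spring
# Framework itself, are deliberately not listed; take their fixed versions from GHSA-36p3-wjmg-h94x.
SPRING_BOOT_MINIMUM: Dict[str, str] = {"org.springframework.boot": "2.6.6"}

# Constructed sample of dependency:tree output; not taken from the Nacos build.
SAMPLE_TREE: List[str] = """\
[INFO] example:app:jar:1.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.5.6:compile
[INFO] |  \\- org.springframework:spring-webmvc:jar:5.3.12:compile
[INFO] \\- com.zaxxer:HikariCP:jar:3.4.2:compile
""".splitlines()


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version, for ordering: '2.6.6' -> (2, 6, 6).
    Qualifiers like '-SNAPSHOT' are dropped, so a snapshot compares equal to its release."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_outdated(tree_lines: List[str], minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, resolved_version, required_version) for every artifact whose
    groupId has an entry in `minimums` and whose resolved version is below it."""
    findings: List[Tuple[str, str, str]] = []
    for line in tree_lines:
        match = TREE_LINE.search(line)
        if not match:
            continue  # root module line or other log output
        group, artifact, version = match.group("group", "artifact", "version")
        required = minimums.get(group)
        if required is not None and version_key(version) < version_key(required):
            findings.append((f"{group}:{artifact}", version, required))
    return findings
```

Pipe the real tree in with `mvn dependency:tree | python3 -c '...'` or read it from a file; an empty result means every spring-boot artifact in the build resolved to 2.6.6 or newer.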

liqipeng added a commit to liqipeng/nacos that referenced this issue Apr 17, 2022
liqipeng added a commit to liqipeng/nacos that referenced this issue Apr 17, 2022
@KomachiSion KomachiSion added the dependencies Pull requests that update a dependency file label Apr 18, 2022
@liqipeng
Contributor

A supplement regarding the circular dependency above:

  1. The circular-dependency problem occurred on the develop branch; the 1.x branch did not hit it;
  2. For the develop branch, the handling has been changed to set the property in a hard-coded way via System.setProperty inside a SpringApplicationRunListener, see fc0d3c4, so no extra configuration is needed that would affect later upgrades;

@KomachiSion
Collaborator

Could you be more specific? It would be better to paste the circular-dependency error log directly; circular dependencies need to be resolved. Version 2.1 should already detect circular dependencies.

@liqipeng
Contributor

> Could you be more specific? It would be better to paste the circular-dependency error log directly; circular dependencies need to be resolved. Version 2.1 should already detect circular dependencies.

Sorry, I synced the circular-dependency error to the PR but forgot to sync it here. Reposting:

#8184 (comment)

> Where is the circular dependency reported? What is the message? I remember version 2.1 already disallowed circular dependencies.

See this CI run https://github.com/alibaba/nacos/runs/6051513004?check_suite_focus=true and search the log for "circular reference":

The dependencies of some of the beans in the application context form a cycle:

   nacosAuthManager (field private com.alibaba.nacos.plugin.auth.impl.JwtTokenManager com.alibaba.nacos.plugin.auth.impl.NacosAuthManager.tokenManager)
┌─────┐
|  jwtTokenManager (field private com.alibaba.nacos.plugin.auth.impl.NacosAuthConfig com.alibaba.nacos.plugin.auth.impl.JwtTokenManager.nacosAuthConfig)
↑     ↓
|  nacosAuthConfig (field private com.alibaba.nacos.plugin.auth.impl.JwtTokenManager com.alibaba.nacos.plugin.auth.impl.NacosAuthConfig.tokenProvider)
└─────┘

After I manually adjusted the code to break this dependency, I hit another, more complex circular dependency (as I recall, a cycle of about 5 classes; the code was reverted before being committed, so I can't provide details right now).

(I suggest we discuss the circular-dependency problem in the 2.x PR #8184, since only 2.x hit it.)

@KomachiSion
Collaborator

The circular dependency was probably introduced by the refactoring and needs to be fixed separately; there's no need to add that parameter. The Spring version can be upgraded after it's resolved.

@CherishCai
Contributor

Please upgrade prometheus-simpleclient as well, 0.5.0 -> 0.12.0

<prometheus-simpleclient.version>0.12.0</prometheus-simpleclient.version>


@CherishCai
Contributor

You can also drop the custom HikariCP version and let spring-boot-dependencies manage the version number uniformly, so it follows Spring Boot's upgrades.

           <HikariCP.version>3.4.2</HikariCP.version>

            <!-- HikariCP -->
            <dependency>
                <groupId>com.zaxxer</groupId>
                <artifactId>HikariCP</artifactId>
                <version>${HikariCP.version}</version>
            </dependency>

liqipeng added a commit to liqipeng/nacos that referenced this issue May 29, 2022
@CherishCai
Contributor

CherishCai commented May 30, 2022

After upgrading the Spring version, also try deploying Nacos as a jar. You will probably hit the server.tomcat.basedir error; at least I did...

Most likely the new version changed this field to File.

liqipeng added a commit to liqipeng/nacos that referenced this issue Jun 3, 2022
@KomachiSion KomachiSion added this to the 2.1.1 milestone Jun 6, 2022
@liqipeng
Contributor

liqipeng commented Jun 6, 2022

> After upgrading the Spring version, also try deploying Nacos as a jar. You will probably hit the server.tomcat.basedir error; at least I did...
>
> Most likely the new version changed this field to File.

This problem does exist; the error is:

org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'tomcatServletWebServerFactory' defined in class path resource [org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryConfiguration$EmbeddedTomcat.class]: Initialization of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'servletWebServerFactoryCustomizer' defined in class path resource [org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryAutoConfiguration.class]: Unsatisfied dependency expressed through method 'servletWebServerFactoryCustomizer' parameter 0; nested exception is org.springframework.boot.context.properties.ConfigurationPropertiesBindException: Error creating bean with name 'server-org.springframework.boot.autoconfigure.web.ServerProperties': Could not bind properties to 'ServerProperties' : prefix=server, ignoreInvalidFields=false, ignoreUnknownFields=true; nested exception is org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'server.tomcat.basedir' to java.io.File
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:163)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:577)
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:145)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:740)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:415)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1312)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1301)
at com.alibaba.nacos.Nacos.main(Nacos.java:35)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:467)

I'll fix it.

@CherishCai
Contributor

> I'll fix it.

@liqipeng HikariCP and prometheus-simpleclient could also be considered.

@liqipeng
Contributor

liqipeng commented Jun 6, 2022

> I'll fix it.
>
> @liqipeng HikariCP and prometheus-simpleclient could also be considered.

I'll fix the known problems first and try not to widen the scope of the change.
The version jumps you propose for these two components are fairly large and involve major-version changes; if you're interested, you could look into them first. I'd suggest a separate PR for each.

@liqipeng
Contributor

liqipeng commented Jun 7, 2022

For the server.tomcat.basedir problem I haven't yet found a solution fully compatible with the default configuration (the default is the empty string). The temporary workaround I found is

server.tomcat.basedir=file:

or

server.tomcat.basedir=.

@onewe
Collaborator

onewe commented Jun 7, 2022

I've opened a PR: it uses file:.
#8529

@liqipeng
Contributor

liqipeng commented Jun 7, 2022

> I've opened a PR: it uses file:. #8529

This may have backward-compatibility implications and will need to be noted in the upgrade documentation later. I'll keep looking for a more compatible solution.

@liqipeng
Contributor

liqipeng commented Jun 8, 2022

> I'll fix it.
>
> @liqipeng HikariCP and prometheus-simpleclient could also be considered.

@CherishCai prometheus-simpleclient does indeed have a compatibility problem, see #8539. When you reported that HikariCP needs a version bump, had you run into a problem as well?

@CherishCai
Contributor

> @liqipeng HikariCP and prometheus-simpleclient could also be considered.
>
> @CherishCai prometheus-simpleclient does indeed have a compatibility problem, see #8539. When you reported that HikariCP needs a version bump, had you run into a problem as well?

No, not at all; I just wanted HikariCP to follow the version that Spring manages centrally.

@liqipeng
Contributor

liqipeng commented Jun 9, 2022

> @liqipeng HikariCP and prometheus-simpleclient could also be considered.
>
> @CherishCai prometheus-simpleclient does indeed have a compatibility problem, see #8539. When you reported that HikariCP needs a version bump, had you run into a problem as well?
>
> No, not at all; I just wanted HikariCP to follow the version that Spring manages centrally.

ok

godhth added a commit to godhth/nacos that referenced this issue Oct 11, 2022
5 participants