From 86e58cea3a2f069e1e1fe1d1860bdc535d41d212 Mon Sep 17 00:00:00 2001 From: randomnicode Date: Fri, 14 Dec 2018 23:27:51 -0800 Subject: [PATCH 1/6] Update dependencies in airsonic-main --- airsonic-main/pom.xml | 50 +++++++------------ .../airsonic/player/ajax/LyricsService.java | 8 +-- .../player/controller/JAXBWriter.java | 6 +-- .../controller/StatusChartController.java | 6 +-- .../controller/UserChartController.java | 4 +- .../player/service/JWTSecurityService.java | 7 +-- .../player/service/PodcastService.java | 18 ++++--- .../upnp/ApacheUpnpServiceConfiguration.java | 8 +-- 8 files changed, 46 insertions(+), 61 deletions(-) diff --git a/airsonic-main/pom.xml b/airsonic-main/pom.xml index b6f08b75..234d5f6c 100755 --- a/airsonic-main/pom.xml +++ b/airsonic-main/pom.xml @@ -13,7 +13,6 @@ - 3.1.0 1.2.1-RELEASE provided @@ -58,7 +57,6 @@ io.dropwizard.metrics metrics-core - ${metrics.version} @@ -76,7 +74,7 @@ javax.servlet.jsp javax.servlet.jsp-api - 2.3.1 + 2.3.3 provided @@ -104,7 +102,7 @@ com.auth0 java-jwt - 3.3.0 + 3.4.1 org.springframework.ldap @@ -139,7 +137,7 @@ cglib cglib - 2.1_3 + 3.2.9 runtime @@ -152,13 +150,11 @@ commons-codec commons-codec - 1.10 commons-io commons-io - 2.5 @@ -170,7 +166,6 @@ org.apache.commons commons-lang3 - 3.3.2 @@ -201,18 +196,17 @@ 1.0-b2 - org.directwebremoting dwr - 3.0.rc1 + 3.0.2-RELEASE com.yahoo.platform.yui yuicompressor - 2.3.6 + 2.4.8 runtime @@ -229,9 +223,9 @@ - jfree + org.jfree jfreechart - 1.0.11 + 1.5.0 junit @@ -245,9 +239,9 @@ - jdom + org.jdom jdom - 1.0 + 2.0.2 @@ -259,33 +253,30 @@ org.eclipse.persistence org.eclipse.persistence.moxy - 2.5.1 + 2.7.3 javax.servlet javax.servlet-api - 3.1.0 provided javax.servlet jstl - 1.2 runtime - stax + javax.xml.stream stax-api - 1.0.1 + 1.0-2 javax.mail javax.mail-api - 1.5.5 @@ -297,7 +288,6 @@ junit junit - 4.12 test @@ -310,7 +300,6 @@ org.mockito mockito-core - 1.10.19 test 
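Review bot: The `org.jdom` to `org.jdom2` import swap in LyricsService.java is a good point to check how `SAXBuilder` is configured, because this service and PodcastService.java (same swap, later in this patch) both import `HttpGet` next to it and so appear to parse XML fetched from remote hosts. The builder construction is outside the import hunks, so whether DTDs are already refused cannot be seen here. If they are not, I would add `builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `builder.setExpandEntities(false);` where each `SAXBuilder` is created (`builder` is a placeholder name), with a comment saying the input is untrusted. JAXBWriter.java gets the same import change and deserves the same check.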
@@ -322,19 +311,19 @@ org.fourthline.cling cling-core - 2.0.1 + 2.1.2 org.fourthline.cling cling-support - 2.0.1 + 2.1.2 org.seamless seamless-util - 1.1.0 + 1.1.2 @@ -390,7 +379,7 @@ org.apache.commons commons-configuration2 - 2.1.1 + 2.4 commons-logging @@ -402,13 +391,12 @@ com.mattbertolini liquibase-slf4j - 1.2.1 + 2.0.0 runtime commons-beanutils commons-beanutils - 1.9.3 runtime @@ -421,7 +409,7 @@ org.apache.maven maven-artifact - 3.3.9 + 3.6.0 @@ -447,7 +435,6 @@ javax.validation validation-api - 1.1.0.Final @@ -493,7 +480,6 @@ com.sun.mail javax.mail - 1.5.5 runtime diff --git a/airsonic-main/src/main/java/org/airsonic/player/ajax/LyricsService.java b/airsonic-main/src/main/java/org/airsonic/player/ajax/LyricsService.java index 823e5af6..827e25a3 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/ajax/LyricsService.java +++ b/airsonic-main/src/main/java/org/airsonic/player/ajax/LyricsService.java @@ -27,10 +27,10 @@ import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.BasicResponseHandler; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; -import org.jdom.Document; -import org.jdom.Element; -import org.jdom.Namespace; -import org.jdom.input.SAXBuilder; +import org.jdom2.Document; +import org.jdom2.Element; +import org.jdom2.Namespace; +import org.jdom2.input.SAXBuilder; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/JAXBWriter.java b/airsonic-main/src/main/java/org/airsonic/player/controller/JAXBWriter.java index cf7c32fb..93dcd4b1 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/controller/JAXBWriter.java +++ b/airsonic-main/src/main/java/org/airsonic/player/controller/JAXBWriter.java 
@@ -23,9 +23,9 @@ import org.airsonic.player.util.StringUtil; import org.apache.commons.io.IOUtils; import org.eclipse.persistence.jaxb.JAXBContext; import org.eclipse.persistence.jaxb.MarshallerProperties; -import org.jdom.Attribute; -import org.jdom.Document; -import org.jdom.input.SAXBuilder; +import org.jdom2.Attribute; +import org.jdom2.Document; +import org.jdom2.input.SAXBuilder; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.subsonic.restapi.Error; diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/StatusChartController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/StatusChartController.java index b384ce2e..dffbcea9 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/controller/StatusChartController.java +++ b/airsonic-main/src/main/java/org/airsonic/player/controller/StatusChartController.java @@ -22,7 +22,7 @@ package org.airsonic.player.controller; import org.airsonic.player.domain.TransferStatus; import org.airsonic.player.service.StatusService; import org.jfree.chart.ChartFactory; -import org.jfree.chart.ChartUtilities; +import org.jfree.chart.ChartUtils; import org.jfree.chart.JFreeChart; import org.jfree.chart.axis.AxisLocation; import org.jfree.chart.axis.ValueAxis; @@ -79,7 +79,7 @@ public class StatusChartController extends AbstractChartController { } TransferStatus status = statuses.get(index); - TimeSeries series = new TimeSeries("Kbps", Millisecond.class); + TimeSeries series = new TimeSeries("Kbps"); TransferStatus.SampleHistory history = status.getHistory(); long to = System.currentTimeMillis(); long from = to - status.getHistoryLengthMillis(); 
@@ -154,7 +154,7 @@ public class StatusChartController extends AbstractChartController { rangeAxis.setTickMarkPaint(fgColor); rangeAxis.setAxisLinePaint(fgColor); - ChartUtilities.writeChartAsPNG(response.getOutputStream(), chart, IMAGE_WIDTH, IMAGE_HEIGHT); + ChartUtils.writeChartAsPNG(response.getOutputStream(), chart, IMAGE_WIDTH, IMAGE_HEIGHT); return null; } diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/UserChartController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/UserChartController.java index 16128c97..b6145a87 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/controller/UserChartController.java +++ b/airsonic-main/src/main/java/org/airsonic/player/controller/UserChartController.java @@ -22,7 +22,7 @@ package org.airsonic.player.controller; import org.airsonic.player.domain.User; import org.airsonic.player.service.SecurityService; import org.jfree.chart.ChartFactory; -import org.jfree.chart.ChartUtilities; +import org.jfree.chart.ChartUtils; import org.jfree.chart.JFreeChart; import org.jfree.chart.axis.AxisLocation; import org.jfree.chart.axis.CategoryAxis; @@ -69,7 +69,7 @@ public class UserChartController extends AbstractChartController { int imageHeight = Math.max(IMAGE_MIN_HEIGHT, 15 * dataset.getColumnCount()); - ChartUtilities.writeChartAsPNG(response.getOutputStream(), chart, IMAGE_WIDTH, imageHeight); + ChartUtils.writeChartAsPNG(response.getOutputStream(), chart, IMAGE_WIDTH, imageHeight); return null; } diff --git a/airsonic-main/src/main/java/org/airsonic/player/service/JWTSecurityService.java b/airsonic-main/src/main/java/org/airsonic/player/service/JWTSecurityService.java index df81c6ae..935a2d87 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/service/JWTSecurityService.java +++ b/airsonic-main/src/main/java/org/airsonic/player/service/JWTSecurityService.java 
@@ -13,7 +13,6 @@ import org.springframework.stereotype.Service; import org.springframework.web.util.UriComponents; import org.springframework.web.util.UriComponentsBuilder; -import java.io.UnsupportedEncodingException; import java.math.BigInteger; import java.security.SecureRandom; import java.util.Date; @@ -41,11 +40,7 @@ public class JWTSecurityService { } public static Algorithm getAlgorithm(String jwtKey) { - try { - return Algorithm.HMAC256(jwtKey); - } catch (UnsupportedEncodingException e) { - throw new RuntimeException(e); - } + return Algorithm.HMAC256(jwtKey); } private static String createToken(String jwtKey, String path, Date expireDate) { diff --git a/airsonic-main/src/main/java/org/airsonic/player/service/PodcastService.java b/airsonic-main/src/main/java/org/airsonic/player/service/PodcastService.java index d5fad1d6..062ce2cd 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/service/PodcastService.java +++ b/airsonic-main/src/main/java/org/airsonic/player/service/PodcastService.java @@ -42,10 +42,10 @@ import org.apache.http.client.methods.HttpGet; import org.apache.http.entity.ContentType; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; -import org.jdom.Document; -import org.jdom.Element; -import org.jdom.Namespace; -import org.jdom.input.SAXBuilder; +import org.jdom2.Document; +import org.jdom2.Element; +import org.jdom2.Namespace; +import org.jdom2.input.SAXBuilder; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -94,6 +94,7 @@ public class PodcastService { public PodcastService() { ThreadFactory threadFactory = new ThreadFactory() { + @Override public Thread newThread(Runnable r) { Thread t = Executors.defaultThreadFactory().newThread(r); t.setDaemon(true); 
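Review bot: With the try/catch removed from `getAlgorithm` in JWTSecurityService.java, the method has no documented contract, although it is `public static` and takes the signing secret. As far as I know `Algorithm.HMAC256(String)` rejects a null secret with an `IllegalArgumentException`, so that is now the only failure a caller can see. I would add a Javadoc along the lines of `/** Returns the HMAC-SHA256 algorithm keyed with {@code jwtKey}; the key must be non-null and a high-entropy secret. */`. The `SecureRandom` import in the context suggests the key is generated elsewhere in this class, outside the hunk, so the key length cannot be checked from here.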
@@ -125,6 +126,7 @@ public class PodcastService { public synchronized void schedule() { Runnable task = new Runnable() { + @Override public void run() { LOG.info("Starting scheduled Podcast refresh."); refreshAllChannels(true); @@ -232,7 +234,7 @@ public class PodcastService { } private List filterAllowed(List episodes) { - List result = new ArrayList(episodes.size()); + List result = new ArrayList<>(episodes.size()); for (PodcastEpisode episode : episodes) { if (episode.getPath() == null || securityService.isReadAllowed(new File(episode.getPath()))) { result.add(episode); @@ -291,6 +293,7 @@ public class PodcastService { private void refreshChannels(final List channels, final boolean downloadEpisodes) { for (final PodcastChannel channel : channels) { Runnable task = new Runnable() { + @Override public void run() { doRefreshChannel(channel, downloadEpisodes); } @@ -299,7 +302,6 @@ public class PodcastService { } } - @SuppressWarnings({"unchecked"}) private void doRefreshChannel(PodcastChannel channel, boolean downloadEpisodes) { InputStream in = null; @@ -408,6 +410,7 @@ public class PodcastService { public void downloadEpisode(final PodcastEpisode episode) { Runnable task = new Runnable() { + @Override public void run() { doDownloadEpisode(episode); } @@ -417,7 +420,7 @@ public class PodcastService { private void refreshEpisodes(PodcastChannel channel, List episodeElements) { - List episodes = new ArrayList(); + List episodes = new ArrayList<>(); for (Element episodeElement : episodeElements) { @@ -461,6 +464,7 @@ public class PodcastService { // Sort episode in reverse chronological order (newest first) Collections.sort(episodes, new Comparator() { + @Override public int compare(PodcastEpisode a, PodcastEpisode b) { long timeA = a.getPublishDate() == null ? 0L : a.getPublishDate().getTime(); long timeB = b.getPublishDate() == null ? 0L : b.getPublishDate().getTime(); 
diff --git a/airsonic-main/src/main/java/org/airsonic/player/service/upnp/ApacheUpnpServiceConfiguration.java b/airsonic-main/src/main/java/org/airsonic/player/service/upnp/ApacheUpnpServiceConfiguration.java index 966c3c45..751f05b0 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/service/upnp/ApacheUpnpServiceConfiguration.java +++ b/airsonic-main/src/main/java/org/airsonic/player/service/upnp/ApacheUpnpServiceConfiguration.java @@ -20,10 +20,10 @@ package org.airsonic.player.service.upnp; import org.fourthline.cling.DefaultUpnpServiceConfiguration; -import org.fourthline.cling.transport.impl.apache.StreamClientConfigurationImpl; -import org.fourthline.cling.transport.impl.apache.StreamClientImpl; -import org.fourthline.cling.transport.impl.apache.StreamServerConfigurationImpl; -import org.fourthline.cling.transport.impl.apache.StreamServerImpl; +import org.fourthline.cling.transport.impl.StreamClientConfigurationImpl; +import org.fourthline.cling.transport.impl.StreamClientImpl; +import org.fourthline.cling.transport.impl.StreamServerConfigurationImpl; +import org.fourthline.cling.transport.impl.StreamServerImpl; import org.fourthline.cling.transport.spi.NetworkAddressFactory; import org.fourthline.cling.transport.spi.StreamClient; import org.fourthline.cling.transport.spi.StreamServer; From 7d227a231daa9a3fbe135a3ecc9f034d8918f8d9 Mon Sep 17 00:00:00 2001 From: randomnicode Date: Fri, 14 Dec 2018 23:32:47 -0800 Subject: [PATCH 2/6] Update dependencies in integration-test --- integration-test/pom.xml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/integration-test/pom.xml b/integration-test/pom.xml index cb7de4f0..92f803c7 100644 --- a/integration-test/pom.xml +++ b/integration-test/pom.xml @@ -13,7 +13,7 @@ UTF-8 - 2.3.1 + 4.2.0 @@ -59,7 +59,6 @@ junit junit - 4.12 test @@ -90,7 +89,7 @@ com.spotify docker-client - 8.13.1 + 8.14.5 test 
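Review bot: The import change in ApacheUpnpServiceConfiguration.java looks like more than a package rename. The classes in `org.fourthline.cling.transport.impl` are, as far as I can tell, Cling's default JDK-based stream client and server rather than the Apache HttpComponents ones the class name refers to. If that is right, the class name is now misleading, and timeouts or other options passed to the `*ConfigurationImpl` constructors may behave differently. The class body is outside the hunk. I would at least add a comment such as `// NOTE: despite the class name, this uses Cling's default (non-Apache) transport since the 2.1.2 upgrade`, and confirm the UPnP listener still binds and times out as before.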
@@ -116,13 +115,13 @@ org.xmlunit xmlunit-core - 2.6.0 + 2.6.2 test org.xmlunit xmlunit-matchers - 2.6.0 + 2.6.2 test From 325938a574538d6b9bfe1d19e4c5894e5322c4a3 Mon Sep 17 00:00:00 2001 From: randomnicode Date: Fri, 14 Dec 2018 23:36:54 -0800 Subject: [PATCH 3/6] Update main pom --- pom.xml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/pom.xml b/pom.xml index 9fa99f11..42a3a1a9 100644 --- a/pom.xml +++ b/pom.xml @@ -93,8 +93,7 @@ org.liquibase liquibase-core - - 3.5.1 + 3.6.2 @@ -106,32 +105,32 @@ org.apache.commons commons-lang3 - 3.3.2 + 3.8.1 commons-io commons-io - 2.5 + 2.6 com.fasterxml.jackson.core jackson-core - 2.9.6 + 2.9.7 com.fasterxml.jackson.core jackson-databind - 2.9.6 + 2.9.7 com.fasterxml.jackson.core jackson-annotations - 2.9.0 + 2.9.7 com.google.guava guava - 27.0-jre + 27.0.1-jre From 9d33ec255b0a3a05286ef89128c12cba0c77767d Mon Sep 17 00:00:00 2001 From: randomnicode Date: Sat, 15 Dec 2018 08:18:54 -0800 Subject: [PATCH 4/6] Declare used and remove unused dependencies --- airsonic-main/pom.xml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/airsonic-main/pom.xml b/airsonic-main/pom.xml index 234d5f6c..fc754969 100755 --- a/airsonic-main/pom.xml +++ b/airsonic-main/pom.xml @@ -140,6 +140,13 @@ 3.2.9 runtime + + + org.apache.ant + ant + 1.10.3 + runtime + commons-fileupload @@ -210,12 +217,6 @@ runtime - - ant-zip - ant-zip - 1.6.2 - - net.jthink jaudiotagger @@ -269,9 +270,9 @@ - javax.xml.stream + stax stax-api - 1.0-2 + 1.0.1 From f2339e09427f7ce3fe83cac061964810ab7a4b34 Mon Sep 17 00:00:00 2001 From: randomnicode Date: Sat, 15 Dec 2018 08:27:54 -0800 Subject: [PATCH 5/6] Change zip to java.util --- .../org/airsonic/player/controller/UploadController.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java index eac94260..25b1fbdd 100644 --- a/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java +++ b/airsonic-main/src/main/java/org/airsonic/player/controller/UploadController.java @@ -32,8 +32,6 @@ import org.apache.commons.fileupload.FileItem; import org.apache.commons.fileupload.FileItemFactory; import org.apache.commons.fileupload.servlet.ServletFileUpload; import org.apache.commons.io.IOUtils; -import org.apache.tools.zip.ZipEntry; -import org.apache.tools.zip.ZipFile; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -49,6 +47,8 @@ import java.io.FileOutputStream; import java.io.InputStream; import java.io.OutputStream; import java.util.*; +import java.util.zip.ZipEntry; +import java.util.zip.ZipFile; /** * Controller which receives uploaded files. @@ -170,7 +170,7 @@ public class UploadController { try { - Enumeration entries = zipFile.getEntries(); + Enumeration entries = zipFile.entries(); while (entries.hasMoreElements()) { ZipEntry entry = (ZipEntry) entries.nextElement(); @@ -231,10 +231,12 @@ public class UploadController { start = System.currentTimeMillis(); } + @Override public void start(String fileName) { status.setFile(new File(fileName)); } + @Override public void bytesRead(long bytesRead) { // Throttle bitrate. From 94f4a85bb7c438b33db38992def6c035a1493684 Mon Sep 17 00:00:00 2001 From: randomnicode Date: Sat, 15 Dec 2018 09:11:52 -0800 Subject: [PATCH 6/6] Suppress CVE-2018-8088 --- airsonic-main/cve-suppressed.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/airsonic-main/cve-suppressed.xml b/airsonic-main/cve-suppressed.xml index 20c4a161..985cf354 100644 --- a/airsonic-main/cve-suppressed.xml +++ b/airsonic-main/cve-suppressed.xml 
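Review bot: In the unzip loop of UploadController.java, `zipFile.entries()` now comes from `java.util.zip.ZipFile`, and the entry names it yields still come from an uploaded archive. The code that turns the entry name into a destination file is outside this hunk. It should resolve the name against the upload directory and skip or reject any entry whose normalized path leaves that directory, for example `if (!target.toPath().normalize().startsWith(baseDir.toPath().normalize())) { throw new IOException("entry outside upload dir"); }` (`target` and `baseDir` are placeholder names). The switch also changes name decoding: `java.util.zip.ZipFile` reads entry names as UTF-8 by default and fails on names it cannot decode, so archives produced with a legacy code page may now abort the upload. A catch with a clear log message would make that visible.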
@@ -149,4 +149,9 @@ ^javax\.xml\.stream:stax.*$ CVE-2017-16224 + + + ^org\.slf4j:.*slf4j.*:1.7.25$ + CVE-2018-8088 +
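Review bot: The new suppression pattern `^org\.slf4j:.*slf4j.*:1.7.25$` matches every `org.slf4j` artifact at that version, so it would also silence CVE-2018-8088 for any slf4j module added later, not only the ones reviewed today. As far as I know that CVE concerns the `slf4j-ext` module, so the safer form names the artifacts that are actually on the classpath and escapes the version dots (`1\.7\.25`). As rendered here the entry carries no justification. A `<notes>` element stating why the finding does not apply to this build would let a later reader re-check the reasoning when slf4j is upgraded.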