Skip to content

Commit 69005e7

Browse files
dhoardSuperQ
andauthored
security: CVE fixes (#854)
security: Upgraded to Jetty 12 to resolve CVE issues Signed-off-by: dhoard <doug.hoard@gmail.com> Co-authored-by: Ben Kochie <superq@gmail.com>
1 parent 4810909 commit 69005e7

3 files changed

Lines changed: 26 additions & 16 deletions

File tree

pom.xml

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -98,8 +98,13 @@
9898
</dependency>
9999
<dependency>
100100
<groupId>org.eclipse.jetty</groupId>
101-
<artifactId>jetty-servlet</artifactId>
102-
<version>11.0.26</version>
101+
<artifactId>jetty-server</artifactId>
102+
<version>12.0.36</version>
103+
</dependency>
104+
<dependency>
105+
<groupId>org.eclipse.jetty.ee10</groupId>
106+
<artifactId>jetty-ee10-servlet</artifactId>
107+
<version>12.0.36</version>
103108
</dependency>
104109
<dependency>
105110
<groupId>com.github.ben-manes.caffeine</groupId>
@@ -141,7 +146,7 @@
141146
<artifactId>maven-compiler-plugin</artifactId>
142147
<version>3.15.0</version>
143148
<configuration>
144-
<release>11</release>
149+
<release>17</release>
145150
</configuration>
146151
</plugin>
147152
<!-- Build a full jar with dependencies -->
@@ -195,7 +200,7 @@
195200
<artifactId>maven-surefire-plugin</artifactId>
196201
<version>3.5.6</version>
197202
<configuration>
198-
<argLine>-Djdk.net.URLClassPath.disableClassPathURLCheck=true</argLine>
203+
<argLine>-javaagent:${settings.localRepository}/org/mockito/mockito-core/5.23.0/mockito-core-5.23.0.jar -XX:+EnableDynamicAgentLoading -Djdk.net.URLClassPath.disableClassPathURLCheck=true</argLine>
199204
</configuration>
200205
</plugin>
201206
<plugin>

src/main/java/io/prometheus/cloudwatch/DisallowHttpMethods.java

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -3,23 +3,25 @@
33
import java.util.EnumSet;
44
import org.eclipse.jetty.http.HttpMethod;
55
import org.eclipse.jetty.http.HttpStatus;
6-
import org.eclipse.jetty.server.Connector;
7-
import org.eclipse.jetty.server.HttpConfiguration;
6+
import org.eclipse.jetty.server.Handler;
87
import org.eclipse.jetty.server.Request;
8+
import org.eclipse.jetty.server.Response;
9+
import org.eclipse.jetty.util.Callback;
910

10-
class DisallowHttpMethods implements HttpConfiguration.Customizer {
11+
class DisallowHttpMethods extends Handler.Wrapper {
1112
private final EnumSet<HttpMethod> disallowedMethods;
1213

1314
public DisallowHttpMethods(EnumSet<HttpMethod> disallowedMethods) {
1415
this.disallowedMethods = disallowedMethods;
1516
}
1617

1718
@Override
18-
public void customize(Connector connector, HttpConfiguration channelConfig, Request request) {
19-
HttpMethod httpMethod = HttpMethod.fromString(request.getMethod());
20-
if (disallowedMethods.contains(httpMethod)) {
21-
request.setHandled(true);
22-
request.getResponse().setStatus(HttpStatus.METHOD_NOT_ALLOWED_405);
19+
public boolean handle(Request request, Response response, Callback callback) throws Exception {
20+
if (disallowedMethods.contains(HttpMethod.fromString(request.getMethod()))) {
21+
response.setStatus(HttpStatus.METHOD_NOT_ALLOWED_405);
22+
callback.succeeded();
23+
return true;
2324
}
25+
return super.handle(request, response, callback);
2426
}
2527
}

src/main/java/io/prometheus/cloudwatch/WebServer.java

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,13 +4,13 @@
44
import io.prometheus.client.servlet.jakarta.exporter.MetricsServlet;
55
import java.io.FileReader;
66
import java.util.EnumSet;
7+
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
8+
import org.eclipse.jetty.ee10.servlet.ServletHolder;
79
import org.eclipse.jetty.http.HttpMethod;
810
import org.eclipse.jetty.server.HttpConfiguration;
911
import org.eclipse.jetty.server.HttpConnectionFactory;
1012
import org.eclipse.jetty.server.Server;
1113
import org.eclipse.jetty.server.ServerConnector;
12-
import org.eclipse.jetty.servlet.ServletContextHandler;
13-
import org.eclipse.jetty.servlet.ServletHolder;
1414

1515
public class WebServer {
1616

@@ -35,19 +35,22 @@ public static void main(String[] args) throws Exception {
3535
int port = Integer.parseInt(args[0]);
3636
Server server = new Server();
3737
HttpConfiguration httpConfig = new HttpConfiguration();
38-
httpConfig.addCustomizer(new DisallowHttpMethods(EnumSet.of(HttpMethod.TRACE)));
3938
ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
4039
connector.setPort(port);
4140
server.addConnector(connector);
4241

4342
ServletContextHandler context = new ServletContextHandler();
4443
context.setContextPath("/");
45-
server.setHandler(context);
4644
context.addServlet(new ServletHolder(new MetricsServlet()), "/metrics");
4745
context.addServlet(new ServletHolder(new DynamicReloadServlet(collector)), "/-/reload");
4846
context.addServlet(new ServletHolder(new HealthServlet()), "/-/healthy");
4947
context.addServlet(new ServletHolder(new HealthServlet()), "/-/ready");
5048
context.addServlet(new ServletHolder(new HomePageServlet()), "/");
49+
50+
DisallowHttpMethods disallowHandler = new DisallowHttpMethods(EnumSet.of(HttpMethod.TRACE));
51+
disallowHandler.setHandler(context);
52+
server.setHandler(disallowHandler);
53+
5154
server.start();
5255
server.join();
5356
}

0 commit comments

Comments
 (0)