From 93d27ffad9967fa006293732228376c0b58dd1fc Mon Sep 17 00:00:00 2001
From: Tobia De Koninck
Date: Fri, 1 Apr 2022 11:20:11 +0200
Subject: [PATCH 1/2] Upgrade spring to mitigate CVE-2022-22965
---
 pom.xml | 4 +--
 .../ContainerProxyApplication.java | 2 ++
 .../containerproxy/ui/ErrorController.java | 5 ---
 .../PropertyOverrideContextInitializer.java | 31 ++++++++++++++-----
 4 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/pom.xml b/pom.xml
index e1fa6688..96e48930 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,7 @@ org.springframework.boot spring-boot-starter-parent - 2.3.12.RELEASE + 2.5.12
@@ -132,7 +132,7 @@ org.springframework.security.oauth.boot spring-security-oauth2-autoconfigure - 2.3.12.RELEASE + 2.5.12 org.springframework.security
diff --git a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
index 29e1604e..1baab7ad 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
@@ -282,6 +282,8 @@ public static Properties getDefaultProperties() {
 // ====================
+ properties.put("spring.config.use-legacy-processing", true);
+
 return properties;
 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/ui/ErrorController.java b/src/main/java/eu/openanalytics/containerproxy/ui/ErrorController.java
index aa0e47cb..98c33a84 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ui/ErrorController.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ui/ErrorController.java
@@ -106,11 +106,6 @@ public ResponseEntity> error(HttpServletRequest request, Htt
 return new ResponseEntity<>(map, HttpStatus.valueOf(response.getStatus()));
 }
- @Override
- public String getErrorPath() {
- return "/error";
- }
-
 private String[] createMsgStack(Throwable exception) {
 String message = "";
 String stackTrace = "";
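Review bot: The added `properties.put("spring.config.use-legacy-processing", true);` in the ContainerProxyApplication hunk has no comment, yet it is the one non-mechanical part of the 2.3 → 2.5 upgrade: it opts the application out of the config-data processing introduced in Spring Boot 2.4 and keeps the 2.3 rules for `spring.config.location` and profile-specific files. That flag is a deprecated bridge that no longer exists in Spring Boot 3, so the migration is only deferred; suggest `// Keep pre-2.4 config-file loading semantics (spring.config.location, profile-specific files); deprecated bridge removed in Boot 3 — migrate before the next major upgrade.` above the line. The value is stored as a Boolean rather than the string "true"; that works through the map-based property source, but it is worth aligning with how the other entries of `getDefaultProperties()` are typed, which lie outside the hunk. The method's body starts before the hunk.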
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/proxy/PropertyOverrideContextInitializer.java b/src/test/java/eu/openanalytics/containerproxy/test/proxy/PropertyOverrideContextInitializer.java
index 79710e81..d5177e4d 100644
--- a/src/test/java/eu/openanalytics/containerproxy/test/proxy/PropertyOverrideContextInitializer.java
+++ b/src/test/java/eu/openanalytics/containerproxy/test/proxy/PropertyOverrideContextInitializer.java
@@ -23,19 +23,34 @@
 import eu.openanalytics.containerproxy.ContainerProxyApplication;
 import org.springframework.context.ApplicationContextInitializer;
 import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.core.env.MutablePropertySources;
 import org.springframework.core.env.PropertiesPropertySource;
+import org.springframework.core.env.PropertySource;
 import org.springframework.test.context.support.TestPropertySourceUtils;
+import javax.annotation.Nonnull;
+import java.util.stream.Collectors;
+
 public class PropertyOverrideContextInitializer
- implements ApplicationContextInitializer {
+ implements ApplicationContextInitializer {
+
+ @Override
+ public void initialize(@Nonnull ConfigurableApplicationContext configurableApplicationContext) {
+ TestPropertySourceUtils.addInlinedPropertiesToEnvironment(configurableApplicationContext,
+ "proxy.kubernetes.namespace=" + TestIntegrationOnKube.namespace);
- @Override
- public void initialize(ConfigurableApplicationContext configurableApplicationContext) {
- TestPropertySourceUtils.addInlinedPropertiesToEnvironment(configurableApplicationContext,
- "proxy.kubernetes.namespace=" + TestIntegrationOnKube.namespace);
+ MutablePropertySources propertySources = configurableApplicationContext.getEnvironment().getPropertySources();
+ PropertiesPropertySource defaultProperties = new PropertiesPropertySource("shinyProxyDefaultProperties", ContainerProxyApplication.getDefaultProperties());
+ propertySources.addFirst(defaultProperties);
- PropertiesPropertySource defaultProperties = new PropertiesPropertySource("shinyProxyDefaultProperties", ContainerProxyApplication.getDefaultProperties());
- configurableApplicationContext.getEnvironment().getPropertySources().addFirst(defaultProperties);
+ // remove any external, file-based property source
+ // we don't want any application.yml or application.properties to be loaded during the tests
+ propertySources
+ .stream()
+ .map(PropertySource::getName)
+ .filter(p -> p.contains("Config resource 'file ") && p.contains("via location 'optional:file:./'"))
+ .collect(Collectors.toList())
+ .forEach(propertySources::remove);
- }
+ }
 }
From 218af779cf51ec3db171989bb883fa8d6612a7fc Mon Sep 17 00:00:00 2001
From: Tobia De Koninck
Date: Fri, 1 Apr 2022 11:22:41 +0200
Subject: [PATCH 2/2] Bump version
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 96e48930..390aeb41 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@ eu.openanalytics containerproxy - 0.8.10 + 0.8.11 ContainerProxy jar
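Review bot: The `.filter(p -> p.contains("Config resource 'file ") && p.contains("via location 'optional:file:./'"))` step matches on the human-readable name Spring Boot 2.4+ gives config-data property sources, which is an implementation detail rather than a contract: if a later Boot version rewords it, the filter matches nothing and the test silently picks up whatever application.yml sits in the working directory, the very leakage the comment above it says is prevented. That dependence should be stated next to the strings, e.g. `// Depends on Spring Boot 2.4+ naming config-data sources "Config resource 'file [...]' via location 'optional:file:./'" — re-check on every Boot upgrade; a non-match means external config is NOT filtered.` It also looks like the `spring.config.use-legacy-processing` entry this commit adds to `getDefaultProperties()` cannot influence the test context from here, since an ApplicationContextInitializer runs after the environment and its config data have been prepared; that would explain why the non-legacy name format is what has to be matched, and is worth a sentence in the same comment. Unchanged from before, `propertySources.addFirst(defaultProperties)` places the defaults above the inlined `proxy.kubernetes.namespace` override; presumably the defaults carry no such key, but that is worth confirming.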