dikhan / pagerduty-client Goto Github PK

Update jackson-databind artifact version to 2.8.11.1 as suggested by GitHub after finding potential security vulnerabilities:

Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11.1 or later. For example:

<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>[2.8.11.1,)</version>
</dependency>

Details:

CVE-2017-17485 (high severity)
Vulnerable versions: < 2.8.11
Patched version: 2.8.11
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

CVE-2017-15095 (high severity)
Vulnerable versions: < 2.8.11
Patched version: 2.8.11
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVE-2018-7489 (high severity)
Vulnerable versions: < 2.8.11.1
Patched version: 2.8.11.1
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

CVE-2017-7525 (high severity)
Vulnerable versions: >= 2.8.0, < 2.8.9
Patched version: 2.8.9
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

FYI -

[error] While parsing annotations in /com/github/dikhan/pagerduty-client/3.0.2/pagerduty-client-3.0.2.jar(com/github/dikhan/pagerduty/client/events/domain/Incident.class), could not find NON_NULL in enum object Include.
[error] This is likely due to an implementation restriction: an annotation argument cannot refer to a member of the annotated class (SI-7014).

SI-7014 is - https://issues.scala-lang.org/browse/SI-7014

Possible this is caused by various collisions of class versions and needing to shade one or the other. But, this is the default behavior I am getting without doing finicky configurations.

Talked to PagerDuty support earlier today and got the following response:

The reason you will sometimes get something other than a 200 response code is because the Events API is asynchronous. It sends back a response immediately, so if it is still processing or it hasn’t been completed yet, it may send back a 201 or a 202 response.

Currently HttpApiServiceImpl only looks for 200 so it needs some minor changes

From what i can tell PagerDuty Events API V2 will always return success if everything was ok.

When using FakePagerDutyEventsClient in a test i instead received success-trigger.

Can this be changed to match PagerDuty API?

Regards,
Andreas

Hello,

I'm not sure if it's the right place where to fill the issue but let's go..

I setup the Jenkins PagerDuty plugin where Jenkins is running behind a proxy.

Jenkins is started with the following JVM args:

java -Dhttp.proxyHost=xxx -Dhttp.proxyPort=8080 -Dhttps.proxyHost=xxxx -Dhttps.proxyPort=xxx

But when the job trigger the pagerduty plugin, which use the current library, I have the following exception:

events.pagerduty.com/54.245.165.68] failed: Connection refused (Connection refused)
	at com.github.dikhan.HttpApiServiceImpl.notifyEvent(HttpApiServiceImpl.java:52)
	at com.github.dikhan.PagerDutyEventsClient.trigger(PagerDutyEventsClient.java:78)
	at org.jenkinsci.plugins.pagerduty.util.PagerDutyUtils.triggerPagerDuty(PagerDutyUtils.java:106)
	at org.jenkinsci.plugins.pagerduty.PagerDutyTrigger.perform(PagerDutyTrigger.java:217)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690)
	at hudson.model.Build$BuildExecution.post2(Build.java:186)
	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635)
	at hudson.model.Run.execute(Run.java:1752)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)

So I'm wondering if it's the expected behavior, and if there a way to setup a proxy on this lib

Cheers

Hi,

There's a thread leak coming with the usage of unirest in pagerduty-client.

We are using pagerduty-client through pagerduty-plugin in Jenkins.

Issue was logged here, but under pagerduty-plugin : https://issues.jenkins.io/browse/JENKINS-53214

It would be good to update the jackson version so this fix can be included in there:
FasterXML/jackson-databind#2704

We are using the client to submit a trigger using the following code:

 
            Payload payload = Payload.Builder.newBuilder()
                    .setSummary(createSummary(operation))
                    .setSource(operation.getAttribute().getId())
                    .setComponent(IdManager.getAncestorId(IdManager.Service.NODE_NODE, operation.getAttribute().getId()))
                    .setGroup(IdManager.getAncestorId(IdManager.Service.NODE_ECU, operation.getAttribute().getId()))
                    .setSeverity(convertHealthToSeverity(operation.getAttribute().getHealth()))
                    .setTimestamp(OffsetDateTime.ofInstant(Instant.ofEpochSecond(operation.getTimestamp()), ZoneOffset.UTC))
                    .setCustomDetails(Json.writeValueToString(operation.getAttribute()))
                    .build();

            TriggerIncident incident = TriggerIncident.TriggerIncidentBuilder
                    .newBuilder(routingKey, payload)
                    .setDedupKey(operation.getAttribute().getId())
                    .setClient(client)
                    .build();
                    
           this.client.trigger(incident);    

The serialized incident as a json looks like this:

{
    "client":"--removed_for_security--",
    "dedup_key":"cu3fbbe4-ne30773e-nnd17182-na11f804",
    "event_action":"trigger",
    "payload":{
       "component":"cu3fbbe4-ne30773e-nnd17182",
       "custom_details":"{\"ecuId\":\"cu3fbbe4-ne30773e\",\"health\":500,\"id\":\"cu3fbbe4-ne30773e-nnd17182-na11f804\",\"nodeId\":\"cu3fbbe4-ne30773e-nnd17182\",\"projectId\":\"cu3fbbe4-np932c1d\",\"read\":{\"type\":\"STRING\"},\"reference\":\"s1_server_disconnected_on_system_initialisation_alarm!\",\"value\":\"Critical\"}",
       "group":"cu3fbbe4-ne30773e",
       "severity":"critical",
       "source":"cu3fbbe4-ne30773e-nnd17182-na11f804",
       "summary":"The value of 's1_server_disconnected_on_system_initialisation_alarm' changed to Critical",
       "timestamp":"2022-07-29T13:45:32Z"
    },
    "routing_key":"--removed_for_security--"
 }

However, we are unexpectedly getting the following error:

com.github.dikhan.pagerduty.client.events.exceptions.NotifyEventException: com.mashape.unirest.http.exceptions.UnirestException: java.lang.RuntimeException: java.lang.RuntimeException: org.json.JSONException: A JSONArray text must start with '[' at 1 [character 2 line 1]

Any ideas?

The version used in this client has a security vulnerability:
https://snyk.io/vuln/SNYK-JAVA-COMMONSIO-1277109