From 8fa4eb7d75d82858931fc741d309b6091731309d Mon Sep 17 00:00:00 2001 From: kezhenxu94 Date: Thu, 23 Dec 2021 21:37:00 +0800 Subject: [PATCH] Upgrade H2 version to 2.0.202 to fix CVE-2021-23463 (#8332) --- CHANGES.md | 2 ++ dist-material/release-docs/LICENSE | 2 +- oap-server-bom/pom.xml | 2 +- .../core/storage/annotation/ValueColumnMetadata.java | 12 +++++++++--- .../oap/server/core/storage/model/StorageModels.java | 1 + .../plugin/jdbc/h2/dao/H2AggregationQueryDAO.java | 9 +++++---- .../plugin/jdbc/h2/dao/H2MetricsQueryDAO.java | 6 +++--- .../storage/plugin/jdbc/h2/dao/H2TableInstaller.java | 1 + .../main/java/org/apache/skywalking/e2e/User.java | 2 ++ test/e2e-v2/java-test-service/pom.xml | 2 +- .../dependencies/known-oap-backend-dependencies.txt | 2 +- 11 files changed, 27 insertions(+), 14 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 11530c091b..9593314e2d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -20,6 +20,8 @@ Release Notes. * Add the analysis of metrics in Satellite MetricsService. * Fix `Can't split endpoint id into 2 parts` bug for endpoint ID. In the TCP in service mesh observability, endpoint name doesn't exist in TCP traffic. +* Upgrade H2 version to 2.0.202 to fix CVE-2021-23463. +* Extend column name override mechanism working for `ValueColumnMetadata`. #### UI diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE index a74ee36cab..a3c4cd06d7 100755 --- a/dist-material/release-docs/LICENSE +++ b/dist-material/release-docs/LICENSE @@ -381,7 +381,7 @@ MPL 2.0 licenses The following components are provided under a MPL 2.0 license. See project link for details. The text of each license is also included at licenses/LICENSE-[project].txt. - H2 Database 1.4.196: http://www.h2database.com/html/main.html , MPL 2.0 or EPL 1.0 + H2 Database 2.0.202: http://www.h2database.com/html/main.html , MPL 2.0 or EPL 1.0 ======================================== CC0-1.0 licenses 
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml index a906768047..d8fc50c9dc 100644 --- a/oap-server-bom/pom.xml +++ b/oap-server-bom/pom.xml @@ -34,7 +34,7 @@ 8.0 3.14.9 4.5.13 - 1.4.196 + 2.0.202 2.10.5 3.5.7 28.1-jre diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/annotation/ValueColumnMetadata.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/annotation/ValueColumnMetadata.java index 67b2318108..d9c0bde809 100644 --- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/annotation/ValueColumnMetadata.java +++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/annotation/ValueColumnMetadata.java @@ -32,7 +32,8 @@ import org.apache.skywalking.oap.server.core.query.sql.Function; public enum ValueColumnMetadata { INSTANCE; - private Map mapping = new HashMap<>(); + private final Map mapping = new HashMap<>(); + private final HashMap columnNameOverrideRule = new HashMap<>(); /** * Register the new metadata for the given model name. @@ -46,11 +47,16 @@ public enum ValueColumnMetadata { mapping.putIfAbsent(modelName, new ValueColumn(valueCName, dataType, function, defaultValue, scopeId)); } + public void overrideColumnName(String oldName, String newName) { + columnNameOverrideRule.put(oldName, newName); + } + /** * Fetch the value column name of the given metrics name. */ public String getValueCName(String metricsName) { - return findColumn(metricsName).valueCName; + final String valueCName = findColumn(metricsName).valueCName; + return columnNameOverrideRule.getOrDefault(valueCName, valueCName); } /** @@ -88,7 +94,7 @@ public enum ValueColumnMetadata { @Getter @RequiredArgsConstructor - public class ValueColumn { + public static class ValueColumn { private final String valueCName; private final Column.ValueDataType dataType; private final Function function; 
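Review bot: `overrideColumnName` in the second ValueColumnMetadata hunk is the only public method there without Javadoc while its neighbours carry one; suggest `/** Registers a rename that {@link #getValueCName(String)} applies to the value column name it returns; storage installers use it when the physical column must differ from the logical name. */`. The rename is applied only inside `getValueCName`, so any other accessor that hands out the `ValueColumn` itself, or its Lombok `@Getter` for `valueCName`, still reports the original name — worth confirming no caller reads the column name through that path. The new field should be declared against the `Map` interface, as `mapping` is, rather than `HashMap`. Both maps are plain `HashMap`s on a singleton; if an override can be registered after query threads have begun calling `getValueCName`, there is no happens-before between the writer and those readers, so it would help to state in the Javadoc that overrides must be registered during installation.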
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/model/StorageModels.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/model/StorageModels.java index 2413c3eac4..6c9e496f30 100644 --- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/model/StorageModels.java +++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/model/StorageModels.java @@ -166,6 +166,7 @@ public class StorageModels implements IModelManager, ModelCreator, ModelManipula public void overrideColumnName(String columnName, String newName) { columnNameOverrideRule.put(columnName, newName); models.forEach(this::followColumnNameRules); + ValueColumnMetadata.INSTANCE.overrideColumnName(columnName, newName); } private void followColumnNameRules(Model model) { diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AggregationQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AggregationQueryDAO.java index d686cc51cb..97fddf5f6d 100644 --- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AggregationQueryDAO.java +++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AggregationQueryDAO.java 
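Review bot: The added line makes `overrideColumnName` maintain two copies of the rule, one in this class's `columnNameOverrideRule` and one inside `ValueColumnMetadata`, with nothing in the code saying why; a short comment would spare the next reader the question, e.g. `// mirror the rule into ValueColumnMetadata so value-column lookups return the renamed column`. The two sides also apply the rule differently: registered models are rewritten eagerly through `followColumnNameRules`, whereas `ValueColumnMetadata` appears to rewrite at lookup time, so the order in which installers register overrides and models is what keeps them consistent. That ordering assumption belongs in the method's Javadoc, which sits outside this hunk.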
@@ -61,8 +61,9 @@ public class H2AggregationQueryDAO implements IAggregationQueryDAO {
 });
 }
 sql.append(" group by ").append(Metrics.ENTITY_ID);
- sql.append(") as T order by value ")
- .append(metrics.getOrder().equals(Order.ASC) ? "asc" : "desc")
+ sql.append(") as T order by ")
+ .append(valueColumnName)
+ .append(metrics.getOrder().equals(Order.ASC) ? " asc" : " desc")
 .append(" limit ")
 .append(metrics.getTopN());
 List topNEntities = new ArrayList<>();
@@ -72,7 +73,7 @@ public class H2AggregationQueryDAO implements IAggregationQueryDAO {
 while (resultSet.next()) {
 SelectedRecord topNEntity = new SelectedRecord();
 topNEntity.setId(resultSet.getString(Metrics.ENTITY_ID));
- topNEntity.setValue(resultSet.getString("value"));
+ topNEntity.setValue(resultSet.getString("result"));
 topNEntities.add(topNEntity);
 }
 } catch (SQLException e) {
@@ -85,7 +86,7 @@ public class H2AggregationQueryDAO implements IAggregationQueryDAO {
 StringBuilder sql = new StringBuilder();
 sql.append("select * from (select avg(")
 .append(valueColumnName)
- .append(") value,")
+ .append(") result,")
 .append(Metrics.ENTITY_ID)
 .append(" from ")
 .append(metricsName)
diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
index d6e86fe57d..66fbb67373 100644
--- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
+++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
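Review bot: The outer query in the first hunk sorts by `valueColumnName`, but the derived table `T` it selects from only projects the aggregate alias `result` (third hunk) and `Metrics.ENTITY_ID`, and the second hunk already reads the row back with `getString("result")`; the sort should use the alias, `sql.append(") as T order by result")` with the `.append(valueColumnName)` line dropped. Unless H2 resolves the name through the derived table, which should not be relied on, the query either fails or orders by something other than the aggregate. The alias `result` is now spelled as a bare literal in four places across this file and H2MetricsQueryDAO; a shared constant would stop the SQL and the `ResultSet` reads from drifting apart again, which is exactly what the `value` to `result` change here repairs. Both enclosing methods start outside these hunks.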
@@ -82,8 +82,8 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO sql.toString(), parameters.toArray(new Object[0]) )) { - while (resultSet.next()) { - return resultSet.getLong("value"); + if (resultSet.next()) { + return resultSet.getLong("result"); } } } catch (SQLException e) { @@ -94,7 +94,7 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO protected StringBuilder buildMetricsValueSql(String op, String valueColumnName, String conditionName) { return new StringBuilder( - "select " + Metrics.ENTITY_ID + " id, " + op + "(" + valueColumnName + ") value from " + conditionName + " where "); + "select " + Metrics.ENTITY_ID + " id, " + op + "(" + valueColumnName + ") result from " + conditionName + " where "); } @Override diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TableInstaller.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TableInstaller.java index e7b35b652e..c3eb2f3070 100644 --- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TableInstaller.java +++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TableInstaller.java @@ -56,6 +56,7 @@ public class H2TableInstaller extends ModelInstaller { super(client, moduleManager); this.maxSizeOfArrayColumn = maxSizeOfArrayColumn; this.numOfSearchableValuesPerTag = numOfSearchableValuesPerTag; + overrideColumnName("value", "value_"); } @Override 
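Review bot: `overrideColumnName("value", "value_")` in the H2TableInstaller constructor is a bare pair of literals with nothing explaining why the rename is needed; presumably `value` is a reserved word in the upgraded H2 and the generated DDL would otherwise be rejected, but the code should say so, e.g. `// "value" is reserved in H2 2.x; store the column as "value_" (ValueColumnMetadata applies the same rule on lookup)`. The same applies to `@Table(name = "users")` added to User.java in the e2e service, which likewise looks like a reserved-word workaround and deserves a comment naming the reason. If the rule really is H2-specific, registering it from this installer rather than from the shared StorageModels is the right place, and the comment should say that as well. The constructor starts outside the hunk.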
diff --git a/test/e2e-v2/java-test-service/e2e-service-provider/src/main/java/org/apache/skywalking/e2e/User.java b/test/e2e-v2/java-test-service/e2e-service-provider/src/main/java/org/apache/skywalking/e2e/User.java index 2acc78a797..5acb60d286 100644 --- a/test/e2e-v2/java-test-service/e2e-service-provider/src/main/java/org/apache/skywalking/e2e/User.java +++ b/test/e2e-v2/java-test-service/e2e-service-provider/src/main/java/org/apache/skywalking/e2e/User.java @@ -22,6 +22,7 @@ import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; import javax.persistence.Id; +import javax.persistence.Table; import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; @@ -29,6 +30,7 @@ import lombok.RequiredArgsConstructor; @Data @Entity +@Table(name = "users") @Builder @AllArgsConstructor @RequiredArgsConstructor diff --git a/test/e2e-v2/java-test-service/pom.xml b/test/e2e-v2/java-test-service/pom.xml index c87e67dce9..1a3784e6c5 100644 --- a/test/e2e-v2/java-test-service/pom.xml +++ b/test/e2e-v2/java-test-service/pom.xml @@ -48,7 +48,7 @@ 5.6.0 2.9.7 30.1.1-jre - 1.4.199 + 2.0.202 8.0.13 1.18.20 2.4.1 diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt index e74dbe1bbb..d2e3e7812f 100755 --- a/tools/dependencies/known-oap-backend-dependencies.txt +++ b/tools/dependencies/known-oap-backend-dependencies.txt @@ -55,7 +55,7 @@ gson-2.8.6.jar gson-fire-1.8.5.jar guava-28.1-jre.jar guice-4.1.0.jar -h2-1.4.196.jar +h2-2.0.202.jar httpasyncclient-4.1.3.jar httpclient-4.5.13.jar httpcore-4.4.13.jar -- GitLab