Update jsoup (#1276)

* upgraded jsoup to 1.15.3
* removed deprecated safe html annotation
* added own valid string jsoup validator, disabled hibernate parallel method declaration constraint
* adapted valid string validator
* static method
* return invalid value in case of processing exception

Signed-off-by: Bogdan Bondar <Bogdan.Bondar@bosch.io>

hawkbit-repository/hawkbit-repository-api/pom.xml

@@ -71,6 +71,10 @@
          <groupId>cz.jirutka.rsql</groupId>
          <artifactId>rsql-parser</artifactId>
       </dependency>
+      <dependency>
+         <groupId>org.jsoup</groupId>
+         <artifactId>jsoup</artifactId>
+      </dependency>
 
       <!-- TEST -->
       <dependency>

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidString.java

@@ -16,18 +16,14 @@ import java.lang.annotation.Target;
 import javax.validation.Constraint;
 import javax.validation.Payload;
 
-import org.hibernate.validator.constraints.SafeHtml;
-import org.hibernate.validator.constraints.SafeHtml.WhiteListType;
-
 /**
  * Constraint for strings submitted into the repository.
  *
  */
-@Constraint(validatedBy = {})
+@Constraint(validatedBy = ValidStringValidator.class)
 @Target({ ElementType.METHOD, ElementType.FIELD, ElementType.ANNOTATION_TYPE, ElementType.CONSTRUCTOR,
         ElementType.PARAMETER, ElementType.TYPE_USE })
 @Retention(RetentionPolicy.RUNTIME)
-@SafeHtml(whitelistType = WhiteListType.NONE)
 public @interface ValidString {
 
     String message() default "Invalid characters in string";

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidStringValidator.java

@@ -0,0 +1,56 @@
+/**
+ * Copyright (c) 2022 Bosch.IO GmbH and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.eclipse.hawkbit.repository;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.parser.Parser;
+import org.jsoup.safety.Cleaner;
+import org.jsoup.safety.Safelist;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.cronutils.utils.StringUtils;
+
+/**
+ * Safe html constraint validator for strings submitted into the repository.
+ *
+ */
+public class ValidStringValidator implements ConstraintValidator<ValidString, String> {
+    private static final Logger LOG = LoggerFactory.getLogger(ValidStringValidator.class);
+
+    private final Cleaner cleaner = new Cleaner(Safelist.none());
+
+    @Override
+    public boolean isValid(final String value, final ConstraintValidatorContext context) {
+        return StringUtils.isEmpty(value) || isValidString(value);
+    }
+
+    private boolean isValidString(final String value) {
+        try {
+            return cleaner.isValid(stringToDocument(value));
+        } catch (final Exception ex) {
+            LOG.error(String.format("There was an exception during bean field value (%s) validation", value), ex);
+            return false;
+        }
+    }
+
+    private static Document stringToDocument(final String value) {
+        final Document xmlFragment = Jsoup.parse(value, "", Parser.xmlParser());
+        final Document resultingDocument = Document.createShell("");
+
+        xmlFragment.childNodes().forEach(xmlNode -> resultingDocument.body().appendChild(xmlNode.clone()));
+
+        return resultingDocument;
+    }
+
+}

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/model/ArtifactUpload.java

@@ -13,8 +13,7 @@ import java.io.InputStream;
 import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
 
-import org.hibernate.validator.constraints.SafeHtml;
-import org.hibernate.validator.constraints.SafeHtml.WhiteListType;
+import org.eclipse.hawkbit.repository.ValidString;
 
 /**
  * Use to create a new artifact.
@@ -28,7 +27,7 @@ public class ArtifactUpload {
     private final long moduleId;
 
     @NotEmpty
-    @SafeHtml(whitelistType = WhiteListType.NONE, message = "Invalid characters in string")
+    @ValidString
     private final String filename;
 
     private final String providedMd5Sum;

hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/RepositoryApplicationConfiguration.java

@@ -14,6 +14,7 @@ import java.util.concurrent.ScheduledExecutorService;
 
 import javax.persistence.EntityManager;
 import javax.sql.DataSource;
+import javax.validation.Validation;
 
 import org.eclipse.hawkbit.artifact.repository.ArtifactRepository;
 import org.eclipse.hawkbit.repository.ArtifactEncryption;
@@ -107,6 +108,7 @@ import org.eclipse.hawkbit.security.SecurityTokenGenerator;
 import org.eclipse.hawkbit.security.SystemSecurityContext;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.eclipse.persistence.config.PersistenceUnitProperties;
+import org.hibernate.validator.HibernateValidatorConfiguration;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -385,7 +387,12 @@ public class RepositoryApplicationConfiguration extends JpaBaseConfiguration {
      */
     @Bean
     public MethodValidationPostProcessor methodValidationPostProcessor() {
-        return new MethodValidationPostProcessor();
+        final MethodValidationPostProcessor processor = new MethodValidationPostProcessor();
+        processor.setValidator(Validation.byDefaultProvider().configure()
+                .addProperty(HibernateValidatorConfiguration.ALLOW_PARALLEL_METHODS_DEFINE_PARAMETER_CONSTRAINTS,
+                        "true")
+                .buildValidatorFactory().getValidator());
+        return processor;
     }
 
     /**

pom.xml

@@ -143,9 +143,7 @@
       <!-- Newer versions needed than defined in Boot -->
       <!-- Fixed dependencies -->
       <rabbitmq.http-client.version>3.5.0.RELEASE</rabbitmq.http-client.version>
-      <!-- Newer version contains new rule that we violate. Needs to be fixed first -->
-      <hibernate-validator.version>6.0.20.Final</hibernate-validator.version>
-       <!-- Spring boot version overrides - END -->
+      <!-- Spring boot version overrides - END -->
 
       <!-- Vaadin versions - START -->
       <vaadin.version>8.14.1</vaadin.version>
@@ -163,7 +161,7 @@
 
       <!-- Misc libraries versions - START -->      
       <cron-utils.version>9.1.6</cron-utils.version>
-      <jsoup.version>1.14.2</jsoup.version>
+      <jsoup.version>1.15.3</jsoup.version>
       <allure.version>2.13.6</allure.version>
       <eclipselink.version>2.7.9</eclipselink.version>
       <gwtmockito.version>1.1.8</gwtmockito.version>