vulnerability fixes and related code changes + bug fixes (#1767)

* vulnerability fixes and related code changes + bug fixes

* fix

* fixws

* fixes

* Update pom.xml

---------

Co-authored-by: auslin-aot <[email protected]>

forms-flow-bpm/forms-flow-bpm-camunda/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <parent>
@@ -27,14 +27,16 @@
         <failOnMissingWebXml>false</failOnMissingWebXml>
 
         <!-- versions -->
-        <version.camundaKeycloak>7.18.0</version.camundaKeycloak>
-        <version.camunda>7.18.0</version.camunda><!-- 7.17.0 - 7.18.0 -->
+        <version.camundaKeycloak>7.20.0</version.camundaKeycloak>
+        <version.camunda>7.20.0</version.camunda><!-- 7.18.0 - 7.20.0 -->
         <version.camundaConnect>1.5.4</version.camundaConnect><!-- 1.5.4 -->
         <version.camundaMail>1.5.0</version.camundaMail><!-- 1.5.0 -->
-        <version.springBoot>2.7.12</version.springBoot><!-- 2.6.6 - 2.7.12 -->
-        <version.springSecurityOauth2>2.6.7</version.springSecurityOauth2><!--
-			2.6.6 - 2.6.7 -->
+        <version.springBoot>3.1.5</version.springBoot><!-- 2.7.12 - 3.1.5 -->
+        <version.springSecurityOauth2>2.6.8</version.springSecurityOauth2><!--
+			2.6.7 - 2.6.8 -->
         <version.jackson>2.15.0</version.jackson>
+        <version.commonsFileUpload>1.5</version.commonsFileUpload>
+        <version.snakeyaml>2.0</version.snakeyaml>
     </properties>
 
     <dependencyManagement>
@@ -70,6 +72,13 @@
             <version>5.2.0</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.yaml/snakeyaml -->
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>2.2</version>
+        </dependency>
+
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-webflux</artifactId>
@@ -156,6 +165,13 @@
             <artifactId>camunda-engine-plugin-connect</artifactId>
         </dependency>
 
+<!--		https://mvnrepository.com/artifact/org.camunda.bpm/camunda-engine-rest -->
+        <dependency>
+            <groupId>org.camunda.bpm</groupId>
+            <artifactId>camunda-engine-rest-core</artifactId>
+            <version>7.20.0</version>
+        </dependency>
+
         <dependency>
             <groupId>com.sun.mail</groupId>
             <artifactId>javax.mail</artifactId>
@@ -165,7 +181,7 @@
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>1.7.29</version>
+            <version>2.0.6</version>
         </dependency>
 
         <!-- Freemarker Template -->
@@ -176,9 +192,9 @@
         </dependency>
 
         <dependency>
-            <groupId>org.camunda.template-engines</groupId>
-            <artifactId>camunda-template-engines-velocity</artifactId>
-            <version>2.1.0</version>
+            <groupId>org.camunda.community.template.engine</groupId>
+            <artifactId>camunda-7-template-engine-velocity</artifactId>
+            <version>2.2.0</version>
         </dependency>
 
         <!-- Database -->
@@ -248,7 +264,7 @@
         <dependency>
             <groupId>org.codehaus.groovy</groupId>
             <artifactId>groovy-all</artifactId>
-            <version>3.0.17</version>
+            <version>3.0.19</version>
             <type>pom</type>
         </dependency>
 
@@ -297,25 +313,25 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-websocket</artifactId>
-            <version>5.3.20</version>
+            <version>6.0.11</version>
         </dependency>
 
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-messaging</artifactId>
-            <version>5.3.20</version>
+            <version>6.0.11</version>
         </dependency>
 
         <dependency>
             <groupId>org.graalvm.js</groupId>
             <artifactId>js-scriptengine</artifactId>
-            <version>22.3.2</version>
+            <version>22.3.3</version>
         </dependency>
 
         <dependency>
             <groupId>org.graalvm.js</groupId>
             <artifactId>js</artifactId>
-            <version>22.3.2</version>
+            <version>22.3.3</version>
         </dependency>
 
         <dependency>
@@ -329,6 +345,13 @@
             <artifactId>spring-boot-starter-data-redis-reactive</artifactId>
         </dependency>
 
+        <!-- Adding common file upload -->
+        <dependency>
+            <groupId>commons-fileupload</groupId>
+            <artifactId>commons-fileupload</artifactId>
+            <version>${version.commonsFileUpload}</version>
+        </dependency>
+
     </dependencies>
 
     <build>

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/config/AppConfig.java

@@ -7,7 +7,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
-import javax.annotation.PostConstruct;
+import jakarta.annotation.PostConstruct;
 
 /**
  * AppConfig

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/config/FormsFlowJerseyResourceConfig.java

@@ -8,7 +8,7 @@
 import org.glassfish.jersey.jackson.JacksonFeature;
 import org.springframework.stereotype.Component;
 
-import javax.ws.rs.ApplicationPath;
+import jakarta.ws.rs.ApplicationPath;
 
 /**
  * Extension to camunda Jersey resources

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/connector/FormioTokenServiceProvider.java

@@ -9,8 +9,8 @@
 import org.springframework.stereotype.Service;
 import org.springframework.web.reactive.function.client.WebClient;
 
-import javax.annotation.PostConstruct;
-import javax.annotation.Resource;
+import jakarta.annotation.PostConstruct;
+import jakarta.annotation.Resource;
 import java.util.Properties;
 
 

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/connector/HTTPServiceInvoker.java

@@ -9,11 +9,11 @@
 import org.springframework.http.*;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.Resource;
 import java.io.IOException;
 import java.util.Map;
 import java.util.Properties;
 import java.util.logging.Logger;
+import jakarta.annotation.Resource;
 
 /**
  *  Http Service Invoker.

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/connector/support/ApplicationAccessHandler.java

@@ -47,7 +47,8 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, String pay
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body(Mono.just(payload), String.class)
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(String.class)
                 .block();
 
@@ -71,7 +72,8 @@ public ResponseEntity<IResponse> exchange(String url, HttpMethod method, IReques
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body((payload == null?BodyInserters.empty():BodyInserters.fromValue(payload)))
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(responseClazz)
                 .block();
         return new ResponseEntity<>(response.getBody(), response.getStatusCode());

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/connector/support/BPMAccessHandler.java

@@ -8,6 +8,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.HttpStatusCode;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Service;
@@ -49,8 +50,10 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, Map<String
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body((payload == null? BodyInserters.empty():BodyInserters.fromValue(payload)))
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
-                .onStatus(HttpStatus::is5xxServerError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.INTERNAL_SERVER_ERROR)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
+                .onStatus(HttpStatusCode::is5xxServerError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(String.class)
                 .block();
 

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/connector/support/CustomSubmissionAccessHandler.java

@@ -50,7 +50,8 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, String pay
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body(Mono.just(payload), String.class)
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(String.class)
                 .block();
 
@@ -73,7 +74,8 @@ public ResponseEntity<IResponse> exchange(String url, HttpMethod method, IReques
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body((payload == null?BodyInserters.empty():BodyInserters.fromValue(payload)))
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(responseClazz)
                 .block();
         return new ResponseEntity<>(response.getBody(), response.getStatusCode());

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/connector/support/FormAccessHandler.java

@@ -22,7 +22,7 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Properties;
 
-
+import org.springframework.http.HttpStatusCode;
 /**
  * Form Access Handler.
  * This class serves as gateway for all formio interactions.
@@ -79,7 +79,7 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, String pay
                                         dataBuffer.read(bytes);
                                         DataBufferUtils.release(dataBuffer); // Release the buffer to avoid memory leaks
                                         String responseBody = new String(bytes, StandardCharsets.UTF_8);
-                                        HttpStatus httpStatus = response.statusCode();
+                                        HttpStatusCode httpStatus = response.statusCode();
                                         return ResponseEntity.status(httpStatus).body(responseBody);
                                     });
                         }
@@ -108,7 +108,7 @@ public ResponseEntity<String> exchange(String url, HttpMethod method, String pay
                                         dataBuffer.read(bytes);
                                         DataBufferUtils.release(dataBuffer); // Release the buffer to avoid memory leaks
                                         String responseBody = new String(bytes, StandardCharsets.UTF_8);
-                                        HttpStatus httpStatus = response.statusCode();
+                                        HttpStatusCode httpStatus = response.statusCode();
                                         return ResponseEntity.status(httpStatus).body(responseBody);
                                     });
                         }

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/connector/support/TextAnalyzerAccessHandler.java

@@ -57,7 +57,8 @@ public ResponseEntity<IResponse> exchange(String url, HttpMethod method, IReques
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .body((payload == null? BodyInserters.empty():BodyInserters.fromValue(payload)))
                 .retrieve()
-                .onStatus(HttpStatus::is4xxClientError, clientResponse -> Mono.error(new HttpClientErrorException(HttpStatus.BAD_REQUEST)))
+                .onStatus(HttpStatusCode::is4xxClientError,
+                        clientResponse -> Mono.error(new HttpClientErrorException(clientResponse.statusCode())))
                 .toEntity(responseClazz)
                 .block();
         return new ResponseEntity<>(response.getBody(), response.getStatusCode());

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/io/event/CamundaEventListener.java

@@ -19,7 +19,7 @@
 import org.springframework.messaging.simp.SimpMessagingTemplate;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.Resource;
+import jakarta.annotation.Resource;
 import java.util.*;
 
 import static org.camunda.bpm.extension.commons.utils.VariableConstants.FORM_URL;

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/commons/io/socket/WebSocketConfig.java

@@ -26,7 +26,7 @@ public class WebSocketConfig implements WebSocketMessageBrokerConfigurer  {
 
     @Override
     public void registerStompEndpoints(StompEndpointRegistry registry) {
-        registry.addEndpoint("/forms-flow-bpm-socket/**").setAllowedOrigins(getOrigins())
+        registry.addEndpoint("/forms-flow-bpm-socket/").setAllowedOrigins(getOrigins())
                 .withSockJS();
     }
 

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/hooks/controllers/AdminController.java

@@ -11,8 +11,8 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
-import javax.annotation.Resource;
-import javax.servlet.ServletException;
+import jakarta.annotation.Resource;
+import jakarta.servlet.ServletException;
 
 import org.apache.commons.lang3.StringUtils;
 import org.camunda.bpm.engine.AuthorizationService;
@@ -51,8 +51,7 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.nimbusds.jose.shaded.json.JSONArray;
-import com.nimbusds.oauth2.sdk.util.CollectionUtils;
+import net.minidev.json.JSONArray;
 
 
 
@@ -91,7 +90,7 @@ public class AdminController {
         List<String> groups = getGroups(authentication);
         AuthorizationInfo authorizationInfo = null;
 
-        if (CollectionUtils.isNotEmpty(groups) && groups.contains(adminGroupName)) {
+        if (!groups.isEmpty() && groups.contains(adminGroupName)) {
             authorizationInfo = new AuthorizationInfo(true, null);
         } else {
             authorizationInfo = new AuthorizationInfo(false, getAuthorization(groups));
@@ -124,7 +123,7 @@ public class AdminController {
                     }
 
                 }
-                if(CollectionUtils.isNotEmpty(groups) && groups.contains(adminGroupName)) {
+                if(!groups.isEmpty() && groups.contains(adminGroupName)) {
                     for(AuthorizedAction formObj : formList) {
                         if(!isExists(filteredList, formObj.getFormId())) {
                             filteredList.add(formObj);

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/hooks/controllers/TaskController.java

@@ -1,8 +1,6 @@
 package org.camunda.bpm.extension.hooks.controllers;
 
-import com.nimbusds.jose.shaded.json.JSONArray;
-import com.nimbusds.oauth2.sdk.util.CollectionUtils;
-
+import net.minidev.json.JSONArray;
 import org.apache.commons.lang3.StringUtils;
 import org.camunda.bpm.extension.hooks.controllers.data.Task;
 import org.camunda.bpm.extension.hooks.controllers.data.Variable;
@@ -12,16 +10,17 @@
 import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
 import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
-import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.server.ResponseStatusException;
 
-import javax.servlet.ServletException;
+import jakarta.servlet.ServletException;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/hooks/delegates/FormTextAnalysisDelegate.java

@@ -23,7 +23,7 @@
 import  com.fasterxml.jackson.core.JsonProcessingException;
 
 
-import javax.annotation.Resource;
+import jakarta.annotation.Resource;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/hooks/listeners/BPMFormDataPipelineListener.java

@@ -23,7 +23,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.Resource;
+import jakarta.annotation.Resource;
 
 import java.io.IOException;
 import java.util.ArrayList;

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/hooks/listeners/FormBPMFilteredDataPipelineListener.java

@@ -19,7 +19,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.Resource;
+import jakarta.annotation.Resource;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.List;

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/hooks/listeners/execution/ExternalSubmissionListener.java

@@ -20,7 +20,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.Resource;
+import jakarta.annotation.Resource;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;