Merge pull request #2846 from hongwei1/develop

fix(deps): upgrade avro4s 1.8.2→4.1.2 to patch CVE-2024-47561 (CVSS 9.8); remove stale deps

Author: simonredfern

obp-api/pom.xml

@@ -20,11 +20,6 @@
       <artifactId>obp-commons</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>com.github.everit-org.json-schema</groupId>
-      <artifactId>org.everit.json.schema</artifactId>
-      <version>1.6.1</version>
-    </dependency>
     <!-- Upgraded from 1.4.14 (EOL branch) to 1.5.18. 1.4.x is end-of-life as of
          2024; 1.5.x is the supported branch and requires Java 11+ (which we target).
          Fixes CVE-2024-12798 (RCE via JaninoEventEvaluator in 1.4.x). -->
@@ -41,6 +36,7 @@
       <groupId>net.databinder.dispatch</groupId>
       <artifactId>dispatch-core_${scala.version}</artifactId>
       <version>0.13.1</version>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.json4s</groupId>
@@ -121,21 +117,20 @@
       <artifactId>protobuf-java</artifactId>
       <version>3.25.5</version>
     </dependency>
-    <!-- Pin snappy-java to override the 1.1.1.3 pulled in transitively by avro 1.8.2.
+    <!-- Pin org.apache.avro:avro to 1.11.4 to override the 1.9.2 pulled in transitively
+         by avro4s 4.1.2. Fixes CVE-2024-47561 (CVSS 9.8 — RCE via schema parsing). -->
+    <dependency>
+      <groupId>org.apache.avro</groupId>
+      <artifactId>avro</artifactId>
+      <version>${apache.avro.version}</version>
+    </dependency>
+    <!-- Pin snappy-java to override older versions pulled in transitively by avro.
          Fixes CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-43642. -->
     <dependency>
       <groupId>org.xerial.snappy</groupId>
       <artifactId>snappy-java</artifactId>
       <version>1.1.10.4</version>
     </dependency>
-    <!-- Pin commons-beanutils to override the 1.9.2 pulled in transitively via
-         everit json-schema → commons-validator. Fixes CVE-2025-48734, CVE-2019-10086;
-         1.11.0 adds the Improper-Access-Control fix (GHSA on top of those). -->
-    <dependency>
-      <groupId>commons-beanutils</groupId>
-      <artifactId>commons-beanutils</artifactId>
-      <version>1.11.0</version>
-    </dependency>
     <!-- Pin msal4j to override the older version pulled in transitively by
          mssql-jdbc → azure-identity. Fixes CVE-2024-35255 (elevation of
          privilege, fixed upstream in 1.15.1). Not used directly in source —
@@ -177,11 +172,6 @@
       <artifactId>cglib</artifactId>
       <version>3.3.0</version>
     </dependency>
-    <dependency>
-      <groupId>org.apache.httpcomponents</groupId>
-      <artifactId>httpclient</artifactId>
-      <version>4.5.14</version>
-    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-pool2</artifactId>
@@ -241,7 +231,7 @@
     <dependency>
       <groupId>com.sksamuel.avro4s</groupId>
       <artifactId>avro4s-core_${scala.version}</artifactId>
-      <version>${avro.version}</version>
+      <version>${avro4s.version}</version>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -312,19 +302,14 @@
       <artifactId>json-smart</artifactId>
     </dependency>
     <!-- ********** flexmark START ********** -->
-    <!-- Library flexmark-all v0.40.8 is replaced with used modules -->
+    <!-- Library flexmark-all v0.40.8 is replaced with used module -->
     <!-- https://mvnrepository.com/artifact/com.vladsch.flexmark/flexmark-profile-pegdown -->
     <dependency>
       <groupId>com.vladsch.flexmark</groupId>
       <artifactId>flexmark-profile-pegdown</artifactId>
       <version>0.40.8</version>
     </dependency>
-    <!-- https://mvnrepository.com/artifact/com.vladsch.flexmark/flexmark-util-options -->
-    <dependency>
-      <groupId>com.vladsch.flexmark</groupId>
-      <artifactId>flexmark-util-options</artifactId>
-      <version>0.64.0</version>
-    </dependency>
+
       <!-- https://mvnrepository.com/artifact/org.web3j/core -->
       <dependency>
           <groupId>org.web3j</groupId>
@@ -422,6 +407,7 @@
       <groupId>org.asynchttpclient</groupId>
       <artifactId>async-http-client</artifactId>
       <version>2.15.0</version>
+      <scope>test</scope>
         <exclusions>
             <exclusion>
                 <artifactId>javax.activation</artifactId>
@@ -514,11 +500,12 @@
       <artifactId>jackson-databind</artifactId>
       <!-- version managed by jackson-bom in parent pom -->
     </dependency>
-      <!-- https://mvnrepository.com/artifact/tools.jackson.dataformat/jackson-dataformat-yaml -->
+    <!-- com.fasterxml YAML module (Jackson 2.x), version managed by jackson-bom in parent pom.
+         Replaces the incompatible tools.jackson 3.x line so a single Jackson generation is on
+         the classpath. YAMLUtils uses com.fasterxml.jackson.dataformat.yaml.YAMLFactory. -->
     <dependency>
-      <groupId>tools.jackson.dataformat</groupId>
+      <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-yaml</artifactId>
-      <version>3.0.4</version>
     </dependency>
     <!-- https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp -->
     <dependency>

obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala

@@ -28,12 +28,9 @@ package code.api.dynamic.endpoint
 
 import APIMethodsDynamicEndpoint.ImplementationsDynamicEndpoint
 import code.api.OBPRestHelper
-import code.api.dynamic.endpoint.helper.DynamicEndpoints
-import code.api.util.{APIUtil, VersionedOBPApis}
+import code.api.util.VersionedOBPApis
 import code.util.Helper.MdcLoggable
 import com.openbankproject.commons.util.{ApiVersion,ApiVersionStatus}
-import net.liftweb.common.{Box, Full}
-import org.apache.http.HttpStatus
 
 /*
 This file defines which endpoints from all the versions are available in v4.0.0

obp-api/src/main/scala/code/api/dynamic/entity/projection/ProjectionDualWrite.scala

@@ -9,13 +9,13 @@ import org.json4s.JsonAST.JObject
 /**
  * Keeps a record's projection row in sync on the write path (DE_indexing, Phase 3). Guarded by
  * `projectionEnabled` and a no-op unless the entity has a `ready` projection — so it changes nothing
- * by default. Uses `DoobieUtil.runQuery`, which reuses Lift's request connection, so the projection
- * upsert/delete participates in the SAME transaction as the canonical blob write (commit/rollback
- * together). Scalar fields only (spatial dual-write is Phase 4).
+ * by default. Uses `DoobieUtil.runUpdate` so the INSERT is committed even when called outside an
+ * explicit request-scope transaction (e.g. dynamic-entity POST handlers that don't wrap in
+ * `withBusinessDBTransaction`). When a request-scope proxy IS present, `runUpdate` still reuses it
+ * via `transactorFromConnection`. Scalar fields only (spatial dual-write is Phase 4).
  */
 object ProjectionDualWrite extends MdcLoggable {
 
-  /** Upsert the record's ready indexed scalar columns into the projection (called after the blob save). */
   def onSave(bankId: Option[String], entityName: String, dataId: String, body: JObject): Unit =
     withReadyScalarFields(bankId, entityName) { (safeTable, fields) =>
       val cols = fields.map { case (f, spec) =>
@@ -24,13 +24,12 @@ object ProjectionDualWrite extends MdcLoggable {
           ProjectionDDL.sqlColumnType(spec.fieldType.toString),
           ProjectionCoerce.toColumnValue(body \ f, spec.fieldType))
       }
-      DoobieUtil.runQuery(ProjectionStore.upsert(safeTable, dataId, cols))
+      DoobieUtil.runUpdate(ProjectionStore.upsert(safeTable, dataId, cols))
     }
 
-  /** Delete the record's projection row (called after the blob delete; FK cascade is a backstop). */
   def onDelete(bankId: Option[String], entityName: String, dataId: String): Unit =
     withReadyScalarFields(bankId, entityName) { (safeTable, _) =>
-      DoobieUtil.runQuery(ProjectionStore.delete(safeTable, dataId))
+      DoobieUtil.runUpdate(ProjectionStore.delete(safeTable, dataId))
     }
 
   private def withReadyScalarFields(bankId: Option[String], entityName: String)

obp-api/src/main/scala/code/api/util/APIUtil.scala

@@ -1416,34 +1416,12 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
   //ended -- Filtering and Paging relevant methods  ////////////////////////////
 
 
-  /** Import this object's methods to add signing operators to dispatch.Request */
   object OAuth {
-    import dispatch.{Req => Request}
-
-    import scala.collection.Map
-
     case class Consumer(key: String, secret: String)
     case class Token(value: String, secret: String)
 
     /** Out-of-band callback code */
     val oob = "oob"
-
-    /** Add OAuth operators to dispatch.Request */
-    implicit def Request2RequestSigner(r: Request) = new RequestSigner(r)
-
-    class RequestSigner(rb: Request) {
-      /** sign a request with a consumer and a token, e.g. an OAuth-signed API request */
-      def <@ (consumer: Consumer, token: Token): Request = {
-        rb <:< Map("Authorization" -> s"""DirectLogin token="${token.value}"""")
-      }
-      def <@ (consumerAndToken: Option[(Consumer,Token)]): Request = {
-        consumerAndToken match {
-          case Some((_, token)) => 
-            rb <:< Map("Authorization" -> s"""DirectLogin token="${token.value}"""")
-          case None => rb
-        }
-      }
-    }
   }
 
   /*

obp-api/src/main/scala/code/api/util/JwtUtil.scala

@@ -15,7 +15,6 @@ import com.nimbusds.jose.util.{DefaultResourceRetriever, JSONObjectUtils}
 import com.nimbusds.jwt.proc.{BadJWTException, DefaultJWTProcessor}
 import com.nimbusds.jwt.{JWTClaimsSet, SignedJWT}
 import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet
-import dispatch.Future
 import net.liftweb.common.{Box, Empty, Failure, Full}
 
 object JwtUtil extends MdcLoggable {

obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala

@@ -5,37 +5,34 @@ import java.io.{ByteArrayOutputStream, InputStream}
 import com.sksamuel.avro4s._
 
 import scala.concurrent.{ExecutionContext, Future}
-import scala.util.Try
+import scala.util.Success
 
-/**
-  * Provides generic serialization/deserialization
-  */
 trait AvroSerializer {
 
-  def serialize[T: SchemaFor : ToRecord](event: T)(implicit executionContext: ExecutionContext): String = {
+  def serialize[T: Encoder](event: T)(implicit executionContext: ExecutionContext): String = {
     val baos = new ByteArrayOutputStream()
-    val output = AvroOutputStream.json[T](baos)
+    val output = AvroOutputStream.json[T].to(baos).build()
     output.write(event)
     output.close()
-    val r = baos.toString("UTF-8")
-    r
+    baos.toString("UTF-8")
   }
 
-  def serializeFuture[T: SchemaFor : ToRecord](event: T)(implicit executionContext: ExecutionContext): Future[String] =
+  def serializeFuture[T: Encoder](event: T)(implicit executionContext: ExecutionContext): Future[String] =
     Future(serialize(event))
 
-  def deserializeFuture[T >: Null : SchemaFor : FromRecord](data: String)(implicit executionContext: ExecutionContext): Future[Option[T]] =
+  def deserializeFuture[T >: Null : Decoder](data: String)(implicit executionContext: ExecutionContext): Future[Option[T]] =
     Future(deserialize[T](data))
 
-  def deserialize[T >: Null : SchemaFor : FromRecord](data: String)(implicit executionContext: ExecutionContext): Option[T] = {
-
-    val input = AvroInputStream.json[T](new StringInputStream(data))
-    val result: Try[T] = input.singleEntity
-    result.toOption
+  def deserialize[T >: Null : Decoder](data: String)(implicit executionContext: ExecutionContext): Option[T] = {
+    val schema = implicitly[Decoder[T]].schema
+    val input = AvroInputStream.json[T].from(new StringInputStream(data)).build(schema)
+    val result = input.tryIterator.collectFirst { case Success(v) => v }
+    input.close()
+    result
   }
 
   class StringInputStream(s: String) extends InputStream {
-    private val bytes = s.getBytes
+    private val bytes = s.getBytes("UTF-8")
 
     private var pos = 0
 
@@ -44,7 +41,7 @@ trait AvroSerializer {
     } else {
       val r = bytes(pos)
       pos += 1
-      r.toInt
+      r.toInt & 0xFF
     }
   }
-}
+}

obp-api/src/main/scala/code/bankconnectors/akka/AkkaConnector_vDec2018.scala

@@ -18,7 +18,6 @@ import com.openbankproject.commons.dto._
 import com.openbankproject.commons.model._
 import com.openbankproject.commons.model.enums.StrongCustomerAuthenticationStatus.SCAStatus
 import com.openbankproject.commons.model.enums.{AccountAttributeType, CardAttributeType, ChallengeType, CustomerAttributeType, ProductAttributeType, StrongCustomerAuthentication, TransactionAttributeType, TransactionRequestStatus}
-import com.sksamuel.avro4s.SchemaFor
 import net.liftweb.common.{Box, Full}
 import com.openbankproject.commons.util.JsonAliases.parse
 
@@ -55,8 +54,8 @@ object AkkaConnector_vDec2018 extends Connector with AkkaConnectorActorInit {
         inboundStatus,
         inboundAdapterInfoInternal)
       ),
-    outboundAvroSchema = Some(parse(SchemaFor[OutBoundGetAdapterInfo]().toString(true))),
-    inboundAvroSchema = Some(parse(SchemaFor[InBoundGetAdapterInfo]().toString(true))),
+    outboundAvroSchema = None,
+    inboundAvroSchema = None,
     adapterImplementation = Some(AdapterImplementation("- Core", 1))
   )
   override def getAdapterInfo(callContext: Option[CallContext]): Future[Box[(InboundAdapterInfoInternal, Option[CallContext])]] = {
@@ -81,8 +80,8 @@ object AkkaConnector_vDec2018 extends Connector with AkkaConnectorActorInit {
         List(bankCommons)
       )
       ),
-    outboundAvroSchema = Some(parse(SchemaFor[OutBoundGetBanks]().toString(true))),
-    inboundAvroSchema =  Some(parse(SchemaFor[InBoundGetBanks]().toString(true))),
+    outboundAvroSchema = None,
+    inboundAvroSchema = None,
     adapterImplementation = Some(AdapterImplementation("- Core", 2))
   )
 
@@ -110,8 +109,8 @@ object AkkaConnector_vDec2018 extends Connector with AkkaConnectorActorInit {
         bankCommons
       )
       ),
-    outboundAvroSchema = Some(parse(SchemaFor[OutBoundGetBank]().toString(true))),
-    inboundAvroSchema = Some(parse(SchemaFor[InBoundGetBank]().toString(true))),
+    outboundAvroSchema = None,
+    inboundAvroSchema = None,
     adapterImplementation = Some(AdapterImplementation("- Core", 5))
   )
   override def getBank(bankId : BankId, callContext: Option[CallContext]): Future[Box[(Bank, Option[CallContext])]] = {