Merge pull request #74 from bnc-projects/use-docker-container-tag

alphafoobar · web-flow · commit 5fdac9837e27 · 2020-05-14T17:36:17.000+12:00
Use docker container tag
diff --git a/build.gradle b/build.gradle
@@ -63,6 +63,12 @@ allprojects {
         toolVersion = "0.8.5"
     }
 
+    jacocoTestReport {
+        reports {
+            xml.enabled true
+        }
+    }
+
     checkstyle {
         toolVersion '8.28'
         tasks.withType(Checkstyle) {
diff --git a/service/Dockerfile b/service/Dockerfile
@@ -1,4 +1,4 @@
-FROM adoptopenjdk:11-jre-hotspot
+FROM adoptopenjdk:11.0.7_10-jre-hotspot-bionic
 
 RUN groupadd -g 999 appuser && useradd -r -u 999 -g appuser appuser
 USER appuser
diff --git a/service/build.gradle b/service/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id "org.springframework.boot" version "2.2.4.RELEASE"
+    id "org.springframework.boot" version "2.2.7.RELEASE"
     id "io.spring.dependency-management" version "1.0.9.RELEASE"
     id "com.palantir.docker" version "0.24.0"
     id "com.gorylenko.gradle-git-properties" version "2.2.0"
@@ -37,9 +37,11 @@ docker {
 
 dependencies {
     implementation project(':client')
+
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-actuator'
-    implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-sleuth', version: '2.2.1.RELEASE'
-    implementation group: 'io.micrometer', name: 'micrometer-registry-new-relic', version: '1.3.3'
+    implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-sleuth', version: '2.2.2.RELEASE'
+    implementation group: 'io.micrometer', name: 'micrometer-registry-new-relic'
+
     testImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-test'
 }
diff --git a/service/src/main/java/com/bnc/sbjb/rest/DefaultExceptionHandler.java b/service/src/main/java/com/bnc/sbjb/rest/DefaultExceptionHandler.java
@@ -86,8 +86,27 @@ public CustomError handleExceptionMethodNotAllowed(final Exception ex) {
     @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
     @ResponseBody
     public CustomError handleException(HttpServletRequest httpServletRequest, Exception ex) {
-        logger.error("Unknown exception [queryString=\"{}\" errorMessage=\"{}\"]", httpServletRequest.getQueryString(), ex.getMessage(), ex);
+        final String queryString = sanitizedQueryString(httpServletRequest.getQueryString(), 250);
+        logger.error("Unknown exception [queryString=\"{}\" errorMessage=\"{}\"]", queryString, ex.getMessage(), ex);
         return new CustomError(HttpStatus.INTERNAL_SERVER_ERROR,
             "Oops something went wrong. Please contact us if this keeps occurring.");
     }
+
+    /**
+     * Logging should not be vulnerable to injection attacks.
+     *
+     * @param queryString The query string to sanitize.
+     * @param maxLength The max acceptable length
+     * @return A string that is no more characters than the max length requested, with new lines and tabs replaced.
+     */
+    private String sanitizedQueryString(String queryString, int maxLength) {
+        if (queryString == null) {
+            return "";
+        }
+        return queryString
+            .substring(0, Math.min(queryString.length(), maxLength))
+            .replaceAll("[\n]+", "\\\\n")
+            .replaceAll("[\r]+", "\\\\r")
+            .replaceAll("[\t]+", "\\\\t");
+    }
 }
diff --git a/service/src/test/java/com/bnc/sbjb/rest/DefaultExceptionHandlerTest.java b/service/src/test/java/com/bnc/sbjb/rest/DefaultExceptionHandlerTest.java
@@ -0,0 +1,46 @@
+package com.bnc.sbjb.rest;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
+
+import javax.servlet.http.HttpServletRequest;
+import org.junit.jupiter.api.Test;
+
+class DefaultExceptionHandlerTest {
+
+    @Test
+    void testHandleExceptionWithBigQueryString() {
+        final HttpServletRequest mockRequest = mock(HttpServletRequest.class);
+        when(mockRequest.getQueryString()).thenReturn(
+            "This is a string with a lot of text and several extra whitespaces\n"
+                + "This is a string with a lot of text and several extra whitespaces\n"
+                + "This is a string with a lot of text and several extra whitespaces\n"
+                + "This is a string with a lot of text and several extra whitespaces\n"
+                + "This is a string with a lot of text and several extra whitespaces\n");
+        new DefaultExceptionHandler().handleException(mockRequest, new Exception("Just testing"));
+        // Just to include a test.
+        verify(mockRequest).getQueryString();
+        verifyNoMoreInteractions(mockRequest);
+    }
+
+    @Test
+    void testHandleExceptionWithLittleQueryString() {
+        final HttpServletRequest mockRequest = mock(HttpServletRequest.class);
+        when(mockRequest.getQueryString()).thenReturn("\n");
+        new DefaultExceptionHandler().handleException(mockRequest, new Exception("Just testing"));
+        // Just to include a test.
+        verify(mockRequest).getQueryString();
+        verifyNoMoreInteractions(mockRequest);
+    }
+
+    @Test
+    void testHandleExceptionWithNoQueryString() {
+        final HttpServletRequest mockRequest = mock(HttpServletRequest.class);
+        when(mockRequest.getQueryString()).thenReturn(null);
+        new DefaultExceptionHandler().handleException(mockRequest, new Exception("Just testing"));
+        // Just to include a test.
+        verify(mockRequest).getQueryString();
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM adoptopenjdk:11-jre-hotspot`
	`1`	`+FROM adoptopenjdk:11.0.7_10-jre-hotspot-bionic`
`2`	`2`
`3`	`3`	`RUN groupadd -g 999 appuser && useradd -r -u 999 -g appuser appuser`
`4`	`4`	`USER appuser`