Cherry-pick security fixes and community improvements

fmaass · fmaass · commit 75309464f747 · 2026-03-24T13:50:35.000+01:00
PR sismics#763: Replace log4j 1.2.17 with reload4j via slf4j-reload4j, bump Guava 31→33, H2 1.4→2.2, OkHttp 4.10→4.12, Jersey 3.0→3.1, commons-compress 1.22→1.25, add parsson + xercesImpl, exclude transitive log4j from subethasmtp. Patch libgnutls30 in Dockerfile. PR sismics#773 (selective): Fix garbled non-ASCII filenames in downloads by URL-encoding Content-Disposition header. Attribute email-imported documents to the Teedy user matching the sender address instead of always defaulting to admin. Made-with: Cursor
diff --git a/Dockerfile b/Dockerfile
@@ -11,6 +11,7 @@ ENV JETTY_HOME=/opt/jetty
 
 # Install packages
 RUN apt-get update && \
+    apt-get upgrade -y -q libgnutls30 && \
     apt-get -y -q --no-install-recommends install \
     vim less procps unzip wget tzdata openjdk-11-jdk \
     ffmpeg \
diff --git a/docs-core/pom.xml b/docs-core/pom.xml
@@ -63,13 +63,13 @@
     </dependency>
 
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
 
     <dependency>
       <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
+      <artifactId>slf4j-reload4j</artifactId>
     </dependency>
 
     <dependency>
@@ -158,6 +158,11 @@
       <artifactId>fr.opensagres.poi.xwpf.converter.pdf</artifactId>
     </dependency>
 
+    <dependency>
+        <groupId>xerces</groupId>
+        <artifactId>xercesImpl</artifactId>
+    </dependency>
+
     <!-- ImageIO plugins -->
     <dependency>
       <groupId>com.twelvemonkeys.imageio</groupId>
diff --git a/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java b/docs-core/src/main/java/com/sismics/docs/core/dao/UserDao.java
@@ -1,12 +1,19 @@
 package com.sismics.docs.core.dao;
 
-import com.google.common.base.Joiner;
-import com.google.common.base.Strings;
-import at.favre.lib.crypto.bcrypt.BCrypt;
+import java.sql.Timestamp;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
 import org.joda.time.DateTime;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
 import com.sismics.docs.core.constant.AuditLogType;
 import com.sismics.docs.core.constant.Constants;
 import com.sismics.docs.core.dao.criteria.UserCriteria;
@@ -19,11 +26,10 @@
 import com.sismics.docs.core.util.jpa.SortCriteria;
 import com.sismics.util.context.ThreadLocalContext;
 
+import at.favre.lib.crypto.bcrypt.BCrypt;
 import jakarta.persistence.EntityManager;
 import jakarta.persistence.NoResultException;
 import jakarta.persistence.Query;
-import java.sql.Timestamp;
-import java.util.*;
 
 /**
  * User DAO.
@@ -233,6 +239,23 @@ public User getActiveByUsername(String username) {
             return null;
         }
     }
+
+    /**
+     * Gets an active user by its email.
+     * 
+     * @param email User's email
+     * @return User
+     */
+    public User getByEmail(String email) {
+        EntityManager em = ThreadLocalContext.get().getEntityManager();
+        try {
+            Query q = em.createQuery("select u from User u where u.email = :email and u.deleteDate is null");
+            q.setParameter("email", email);
+            return (User) q.getSingleResult();
+        } catch (NoResultException e) {
+            return null;
+        }
+    }
     
     /**
      * Deletes a user.
diff --git a/docs-core/src/main/java/com/sismics/docs/core/service/InboxService.java b/docs-core/src/main/java/com/sismics/docs/core/service/InboxService.java
@@ -1,8 +1,32 @@
 package com.sismics.docs.core.service;
 
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.mail.Flags;
+import javax.mail.Folder;
+import javax.mail.FolderClosedException;
+import javax.mail.Message;
+import javax.mail.Session;
+import javax.mail.Store;
+import javax.mail.internet.InternetAddress;
+import javax.mail.search.FlagTerm;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import com.google.common.util.concurrent.AbstractScheduledService;
 import com.sismics.docs.core.constant.ConfigType;
 import com.sismics.docs.core.dao.TagDao;
+import com.sismics.docs.core.dao.UserDao;
 import com.sismics.docs.core.dao.criteria.TagCriteria;
 import com.sismics.docs.core.dao.dto.TagDto;
 import com.sismics.docs.core.event.DocumentCreatedAsyncEvent;
@@ -15,16 +39,6 @@
 import com.sismics.docs.core.util.jpa.SortCriteria;
 import com.sismics.util.EmailUtil;
 import com.sismics.util.context.ThreadLocalContext;
-import org.apache.commons.lang3.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.mail.*;
-import javax.mail.search.FlagTerm;
-import java.util.*;
-import java.util.concurrent.TimeUnit;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 /**
  * Inbox scanning service.
@@ -88,7 +102,8 @@ public void syncInbox() {
                 Message[] messages = inbox.search(new FlagTerm(new Flags(Flags.Flag.SEEN), false));
                 log.info(messages.length + " messages found");
                 for (Message message : messages) {
-                    importMessage(message, tagsNameToId);
+                    InternetAddress sender = (InternetAddress) message.getFrom()[0];
+                    importMessage(message, tagsNameToId,sender);
                     lastSyncMessageCount++;
                 }
             } catch (FolderClosedException e) {
@@ -190,8 +205,8 @@ private Folder openInbox() throws Exception {
      * @param message Message
      * @throws Exception e
      */
-    private void importMessage(Message message, Map<String, String> tags) throws Exception {
-        log.info("Importing message: " + message.getSubject());
+    private void importMessage(Message message, Map<String, String> tags,InternetAddress sender) throws Exception {
+        log.info("Importing message: " + message.getSubject()+",sender="+sender.getAddress());
 
         // Parse the mail
         EmailUtil.MailContent mailContent = new EmailUtil.MailContent();
@@ -219,8 +234,12 @@ private void importMessage(Message message, Map<String, String> tags) throws Exc
             log.debug("Tags found: " + String.join(", ", tagsFound));
             subject = subject.trim().replaceAll(" +", " ");
         }
-
-        document.setUserId("admin");
+        UserDao userDao = new UserDao();
+        com.sismics.docs.core.model.jpa.User user = userDao.getByEmail(sender.getAddress());
+        if(user!=null)
+          document.setUserId(user.getId());
+        else
+          document.setUserId("admin");
         document.setTitle(StringUtils.abbreviate(subject, 100));
         document.setDescription(StringUtils.abbreviate(mailContent.getMessage(), 4000));
         document.setSubject(StringUtils.abbreviate(mailContent.getSubject(), 500));
@@ -232,9 +251,13 @@ private void importMessage(Message message, Map<String, String> tags) throws Exc
         } else {
             document.setCreateDate(mailContent.getDate());
         }
+        if(user!=null)
+          DocumentUtil.createDocument(document, user.getId());
+        else{
+          // Save the document, create the base ACLs
+          DocumentUtil.createDocument(document, "admin");
+        }  
 
-        // Save the document, create the base ACLs
-        DocumentUtil.createDocument(document, "admin");
 
         // Add the tag
         String tagId = ConfigUtil.getConfigStringValue(ConfigType.INBOX_TAG);
@@ -253,12 +276,19 @@ private void importMessage(Message message, Map<String, String> tags) throws Exc
 
         // Raise a document created event
         DocumentCreatedAsyncEvent documentCreatedAsyncEvent = new DocumentCreatedAsyncEvent();
-        documentCreatedAsyncEvent.setUserId("admin");
+        if(user!=null)
+          documentCreatedAsyncEvent.setUserId(user.getId());
+        else
+          documentCreatedAsyncEvent.setUserId("admin");
         documentCreatedAsyncEvent.setDocumentId(document.getId());
         ThreadLocalContext.get().addAsyncEvent(documentCreatedAsyncEvent);
 
         // Add files to the document
         for (EmailUtil.FileContent fileContent : mailContent.getFileContentList()) {
+          if(user!=null)
+            FileUtil.createFile(fileContent.getName(), null, fileContent.getFile(), fileContent.getSize(),
+                    document.getLanguage(), user.getId(), document.getId());
+          else
             FileUtil.createFile(fileContent.getName(), null, fileContent.getFile(), fileContent.getSize(),
                     document.getLanguage(), "admin", document.getId());
         }
diff --git a/docs-web-common/pom.xml b/docs-web-common/pom.xml
@@ -31,6 +31,11 @@
       <groupId>org.glassfish.jersey.media</groupId>
       <artifactId>jersey-media-json-processing</artifactId>
     </dependency>
+
+    <dependency>
+        <groupId>org.eclipse.parsson</groupId>
+        <artifactId>parsson</artifactId>
+    </dependency>
       
     <!-- Other external dependencies -->
     <dependency>
@@ -49,8 +54,8 @@
     </dependency>
     
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
   
     <dependency>
diff --git a/docs-web/pom.xml b/docs-web/pom.xml
@@ -46,6 +46,11 @@
       <groupId>org.glassfish.jersey.inject</groupId>
       <artifactId>jersey-hk2</artifactId>
     </dependency>
+
+    <dependency>
+        <groupId>org.eclipse.parsson</groupId>
+        <artifactId>parsson</artifactId>
+    </dependency>
       
     <!-- Other external dependencies -->
     <dependency>
@@ -64,8 +69,8 @@
     </dependency>
     
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
   
     <dependency>
diff --git a/docs-web/src/main/java/com/sismics/docs/rest/resource/FileResource.java b/docs-web/src/main/java/com/sismics/docs/rest/resource/FileResource.java
@@ -1,5 +1,21 @@
 package com.sismics.docs.rest.resource;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URISyntaxException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.nio.file.StandardCopyOption;
+import java.text.MessageFormat;
+import java.util.List;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+
+import org.glassfish.jersey.media.multipart.FormDataBodyPart;
+import org.glassfish.jersey.media.multipart.FormDataParam;
+
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.google.common.io.ByteStreams;
@@ -27,30 +43,27 @@
 import com.sismics.util.JsonUtil;
 import com.sismics.util.context.ThreadLocalContext;
 import com.sismics.util.mime.MimeType;
-import org.glassfish.jersey.media.multipart.FormDataBodyPart;
-import org.glassfish.jersey.media.multipart.FormDataParam;
 
 import jakarta.json.Json;
 import jakarta.json.JsonArrayBuilder;
 import jakarta.json.JsonObjectBuilder;
-import jakarta.ws.rs.*;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 import jakarta.ws.rs.core.StreamingOutput;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URISyntaxException;
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.nio.file.StandardCopyOption;
-import java.text.MessageFormat;
-import java.util.List;
-import java.util.zip.ZipEntry;
-import java.util.zip.ZipOutputStream;
 
 /**
  * File REST resources.
@@ -637,7 +650,7 @@ public Response data(
         }
 
         Response.ResponseBuilder builder = Response.ok(stream)
-                .header(HttpHeaders.CONTENT_DISPOSITION, "inline; filename=\"" + file.getFullName("data") + "\"")
+                .header(HttpHeaders.CONTENT_DISPOSITION, "inline; filename*=utf-8''" + filenameEncode(  file.getFullName("data") ))
                 .header(HttpHeaders.CONTENT_TYPE, mimeType);
         if (decrypt) {
             // Cache real files
@@ -651,6 +664,15 @@ public Response data(
         return builder.build();
     }
 
+    private String filenameEncode(String name) {
+        try {
+            return java.net.URLEncoder.encode(name, "UTF-8").replace("+", "%20");
+        } catch (java.io.UnsupportedEncodingException e) {
+            e.printStackTrace();
+            return name;
+        }
+    }
+
     /**
      * Returns all files from a document, zipped.
      *
diff --git a/pom.xml b/pom.xml
