Merge pull request #85 from rundeck-plugins/cve-fixes

jtobard · web-flow · commit f7b559930f02 · 2025-10-08T15:05:51.000-03:00
RUN-3601: CVE-2025-48924 Fix
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,43 @@
-.gradle
-.idea
-build
-out
-/docker/client/rundeck-cli/node_modules/
+# IDE/Build files
+.gradle/
+*.ipr
+*.iml
+*.iws
+.idea/
+build/
+bin/
+out/
+
+# VS Code
+.vscode/
+
+# Eclipse
+.project
+.classpath
+.settings/
+.metadata/
+
+# NetBeans
+nbproject/private/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/
+
+# System files
+**/.DS_Store
+Thumbs.db
+
+# Temporary files
+*.tmp
+*.bak
+*.swp
+*~.nib
+
+# Log files
+*.log
+
+# Local environment files
+.env
+.env.local
+.env.*.local
diff --git a/build.gradle b/build.gradle
@@ -57,10 +57,22 @@ dependencies {
     implementation libs.commonsIo
     implementation libs.rundeckCore
     implementation libs.slf4jApi
+    
+    // Add secure commons-lang3 to provide alternative to vulnerable commons-lang 2.6
+    implementation(libs.commonsLang3)
 
     testImplementation libs.bundles.testLibs
 }
 
+configurations.all {
+    resolutionStrategy {
+        // Replace vulnerable commons-lang with secure commons-lang3
+        dependencySubstitution {
+            substitute module('commons-lang:commons-lang') using module("org.apache.commons:commons-lang3:${libs.versions.commonsLang3.get()}")
+        }
+    }
+}
+
 // task to copy plugin libs to output/lib dir
 task copyToLib(type: Copy) {
     into "$buildDir/output/lib"
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -14,6 +14,8 @@ cglib = "3.3.0"
 objenesis = "1.4"
 axionRelease = "1.18.18"
 nexusPublish = "2.0.0"
+# Security overrides for transitive dependencies
+commonsLang3 = "3.18.0"
 
 [libraries]
 sshj = { group = "com.hierynomus", name = "sshj", version.ref = "sshj" }
@@ -30,6 +32,7 @@ groovyAll = { group = "org.codehaus.groovy", name = "groovy-all", version.ref =
 spockCore = { group = "org.spockframework", name = "spock-core", version.ref = "spock" }
 cglibNodep = { group = "cglib", name = "cglib-nodep", version.ref = "cglib" }
 objenesis = { group = "org.objenesis", name = "objenesis", version.ref = "objenesis" }
+commonsLang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commonsLang3" }
 
 [bundles]
 bouncycastle = ["bcpkix", "bcprov"]
diff --git a/src/main/java/com/plugin/sshjplugin/SSHJBuilder.java b/src/main/java/com/plugin/sshjplugin/SSHJBuilder.java
@@ -4,7 +4,7 @@
 import com.dtolabs.rundeck.core.dispatcher.DataContextUtils;
 import com.dtolabs.rundeck.plugins.PluginLogger;
 import com.plugin.sshjplugin.model.*;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import java.io.File;
 import java.util.HashMap;
diff --git a/src/main/java/com/plugin/sshjplugin/SSHJNodeExecutorPlugin.java b/src/main/java/com/plugin/sshjplugin/SSHJNodeExecutorPlugin.java
@@ -24,7 +24,7 @@
 import net.schmizz.keepalive.KeepAliveProvider;
 import net.schmizz.sshj.DefaultConfig;
 import net.schmizz.sshj.SSHClient;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import java.util.Arrays;
 import java.util.List;
