Updating Silex to the latest version 2.3.0
- There are a number of outstanding Dependabot alerts on our symfony/*
dependencies from our current version of Silex. This update resolves
all of them.

- There are three outstanding SimpleSAMLPHP CVEs that we are unable to
address via simply upgrading to a fixed version. Therefore, to remediate
these threats I've included patches that will be applied in the
pre-build step of RPM generation (`open_xdmod/modules/xdmod/build.json`).
Below is a list of the CVEs, the corresponding fix in
SimpleSAMLPHP's GitHub repo, the patch file to resolve the CVE and any
notes.
  - CVE-2020-5301: Information disclosure of source code in
    SimpleSAMLphp.
    - GitHub: simplesamlphp/simplesamlphp@47968d2
    - `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5031.diff`
    - Notes: The file that is patched in the original commit does not
      exist in our version of the library so I identified the equivalent
      file in our library, `www/errorreport.php`, and updated that
      instead.
  - CVE-2020-5225: Log injection in SimpleSAMLphp
    - GitHub: simplesamlphp/simplesamlphp@4623851
    - `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.diff`

- `open_xdmod/modules/xdmod/assets/setup.sh`
  - removing lines that are either no longer accurate (echo) or commented
    out (composer install)
- `open_xdmod/modules/xdmod/build.json`
  - Since the build process happens twice during a CI build, once during the
    initial build and again during the qa tests for the build test, and we are
    patching files in vendor/simplesamlphp/simplesamlphp we need to make sure
    that we start fresh for each build.
- `tests/ci/qa-test-setup.sh`
  - Added some code to capture the `COMPOSER` env variable before changing it so
    that we can reset it to the original value after the qa setup process is
    done.
ryanrath committed Aug 6, 2024
1 parent 86d915c commit e2536f1
Showing 12 changed files with 1,272 additions and 280 deletions.
2 changes: 1 addition & 1 deletion .circleci/config.yml
@@ -43,7 +43,7 @@ jobs:
command: dnf install -y php libzip-devel php-pear php-devel
- run:
name: Install MongoDB Pear module
command: yes '' | pecl install mongodb || true
command: yes '' | pecl install mongodb-1.19.3 || true
- run:
name: install the composer dependencies
command: composer install
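Review bot: the `|| true` after `pecl install mongodb-1.19.3` still swallows a failed install, so an unavailable or mismatched extension build would only surface later when `composer install` or the test suite runs; now that the version is pinned, consider dropping the `|| true` so the CI job fails at the step that actually broke, and add a comment tying `1.19.3` to the `mongodb/mongodb` constraint in `composer.json` so the two pins are bumped together.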
2 changes: 1 addition & 1 deletion classes/Rest/Controllers/BaseControllerProvider.php
@@ -8,7 +8,7 @@
use Rest\Utilities\Authorization;
use Silex\Application;
use Silex\ControllerCollection;
use Silex\ControllerProviderInterface;
use Silex\Api\ControllerProviderInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
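Review bot: the import now points at `Silex\Api\ControllerProviderInterface`, but this hunk shows only the `use` line; a stale reference to the Silex 1 namespace in any other provider fails at autoload time rather than in this diff, so confirm that every class in the repository that referenced `Silex\ControllerProviderInterface` is updated in the same commit and that `BaseControllerProvider::connect()` still satisfies the Silex 2 interface signature.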
9 changes: 4 additions & 5 deletions classes/Rest/XdmodApplicationFactory.php
@@ -7,7 +7,6 @@
use Rest\Controllers\BaseControllerProvider;
use Rest\Utilities\Authentication;
use Silex\Application;
use Silex\Provider\UrlGeneratorServiceProvider;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

@@ -64,7 +63,7 @@ public static function getInstance()
$app['debug'] = filter_var(\xd_utilities\getConfiguration('general', 'debug_mode'), FILTER_VALIDATE_BOOLEAN);

// REGISTER: a URL Generator.
$app->register(new UrlGeneratorServiceProvider());
$app->register(new \Silex\Provider\RoutingServiceProvider());

// SET: the regex that will be used to filter the API_SYMBOL in a route.
// in this case we're using it as our base url.
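Review bot: `RoutingServiceProvider` is referenced by its fully qualified name inline while every other Silex class in this file comes in through a `use` statement (the `UrlGeneratorServiceProvider` import removed in the previous hunk included); add `use Silex\Provider\RoutingServiceProvider;` alongside the other imports and update the `// REGISTER: a URL Generator.` comment, since in Silex 2 the routing provider is what supplies the `url_generator` service.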
@@ -74,14 +73,14 @@ public static function getInstance()
// representing the latest version.
$app['controllers']->value(self::API_SYMBOL, 'latest');

$app['logger.db'] = $app->share(function () {
$app['logger.db'] = function () {
return \CCR\Log::factory('rest.logger.db', array(
'console' => false,
'file' => false,
'mail' => false,
'dbLogLevel' => \CCR\Log::INFO
));
});
};

$app->before(function (Request $request, Application $app) {
$request->attributes->set('timing.start', microtime(true));
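Review bot: dropping `$app->share()` is the correct Silex 2 change, because Pimple 3 treats every closure registered on the container as a shared service, but that also means the closure is now invoked once and cached rather than on every access; a one-line comment above `$app['logger.db'] = function () {` saying so would keep the next reader from mistaking it for a factory, and would document why `share()` no longer appears anywhere in this file.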
@@ -226,7 +225,7 @@ public static function getInstance()
}

// SETUP: error handler
$app->error(function (\Exception $e, $code) use ($app) {
$app->error(function (\Exception $e, Request $request, $code) {
if($code == 405 && strtoupper($_SERVER['REQUEST_METHOD']) === 'OPTIONS' && array_key_exists('HTTP_ORIGIN', $_SERVER)){
try {
$corsDomains = \xd_utilities\getConfiguration('cors', 'domains');
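Review bot: `use ($app)` was removed from the error handler's closure while the rest of the handler body is outside the visible lines; if that body still references `$app` (for example to build a Response or read configuration through the container), it is now an undefined variable at runtime, and nothing in this hunk shows that the body was checked. Separately, now that `Request $request` is injected, the `if` line's `$_SERVER['REQUEST_METHOD']` and `array_key_exists('HTTP_ORIGIN', $_SERVER)` could become `$request->getMethod()` and `$request->headers->has('Origin')`, the same CORS preflight check but one that also holds under Symfony's test client, which does not populate `$_SERVER`.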
4 changes: 2 additions & 2 deletions composer.json
@@ -16,7 +16,7 @@
"phpmailer/phpmailer": "~6.9",
"robrichards/xmlseclibs": "~3.0",
"sencha/extjs-gpl": "3.4.*",
"silex/silex": "~1.2",
"silex/silex": "v2.3.0",
"simplesamlphp/simplesamlphp": "^1.16",
"symfony/polyfill-php56": "~1.11",
"symfony/process": "~2.0",
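Review bot: `silex/silex` moves from the `~1.2` range to an exact `v2.3.0` pin, which is acceptable given that 2.3.0 is Silex's final release, but the neighbouring `"symfony/process": "~2.0"` constraint is left untouched and caps that package below 3.0; if any of the Dependabot alerts the commit message says this update resolves concern `symfony/process`, this hunk does not address them, so confirm the remaining alert list or raise that constraint in the same change.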
@@ -30,7 +30,7 @@
"kassner/log-parser": "~1.5",
"geoip2/geoip2": "~2.0",
"ua-parser/uap-php": "^3.9",
"mongodb/mongodb": "^1.14"
"mongodb/mongodb": "^1.19.0"
},
"require-dev": {
"phpunit/phpunit": "^9.0",
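Review bot: `mongodb/mongodb` moving to `^1.19.0` is presumably what drove the exact `mongodb-1.19.3` pecl pin in `.circleci/config.yml` in this same commit; since the library constraint and the extension pin are now coupled, a short comment at one of the two locations pointing at the other would keep them in step on the next bump, and if the repository commits a `composer.lock`, it should be regenerated alongside this constraint change.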