I think that it would be great to have pippo in the Techempower benchmark.

https://www.techempower.com/benchmarks

It will not only help to get pippo known (a lot of devs use that site to choose technologies/frameworks), but also to be compared with lot's of other technologies.

What do you think?

Integrate Pippo with PAC4J (http://www.pac4j.org). PAC4J supports most authentication mechanisms. You can use

• OAuth (Facebook, Twitter, Google...)
• SAML
• CAS
• OpenID Connect
• HTTP
• OpenID
• Google App Engine
• LDAP
• SQL
• JWT
• MongoDB
• CouchDB
• IP address
• Kerberos (SPNEGO)
• REST API

and authorization mechanisms:

• Roles/permissions
• Anonymous/remember me/(fully) authenticated
• CORS
• CSRF
• HTTP Security headers

This PR try to resolve #393. Thanks to @codematix for his work.

Hi decebals,

I'm new in using pippo, and pippo is very helping me when creating API. Right now, I already created API using pippo and succeeded when I use embedded web server (jetty), but then I have an issue when I create the API to war and deploy it on tomcat / jetty (as independent web server) .

All the parameter that can work when I'm use it with embedded server suddenly can't be accessed to be passed to the local String variable, when I use routeContext.getParameter("parameter").toString() the result always null

Is there any other setting that I have to change when I compile the application to war?

Whenever content-length is specified in request GET, request get blocked. https://github.com/decebals/pippo/blob/master/pippo-core/src/main/java/ro/pippo/core/Request.java#L405 - to get body. Call gets blocked at this line - https://github.com/decebals/pippo/blob/master/pippo-core/src/main/java/ro/pippo/core/Request.java#L405

on reader.read(buffer) - becoming blocking on IO calls. I was using undertow server and changed to jetty server to know if it is server issue.

I thought that since body is not allowed in GET, we return empty string whenever it is GET and you call getBody() but i tried for other methods also, whenever content-length is set and body is not specified then request becomes blocking Observed this behavior in 1.2+ pippo

Hi, I am new user of Pippo.

Using pippo-test for writing test cases I referred pippo.ro couldn't find any documentation for pippo tests.

Below is the snippet.

public class ServiceApplicationTest {

   // pippo app test instance with random port
    @ClassRule
    public  static PippoRule pippoRule = new PippoRule(new ServiceApplication(), AvailablePortFinder.findAvailablePort());

    @Test
    public void testServiceApplication() {
        PippoTest.get("/error");
    }

}

Running tests gives me this. I am unable to figure it out the reason. Need some help

java.lang.NullPointerException
    at ro.pippo.core.WebServerSettings.<init>(WebServerSettings.java:38)
    at ro.pippo.jetty.JettySettings.<init>(JettySettings.java:39)
    at ro.pippo.jetty.JettyServer.createDefaultSettings(JettyServer.java:83)
    at ro.pippo.jetty.JettyServer.createDefaultSettings(JettyServer.java:49)
    at ro.pippo.core.AbstractWebServer.getSettings(AbstractWebServer.java:34)
    at ro.pippo.test.PippoRule.createPippo(PippoRule.java:59)
    at ro.pippo.test.PippoRule$2.evaluate(PippoRule.java:104)
    at org.junit.rules.RunRules.evaluate(RunRules.java:20)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:117)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:42)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:253)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:84)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)

Consider this scenario where we are getting a Db instance to be shared throughout a request-response cycle:

// Preparation route for 
ALL("/.*", (request, response, chain) -> {
    response.bind("db", getDb());
}); 

POST("/{id}", (request, response, chain) -> {
    Db db = (Db) response.getLocals().get("db");
    // this throws an runtime exception somewhere deep inside
    db.insert(something);
});

// Cleanup route
ALL("/.*", (request, response, chain) -> {
    Db db = (Db) response.getLocals().remove("db");
    db.release();
}); 

If an exception is thrown in POST then the cleanup route is never executed and we are now leaking Db connections. Instead of trapping Db exceptions in every handler, it would be nice to be able to specify cleanup routes/routines that are guaranteed to execute at the end of the Request-Response cycle despite exceptions within the chain. These mechanisms should be fail-safe themselves and should not have a chain parameter.

void cleanup(Request request, Response response);

The RouteHandlerChain or PippoFilter should execute these cleanup routines within independent try {} catch {} blocks.

for (CleanupHandler handler : cleanupHandlers) {
    try {
        handler.cleanup(request, response);
    } catch (Exception e) {
        log.error("Whoops", e);
    }
}

Perhaps these could be registered as:

// Cleanup route
CLEANUP("/.*", (request, response) -> {
    Db db = (Db) response.getLocals().remove("db");
    db.release();
}); 

1. Whenever I annotate my action method with more then 1 route annotation for example @GET("") and @PUT("") only the first one defined is actualy enabled and executed.

2. I tried to create some basic type of interceptors for example one annotation @JustAtest that is placed on my controller class and a second one annotation @Required that is placed on an action method. When I annotade my controller class with @JustAtest and some of my action method with @Required only the @Required annotation is executed. Both of them should be executed right ?

3. My application based filters are not executed anymore after using controllers. In my Application I have defined this filter:

// auth user before filter
ALL("/.*", new RouteHandler() {

	@Override
	public void handle(RouteContext routeContext) {
		log.error("WHY IT DOES NOT GET HERE");
	}

});

How to handle Accept-Encoding header in request? Suppose Accept-Encoding=gzip then, response header should contain Content-Encoding=gzip. How to achieve this? Just adding header to response wouldn't be sufficient. Is there way already available in pippo to handle this or custom implementation is required for this??

Before:

@Override
protected void onInit() {

    GET("/users/{id}", routeContext -> {
        routeContext.send("find user, id: " + routeContext.getParameter("id").toString());
    });

    POST("/users", routeContext -> routeContext.send("create a new user"));

    PUT("/users/{id}", routeContext -> {
        routeContext.send("modify user, id: " + routeContext.getParameter("id").toString());
    });

    DELETE("/users/{id}", routeContext -> {
        routeContext.send("delete user, id: " + routeContext.getParameter("id").toString());
    });
}

After:

@Override
protected void onInit() {

    GROUP("/users", new RouteGroupHandler() {

        @Override
        public void handle() {

            GET("{id}", routeContext -> {
                routeContext.send("find user, id: " + routeContext.getParameter("id").toString());
            });

            POST(routeContext -> routeContext.send("create a new user"));

            PUT("{id}", routeContext -> {
                routeContext.send("modify user, id: " + routeContext.getParameter("id").toString());
            });

            DELETE("{id}", routeContext -> {
                routeContext.send("delete user, id: " + routeContext.getParameter("id").toString());
            });
        }
    });
}

I think it's better

ps: i pulled into a wrong branch?

Hello,

I experience such an error while trying to write my uploads (20MB file) onto a disk.

FileItem file = cx.getRequest().getFile("file"); file.write(new File('/tmp/myfile.jpg'));

Looking at pippo framework source code write method calls IoUtils.copy method. And that one uses a buffered read approach. So obviously it should not be a problem, right ? So why does it eat my heap space memory ?

Thank you

Various fixes to make maven build work on java 11 (see #497) :

• lombok version update. it is used in single file (test); can be removed completely from the project
• add explicit jaxb dependencies where required; see https://stackoverflow.com/questions/43574426/how-to-resolve-java-lang-noclassdeffounderror-javax-xml-bind-jaxbexception-in-j
• fix javadoc issues (closing

  tags, wrong @see syntax, html entities)

• update mockito versions
• update maven plugin versions

Hello, I'm an independent security researcher performing security research under the GitHub Security Lab Bug Bounty Program. I believe I may have found a security vulnerability in this project.

Please open a security advisory against this repository so we can privately discuss the details. This advisory can be opened by a user with admin permissions on this repository.

https://github.com/pippo-java/pippo/security/advisories

@decebals, you should be able to view the disclosure here: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-v956-x5m6-xj62

Vulnerability disclosure will occur on Mar 14, 2023.

Bumps spring-web from 4.1.1.RELEASE to 6.0.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps tomcat-embed-core from 8.5.61 to 8.5.63.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

What happened？

There are 1 security vulnerabilities found in junit:junit 4.13

• CVE-2020-15250

What did I do？

Upgrade junit:junit from 4.13 to 4.13.1 for vulnerability fix

What did you expect to happen？

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

Security Vulnerability Fix

This pull request fixes a Zip Slip vulnerability either due to an insufficient, or missing guard when unzipping zip files.

Even if you deem, as the maintainer of this project, this is not necessarily fixing a security vulnerability, it is still, most likely, a valid security hardening.

Preamble

Impact

This issue allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability.

Why?

The best description of Zip-Slip can be found in the white paper published by Snyk: Zip Slip Vulnerability

But I had a guard in place, why wasn't it sufficient?

If the changes you see are a change to the guard, not the addition of a new guard, this is probably because this code contains a Zip-Slip vulnerability due to a partial path traversal vulnerability.

To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.

The Fix

Implementing a guard comparing paths with the method java.nio.files.Path#startsWith will adequately protect against this vulnerability.

For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

Other Examples

• CVE-2018-1002201 - zeroturnaround/zt-zip
• CVE-2018-1002202 - srikanth-lingala/zip4j
• CVE-2018-8009 - apache/hadoop

:arrow_right: Vulnerability Disclosure :arrow_left:

:wave: Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

First question, do we need to perform vulnerability disclosure? It depends!

1. Is the vulnerable code only in tests or example code? No disclosure required!
2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

For partial path traversal, consider if user-supplied input could ever flow to this logic. If user-supplied input could reach this conditional, it's insufficient and, as such, most likely a vulnerability.

Vulnerability Disclosure How-To

You have a few options options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at the Snyk's Disclosure Email. Note: Please include JLLeitschuh Disclosure in the subject of your email so it is not missed.

Detecting this and Future Vulnerabilities

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

I'm not an employee of GitHub, I'm simply an open-source security researcher.

Source

This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly handcrafted to bring this security fix to your repository.

The source code that generated this PR can be found here: Zip Slip

Why didn't you disclose privately (ie. coordinated disclosure)?

This PR was automatically generated, in-bulk, and sent to this project as well as many others, all at the same time.

This is technically what is called a "Full Disclosure" in vulnerability disclosure, and I agree it's less than ideal. If GitHub offered a way to create private pull requests to submit pull requests, I'd leverage it, but that infrastructure, sadly, doesn't exist yet.

The problem is that, as an open source software security researcher, I (exactly like open source maintainers), I only have so much time in a day. I'm able to find vulnerabilities impacting hundreds, or sometimes thousands of open source projects with tools like GitHub Code Search and CodeQL. The problem is that my knowledge of vulnerabilities doesn't scale very well.

Individualized vulnerability disclosure takes time and care. It's a long and tedious process, and I have a significant amount of experience with it (I have over 50 CVEs to my name). Even tracking down the reporting channel (email, Jira, etc..) can take time and isn't automatable. Unfortunately, when facing problems of this scale, individual reporting doesn't work well either.

Additionally, if I just spam out emails or issues, I'll just overwhelm already over-taxed maintainers, I don't want to do this either.

By creating a pull request, I am aiming to provide maintainers something highly actionable to actually fix the identified vulnerability; a pull request.

There's a larger discussion on this topic that can be found here: https://github.com/JLLeitschuh/security-research/discussions/12

Opting Out

If you'd like to opt out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/security-research
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit Signoff documentation

If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

Sponsorship & Support

This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

Tracking

All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/16