From f7955f21d582db05d161084d0b526dbacb56a9d9 Mon Sep 17 00:00:00 2001 From: Sattvik Chakravarthy Date: Wed, 3 Apr 2024 12:35:00 +0530 Subject: [PATCH] fix: backports to core 5.0 (#115) * fix: vulnerability fix * fix: pagination query * fix: changelog * fix: update deps --- CHANGELOG.md | 5 +++++ build.gradle | 16 +++++++-------- implementationDependencies.json | 6 +++--- .../storage/mysql/queries/GeneralQueries.java | 20 ++++++++++++++----- 4 files changed, 31 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b056152..e0e66c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +## [3.0.1] - 2024-04-02 + +- Fixes vulnerabilities in dependencies +- Fixes user pagination queries + ## [3.0.0] - 2023-04-05 - Adds `use_static_key` `BOOLEAN` column into `session_info` diff --git a/build.gradle b/build.gradle index 228e225..a355b7c 100644 --- a/build.gradle +++ b/build.gradle @@ -2,7 +2,7 @@ plugins { id 'java-library' } -version = "3.0.0" +version = "3.0.1" repositories { mavenCentral() @@ -20,7 +20,7 @@ dependencies { implementation group: 'org.mariadb.jdbc', name: 'mariadb-java-client', version: '2.6.0' // https://mvnrepository.com/artifact/ch.qos.logback/logback-classic - compileOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.3' + compileOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.4.14' // https://mvnrepository.com/artifact/com.google.code.gson/gson compileOnly group: 'com.google.code.gson', name: 'gson', version: '2.3.1' 
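Review bot: The commit is described as a vulnerability fix, yet `gson` stays pinned at `'2.3.1'` on the new side of this hunk (and again in the test dependencies), a 2014 release well below 2.8.9, the first version not covered by the published deserialization-of-untrusted-data advisory for gson (CVE-2022-25647). Since logback and jackson are the bumps driven by that scan, gson is the visible omission; suggest `compileOnly group: 'com.google.code.gson', name: 'gson', version: '2.10.1'` or whatever version the core artifact actually ships, because with `compileOnly` the runtime copy comes from the core and the pin mainly has to match its API. `mariadb-java-client` at `'2.6.0'` is likewise a 2020 release and worth running through the same advisory check; I have not verified a specific issue there. The dependencies block continues beyond this hunk.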
@@ -32,10 +32,10 @@ dependencies { compileOnly group: 'org.jetbrains', name: 'annotations', version: '13.0' // https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml - compileOnly group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-yaml', version: '2.14.0' + compileOnly group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-yaml', version: '2.16.1' // https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core - compileOnly group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.14.0' + compileOnly group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.16.1' testImplementation 'junit:junit:4.12' @@ -43,10 +43,10 @@ dependencies { testImplementation group: 'org.mockito', name: 'mockito-core', version: '3.1.0' // https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core - testImplementation group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '10.1.1' + testImplementation group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '10.1.18' // https://mvnrepository.com/artifact/ch.qos.logback/logback-classic - testImplementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.3' + testImplementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.4.14' // https://mvnrepository.com/artifact/com.google.code.gson/gson testImplementation group: 'com.google.code.gson', name: 'gson', version: '2.3.1' 
@@ -54,10 +54,10 @@ dependencies { testImplementation 'com.tngtech.archunit:archunit-junit4:0.22.0' // https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml - testImplementation group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-yaml', version: '2.14.0' + testImplementation group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-yaml', version: '2.16.1' // https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core - testImplementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.14.0' + testImplementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.16.1' } jar { diff --git a/implementationDependencies.json b/implementationDependencies.json index b814823..f6add0f 100644 --- a/implementationDependencies.json +++ b/implementationDependencies.json @@ -12,9 +12,9 @@ "src": "https://repo1.maven.org/maven2/com/zaxxer/HikariCP/3.4.1/HikariCP-3.4.1-sources.jar" }, { - "jar": "https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar", - "name": "SLF4j API 1.7.25", - "src": "https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25-sources.jar" + "jar": "https://repo1.maven.org/maven2/org/slf4j/slf4j-api/2.0.7/slf4j-api-2.0.7.jar", + "name": "SLF4j API 2.0.7", + "src": "https://repo1.maven.org/maven2/org/slf4j/slf4j-api/2.0.7/slf4j-api-2.0.7-sources.jar" } ] } diff --git a/src/main/java/io/supertokens/storage/mysql/queries/GeneralQueries.java b/src/main/java/io/supertokens/storage/mysql/queries/GeneralQueries.java index a5203be..46cd51c 100644 --- a/src/main/java/io/supertokens/storage/mysql/queries/GeneralQueries.java +++ b/src/main/java/io/supertokens/storage/mysql/queries/GeneralQueries.java 
@@ -486,9 +486,11 @@ public static AuthRecipeUserInfo[] getUsers(Start start, @NotNull Integer limit, if (USER_SEARCH_TAG_CONDITION.toString().length() == 0) { usersFromQuery = new ArrayList<>(); } else { - + // This query is slightly different from one in postgres because we want to use same ordering for + // primary_or_recipe_user_time_joined and primary_or_recipe_user_id because mysql 5.7 does not support + // different ordering for different columns using an index String finalQuery = "SELECT * FROM ( " + USER_SEARCH_TAG_CONDITION.toString() + " ) AS finalResultTable" - + " ORDER BY time_joined " + timeJoinedOrder + ", user_id DESC "; + + " ORDER BY time_joined " + timeJoinedOrder + ", user_id " + timeJoinedOrder; usersFromQuery = execute(start, finalQuery, pst -> { for (int i = 1; i <= queryList.size(); i++) { pst.setString(i, queryList.get(i - 1)); @@ -524,11 +526,15 @@ public static AuthRecipeUserInfo[] getUsers(Start start, @NotNull Integer limit, if (!recipeIdCondition.equals("")) { recipeIdCondition = recipeIdCondition + " AND"; } + + // This query is slightly different from one in postgres because we want to use same ordering for + // primary_or_recipe_user_time_joined and primary_or_recipe_user_id because mysql 5.7 does not support + // different ordering for different columns using an index String timeJoinedOrderSymbol = timeJoinedOrder.equals("ASC") ? ">" : "<"; String QUERY = "SELECT user_id, recipe_id FROM " + Config.getConfig(start).getUsersTable() + " WHERE " + recipeIdCondition + " (time_joined " + timeJoinedOrderSymbol - + " ? OR (time_joined = ? AND user_id <= ?)) ORDER BY time_joined " + timeJoinedOrder - + ", user_id DESC LIMIT ?"; + + " ? OR (time_joined = ? AND user_id " + timeJoinedOrderSymbol + "= ?)) ORDER BY time_joined " + timeJoinedOrder + + ", user_id " + timeJoinedOrder + " LIMIT ?"; usersFromQuery = execute(start, QUERY, pst -> { pst.setLong(1, timeJoined); pst.setLong(2, timeJoined); 
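Review bot: `timeJoinedOrder` is now spliced into the ORDER BY clause twice on the `finalQuery` line with no check at this layer that it is exactly "ASC" or "DESC"; everything else in the query goes through `pst.setString`, so this is the only caller-supplied text that reaches SQL unquoted. The second hunk's `timeJoinedOrder.equals("ASC") ? ">" : "<"` already shows the intended domain is two values, so normalise once and build both pieces from the normalised value: `String order = "ASC".equals(timeJoinedOrder) ? "ASC" : "DESC";` followed by `" ORDER BY time_joined " + order + ", user_id " + order`. Whether the HTTP layer already rejects other values I cannot tell from this diff, so treat this as defence in depth rather than a confirmed injection. `getUsers` starts before this hunk and continues after it.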
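Review bot: The comment added above `timeJoinedOrderSymbol` refers to `primary_or_recipe_user_time_joined` and `primary_or_recipe_user_id`, but the query it annotates orders on `time_joined` and `user_id`; in this core 5.0 backport those are the column names, so the comment reads as copied from a later branch and will mislead anyone searching for the columns. Suggest `// Same direction for both ORDER BY columns (time_joined, user_id): MySQL 5.7 cannot use one index for mixed ASC/DESC ordering`. The tie-break now reads `user_id >= ?` for ASC and `user_id <= ?` for DESC, so the cursor row itself is included in the page in both directions; that matches the old DESC behaviour, but a one-line comment stating that the pagination cursor is inclusive would save the next reader from re-deriving it. The surrounding method continues beyond this hunk.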
@@ -548,8 +554,12 @@ public static AuthRecipeUserInfo[] getUsers(Start start, @NotNull Integer limit, if (!recipeIdCondition.equals("")) { recipeIdCondition = " WHERE " + recipeIdCondition; } + // This query is slightly different from one in postgres because we want to use same ordering for + // primary_or_recipe_user_time_joined and primary_or_recipe_user_id because mysql 5.7 does not support + // different ordering for different columns using an index String QUERY = "SELECT user_id, recipe_id FROM " + Config.getConfig(start).getUsersTable() - + recipeIdCondition + " ORDER BY time_joined " + timeJoinedOrder + ", user_id DESC LIMIT ?"; + + recipeIdCondition + " ORDER BY time_joined " + timeJoinedOrder + ", user_id " + + timeJoinedOrder + " LIMIT ?"; usersFromQuery = execute(start, QUERY, pst -> pst.setInt(1, limit), result -> { List temp = new ArrayList<>(); while (result.next()) {
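Review bot: This hunk builds the same `ORDER BY time_joined <o>, user_id <o>` tail, with the same three-line comment, for the third time inside `getUsers`; the MySQL 5.7 index constraint is one fact and is better kept in one place so the three query sites cannot drift apart again, which is exactly the kind of drift (one site still on `user_id DESC`) this commit is repairing. A small `private static String orderByClause(String timeJoinedOrder)` returning `" ORDER BY time_joined " + timeJoinedOrder + ", user_id " + timeJoinedOrder`, carrying the comment once, would let this site read `... + recipeIdCondition + orderByClause(timeJoinedOrder) + " LIMIT ?"`. The local named `QUERY` is also upper-snake-case for a non-constant, which the file's other locals (`finalQuery`) do not do. `getUsers` continues outside this hunk on both sides.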