ZK-5819: [CodeQL] Apache Commons IO: Possible denial of service attac…

…k on untrusted input to XmlStreamReade
zkoss · Oct 17, 2024 · 0aae0cb · 0aae0cb
1 parent 7e5b898
commit 0aae0cb
Show file tree

Hide file tree

Showing 7 changed files with 6 additions and 5 deletions.
diff --git a/dist/lib/ext/commons-io.jar b/dist/lib/ext/commons-io.jar
diff --git a/zhtml/build.gradle b/zhtml/build.gradle
@@ -6,7 +6,7 @@ plugins {
 
 dependencies {
 	api project(':zul')
-	api 'commons-io:commons-io:2.13.0'
+	api 'commons-io:commons-io:2.17.0'
 	api 'org.zkoss:zsoup:1.8.2.5'
 }
 

diff --git a/zk-parent/pom.xml b/zk-parent/pom.xml
@@ -123,7 +123,7 @@
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
-                <version>2.13.0</version>
+                <version>2.17.0</version>
             </dependency>
             <dependency>
                 <groupId>commons-lang</groupId>

diff --git a/zk/build.gradle b/zk/build.gradle
@@ -15,7 +15,7 @@ dependencies {
 	api project(':zweb')
 	api project(':zkwebfragment')
 	api 'org.apache.commons:commons-fileupload2-javax:2.0.0-M2'
-	api 'commons-io:commons-io:2.13.0'
+	api 'commons-io:commons-io:2.17.0'
 	api('com.google.guava:guava:32.1.2-jre') {
 		exclude group: '*', module: '*'
 	}

diff --git a/zkdoc/release-note b/zkdoc/release-note
@@ -34,6 +34,7 @@ ZK 10.1.0
   ZK-5546: Websocket endpoint doesn't trigger timeout-uri redirect after desktop timeout
   ZK-5807: A side-effect of ZK-5582 for the testSelectRange of B70_ZK_2534_groupTest
   ZK-5802: _listenFlex, _unlistenFlex declared on static member _ are used directly, cannot be overriden
+  ZK-5819: [CodeQL] Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReade
 
 * Upgrade Notes
   + Remove Htmls.encodeJavaScript(), Strings.encodeJavaScript(), Strings.escape() with Strings.ESCAPE_JAVASCRIPT, and replace them with OWASP Java Encoder APIs instead.

diff --git a/zksandbox/build.gradle b/zksandbox/build.gradle
@@ -33,7 +33,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'commons-io:commons-io:2.13.0'
+	implementation 'commons-io:commons-io:2.17.0'
 	implementation 'commons-logging:commons-logging:1.1.1'
 	implementation 'org.apache.commons:commons-fileupload2-javax:2.0.0-M2'
 	implementation 'org.zkoss.theme:breeze:10.0.1.1-Eval'

diff --git a/zktest/build.gradle b/zktest/build.gradle
@@ -60,7 +60,7 @@ dependencies {
 	implementation "org.zkoss.theme:atlantic:10.0.1.1-Eval"
 	implementation 'commons-logging:commons-logging:1.1.1'
 	implementation 'org.apache.commons:commons-fileupload2-javax:2.0.0-M2'
-	implementation 'commons-io:commons-io:2.13.0'
+	implementation 'commons-io:commons-io:2.17.0'
 	implementation "org.zkoss.zk:zk:${version}"
 	implementation "org.zkoss.zk:zkplus:${version}"
 	implementation "org.zkoss.zk:zkbind:${version}"