This upgrade takes care of our move to JDK 17, Spring Boot 3.0.1 and a
few other security upgrades along the way.
Fixes#18993
TODO:
- [x] Check CI changes for Java 17
- [x] Check vulnerability report
- [x] Mongock needs an upgrade
- [x] Add JVM args at all possible places for exposing java.time module
- [x] Add type adapters everywhere / use the same config for type
adapters everywhere
* Changes to testDatasource interface method and archive flow
* Tests for plugin level testDatasource implementations
* Added test for refreshing cache on deleting datasource
* Modified warnings to errors in logs
* Fixed test
* Fixed test
## Description
This PR fixes an issue where a potentially malicious user can connect to disallowed hosts from the Elasticsearch plugin within Appsmith. This is because Elasticsearch client SDK is a HTTP interface underneath the hood.
## Type of change
- Bug fix (non-breaking change which fixes an issue)
## How Has This Been Tested?
- Junits for the following:
- create datasource with disallowed host
- validate datasource with disallowed host
- test datasource with disallowed host
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
* This commit changes two things:
* Pom.xml --> ES- Restclient version to 7.17.5 from 7.9.2
* ElasticSearchPlugin.java ---> changed the testDatasource method to expect a 200 instead of a 200 or 404 HTTP status code
This commit fixes a high-priority bug with github issue https://github.com/appsmithorg/appsmith/issues/14909
* it can now negotiate around a 403 forbidden error as it does try to send head only to user provided URI
This commit has been tested:
* manually for CRUD at local with ES version 7.9.2
* manually for CR at user provide aws instance running 7.9.3 on docker
* |
| BugFix:
|
| This commit changes two files:
|
| * ElasticSearchPlugin.java --> added feature to distinguish between unauthorized and not found datasources.
| * ElasticSearchPluginTest.java ---> added testcases to verify the unauthorized and not found test cases
|
| This commit adds features on top of previous commit https://github.com/appsmithorg/appsmith/issues/14909
| * this commit adds the feature of more readable error messages while testing the elasticsearch datasource. i.e wrong endpoint errors and unauthorized issues
|
| This commit has been tested:
| * Junit
| * manually
* removed leftover comments from the parent commit and updated response texts for better readability
* removed wildcard imports from appsmith-plugins/elasticSearchPlugin/src/test/java/com/external/plugins/ElasticSearchPluginTest.java
Upgrades vulnerable dependencies in all plugins except for MySQL. That one is still failing and I'll fix it in a separate PR. Issue #14475
Co-authored-by: Nayan <nayan@appsmith.com>
Co-authored-by: Anagh Hegde <anagh@appsmith.com>
- return request parameters with type for debug tab.
- request params are stored in a RequestParamDTO object.
- a configProperty -> label map is cached in pluginService, which returns the param label as per the configProperty it is mapped to via editor.json file.
- This feature currently only works with prepared statements disabled.
* WIP : Type migration from String to Object for value
* Migrating config from string to boolean for prepared statement.
Handled error for already stored actions where PS config is stored as String and not Boolean.
- add title to action execution errors to improve user experience
- all errors in AppsmithPluginErrors
- action execution related errors in AppsmithError : NO_CONFIGURATION_FOUND_IN_DATASOURCE, INVALID_ACTION, INVALID_DATASOURCE, INVALID_DATASOURCE_CONFIGURATION - as these are the likely errors in an action execution flow (excluding plugin specific flow) that might result from faulty action / datasource configuration by a user.
- title is returned as part of ActionExecutionResult.
- title is set in ActionExecutionResult on failure during action execution.
- In response to review comment - added a new BaseException class, so that both AppsmithException and AppsmithPluginException extend this base class. Also, refactored code to introduce setErrorInfo() function in ActionExecutionResult class to set its attributes.
- Some unrelated cleanup:
- catch PoolInitializationException for Postgres plugin and return AppsmithPuginException
- catch MongoTimeoutException and return AppsmithPluginException
* WIP : enrichment of analytics event for execute.
* Plugin level : Catch all exceptions and set request in the result
Server level : Adding new fields to analytics : `isSuccessfulExecution`, `statusCode`, `timeElapsed`
* Dont catch StaleConnectionException. Server handles the same.
* Removed class specification for onErrorResume in plugins since its supposed to catch all errors.
- Use dynamic input text for plugin editor forms so that the evaluated value of mustache expression is visible.
- Those fields which are meant to store Key only - i.e. they are not visible to the user and are only meant to provide key for key value pair in db have been skipped.
* Added action request in S3 plugin.
* Added request data in Dynamo plugin
* Added request in Elastic Search.
* Request in Firestore.
* Request added in Mongo
* MsSQL request added.
* Added MySQL request.
* Added Postgres request.
* Added redis request.
* Redshift doen.
* Catching AppsmithPluginExceptions at the plugin level itself to ensure that the request gets passed on as part of the result.
* Fixed failing plugin test failures
* Fixed AmazonS3 test failures.
* WIP post analytics working
* WIP : Making the request data confirm to existing analytics request data format.
* Fixed the headers in the analytics body.
* Migrations S3, Postgres to the accepted format for request in analytics
* Updated S3 action to be the query
* Migration completed for all plugins for analytics.
* Removed the old analytics event. Now sending only the new one.
* Ensuring all data is captured in S3 plugin request in case of error.
* Minor editing of firestore to ensure that the errors get caught by the plugin itself.
* Fixed test cases in Amazon S3
* Incorporated review comments.
1. Move package appsmith-interfaces/src/main/java/com/appsmith/external/pluginExceptions-> appsmith-interfaces/src/main/java/com/appsmith/external/exceptions/pluginExceptions
2. Move enum AppsmithErrorAction from appsmith-server/src/main/java/com/appsmith/server/exceptions/AppsmithError.java -> appsmith-interfaces/src/main/java/com/appsmith/external/exceptions/AppsmithErrorAction.java, so that both plugin exceptions and server exceptions could use the same enum.
3. Log exception based on the error action defined for each exception.
* Adding host:port validation checks to ES plugin & Redis plugin
Also correcting the assertions in the RedisPluginTest so that the error message on test failure is accurate.
* Removing the endpoint validation from datasourceServiceImpl
Moving the endpoint validation to the plugin implementation classes because there are databases that require complete HTTP URL in their configuration. Checking for http/https at the platform level affects the UX for the user & plugin developer when using a new integration. Hence, all plugins must implement their own client/server validations in their own implementations
* Adding tests to assert hostname validation in mysql & postgres plugins
* add elasticSearchPlugin
* Fix container startup in tests
* Add elasticsearch dependency
* Get plugin to a base working state
* Add templates and tests for all Document APIs
* Add support for bulk queries
* Add test and template for bulk operations
* Use rich form for action configuration
* Add test API for ElasticSearch
* Use rich form's values for plugin execution
* Add authorization header support
* Fix tests after config object use changes
* Add test for bulk requests with nd-json body
* Remove templates and minor refactoring
* Fix potential NPE with null body
Co-authored-by: Trisha Anand <trisha@appsmith.com>
* Add datasource validation for endpoint
* Wrap errors in AppsmithPluginException
Co-authored-by: Suman Patra <spatra@akamai.com>
Co-authored-by: Trisha Anand <trisha@appsmith.com>
