OBS-URL: https://build.opensuse.org/package/show/Java:packages/testng?expand=0&rev=15

0001-Avoid-accidental-javascript-in-javadoc.patch

@@ -1,17 +1,17 @@
-From bce3019741aeb785658b23095ae408a6c2d8ca35 Mon Sep 17 00:00:00 2001
+From c8fcf5bd1154bd435e57b12100eb282034f4990f Mon Sep 17 00:00:00 2001
 From: Michael Simacek <msimacek@redhat.com>
 Date: Wed, 31 May 2017 13:44:36 +0200
-Subject: [PATCH 1/2] Avoid accidental javascript in javadoc
+Subject: [PATCH 1/4] Avoid accidental javascript in javadoc
 
 ---
  src/main/java/org/testng/xml/TestNGContentHandler.java | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/src/main/java/org/testng/xml/TestNGContentHandler.java b/src/main/java/org/testng/xml/TestNGContentHandler.java
-index b74572a..7c490e9 100644
+index f464412d..9d2da018 100644
 --- a/src/main/java/org/testng/xml/TestNGContentHandler.java
 +++ b/src/main/java/org/testng/xml/TestNGContentHandler.java
-@@ -250,7 +250,9 @@ public class TestNGContentHandler extends DefaultHandler {
+@@ -298,7 +298,9 @@ public class TestNGContentHandler extends DefaultHandler {
      }
    }
  
@@ -23,5 +23,5 @@ index b74572a..7c490e9 100644
      if (start) {
        m_currentLanguage = attributes.getValue("language");
 -- 
-2.20.1
+2.44.0
 

0002-Replace-bundled-jquery-with-CDN-link.patch

@@ -1,7 +1,7 @@
-From 9155677e2d5acdd2379c38041189da52c7f04946 Mon Sep 17 00:00:00 2001
+From e579eeb8505135c415e3742993de3cbb6b21d9d9 Mon Sep 17 00:00:00 2001
 From: Michael Simacek <msimacek@redhat.com>
 Date: Wed, 18 Jul 2018 15:57:49 +0200
-Subject: [PATCH 2/2] Replace bundled jquery with CDN link
+Subject: [PATCH 2/4] Replace bundled jquery with CDN link
 
 ---
  src/main/java/org/testng/reporters/jq/Main.java | 1 -
@@ -9,7 +9,7 @@ Subject: [PATCH 2/2] Replace bundled jquery with CDN link
  2 files changed, 1 insertion(+), 2 deletions(-)
 
 diff --git a/src/main/java/org/testng/reporters/jq/Main.java b/src/main/java/org/testng/reporters/jq/Main.java
-index efd6799..2d8b74e 100644
+index efd6799a..2d8b74e1 100644
 --- a/src/main/java/org/testng/reporters/jq/Main.java
 +++ b/src/main/java/org/testng/reporters/jq/Main.java
 @@ -21,7 +21,6 @@ public class Main implements IReporter {
@@ -21,7 +21,7 @@ index efd6799..2d8b74e 100644
          "testng-reports.js",
          "testng-reports1.css",
 diff --git a/src/main/resources/org/testng/header b/src/main/resources/org/testng/header
-index f5abbc3..817badc 100644
+index f5abbc3e..817badce 100644
 --- a/src/main/resources/org/testng/header
 +++ b/src/main/resources/org/testng/header
 @@ -7,7 +7,7 @@
@@ -34,5 +34,5 @@ index f5abbc3..817badc 100644
      <script type="text/javascript" src="https://www.google.com/jsapi"></script>
      <script type='text/javascript'>
 -- 
-2.31.1
+2.44.0
 

0003-Upgrade-snakeyaml-to-2.0.patch

@@ -0,0 +1,45 @@
+From aa7331aba84d9061ff57d55aa3da4f4e73bb1602 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Bianchin?= <labianchin@users.noreply.github.com>
+Date: Fri, 28 Apr 2023 13:49:38 +0200
+Subject: [PATCH 3/4] Upgrade snakeyaml to 2.0
+
+Includes CVE fix https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in for https://nvd.nist.gov/vuln/detail/CVE-2022-1471
+---
+ src/main/java/org/testng/internal/Yaml.java | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/java/org/testng/internal/Yaml.java b/src/main/java/org/testng/internal/Yaml.java
+index 3bd146a2..db17b60d 100644
+--- a/src/main/java/org/testng/internal/Yaml.java
++++ b/src/main/java/org/testng/internal/Yaml.java
+@@ -8,6 +8,7 @@ import org.testng.xml.XmlPackage;
+ import org.testng.xml.XmlScript;
+ import org.testng.xml.XmlSuite;
+ import org.testng.xml.XmlTest;
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.TypeDescription;
+ import org.yaml.snakeyaml.constructor.Constructor;
+ import org.yaml.snakeyaml.nodes.MappingNode;
+@@ -29,7 +30,7 @@ public final class Yaml {
+   private Yaml() {}
+ 
+   public static XmlSuite parse(String filePath, InputStream is) throws FileNotFoundException {
+-    Constructor constructor = new TestNGConstructor(XmlSuite.class);
++    Constructor constructor = new TestNGConstructor(XmlSuite.class, new LoaderOptions());
+     {
+       TypeDescription suiteDescription = new TypeDescription(XmlSuite.class);
+       suiteDescription.addPropertyParameters("packages", XmlPackage.class);
+@@ -303,8 +304,8 @@ public final class Yaml {
+ 
+   private static class TestNGConstructor extends Constructor {
+ 
+-    public TestNGConstructor(Class<?> theRoot) {
+-      super(theRoot);
++    public TestNGConstructor(Class<?> theRoot, LoaderOptions loadingConfig) {
++      super(theRoot, loadingConfig);
+       yamlClassConstructors.put(NodeId.scalar, new ConstructParallelMode());
+       yamlClassConstructors.put(NodeId.mapping, new ConstructXmlScript());
+     }
+-- 
+2.44.0
+

0004-vuln-fix-Zip-Slip-Vulnerability.patch

@@ -0,0 +1,52 @@
+From 99ba3bc7a03fb8d55cd938d5def9e5a71a9ee92b Mon Sep 17 00:00:00 2001
+From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
+Date: Mon, 3 Oct 2022 21:21:05 +0000
+Subject: [PATCH 4/4] vuln-fix: Zip Slip Vulnerability
+
+This fixes a Zip-Slip vulnerability.
+
+This change does one of two things. This change either
+
+1. Inserts a guard to protect against Zip Slip.
+OR
+2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
+
+For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
+The check is bypassed although `/outnot` is not under the `/out` directory.
+It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
+For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
+however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
+
+Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+Severity: High
+CVSSS: 7.4
+Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)
+
+Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
+Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
+
+Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16
+
+Co-authored-by: Moderne <team@moderne.io>
+---
+ src/main/java/org/testng/JarFileUtils.java | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
+index 683a8b55..8eb15759 100644
+--- a/src/main/java/org/testng/JarFileUtils.java
++++ b/src/main/java/org/testng/JarFileUtils.java
+@@ -77,7 +77,9 @@ class JarFileUtils {
+         if (Parser.canParse(jeName.toLowerCase())) {
+           InputStream inputStream = jf.getInputStream(je);
+           File copyFile = new File(file, jeName);
+-          Files.copyFile(inputStream, copyFile);
++          if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
++            throw new IOException("Bad zip entry");
++          }
+           if (matchesXmlPathInJar(je)) {
+             suitePath = copyFile.toString();
+           }
+-- 
+2.44.0
+

testng-CVE-2022-4065.patch

@@ -1,14 +0,0 @@
-diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
-index 683a8b5..2f2ed8f 100644
---- a/src/main/java/org/testng/JarFileUtils.java
-+++ b/src/main/java/org/testng/JarFileUtils.java
-@@ -77,6 +77,9 @@ class JarFileUtils {
-         if (Parser.canParse(jeName.toLowerCase())) {
-           InputStream inputStream = jf.getInputStream(je);
-           File copyFile = new File(file, jeName);
-+          if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
-+            throw new IOException("Bad zip entry");
-+          }
-           Files.copyFile(inputStream, copyFile);
-           if (matchesXmlPathInJar(je)) {
-             suitePath = copyFile.toString();

testng.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Apr 15 18:07:44 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Modified patches:
+  * 0001-Avoid-accidental-javascript-in-javadoc.patch
+  * 0002-Replace-bundled-jquery-with-CDN-link.patch
+  * testng-CVE-2022-4065.patch ->
+    0004-vuln-fix-Zip-Slip-Vulnerability.patch
+    + re-cherry-pick and rediff in git
+- Added patch:
+  * 0003-Upgrade-snakeyaml-to-2.0.patch
+    + Fix build against snakeyaml >= 2.0
+
 -------------------------------------------------------------------
 Wed Feb 21 17:12:29 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 

testng.spec

@@ -28,7 +28,8 @@ Source1:        pom.xml
 Source2:        %{name}-build.xml
 Patch0:         0001-Avoid-accidental-javascript-in-javadoc.patch
 Patch1:         0002-Replace-bundled-jquery-with-CDN-link.patch
-Patch2:         testng-CVE-2022-4065.patch
+Patch2:         0003-Upgrade-snakeyaml-to-2.0.patch
+Patch3:         0004-vuln-fix-Zip-Slip-Vulnerability.patch
 BuildRequires:  ant
 BuildRequires:  beust-jcommander
 BuildRequires:  bsh2
@@ -37,7 +38,7 @@ BuildRequires:  google-guice
 BuildRequires:  javapackages-local >= 6
 BuildRequires:  jsr-305
 BuildRequires:  junit
-BuildRequires:  snakeyaml
+BuildRequires:  snakeyaml >= 2.0
 BuildArch:      noarch
 
 %description
@@ -59,6 +60,7 @@ This package contains the API documentation for %{name}.
 %patch -P 0 -p1
 %patch -P 1 -p1
 %patch -P 2 -p1
+%patch -P 3 -p1
 
 sed 's/@VERSION@/%{version}/' %{SOURCE1} > pom.xml
 cp %{SOURCE2} build.xml