Refresh java4: Java 1.4 downgrade of current mainline + Docker, Hurl, fixes#116
Open
amarcalfaria wants to merge 10 commits into
Replaces the stale java4 contents (81 commits behind) with a fresh Java 1.4 source downgrade of current origin/master: stripped @WebServlet/@WebListener/@Override annotations (servlet registration in web-25.xml, plus the three previously annotation-only servlets), raw types for generics, iterator loops, StringBuffer, and 1.4-safe forms for isEmpty/format/autoboxing/setHttpOnly. Branch lineage preserved on top of origin/java4; tree overwritten wholesale. Builds with -Dversion.jdk=1.4 -Dversion.webxml=25. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
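As an added illustration (not code from this PR), one way to keep the HttpOnly flag on a Servlet 2.5 / Java 1.4 build as the commit describes: the Servlet 3.0 setter is looked up reflectively, and when it is absent the cookie is written as a raw Set-Cookie header. The class name CookieUtil14 and the header fallback are my assumptions.

```java
import java.lang.reflect.Method;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: HttpOnly cookies without Servlet 3.0 at compile time (Java 1.4 syntax). */
public final class CookieUtil14 {
    private CookieUtil14() {}

    /** Adds the cookie with HttpOnly set, whichever container API is available at runtime. */
    public static void addHttpOnlyCookie(HttpServletResponse resp, Cookie cookie) {
        if (setHttpOnlyReflectively(cookie)) {
            resp.addCookie(cookie);                 // container serialises the flag itself
        } else {
            resp.addHeader("Set-Cookie", toHeaderValue(cookie)); // Servlet 2.5 fallback
        }
    }

    /** Calls Cookie.setHttpOnly(true) if the running container provides it (Servlet 3.0+). */
    static boolean setHttpOnlyReflectively(Cookie cookie) {
        try {
            Method m = Cookie.class.getMethod("setHttpOnly", new Class[] { boolean.class });
            m.invoke(cookie, new Object[] { Boolean.TRUE });
            return true;
        } catch (NoSuchMethodException e) {
            return false;                           // pre-3.0 API: caller must emit the header
        } catch (Exception e) {
            return false;                           // IllegalAccess / InvocationTarget: same fallback
        }
    }

    /** Builds a Set-Cookie value carrying the attributes Servlet 2.5 knows plus HttpOnly. */
    static String toHeaderValue(Cookie c) {
        StringBuffer sb = new StringBuffer();       // StringBuffer: StringBuilder is Java 5+
        sb.append(c.getName()).append('=').append(c.getValue());
        String path = c.getPath();
        if (path != null && path.trim().length() != 0) { // length(): no isEmpty() in 1.4
            sb.append("; Path=").append(path);
        }
        if (c.getMaxAge() >= 0) {
            sb.append("; Max-Age=").append(c.getMaxAge());
        }
        if (c.getSecure()) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }
}
```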
The old tests/spiracle_sqli_test.py was Python 2 and used a bespoke <split> data format. Replace it with Hurl (hurl.dev): a generator turns the existing mysql.txt/oracle.txt payload matrices into .hurl files under tests/hurl/rasp/, with the block status as a {{block_status}} variable. Because the 550 block code is only emitted when the Waratek RASP agent intercepts the query, that suite is RASP-efficacy only; a separate tests/hurl/smoke/ suite runs against a plain (unprotected) deployment for CI, proving the app serves and that injections succeed unprotected. Includes run.sh and docs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
First run failed on DROP TABLE (tables absent); re-runs failed on CREATE USER (user already present). Guard CREATE USER with IF NOT EXISTS and the three DROP TABLE statements with IF EXISTS so the script can be run repeatedly without manual cleanup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SendRedirect wrote plaintext instructions via getWriter() with no Content-Type header when the redirectMeTo param was absent. Every other output path in the app already sets Content-Type via setHeader; this was the last servlet response missing one. Use text/plain since the body is plain instructional text, not HTML. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ction (#103) (java4: 1.4-adapted) CreateC3p0Connection.init() read non-existent bare property keys (c3p0.url, c3p0.classname, ...) instead of the per-database keys defined in Spiracle.properties (c3p0.oracle.url, ...). url resolved to null, so ComboPooledDataSource.setJdbcUrl(null) led to DriverManager.getDriver(null) and OracleDriver.acceptsURL(null) threw NPE. Derive the key prefix from the default.connection property (matching SpiracleInit's convention) so the correct per-database connection settings are loaded. java4 adaptation: prefix.trim().isEmpty() → prefix.trim().length() == 0 (String.isEmpty() is Java 5+; -source 1.4 requires length() == 0). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
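An added sketch (not the PR's own code) of the key-prefix derivation this fix describes: default.connection selects the c3p0.<db>. prefix, and every lookup fails fast with a clear message instead of handing null to setJdbcUrl, which is where the original NPE surfaced. The class and method names and the sample property values are assumptions.

```java
import java.util.Properties;

/** Hypothetical resolver for the per-database c3p0.<db>.* keys (Java 1.4 syntax). */
public final class C3p0KeyResolver {
    private C3p0KeyResolver() {}

    /** default.connection=oracle  ->  "c3p0.oracle." */
    public static String keyPrefix(Properties props) {
        String db = props.getProperty("default.connection");
        // Java 1.4 has no String.isEmpty(), so a blank check is length() == 0
        if (db == null || db.trim().length() == 0) {
            throw new IllegalStateException(
                "default.connection is missing or blank in Spiracle.properties");
        }
        return "c3p0." + db.trim() + ".";
    }

    /** Reads prefix + suffix and refuses to return null, which would otherwise
     *  reach DriverManager.getDriver(null) deep inside the driver. */
    public static String required(Properties props, String prefix, String suffix) {
        String value = props.getProperty(prefix + suffix);
        if (value == null || value.trim().length() == 0) {
            throw new IllegalStateException("missing property: " + prefix + suffix);
        }
        return value.trim();
    }

    public static void main(String[] args) {
        // Constructed sample, not the project's real Spiracle.properties
        Properties props = new Properties();
        props.setProperty("default.connection", "oracle");
        props.setProperty("c3p0.oracle.url", "jdbc:oracle:thin:@db-host:1521:XE");
        props.setProperty("c3p0.oracle.classname", "oracle.jdbc.OracleDriver");

        String prefix = keyPrefix(props);                  // "c3p0.oracle."
        System.out.println(required(props, prefix, "url"));
        System.out.println(required(props, prefix, "classname"));
        // A bare key such as "c3p0.url" is never consulted, so a misconfigured
        // file fails here with a named key rather than an NPE in acceptsURL.
    }
}
```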
Multi-stage Dockerfile builds the WAR (JDK 8 / Maven) and deploys it on Tomcat 9 with the MySQL, MSSQL and Oracle JDBC drivers preinstalled. An entrypoint rewrites conf/Spiracle.properties from env vars (default connection + DB host/URL) so the committed config is untouched. One compose file per database (mysql/mssql/oracle) brings up the app plus a seeded database for a one-command, no-local-install test target. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ebxml=25 (java4: 1.4-adapted) The Docker feat cherry-pick used -Dversion.webxml=30 (Servlet 3.0 / modern build). For java4 the build must produce the Servlet 2.5 / Java-1.4 artifact. Switch to the same flags used by the java4 branch build: -Dversion.jdk=1.4 -Dversion.webxml=25. Tomcat 9 deploys Servlet 2.5 WARs without issue. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The java4 WAR bundles mysql-connector 3.1.14, which fails against MySQL 8 with 'Unknown initial character set index 255' (utf8mb4). Pin the MySQL service to 5.7 — compatible with the old connector and still supports the CREATE USER IF NOT EXISTS seed. Smoke suite passes against this stack. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…raversal/negative Expands test coverage beyond smoke with endpoint-level functional tests that run against an unprotected deployment: a regression test for the SendRedirect Content-Type fix (#8), benign + injection SQL behavior, reflected XSS, path traversal, and negative cases. Validated green against the MySQL Docker stack. (The rasp/ matrix remains agent-only.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
README for the java4 branch: per-database Docker compose stacks (MySQL pinned to 5.7 for the bundled legacy connector), the Hurl test suites (smoke/functional on a plain deployment, rasp agent-only), and the -Dversion.jdk=1.4 -Dversion.webxml=25 build. Documents the branch as the Java 1.4 source-compatible variant (web.xml registration, legacy deps) and points modern users to master. Notes the #8/#33/#103 fixes (the Oracle NPE fix adapted to 1.4). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Refreshes the `java4` branch (which was ~81 commits behind mainline) to a Java 1.4 source-compatible downgrade of current mainline, with full feature parity, plus Docker support, the Hurl test harness, and the three bug fixes — all adapted for Java 1.4.

Re-fork + downgrade
- `origin/java4`; tree replaced with a fresh Java-1.4 downgrade of current mainline.
- `@WebServlet`/`@WebListener`/`@Override` removed (servlet registration moved to `web-25.xml`, including the 3 previously annotation-only servlets), generics → raw types + casts, enhanced-for → iterator loops, `StringBuilder` → `StringBuffer`, `String.isEmpty()`/`String.format()`/autoboxing → 1.4-safe forms, `Cookie.setHttpOnly()` via reflection.
- (`mysql-connector 3.1.14`).
- `mvn install -Dversion.jdk=1.4 -Dversion.webxml=25` (JDK 8 toolchain; `javac` still accepts `-source`/`-target 1.4`).

Docker support (#68)
- `Dockerfile` build adapted to `-Dversion.jdk=1.4 -Dversion.webxml=25`.
- `mysql:5.7`: the java4 WAR bundles `mysql-connector 3.1.14`, which cannot negotiate MySQL 8's utf8mb4 (charset index 255). 5.7 also satisfies the `CREATE USER IF NOT EXISTS` seed.

Hurl test harness
- `tests/hurl/` smoke + functional suites (plain, no-agent) and the agent-only `rasp/` matrix. Endpoint-based, so identical to mainline.

Fixes (Java 1.4-adapted)
- `Content-Type` on the `SendRedirect` fallback.
- `setupdb_mysql.sql` idempotency.
- `CreateC3p0Connection` (derives key prefix from `default.connection`); adapted to use `length() == 0` instead of `String.isEmpty()`.

Docs
- `README.adoc` documents the Docker quickstart (with the 5.7 note), Testing, the `-Dversion.jdk=1.4 -Dversion.webxml=25` build, and the branch model (this branch = Java 1.4 variant; `master` = Java 5–8). Includes a Liberty note that `Servlet-3.0` is the lowest available feature and serves the 2.5 WAR without annotation scanning.

Verification
- `mvn clean install -Dversion.jdk=1.4 -Dversion.webxml=25 -DskipTests` then BUILD SUCCESS at source 1.4 (only the expected "obsolete source/target 1.4" warnings).
- `@WebServlet`/`@Override`/`.isEmpty()` in `src/main/java`.

Note
The app remains intentionally vulnerable; Docker/test docs keep the localhost/throwaway-only caution.