diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3b737cab..76950742 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,9 +2,13 @@ name: Slipway Test
on: [push]
+env: # runner has 7g of ram
+ JVM_OPTS: -Xmx6G
+
jobs:
- clojure:
+ build:
+
runs-on: ubuntu-latest
strategy:
@@ -31,7 +35,7 @@ jobs:
java-version: '11'
- name: Install clojure tools
- uses: DeLaGuardo/setup-clojure@12.3
+ uses: DeLaGuardo/setup-clojure@13.0
with:
lein: 'latest'
github-token: ${{ secrets.GITHUB_TOKEN }}
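Review bot: `uses: DeLaGuardo/setup-clojure@13.0` on the new side pins a mutable tag, and `lein: 'latest'` below it floats the Leiningen version on every run, so neither the action nor the build tool this job hands `secrets.GITHUB_TOKEN` to is reproducible. Pin the action to a full commit SHA with the version in a trailing comment (`uses: DeLaGuardo/setup-clojure@<commit-sha>  # 13.0`) and give `lein:` an explicit version, so a re-pointed tag or a new Leiningen release cannot change what runs here without a diff in this file. The token on the last line is presumably only used for GitHub release-API lookups; if so, a read-only `permissions:` block on the job (not visible in this hunk) would bound what a compromised action could do with it.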
@@ -57,13 +61,22 @@ jobs:
run: lein uberjar
- name: NVD
- working-directory: ./${{ matrix.project }}
- run: ../scripts/dependency-checker.sh
+ uses: dependency-check/Dependency-Check_Action@main
+ env:
+ # actions/setup-java changes JAVA_HOME so it needs to be reset to match the depcheck image
+ JAVA_HOME: /opt/jdk
+ with:
+ project: ${{ matrix.project }}
+ path: ${{ matrix.project }}/target
+ format: 'HTML'
+ out: ${{ matrix.project }}/reports
+ args: >
+ --suppression ${{ matrix.project }}/dependency-check-suppressions.xml
- name: Persist NVD
if: always()
uses: actions/upload-artifact@v4
with:
name: nvd-${{ matrix.project }}-${{ github.sha }}
- path: ./${{ matrix.project }}/dependency-check/report/*
+ path: ${{ matrix.project }}/reports/*
retention-days: 1
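Review bot: `uses: dependency-check/Dependency-Check_Action@main` tracks a moving branch, so whatever lands on that branch next runs inside this job with the checked-out tree and the freshly built uberjar; pin it to a release tag or, better, a commit SHA (`uses: dependency-check/Dependency-Check_Action@<commit-sha>  # vX.Y.Z`). Nothing in `args:` makes the scan gate the build: with only `format: 'HTML'` and no `--failOnCVSS`, findings land in a one-day artifact and the step succeeds regardless, unless the action fails by default, which I cannot see from here; the replaced `scripts/dependency-checker.sh` may have enforced a threshold, so consider `--failOnCVSS 7` and a machine-readable format alongside HTML. The `JAVA_HOME: /opt/jdk` override is tied to the action image's layout and will break silently if that image changes, so a comment naming the image version it matches would help the next person who hits it.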
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33e29776..cdbd60aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,20 @@
# Change Log
All notable changes to this project will be documented in this file. This change log follows the conventions of [keepachangelog.com](http://keepachangelog.com/)
+## [1.1.18] - 2024-12-09
+
+Introduce ability configure HSTS (HTTP Strict Transport Security) with new slipway.connector.https settings:
+
+* :sts-max-age
+* :sts-include-subdomains?
+
+For more informmation, see: https://github.com/factorhouse/kpow/issues/35
+
+Also made these http/https settings configurable (default false, previously hard-coded to false):
+
+* :send-server-version?
+* :send-date-header?
+
## [1.1.17] - 2024-09-05
Bump to latest Jetty version (11.0.24 or equivalent)
diff --git a/README.md b/README.md
index 16060819..f867478e 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ Jetty is sophisticated as it addresses a complex domain with flexibility and con
Slipway holds close to Jetty idioms for configuration rather than presenting a simplified DSL.
-Slipway takes a map of namespaced configuration.
+Slipway takes a single map of namespaced configuration. Namespaces correspond to Jetty domain models, and can be considered as separate maps and then merged.
### :slipway
@@ -310,11 +310,11 @@ Configuration of Jetty auth options.
See examples below for configuration guides to JAAS and HASH authentication.
```clojure
-#:slipway.security{:realm "the Jetty authentication realm"
- :hash-user-file "the path to a Jetty Hash User File"
- :login-service "a Jetty LoginService identifier, 'jaas' and 'hash' supported by default"
- :identity-service "a concrete Jetty IdentityService"
- :authenticator "a concrete Jetty Authenticator (e.g. FormAuthenticator or BasicAuthenticator)"
+#:slipway.security{:realm "the Jetty authentication realm"
+ :hash-user-file "the path to a Jetty Hash User File"
+ :login-service "a Jetty LoginService identifier, 'jaas' and 'hash' supported by default"
+ :identity-service "a concrete Jetty IdentityService"
+ :authenticator "a concrete Jetty Authenticator (e.g. FormAuthenticator or BasicAuthenticator)"
```
### :slipway.connector.http
@@ -322,13 +322,15 @@ See examples below for configuration guides to JAAS and HASH authentication.
Configuration of an HTTP server connector.
```clojure
-#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces."
- :port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
- :idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
- :http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
- :proxy-protocol? "if true, add the ProxyConnectionFactory. See Jetty Proxy Protocol docs"
- :http-config "a concrete HttpConfiguration object to replace the default config entirely"
- :configurator "a fn taking the final connector as argument, allowing further configuration"}
+#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces."
+ :port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
+ :idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
+ :http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
+ :proxy-protocol? "if true, add the ProxyConnectionFactory. See Jetty Proxy Protocol docs"
+ :http-config "a concrete HttpConfiguration object to replace the default config entirely"
+ :configurator "a fn taking the final connector as argument, allowing further configuration"
+ :send-server-version? "if true, send the Server header in responses"
+ :send-date-header? "if true, send the Date header in responses"}
````
### :slipway.connector.https
@@ -358,8 +360,12 @@ Configuration of an HTTPS server connector.
:security-provider "the security provider name"
:client-auth "either :need or :want to set the corresponding need/wantClientAuth field"
:ssl-context "a concrete pre-configured SslContext"
- :sni-required? "true if a SNI certificate is required, default false"
- :sni-host-check? "true if the SNI Host name must match, default false"}
+ :sni-required? "if true SNI is required, else requests will be rejected with 400 response, default false"
+ :sni-host-check? "if true the SNI Host name must match when there is an SNI certificate, default false"
+ :sts-max-age "set the Strict-Transport-Security max age in seconds, default -1"
+ :sts-include-subdomains? "true if a include subdomain property is sent with any Strict-Transport-Security header"
+ :send-server-version? "if true, send the Server header in responses"
+ :send-date-header? "if true, send the Date header in responses"}
```
### :slipway.handler.gzip
diff --git a/common-jetty1x/src/slipway/websockets.clj b/common-jetty1x/src/slipway/websockets.clj
index 807f37f3..e1fdf106 100644
--- a/common-jetty1x/src/slipway/websockets.clj
+++ b/common-jetty1x/src/slipway/websockets.clj
@@ -29,6 +29,7 @@
(extend-protocol common.ws/WebSocketSend
+ #_:clj-kondo/ignore
(Class/forName "[B")
(-send!
([ba ws]
@@ -67,6 +68,7 @@
(extend-protocol common.ws/WebSocketPing
+ #_:clj-kondo/ignore
(Class/forName "[B")
(-ping! [ba ws] (common.ws/-ping! (ByteBuffer/wrap ba) ws)))
diff --git a/common/src/slipway.clj b/common/src/slipway.clj
index ccce28c1..0b614fe3 100644
--- a/common/src/slipway.clj
+++ b/common/src/slipway.clj
@@ -36,8 +36,10 @@
:security-provider "the security provider name"
:client-auth "either :need or :want to set the corresponding need/wantClientAuth field"
:ssl-context "a concrete pre-configured SslContext"
- :sni-required? "true if a SNI certificate is required, default false"
- :sni-host-check? "true if the SNI Host name must match, default false"}
+ :sni-required? "true if SNI is required, else requests will be rejected with 400 response, default false"
+ :sni-host-check? "true if the SNI Host name must match when there is an SNI certificate, default false"
+ :sts-max-age "set the Strict-Transport-Security max age in seconds, default -1"
+ :sts-include-subdomains? "true if a include subdomain property is sent with any Strict-Transport-Security header"}
#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces."
:port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
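Review bot: The `#:slipway.connector.https` reference map here now lists the two `:sts-*` keys but not `:send-server-version?`/`:send-date-header?`, which this same commit documents for the https connector in README.md and in the `comment` block of slipway/connector/https.clj, so a reader of the central config reference will not learn those keys exist. Add the two entries after `:sts-include-subdomains?`, e.g. `:send-server-version? "if true, send the Server header in responses, default false"` and `:send-date-header? "if true, send the Date header in responses, default false"`, and state the defaults on the `:sts-include-subdomains?` entry as well. The `#:slipway.connector.http` map beginning on the hunk's last two lines continues outside the hunk, so I cannot tell whether it received the new keys.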
diff --git a/common/src/slipway/connector/http.clj b/common/src/slipway/connector/http.clj
index 3f278ce6..f3c5dd0e 100644
--- a/common/src/slipway/connector/http.clj
+++ b/common/src/slipway/connector/http.clj
@@ -5,21 +5,25 @@
HttpConnectionFactory ProxyConnectionFactory Server ServerConnector)))
(defn default-config ^HttpConfiguration
- [{::keys [http-forwarded?]}]
+ [{::keys [http-forwarded? send-server-version? send-date-header?]
+ :or {send-server-version? false
+ send-date-header? false}}]
(let [config (doto (HttpConfiguration.)
- (.setSendServerVersion false)
- (.setSendDateHeader false))]
+ (.setSendServerVersion send-server-version?)
+ (.setSendDateHeader send-date-header?))]
(when http-forwarded? (.addCustomizer config (ForwardedRequestCustomizer.)))
config))
(comment
- #:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces"
- :port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
- :idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
- :http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
- :proxy-protocol? "if true, add the ProxyConnectionFactor. See Jetty Proxy Protocol docs"
- :http-config "a concrete HttpConfiguration object to replace the default config entirely"
- :configurator "a fn taking the final connector as argument, allowing further configuration"})
+ #:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces"
+ :port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
+ :idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
+ :http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
+ :proxy-protocol? "if true, add the ProxyConnectionFactor. See Jetty Proxy Protocol docs"
+ :http-config "a concrete HttpConfiguration object to replace the default config entirely"
+ :configurator "a fn taking the final connector as argument, allowing further configuration"
+ :send-server-version? "if true, send the Server header in responses"
+ :send-date-header? "if true, send the Date header in responses"})
(defmethod server/connector ::connector
[^Server server {::keys [host port idle-timeout proxy-protocol? http-forwarded? configurator http-config]
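Review bot: The `:or {send-server-version? false send-date-header? false}` defaults in `default-config` preserve the previous hardening, but nothing records why, and the reference map below advertises the options without the caveat that Jetty's `Server` header identifies the implementation (and, as far as I recall, its version), which is exactly what a scanner uses to match CVEs. A short comment on the `:or` line would keep the intent from being lost, e.g. `;; both off by default: the Server header discloses the Jetty implementation/version; enable only if something downstream needs it`, and the `:send-server-version?` doc string could end with `, default false`. The `:proxy-protocol?` entry in the same `comment` block still reads `ProxyConnectionFactor` where README.md says `ProxyConnectionFactory`. The `server/connector` defmethod whose signature is the hunk's last line continues outside the hunk.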
diff --git a/common/src/slipway/connector/https.clj b/common/src/slipway/connector/https.clj
index 7567263f..78c08d83 100644
--- a/common/src/slipway/connector/https.clj
+++ b/common/src/slipway/connector/https.clj
@@ -8,15 +8,25 @@
(org.eclipse.jetty.util.ssl SslContextFactory$Server)))
(defn default-config ^HttpConfiguration
- [{::keys [port http-forwarded? sni-required? sni-host-check?] :or {sni-required? false sni-host-check? false}}]
- (log/infof "sni required? %s, sni host check? %s" sni-required? sni-host-check?)
+ [{::keys [port http-forwarded? sni-required? sni-host-check? sts-max-age sts-include-subdomains? send-server-version?
+ send-date-header?]
+ :or {sni-required? false
+ sni-host-check? false
+ sts-max-age -1
+ sts-include-subdomains? false
+ send-server-version? false
+ send-date-header? false}}]
+ (log/infof "sni required? %s, sni host check? %s, sts-max-age %s, sts-include-subdomains? %s"
+ sni-required? sni-host-check? sts-max-age sts-include-subdomains?)
(let [config (doto (HttpConfiguration.)
(.setSecurePort port)
- (.setSendServerVersion false)
- (.setSendDateHeader false)
+ (.setSendServerVersion send-server-version?)
+ (.setSendDateHeader send-date-header?)
(.addCustomizer (doto (SecureRequestCustomizer.)
(.setSniRequired sni-required?)
- (.setSniHostCheck sni-host-check?))))]
+ (.setSniHostCheck sni-host-check?)
+ (.setStsMaxAge sts-max-age)
+ (.setStsIncludeSubDomains sts-include-subdomains?))))]
(when http-forwarded? (.addCustomizer config (ForwardedRequestCustomizer.)))
config))
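Review bot: `default-config` accepts `sts-include-subdomains? true` with the default `sts-max-age -1` and only reports the pair via `log/infof`, yet the new test in https_server_test.clj shows that combination yields no `Strict-Transport-Security` header at all, so a typo in the max-age key silently disables a control the caller believes is on. Add an explicit check before the `let`, `(when (and sts-include-subdomains? (neg? sts-max-age)) (log/warnf "sts-include-subdomains? is set but sts-max-age is %s: no Strict-Transport-Security header will be sent" sts-max-age))`, or throw `ex-info` as the login-service code in slipway/security.clj does for missing configuration. A value of `0` is also accepted and, per RFC 6797, tells browsers to forget the policy, which is presumably never what a config author intends and deserves at least the same warning; the tests do not cover it.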
@@ -98,8 +108,12 @@
:security-provider "the security provider name"
:client-auth "either :need or :want to set the corresponding need/wantClientAuth field"
:ssl-context "a concrete pre-configured SslContext"
- :sni-required? "true if a SNI certificate is required, default false"
- :sni-host-check? "true if the SNI Host name must match, default false"})
+ :sni-required? "if true SNI is required, else requests will be rejected with 400 response, default false"
+ :sni-host-check? "if true the SNI Host name must match when there is an SNI certificate, default false"
+ :sts-max-age "set the Strict-Transport-Security max age in seconds, default -1"
+ :sts-include-subdomains? "true if a include subdomain property is sent with any Strict-Transport-Security header"
+ :send-server-version? "if true, send the Server header in responses"
+ :send-date-header? "if true, send the Date header in responses"})
(defmethod server/connector ::connector
[^Server server {::keys [host port idle-timeout proxy-protocol? http-config configurator]
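Review bot: The `:sts-max-age` doc string says `default -1` without explaining that a negative value means the header is not sent, which is the one fact a reader needs to understand why `:sts-include-subdomains?` on its own does nothing (the new tests pin exactly that, though they do not exercise `0`). Reword the two entries as `:sts-max-age "Strict-Transport-Security max-age in seconds; the header is not sent while this is negative, default -1 (not sent)"` and `:sts-include-subdomains? "if true, add includeSubDomains to the Strict-Transport-Security header; has no effect unless :sts-max-age is set, default false"`, and mirror the wording in README.md and slipway.clj. The `server/connector` defmethod beginning on the hunk's last line continues outside the hunk.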
diff --git a/common/src/slipway/security.clj b/common/src/slipway/security.clj
index 55aabd20..523da1c0 100644
--- a/common/src/slipway/security.clj
+++ b/common/src/slipway/security.clj
@@ -19,7 +19,7 @@
(if config
(when (slurp config)
(doto (JAASLoginService. realm) (.setConfiguration (Configuration/getConfiguration))))
- (throw (ex-info (str "start with -Djava.security.auth.login.config=/some/path/to/jaas.config to use Jetty/JAAS auth provider") {})))))
+ (throw (ex-info "start with -Djava.security.auth.login.config=/some/path/to/jaas.config to use Jetty/JAAS auth provider" {})))))
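Review bot: `(when (slurp config) ...)` on the new side reads the entire JAAS config into memory only to establish that the file is readable; `slurp` returns `""` for an empty file and the empty string is truthy in Clojure, so the `when` never falls through, and the only thing guarding a bad path is the raw `FileNotFoundException` from `slurp`, far less helpful than the `ex-info` message this hunk tidies up. If the intent is an existence/readability probe, make it explicit and keep the helpful error, e.g. replace the `when` form with `(if (.canRead (java.io.File. ^String config)) (doto (JAASLoginService. realm) (.setConfiguration (Configuration/getConfiguration))) (throw (ex-info (str "JAAS config not readable: " config) {:config config})))`; the same `slurp`-as-probe pattern appears in the `"hash"` branch in the next hunk. The enclosing `login-service` method starts before this hunk.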
(defmethod login-service "hash"
[{::keys [realm hash-user-file]}]
@@ -27,7 +27,7 @@
(if hash-user-file
(when (slurp hash-user-file)
(HashLoginService. realm hash-user-file))
- (throw (ex-info (str "set the path to your hash user realm properties file") {}))))
+ (throw (ex-info "set the path to your hash user realm properties file" {}))))
(defn user
[^Request base-request]
diff --git a/common/test/slipway/example.clj b/common/test/slipway/example.clj
index 94b4ea85..6d976db0 100644
--- a/common/test/slipway/example.clj
+++ b/common/test/slipway/example.clj
@@ -29,6 +29,13 @@
:truststore-password "password"
:truststore-type "PKCS12"})
+(def hsts #::https{:sts-max-age 31536000
+ :sts-include-subdomains? true})
+
+(def hsts-no-subdomains #::https{:sts-max-age 31536000})
+
+(def hsts-no-max-age #::https{:sts-include-subdomains? true})
+
(def form-authenticator (FormAuthenticator. "/login" "/login-retry" false))
(def options
@@ -38,6 +45,16 @@
:https #::server{:connectors [https-connector]
:error-handler app/server-error-handler}
+ :hsts #::server{:connectors [(merge https-connector hsts)]
+ :error-handler app/server-error-handler}
+
+ :hsts-no-subdomains #::server{:connectors [(merge https-connector hsts-no-subdomains)]
+ :error-handler app/server-error-handler}
+
+ ;; this is an error condition / incorrect configuration - subdomains requires max-age set
+ :hsts-no-max-age #::server{:connectors [(merge https-connector hsts-no-max-age)]
+ :error-handler app/server-error-handler}
+
:http+https #::server{:connectors [http-connector https-connector]
:error-handler app/server-error-handler}
diff --git a/common/test/slipway/https_server_test.clj b/common/test/slipway/https_server_test.clj
index e08b0714..f9e8c688 100644
--- a/common/test/slipway/https_server_test.clj
+++ b/common/test/slipway/https_server_test.clj
@@ -253,4 +253,90 @@
(-> (client/do-get "https" "user:wrong@localhost" 3443 "/user" {:insecure? true})
(select-keys of-interest)))))
- (finally (example/stop!))))
\ No newline at end of file
+ (finally (example/stop!))))
+
+(deftest strict-transport-security
+
+ (testing "no hsts configuration"
+
+ (try
+ (example/start! [:https])
+
+ (let [result (-> (client/do-get "https://localhost:3443/user" {:insecure? true})
+ (select-keys (conj of-interest :headers)))
+ sts-header (get-in result [:headers "Strict-Transport-Security"])
+ result (dissoc result :headers)]
+
+ (is (= {:protocol-version {:name "HTTP" :major 1 :minor 1}
+ :status 200
+ :reason-phrase "OK"
+ :orig-content-encoding "gzip"
+ :body (html/user-page {})}
+ result))
+
+ (is (= nil sts-header)))
+
+ (finally (example/stop!))))
+
+ (testing "sts-max-age and subdomains"
+
+ (try
+ (example/start! [:hsts])
+
+ (let [result (-> (client/do-get "https://localhost:3443/user" {:insecure? true})
+ (select-keys (conj of-interest :headers)))
+ sts-header (get-in result [:headers "Strict-Transport-Security"])
+ result (dissoc result :headers)]
+
+ (is (= {:protocol-version {:name "HTTP" :major 1 :minor 1}
+ :status 200
+ :reason-phrase "OK"
+ :orig-content-encoding "gzip"
+ :body (html/user-page {})}
+ result))
+
+ (is (= "max-age=31536000; includeSubDomains" sts-header)))
+
+ (finally (example/stop!))))
+
+ (testing "sts-max-age without subdomains"
+
+ (try
+ (example/start! [:hsts-no-subdomains])
+
+ (let [result (-> (client/do-get "https://localhost:3443/user" {:insecure? true})
+ (select-keys (conj of-interest :headers)))
+ sts-header (get-in result [:headers "Strict-Transport-Security"])
+ result (dissoc result :headers)]
+
+ (is (= {:protocol-version {:name "HTTP" :major 1 :minor 1}
+ :status 200
+ :reason-phrase "OK"
+ :orig-content-encoding "gzip"
+ :body (html/user-page {})}
+ result))
+
+ (is (= "max-age=31536000" sts-header)))
+
+ (finally (example/stop!))))
+
+ (testing "hsts no max age (incorrect configuration, no header included)"
+
+ (try
+ (example/start! [:hsts-no-max-age])
+
+ (let [result (-> (client/do-get "https://localhost:3443/user" {:insecure? true})
+ (select-keys (conj of-interest :headers)))
+ sts-header (get-in result [:headers "Strict-Transport-Security"])
+ result (dissoc result :headers)]
+
+ (is (= {:protocol-version {:name "HTTP" :major 1 :minor 1}
+ :status 200
+ :reason-phrase "OK"
+ :orig-content-encoding "gzip"
+ :body (html/user-page {})}
+ result))
+
+ (is (= nil sts-header)))
+
+ (finally (example/stop!)))))
\ No newline at end of file
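Review bot: The four `testing` blocks in `strict-transport-security` are the same fifteen lines with only the profile and the expected header changed, and the last one (`hsts no max age`) asserts that a misconfiguration produces no header, which locks in silent failure of a security control rather than the warning or rejection that the `this is an error condition / incorrect configuration` comment in example.clj implies. Factor the start/get/stop sequence into a private helper returning the trimmed response and the header, so each case becomes a table entry and a future change to warn or throw on bad config is edited in one place. The helper keeps `{:insecure? true}`, which is fine against the self-signed localhost listener but must not be copied into a non-test client. The `(finally (example/stop!))` on the hunk's first added line closes a `deftest` that begins outside the hunk.
```clojure
(defn- get-user-with-sts
  "Start the example server with `profile`, GET /user over TLS and return
   [response-without-headers strict-transport-security-header-or-nil]."
  [profile]
  (try
    (example/start! [profile])
    (let [result (-> (client/do-get "https://localhost:3443/user" {:insecure? true})
                     (select-keys (conj of-interest :headers)))]
      [(dissoc result :headers) (get-in result [:headers "Strict-Transport-Security"])])
    (finally (example/stop!))))

(deftest strict-transport-security
  (doseq [[profile expected-sts] [[:https nil]
                                  [:hsts "max-age=31536000; includeSubDomains"]
                                  [:hsts-no-subdomains "max-age=31536000"]
                                  ;; incorrect configuration: subdomains without max-age sends no header
                                  [:hsts-no-max-age nil]]]
    (testing (str "hsts profile " profile)
      (let [[result sts-header] (get-user-with-sts profile)]
        (is (= {:protocol-version {:name "HTTP" :major 1 :minor 1}
                :status 200
                :reason-phrase "OK"
                :orig-content-encoding "gzip"
                :body (html/user-page {})}
               result))
        (is (= expected-sts sts-header))))))
```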
diff --git a/slipway-jetty10/dependency-check-suppressions.xml b/slipway-jetty10/dependency-check-suppressions.xml
index a0e2af1c..ef65b13b 100644
--- a/slipway-jetty10/dependency-check-suppressions.xml
+++ b/slipway-jetty10/dependency-check-suppressions.xml
@@ -1,10 +1,6 @@
-
-
- ^pkg:maven/commons\-fileupload/commons\-fileupload@.*$
- CVE-2023-24998
-
+
+
+
diff --git a/slipway-jetty10/project.clj b/slipway-jetty10/project.clj
index 61ea42bd..40a8d853 100644
--- a/slipway-jetty10/project.clj
+++ b/slipway-jetty10/project.clj
@@ -1,14 +1,14 @@
-(defproject io.factorhouse/slipway-jetty10 "1.1.17"
+(defproject io.factorhouse/slipway-jetty10 "1.1.18"
- :description "A Clojure Companion for Jetty"
+ :description "A Clojure Companion for Jetty 10"
:url "https://github.com/factorhouse/slipway"
:license {:name "MIT License"
:url "https://github.com/factorhouse/slipway/blob/main/LICENSE"}
- :profiles {:dev {:dependencies [[com.fasterxml.jackson.core/jackson-core "2.17.2"] ;; required for internal inconsistency within clj-kondo, kept at latest for CVE avoidance
- [clj-kondo "2023.12.15"]
+ :profiles {:dev {:dependencies [[com.fasterxml.jackson.core/jackson-core "2.18.2"] ;; required for internal inconsistency within clj-kondo, kept at latest for CVE avoidance
+ [clj-kondo "2024.11.14"]
[clj-http "3.13.0"]
[ch.qos.logback/logback-classic "1.3.14"] ;; Logback 1.3.x supports the Java EE edition whereas logback 1.4.x supports Jakarta EE, otherwise the two versions are feature identical. The 1.5.x continues the 1.4.x series but with logback-access relocated to its own repository.
[ring/ring-anti-forgery "1.3.1"]
@@ -21,9 +21,10 @@
"kondo" ["with-profile" "+smoke" "run" "-m" "clj-kondo.main" "--lint" "common/src:common-jetty1x/src:test:common/test" "--parallel"]
"fmt" ["with-profile" "+smoke" "cljfmt" "check"]}
- :dependencies [[org.clojure/clojure "1.11.4"]
+ :dependencies [[org.clojure/clojure "1.12.0"]
[org.clojure/tools.logging "1.3.0"]
- [ring/ring-servlet "1.9.6"]
+ [commons-io "2.16.1"] ;; replaces old version with CVE in ring-servlet, remove when ring bumped to latest
+ [ring/ring-servlet "1.10.0"]
[com.taoensso/sente "1.17.0"]
[org.eclipse.jetty.websocket/websocket-jetty-api "10.0.24"]
[org.eclipse.jetty.websocket/websocket-jetty-server "10.0.24" :exclusions [org.slf4j/slf4j-api]]
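Review bot: `[commons-io "2.16.1"] ;; replaces old version with CVE in ring-servlet` relies on dependency resolution preferring the top-level declaration over the transitive one, which works but leaves no record of which advisory or which transitive version is being displaced, so nobody can tell when the pin is safe to drop. Name them in the comment (e.g. `;; overrides commons-io <version> pulled in by ring-servlet 1.10.0 (CVE-<id>); drop once ring ships a fixed version`) and make the override explicit rather than order-dependent by adding `:exclusions [commons-io]` to the `ring/ring-servlet` coordinate or declaring it under `:managed-dependencies`, then confirm with `lein deps :tree`. The identical three-line change is repeated in slipway-jetty11/project.clj and slipway-jetty9/project.clj and should carry the same note; the `:dependencies` vector continues past the hunk.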
diff --git a/slipway-jetty11/dependency-check-suppressions.xml b/slipway-jetty11/dependency-check-suppressions.xml
index a0d9218c..38949439 100644
--- a/slipway-jetty11/dependency-check-suppressions.xml
+++ b/slipway-jetty11/dependency-check-suppressions.xml
@@ -1,10 +1,6 @@
-
-
- ^pkg:maven/commons\-fileupload/commons\-fileupload@.*$
- CVE-2023-24998
-
+
+
+
diff --git a/slipway-jetty11/project.clj b/slipway-jetty11/project.clj
index 9fa4d45b..93ff9bd9 100644
--- a/slipway-jetty11/project.clj
+++ b/slipway-jetty11/project.clj
@@ -1,14 +1,14 @@
-(defproject io.factorhouse/slipway-jetty11 "1.1.17"
+(defproject io.factorhouse/slipway-jetty11 "1.1.18"
- :description "A Clojure Companion for Jetty"
+ :description "A Clojure Companion for Jetty 11"
:url "https://github.com/factorhouse/slipway"
:license {:name "MIT License"
:url "https://github.com/factorhouse/slipway/blob/main/LICENSE"}
- :profiles {:dev {:dependencies [[com.fasterxml.jackson.core/jackson-core "2.17.2"] ;; required for internal inconsistency within clj-kondo, kept at latest for CVE avoidance
- [clj-kondo "2023.12.15"]
+ :profiles {:dev {:dependencies [[com.fasterxml.jackson.core/jackson-core "2.18.2"] ;; required for internal inconsistency within clj-kondo, kept at latest for CVE avoidance
+ [clj-kondo "2024.11.14"]
[clj-http "3.13.0"]
[ch.qos.logback/logback-classic "1.3.14"] ;; Logback 1.3.x supports the Java EE edition whereas logback 1.4.x supports Jakarta EE, otherwise the two versions are feature identical. The 1.5.x continues the 1.4.x series but with logback-access relocated to its own repository.
[ring/ring-anti-forgery "1.3.1"]
@@ -21,9 +21,10 @@
"kondo" ["with-profile" "+smoke" "run" "-m" "clj-kondo.main" "--lint" "common/src:common-jetty1x/src:test:common/test" "--parallel"]
"fmt" ["with-profile" "+smoke" "cljfmt" "check"]}
- :dependencies [[org.clojure/clojure "1.11.4"]
+ :dependencies [[org.clojure/clojure "1.12.0"]
[org.clojure/tools.logging "1.3.0"]
- [ring/ring-servlet "1.9.6"]
+ [commons-io "2.16.1"] ;; replaces old version with CVE in ring-servlet, remove when ring bumped to latest
+ [ring/ring-servlet "1.10.0"]
[com.taoensso/sente "1.17.0"]
[org.eclipse.jetty.websocket/websocket-jetty-api "11.0.24"]
[org.eclipse.jetty.websocket/websocket-jetty-server "11.0.24" :exclusions [org.slf4j/slf4j-api]]
diff --git a/slipway-jetty9/dependency-check-suppressions.xml b/slipway-jetty9/dependency-check-suppressions.xml
index b955669d..ef65b13b 100644
--- a/slipway-jetty9/dependency-check-suppressions.xml
+++ b/slipway-jetty9/dependency-check-suppressions.xml
@@ -1,10 +1,6 @@
-
-
- ^pkg:maven/commons\-fileupload/commons\-fileupload@.*$
- CVE-2023-24998
-
+
+
+
diff --git a/slipway-jetty9/project.clj b/slipway-jetty9/project.clj
index d7f590a5..cfb5cf70 100644
--- a/slipway-jetty9/project.clj
+++ b/slipway-jetty9/project.clj
@@ -1,14 +1,14 @@
-(defproject io.factorhouse/slipway-jetty9 "1.1.17"
+(defproject io.factorhouse/slipway-jetty9 "1.1.18"
- :description "A Clojure Companion for Jetty"
+ :description "A Clojure Companion for Jetty 9"
:url "https://github.com/factorhouse/slipway"
:license {:name "MIT License"
:url "https://github.com/factorhosue/slipway/blob/main/LICENSE"}
- :profiles {:dev {:dependencies [[com.fasterxml.jackson.core/jackson-core "2.17.2"] ;; required for internal inconsistency within clj-kondo, kept at latest for CVE avoidance
- [clj-kondo "2023.12.15"] ;; https://github.com/clj-kondo/clj-kondo/issues/2277 leave at this version until we move to Clojure 1.12.x and can fix
+ :profiles {:dev {:dependencies [[com.fasterxml.jackson.core/jackson-core "2.18.2"] ;; required for internal inconsistency within clj-kondo, kept at latest for CVE avoidance
+ [clj-kondo "2024.11.14"]
[clj-http "3.13.0"]
[ch.qos.logback/logback-classic "1.3.14"] ;; Logback 1.3.x supports the Java EE edition whereas logback 1.4.x supports Jakarta EE, otherwise the two versions are feature identical. The 1.5.x continues the 1.4.x series but with logback-access relocated to its own repository.
[ring/ring-anti-forgery "1.3.1"]
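Review bot: `:url "https://github.com/factorhosue/slipway/blob/main/LICENSE"` on the new side of this hunk misspells the organisation (`factorhosue`), while the same line in slipway-jetty10/project.clj and slipway-jetty11/project.clj reads `factorhouse`; the published POM for slipway-jetty9 will carry a dead license link, and a misspelled org in package metadata is the kind of name a look-alike repository could claim. Change it to `:url "https://github.com/factorhouse/slipway/blob/main/LICENSE"`. The deleted comment said clj-kondo was held back until the move to Clojure 1.12.x, and the next hunk makes exactly that bump, so the upgrade looks consistent; a one-line note on the `clj-kondo` coordinate would keep that history for whoever next pins it.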
@@ -21,9 +21,10 @@
"kondo" ["with-profile" "+smoke" "run" "-m" "clj-kondo.main" "--lint" "src:common/src:test:common/test" "--parallel"]
"fmt" ["with-profile" "+smoke" "cljfmt" "check"]}
- :dependencies [[org.clojure/clojure "1.11.4"]
+ :dependencies [[org.clojure/clojure "1.12.0"]
[org.clojure/tools.logging "1.3.0"]
- [ring/ring-servlet "1.9.6"]
+ [commons-io "2.16.1"] ;; replaces old version with CVE in ring-servlet, remove when ring bumped to latest
+ [ring/ring-servlet "1.10.0"]
[com.taoensso/sente "1.17.0"]
[org.eclipse.jetty/jetty-server "9.4.56.v20240826"]
[org.eclipse.jetty.websocket/websocket-server "9.4.56.v20240826"]
diff --git a/slipway-jetty9/src/slipway/websockets.clj b/slipway-jetty9/src/slipway/websockets.clj
index f1f4d373..693b2c46 100644
--- a/slipway-jetty9/src/slipway/websockets.clj
+++ b/slipway-jetty9/src/slipway/websockets.clj
@@ -32,6 +32,7 @@
(extend-protocol common.ws/WebSocketSend
+ #_:clj-kondo/ignore
(Class/forName "[B")
(-send!
([ba ws]
@@ -70,6 +71,7 @@
(extend-protocol common.ws/WebSocketPing
+ #_:clj-kondo/ignore
(Class/forName "[B")
(-ping! [ba ws] (common.ws/-ping! (ByteBuffer/wrap ba) ws)))