From 3d58f2cff68ae2ce0820d0a5c322ff973e2a3b4d Mon Sep 17 00:00:00 2001
From: Stefan Santesson <stefan@aaa-sec.com>
Date: Fri, 1 Apr 2022 00:28:17 +0200
Subject: [PATCH] release 1.0.2

---
 Dockerfile                                    |  2 +-
 Dockerfile-debug                              |  2 +-
 Dockerfile-softhsm                            |  2 +-
 README.md                                     |  2 +-
 pom.xml                                       |  4 ++--
 .../configuration/BinderControllerAdvice.java | 19 -------------------
 src/main/resources/cfg/banner.txt             |  2 +-
 versions.md                                   | 11 ++++++-----
 8 files changed, 13 insertions(+), 31 deletions(-)
 delete mode 100644 src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java

diff --git a/Dockerfile b/Dockerfile
index 483fa9a..9979712 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM openjdk:11-jre
 
-ADD target/cmc-ca-client-base-1.0.2-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.2.jar /app.jar
 ENTRYPOINT ["java","-jar","/app.jar"]
 
 # Main web port
diff --git a/Dockerfile-debug b/Dockerfile-debug
index 997c580..0ad498f 100644
--- a/Dockerfile-debug
+++ b/Dockerfile-debug
@@ -1,6 +1,6 @@
 FROM openjdk:11-jre
 
-ADD target/cmc-ca-client-base-1.0.2-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.2.jar /app.jar
 
 # This ENTRYPOINT enables attachement of a debugger on port 8000. This port is automtically exposed on the docker container.
 ENTRYPOINT ["java","-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000","-jar","/app.jar"]
diff --git a/Dockerfile-softhsm b/Dockerfile-softhsm
index b4d6dae..13274e9 100644
--- a/Dockerfile-softhsm
+++ b/Dockerfile-softhsm
@@ -12,7 +12,7 @@ RUN apt-get update && apt-get install -y pcscd libccid libpcsclite-dev libssl-de
 # Setup softhsm
 RUN rm -rf /var/lib/softhsm/tokens && mkdir /var/lib/softhsm/tokens
 
-ADD target/cmc-ca-client-base-1.0.2-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.2.jar /app.jar
 COPY src/main/resources/cfg/start.sh /
 
 ENTRYPOINT /start.sh
diff --git a/README.md b/README.md
index 59a2a13..cd9838c 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 
 ---
-# CURRENT BUILD VERSION = 1.0.1
+# CURRENT BUILD VERSION = 1.0.2
 ---
 # CA admin GUI based on CMC API
 
diff --git a/pom.xml b/pom.xml
index 7c197f6..b9ad1ad 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,13 +21,13 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.5</version>
+        <version>2.6.6</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
 
     <groupId>se.swedenconnect.ca</groupId>
     <artifactId>cmc-ca-client-base</artifactId>
-    <version>1.0.2-SNAPSHOT</version>
+    <version>1.0.2</version>
 
     <name>CA CMC client base</name>
     <description>CA CMC Client base for administration of CA services</description>
diff --git a/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java b/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java
deleted file mode 100644
index d5791cd..0000000
--- a/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package se.swedenconnect.ca.cmcclient.configuration;
-
-import org.springframework.core.annotation.Order;
-import org.springframework.web.bind.WebDataBinder;
-import org.springframework.web.bind.annotation.ControllerAdvice;
-import org.springframework.web.bind.annotation.InitBinder;
-
-@ControllerAdvice
-@Order(10000)
-public class BinderControllerAdvice {
-  @InitBinder
-  public void setAllowedFields(WebDataBinder dataBinder) {
-    // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
-    // By applying this mitigation, you prevent the "Class Loader Manipulation" attack vector from firing.
-    // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
-    String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
-    dataBinder.setDisallowedFields(denylist);
-  }
-}
\ No newline at end of file
diff --git a/src/main/resources/cfg/banner.txt b/src/main/resources/cfg/banner.txt
index 05b9b31..1284ab8 100644
--- a/src/main/resources/cfg/banner.txt
+++ b/src/main/resources/cfg/banner.txt
@@ -4,5 +4,5 @@
  | |___   / ___ \    \__ \ |  __/ | |     \ V /  | | | (__  |  __/   | |___  | |  | | | |___    | (__  | | | | |  __/ | | | | | |_
   \____| /_/   \_\   |___/  \___| |_|      \_/   |_|  \___|  \___|    \____| |_|  |_|  \____|    \___| |_| |_|  \___| |_| |_|  \__|
 
-1.0.2-SNAPSHOT
+Version 1.0.2
 Powered by Spring Boot ${spring-boot.version}
\ No newline at end of file
diff --git a/versions.md b/versions.md
index d964215..23fe8e1 100644
--- a/versions.md
+++ b/versions.md
@@ -1,11 +1,12 @@
 # CA CMC Admin versions
 
-**Latest current version 1.0.1**
+**Latest current version 1.0.2**
 
-| Version | Comment                                   | Date       |
-|---------|-------------------------------------------|------------|
-| 1.0.0   | Initial version                           | 2022-02-08 |
-| 1.0.1   | Initial version                           | 2022-03-31 |
+| Version | Comment                                                      | Date       |
+|---------|--------------------------------------------------------------|------------|
+| 1.0.0   | Initial version                                              | 2022-02-08 |
+| 1.0.1   | temp fix of Spring boot RCE vulnerability                    | 2022-03-31 |
+| 1.0.2   | Upgrading to spring boot 2.6.6 as permanent solution to RCE  | 2022-03-31 |
 
 ## Important release notes (most recent on top)