[fix][sec] Mitigate CVE-2024-53990 by disabling AsyncHttpClient CookieStore (apache#23725)

lhotari · web-flow · commit 51e8247e4976 · 2024-12-13T05:12:59.000-08:00
diff --git a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
@@ -183,6 +183,7 @@ public void initialize(Context context) throws IOException {
                     .build();
         }
         AsyncHttpClientConfig clientConfig = new DefaultAsyncHttpClientConfig.Builder()
+                .setCookieStore(null)
                 .setConnectTimeout(connectionTimeout)
                 .setReadTimeout(readTimeout)
                 .setSslContext(sslContext)
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/BrokerServiceLookupTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/BrokerServiceLookupTest.java
@@ -1142,6 +1142,7 @@ public void onThrowable(Throwable t) {
 
     private AsyncHttpClient getHttpClient(String version) {
         DefaultAsyncHttpClientConfig.Builder confBuilder = new DefaultAsyncHttpClientConfig.Builder();
+        confBuilder.setCookieStore(null);
         confBuilder.setUseProxyProperties(true);
         confBuilder.setFollowRedirect(true);
         confBuilder.setUserAgent(version);
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
@@ -159,6 +159,7 @@ private void configureAsyncHttpClientConfig(ClientConfigurationData conf, int co
         if (conf.getConnectionMaxIdleSeconds() > 0) {
             confBuilder.setPooledConnectionIdleTimeout(conf.getConnectionMaxIdleSeconds() * 1000);
         }
+        confBuilder.setCookieStore(null);
         confBuilder.setUseProxyProperties(true);
         confBuilder.setFollowRedirect(false);
         confBuilder.setRequestTimeout(conf.getRequestTimeoutMs());
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ControlledClusterFailover.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ControlledClusterFailover.java
@@ -85,6 +85,7 @@ private ControlledClusterFailover(ControlledClusterFailoverBuilderImpl builder)
 
     private AsyncHttpClient buildHttpClient() {
         DefaultAsyncHttpClientConfig.Builder confBuilder = new DefaultAsyncHttpClientConfig.Builder();
+        confBuilder.setCookieStore(null);
         confBuilder.setUseProxyProperties(true);
         confBuilder.setFollowRedirect(true);
         confBuilder.setMaxRedirects(DEFAULT_MAX_REDIRECTS);
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
@@ -74,6 +74,7 @@ protected HttpClient(ClientConfigurationData conf, EventLoopGroup eventLoopGroup
         this.serviceNameResolver.updateServiceUrl(conf.getServiceUrl());
 
         DefaultAsyncHttpClientConfig.Builder confBuilder = new DefaultAsyncHttpClientConfig.Builder();
+        confBuilder.setCookieStore(null);
         confBuilder.setUseProxyProperties(true);
         confBuilder.setFollowRedirect(true);
         confBuilder.setMaxRedirects(conf.getMaxLookupRedirects());
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/oauth2/protocol/TokenClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/oauth2/protocol/TokenClient.java
@@ -53,6 +53,7 @@ public TokenClient(URL tokenUrl) {
     TokenClient(URL tokenUrl, AsyncHttpClient httpClient) {
         if (httpClient == null) {
             DefaultAsyncHttpClientConfig.Builder confBuilder = new DefaultAsyncHttpClientConfig.Builder();
+            confBuilder.setCookieStore(null);
             confBuilder.setUseProxyProperties(true);
             confBuilder.setFollowRedirect(true);
             confBuilder.setConnectTimeout(DEFAULT_CONNECT_TIMEOUT_IN_SECONDS * 1000);

Original file line number	Diff line number	Diff line change
`@@ -183,6 +183,7 @@ public void initialize(Context context) throws IOException {`
`183`	`183`	`.build();`
`184`	`184`	`}`
`185`	`185`	`AsyncHttpClientConfig clientConfig = new DefaultAsyncHttpClientConfig.Builder()`
	`186`	`+ .setCookieStore(null)`
`186`	`187`	`.setConnectTimeout(connectionTimeout)`
`187`	`188`	`.setReadTimeout(readTimeout)`
`188`	`189`	`.setSslContext(sslContext)`
Original file line number	Diff line number	Diff line change
`@@ -159,6 +159,7 @@ private void configureAsyncHttpClientConfig(ClientConfigurationData conf, int co`
`159`	`159`	`if (conf.getConnectionMaxIdleSeconds() > 0) {`
`160`	`160`	`confBuilder.setPooledConnectionIdleTimeout(conf.getConnectionMaxIdleSeconds() * 1000);`
`161`	`161`	`}`
	`162`	`+ confBuilder.setCookieStore(null);`
`162`	`163`	`confBuilder.setUseProxyProperties(true);`
`163`	`164`	`confBuilder.setFollowRedirect(false);`
`164`	`165`	`confBuilder.setRequestTimeout(conf.getRequestTimeoutMs());`