Fixed JXPath library vulnerability (#1651)

szczygiel-m · web-flow · commit 72ecc5aa41e3 · 2023-01-19T11:56:13.000+01:00
diff --git a/hermes-management/src/main/java/pl/allegro/tech/hermes/management/infrastructure/query/graph/JXPathAttribute.java b/hermes-management/src/main/java/pl/allegro/tech/hermes/management/infrastructure/query/graph/JXPathAttribute.java
@@ -1,5 +1,6 @@
 package pl.allegro.tech.hermes.management.infrastructure.query.graph;
 
+import org.apache.commons.jxpath.FunctionLibrary;
 import org.apache.commons.jxpath.JXPathContext;
 
 public class JXPathAttribute implements ObjectAttribute {
@@ -15,6 +16,8 @@ public JXPathAttribute(Object target, String path) {
 
     @Override
     public Object value() {
-        return JXPathContext.newContext(target).getValue(path);
+        JXPathContext context = JXPathContext.newContext(target);
+        context.setFunctions(new FunctionLibrary());
+        return context.getValue(path);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`package pl.allegro.tech.hermes.management.infrastructure.query.graph;`
`2`	`2`
	`3`	`+import org.apache.commons.jxpath.FunctionLibrary;`
`3`	`4`	`import org.apache.commons.jxpath.JXPathContext;`
`4`	`5`
`5`	`6`	`public class JXPathAttribute implements ObjectAttribute {`
`@@ -15,6 +16,8 @@ public JXPathAttribute(Object target, String path) {`
`15`	`16`
`16`	`17`	`@Override`
`17`	`18`	`public Object value() {`
`18`		`- return JXPathContext.newContext(target).getValue(path);`
	`19`	`+ JXPathContext context = JXPathContext.newContext(target);`
	`20`	`+ context.setFunctions(new FunctionLibrary());`
	`21`	`+ return context.getValue(path);`
`19`	`22`	`}`
`20`	`23`	`}`