Switch to hiccup2.0 in clojars code base

This change attempts to migrate clojars to the latest version of
hiccup, which has introduced a bunch of new security features.

In this change, we also remove the old safe_hiccup, as this
functionality is built into Hiccup2.

#914

Author: iwillig

dependabot/deps-list.txt

@@ -67,7 +67,7 @@ duct/hikaricp-component 0.1.2  (EPL-1.0)
 environ/environ 1.1.0  (EPL-1.0)
 fipp/fipp 0.6.29  (EPL-1.0)
 funcool/cuerdas 2.2.0  (BSD (2-Clause))
-hiccup/hiccup 1.0.5 
+hiccup/hiccup 2.0.0  (EPL-1.0)
 instaparse/instaparse 1.4.8  (EPL-1.0)
 io.airlift/aircompressor 2.0.2  (Apache-2.0)
 javax.xml.bind/jaxb-api 2.3.0  (CDDL 1.1)

dependabot/deps-tree.txt

@@ -186,7 +186,7 @@ duct/duct 0.8.2
   . medley/medley 0.8.3
   . meta-merge/meta-merge 1.0.0
   X ring/ring-core 1.5.0 :use-top
-hiccup/hiccup 1.0.5
+hiccup/hiccup 2.0.0
 one-time/one-time 0.8.0
   X commons-codec/commons-codec 1.15 :older-version
   X ring/ring-codec 1.2.0 :superseded

dependabot/pom.xml

@@ -166,7 +166,7 @@
     <dependency>
       <groupId>hiccup</groupId>
       <artifactId>hiccup</artifactId>
-      <version>1.0.5</version>
+      <version>2.0.0</version>
     </dependency>
     <dependency>
       <groupId>one-time</groupId>

deps.edn

@@ -39,7 +39,7 @@
                            :exclusions [org.slf4j/slf4j-nop]}
 
   ;; manually imported clj-kondo configs from 2.x branch to .clj-kondo/imports/hiccup/hiccup
-  hiccup/hiccup {:mvn/version "1.0.5"}
+  hiccup/hiccup {:mvn/version "2.0.0"}
 
   kirasystems/aging-session {:mvn/version "0.5.0"
                              :exclusions [org.clojure/clojurescript]}

src/clojars/repo_indexing.clj

@@ -4,7 +4,6 @@
    [clojars.retry :as retry]
    [clojars.s3 :as s3]
    [clojars.web.common :as common]
-   [clojars.web.safe-hiccup :as safe-hiccup]
    [clojure.java.io :as io]
    [clojure.string :as str]
    [hiccup.element :as el])
@@ -64,24 +63,24 @@
 (defn- generate-index
   ^String
   [path entries]
-  (safe-hiccup/html5
-   {:lang "en"}
-   [:head
-    [:meta {:charset "utf-8"}]
-    [:meta {:name "viewport" :content "width=device-width,initial-scale=1"}]
-    [:title (format "Clojars Repository: %s" (or path "/"))]]
-   [:body
-    [:header
-     [:h1 (or path "/")]]
-    [:hr]
-    [:main
-     [:pre#contents
-      (when (some? path)
-        (list
-         (el/link-to "../" "../")
-         "\n"))
-      (mapcat entry-line entries)]]
-    [:hr]]))
+  (str (common/html5
+        {:lang "en"}
+        [:head
+         [:meta {:charset "utf-8"}]
+         [:meta {:name "viewport" :content "width=device-width,initial-scale=1"}]
+         [:title (format "Clojars Repository: %s" (or path "/"))]]
+        [:body
+         [:header
+          [:h1 (or path "/")]]
+         [:hr]
+         [:main
+          [:pre#contents
+           (when (some? path)
+             (list
+              (el/link-to "../" "../")
+              "\n"))
+           (mapcat entry-line entries)]]
+         [:hr]])))
 
 (defn- sort-entries
   [entries]

src/clojars/web.clj

@@ -9,7 +9,8 @@
    [clojars.friend.oauth.github :as github]
    [clojars.friend.oauth.gitlab :as gitlab]
    [clojars.friend.registration :as registration]
-   [clojars.http-utils :refer [wrap-secure-session wrap-additional-security-headers]]
+   [clojars.http-utils :refer [wrap-additional-security-headers
+                               wrap-secure-session]]
    [clojars.log :as log]
    [clojars.middleware :refer [wrap-ignore-trailing-slash]]
    [clojars.routes.api :as api]
@@ -22,9 +23,8 @@
    [clojars.routes.user :as user]
    [clojars.routes.verify :as verify]
    [clojars.web.browse :refer [browse]]
-   [clojars.web.common :as common :refer [html-doc]]
+   [clojars.web.common :as common :refer [html-doc raw]]
    [clojars.web.dashboard :refer [dashboard index-page]]
-   [clojars.web.safe-hiccup :refer [raw]]
    [clojars.web.search :as search]
    [clojure.java.io :as io]
    [compojure.core :refer [ANY context GET PUT routes]]
@@ -55,30 +55,30 @@
   (let [db (:spec db)]
     (routes
      (GET "/" _
-          (try-account
-           #(if %
-              (dashboard db %)
-              (index-page db stats %))))
+       (try-account
+        #(if %
+           (dashboard db %)
+           (index-page db stats %))))
      (GET "/search" {:keys [params]}
-          (try-account
-           #(let [validated-params (-> params
-                                       (update :page try-parse-page))]
-              (search/search search % validated-params))))
+       (try-account
+        #(let [validated-params (-> params
+                                    (update :page try-parse-page))]
+           (search/search search % validated-params))))
      (GET "/projects" {:keys [params]}
-          (try-account
-           #(let [validated-params
-                  (-> params
-                      (update :from (partial common/check-no-null-bytes "from"))
-                      (update :page try-parse-page))]
-              (browse db % validated-params))))
+       (try-account
+        #(let [validated-params
+               (-> params
+                   (update :from (partial common/check-no-null-bytes "from"))
+                   (update :page try-parse-page))]
+           (browse db % validated-params))))
      (GET "/security" []
-          (try-account
-           #(html-doc "Security" {:account %}
-                      (raw (slurp (io/resource "security.html"))))))
+       (try-account
+        #(html-doc "Security" {:account %}
+                   (raw (slurp (io/resource "security.html"))))))
      (GET "/dmca" []
-          (try-account
-           #(html-doc "DMCA" {:account %}
-                      (raw (slurp (io/resource "dmca.html"))))))
+       (try-account
+        #(html-doc "DMCA" {:account %}
+                   (raw (slurp (io/resource "dmca.html"))))))
      session/routes
      (group/routes db event-emitter)
      (artifact/routes db stats)
@@ -90,12 +90,12 @@
      (api/routes db stats)
      (PUT "*" _ {:status 405 :headers {} :body "Did you mean to use /repo?"})
      (ANY "*" _
-          (try-account
-           #(not-found
-             (html-doc "Page not found" {:account %}
-                       [:div.small-section
-                        [:h1 "Page not found"]
-                        [:p "Thundering typhoons!  I think we lost it.  Sorry!"]])))))))
+       (try-account
+        #(not-found
+          (html-doc "Page not found" {:account %}
+                    [:div.small-section
+                     [:h1 "Page not found"]
+                     [:p "Thundering typhoons!  I think we lost it.  Sorry!"]])))))))
 
 (def ^:private defaults-config
   (-> ring-defaults/secure-site-defaults
@@ -149,19 +149,19 @@
   (let [db (:spec db)]
     (routes
      (-> (context
-          "/repo" _
-          (-> (repo/routes storage db event-emitter search)
-              (friend/authenticate
-               {:credential-fn (auth/token-credential-fn db)
-                :workflows [(workflows/http-basic :realm "clojars")]
-                :allow-anon? false
-                :unauthenticated-handler
-                (partial workflows/http-basic-deny "clojars")})
-              (repo/wrap-reject-non-token db)
-              (repo/wrap-exceptions error-reporter)
-              (repo/wrap-file (:repo (config)))
-              (log/wrap-request-context)
-              (repo/wrap-reject-double-dot)))
+           "/repo" _
+           (-> (repo/routes storage db event-emitter search)
+               (friend/authenticate
+                {:credential-fn (auth/token-credential-fn db)
+                 :workflows [(workflows/http-basic :realm "clojars")]
+                 :allow-anon? false
+                 :unauthenticated-handler
+                 (partial workflows/http-basic-deny "clojars")})
+               (repo/wrap-reject-non-token db)
+               (repo/wrap-exceptions error-reporter)
+               (repo/wrap-file (:repo (config)))
+               (log/wrap-request-context)
+               (repo/wrap-reject-double-dot)))
          (wrap-secure-session))
      (-> (token-breach/routes db event-emitter)
          (wrap-exceptions error-reporter)