From 6392762774094a148188e075de4038b0f291ca3c Mon Sep 17 00:00:00 2001 From: David Korczynski Date: Thu, 30 Oct 2025 12:15:05 -0700 Subject: [PATCH] apache-commons-fileupload: fix build Signed-off-by: David Korczynski --- projects/apache-commons-fileupload/Dockerfile | 3 +- projects/apache-commons-fileupload/build.sh | 5 +-- .../project-parent/fuzz-targets/pom.xml | 7 ++++- .../java/com/example/FileUploadFuzzer.java | 23 +++++++------- .../com/example/MockHttpServletRequest.java | 4 +-- .../src/test/java/com/example/Util.java | 31 +++++++++---------- 6 files changed, 39 insertions(+), 34 deletions(-) diff --git a/projects/apache-commons-fileupload/Dockerfile b/projects/apache-commons-fileupload/Dockerfile index 7dfd175632a5..2b93387fb107 100644 --- a/projects/apache-commons-fileupload/Dockerfile +++ b/projects/apache-commons-fileupload/Dockerfile @@ -34,6 +34,5 @@ COPY project-parent $SRC/project-parent/ RUN rm -rf $SRC/project-parent/apache-commons-fileupload RUN git clone --depth 1 https://github.com/apache/commons-fileupload.git $SRC/project-parent/apache-commons-fileupload - COPY build.sh $SRC/ -WORKDIR $SRC/ \ No newline at end of file +WORKDIR $SRC/ diff --git a/projects/apache-commons-fileupload/build.sh b/projects/apache-commons-fileupload/build.sh index 73ca2c85e3da..77104dbe8b0c 100755 --- a/projects/apache-commons-fileupload/build.sh +++ b/projects/apache-commons-fileupload/build.sh 
@@ -20,12 +20,13 @@ PROJECT_GROUP_ID=org.apache.commons PROJECT_ARTIFACT_ID=commons-fileupload2 MAIN_REPOSITORY=https://github.com/apache/commons-fileupload.git -MAVEN_ARGS="-Dmaven.test.skip=true -Djavac.src.version=15 -Djavac.target.version=15 -Denforcer.skip=true -DskipTests" +MAVEN_ARGS="-Djavac.src.version=15 -Djavac.target.version=15 -Denforcer.skip=true -DskipTests" function set_project_version_in_fuzz_targets_dependency { PROJECT_VERSION=$(cd $PROJECT && $MVN org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) # set dependency project version in fuzz-targets - (cd fuzz-targets && $MVN versions:use-dep-version -Dincludes=$PROJECT_GROUP_ID:$PROJECT_ARTIFACT_ID -DdepVersion=$PROJECT_VERSION -DforceVersion=true) + (cd fuzz-targets && $MVN versions:use-dep-version -Dincludes=$PROJECT_GROUP_ID:commons-fileupload2-core -DdepVersion=$PROJECT_VERSION -DforceVersion=true) + (cd fuzz-targets && $MVN versions:use-dep-version -Dincludes=$PROJECT_GROUP_ID:commons-fileupload2-javax -DdepVersion=$PROJECT_VERSION -DforceVersion=true) } cd project-parent diff --git a/projects/apache-commons-fileupload/project-parent/fuzz-targets/pom.xml b/projects/apache-commons-fileupload/project-parent/fuzz-targets/pom.xml index d0fb71ddf63b..0c679d5c310f 100644 --- a/projects/apache-commons-fileupload/project-parent/fuzz-targets/pom.xml +++ b/projects/apache-commons-fileupload/project-parent/fuzz-targets/pom.xml @@ -32,7 +32,12 @@ org.apache.commons - commons-fileupload2 + commons-fileupload2-core + 2.0-SNAPSHOT + + + org.apache.commons + commons-fileupload2-javax 2.0-SNAPSHOT diff --git a/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/FileUploadFuzzer.java b/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/FileUploadFuzzer.java index 5ec13c6c99e7..12daf0e9019c 100644 
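Review bot: `PROJECT_ARTIFACT_ID=commons-fileupload2` stays defined at the top of this hunk, but `set_project_version_in_fuzz_targets_dependency` no longer reads it, and the two module names are now hard-coded in two near-identical `use-dep-version` lines. One call derived from the variable keeps them in step: `-Dincludes=$PROJECT_GROUP_ID:${PROJECT_ARTIFACT_ID}-core,$PROJECT_GROUP_ID:${PROJECT_ARTIFACT_ID}-javax` (the plugin's `includes` takes a comma-separated list). Whether the variable is still used further down in build.sh is not visible from this hunk. The removal of `-Dmaven.test.skip=true` from `MAVEN_ARGS` also deserves a comment, since it changes test compilation from skipped to enabled; something like `# -DskipTests only: test sources must still compile` would do, assuming that is the intent.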
--- a/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/FileUploadFuzzer.java +++ b/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/FileUploadFuzzer.java @@ -18,12 +18,12 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider; import com.code_intelligence.jazzer.junit.FuzzTest; -import org.apache.commons.fileupload2.FileItem; -import org.apache.commons.fileupload2.FileUpload; -import org.apache.commons.fileupload2.FileUploadException; -import org.apache.commons.fileupload2.MultipartStream; -import org.apache.commons.fileupload2.disk.DiskFileItemFactory; -import org.apache.commons.fileupload2.servlet.ServletFileUpload; +import org.apache.commons.fileupload2.core.FileItem; +import org.apache.commons.fileupload2.core.AbstractFileUpload; +import org.apache.commons.fileupload2.core.FileUploadException; +import org.apache.commons.fileupload2.core.MultipartInput; +import org.apache.commons.fileupload2.core.DiskFileItemFactory; +import org.apache.commons.fileupload2.javax.JavaxServletFileUpload; import java.io.File; import java.io.IOException; @@ -34,13 +34,14 @@ public class FileUploadFuzzer { @FuzzTest void myFuzzTest(FuzzedDataProvider data) - throws IOException, FileUploadException, MultipartStream.MalformedStreamException { - DiskFileItemFactory factory = new DiskFileItemFactory(); - factory.setRepository(new File("/tmp/abc")); - FileUpload upload = new ServletFileUpload(factory); + throws IOException, FileUploadException { + DiskFileItemFactory factory = DiskFileItemFactory.builder() + .setPath(new File("/tmp/abc").toPath()) + .get(); + AbstractFileUpload upload = new JavaxServletFileUpload(factory); // is set to tomcats default to approach CVE-2023-24998 - upload.setFileCountMax(10000); + upload.setMaxFileCount(10000); String contentType = data.consumeAsciiString(200); String multipartData = data.consumeRemainingAsString(); 
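Review bot: The rebuilt factory in `myFuzzTest` still points at the fixed, predictable directory `/tmp/abc` (`.setPath(new File("/tmp/abc").toPath())`), which nothing in the hunk creates or cleans up, so parallel fuzzing jobs share it and any item spooled to disk can pile up across iterations. A directory created once per run, for example a static `Path` from `Files.createTempDirectory("fileupload-fuzz")` passed to `.setPath(...)`, avoids the shared path, and deleting the parsed items after each iteration avoids the pile-up; this needs `java.nio.file.Files`, which the import hunk does not add. The comment above `setMaxFileCount(10000)` could state what the limit is for: `// Cap the number of parts at Tomcat's default (10000); the part-count limit is the mitigation for CVE-2023-24998`. With `MultipartStream.MalformedStreamException` gone from the throws clause, the new `MultipartInput` import may be unused if nothing else in the file refers to it. The method body continues outside the hunk.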
diff --git a/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/MockHttpServletRequest.java b/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/MockHttpServletRequest.java index 4f311f4e5b51..d662f158e9f5 100644 --- a/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/MockHttpServletRequest.java +++ b/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/MockHttpServletRequest.java @@ -16,7 +16,7 @@ package com.example; -import org.apache.commons.fileupload2.FileUploadBase; +import org.apache.commons.fileupload2.core.AbstractFileUpload; import javax.servlet.RequestDispatcher; import javax.servlet.ServletInputStream; @@ -63,7 +63,7 @@ public MockHttpServletRequest( mmRequestData = requestData; length = requestLength; mStrContentType = strContentType; - mHeaders.put(FileUploadBase.CONTENT_TYPE, strContentType); + mHeaders.put(AbstractFileUpload.CONTENT_TYPE, strContentType); } /** diff --git a/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/Util.java b/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/Util.java index 30a98798ad79..c36c1f217c52 100644 --- a/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/Util.java +++ b/projects/apache-commons-fileupload/project-parent/fuzz-targets/src/test/java/com/example/Util.java 
@@ -16,13 +16,12 @@ package com.example; -import org.apache.commons.fileupload2.FileItem; -import org.apache.commons.fileupload2.FileUpload; -import org.apache.commons.fileupload2.FileUploadException; -import org.apache.commons.fileupload2.disk.DiskFileItemFactory; -import org.apache.commons.fileupload2.portlet.PortletFileUpload; -import org.apache.commons.fileupload2.servlet.ServletFileUpload; -import org.apache.commons.fileupload2.servlet.ServletRequestContext; +import org.apache.commons.fileupload2.core.FileItem; +import org.apache.commons.fileupload2.core.AbstractFileUpload; +import org.apache.commons.fileupload2.core.FileUploadException; +import org.apache.commons.fileupload2.core.DiskFileItemFactory; +import org.apache.commons.fileupload2.javax.JavaxServletFileUpload; +import org.apache.commons.fileupload2.javax.JavaxServletRequestContext; import javax.servlet.http.HttpServletRequest; import java.io.UnsupportedEncodingException; 
@@ -37,29 +36,29 @@ */ public class Util { - public static List parseUpload(final FileUpload upload, final byte[] bytes) throws FileUploadException { + public static List parseUpload(final AbstractFileUpload upload, final byte[] bytes) throws FileUploadException { return parseUpload(upload, bytes, Constants.CONTENT_TYPE); } - public static List parseUpload(final FileUpload upload, final byte[] bytes, final String contentType) + public static List parseUpload(final AbstractFileUpload upload, final byte[] bytes, final String contentType) throws FileUploadException { final HttpServletRequest request = new MockHttpServletRequest(bytes, contentType); - return upload.parseRequest(new ServletRequestContext(request)); + return upload.parseRequest(new JavaxServletRequestContext(request)); } - public static List parseUpload(final FileUpload upload, final String content) + public static List parseUpload(final AbstractFileUpload upload, final String content) throws UnsupportedEncodingException, FileUploadException { final byte[] bytes = content.getBytes(StandardCharsets.US_ASCII); return parseUpload(upload, bytes, Constants.CONTENT_TYPE); } /** - * Return a list of {@link FileUpload} implementations for parameterized tests. - * @return a list of {@link FileUpload} implementations + * Return a list of {@link AbstractFileUpload} implementations for parameterized tests. + * @return a list of {@link AbstractFileUpload} implementations */ - public static List fileUploadImplementations() { + public static List fileUploadImplementations() { + DiskFileItemFactory factory = DiskFileItemFactory.builder().get(); return Arrays.asList( - new ServletFileUpload(new DiskFileItemFactory()), - new PortletFileUpload(new DiskFileItemFactory())); + new JavaxServletFileUpload(factory)); } }
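Review bot: `fileUploadImplementations()` now returns a single `JavaxServletFileUpload`, so any parameterized caller silently loses the portlet variant, while the Javadoc still promises "a list of implementations". State the narrowed coverage in the Javadoc, e.g. `Only the javax servlet binding is exercised; the portlet binding is no longer covered.`, so the gap is a recorded decision rather than a side effect of the build fix. The `String` overload of `parseUpload` still declares `throws UnsupportedEncodingException`, although `content.getBytes(StandardCharsets.US_ASCII)` cannot throw it. That encoding also replaces every non-ASCII character with `?`, so a harness that routes fuzzer strings through this overload (the call site is outside the hunk) never delivers bytes above 0x7F to the multipart parser. Passing `data.consumeRemainingAsBytes()` to the `byte[]` overload would avoid that.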