[FEATURE] Upgrade druid version to > 1.2.4 #2679
Comments
@jmashalk, could you elaborate on the specific security issues? We are also very willing to review your PR if you'd like to contribute.
Hi,
Following is the gist of the security issue
---------------------------
Our security team at Oracle has reported a vulnerability in the SQL plugin of OpenSearch. Sending this mail instead of creating an issue as per the security policy: https://github.com/opensearch-project/sql/security/policy
Following is the vulnerability:
ID: "ANCHORE:CVE-2021-33800+druid"
Issue: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Details: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Fix: Druid versions >= 1.2.4
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-33800, https://cwe.mitre.org/data/definitions/22.html
This seems to be a serious security breach; could you let us know if this can be fixed by the OpenSearch community?
Thanks,
Jai
From: Louis Chu ***@***.***>
Date: Thursday, 16 May 2024 at 10:50 AM
To: opensearch-project/sql ***@***.***>
Cc: Jai Mashalkar ***@***.***>, Mention ***@***.***>
Subject: [External] : Re: [opensearch-project/sql] [FEATURE] Upgrade druid version to > 1.2.4 (Issue #2679)
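The weakness class cited in the email above (CWE-22) is easiest to see side by side with its mitigation. The following is an added illustration written for this thread, not Druid's code and not the referenced fix commit; the base directory and the request paths are constructed sample values.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Added illustration of CWE-22 for a static-resource path built from request input.
// Constructed example: not the Druid implementation and not alibaba/druid@b1e8264.
public class StaticResourceResolver {
    private final Path baseDir;

    public StaticResourceResolver(Path baseDir) {
        // Canonicalise the restricted parent once; every resolution is checked against it.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Vulnerable pattern: external input is joined to the base without neutralising "..". */
    public Path resolveUnsafe(String requested) {
        return baseDir.resolve(stripLeadingSlash(requested));
    }

    /** Hardened pattern: normalise first, then refuse anything that no longer sits under the base. */
    public Path resolveSafe(String requested) {
        Path candidate = baseDir.resolve(stripLeadingSlash(requested)).normalize();
        // Path.startsWith compares whole components, so "/base2/x" does not pass for base "/base".
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes restricted directory: " + requested);
        }
        return candidate;
    }

    private static String stripLeadingSlash(String s) {
        return s.startsWith("/") ? s.substring(1) : s;
    }

    public static void main(String[] args) {
        // Constructed base directory and request paths for demonstration only.
        StaticResourceResolver r = new StaticResourceResolver(Paths.get("/opt/app/web-static"));
        List<String> requests = List.of("css/style.css", "../../../etc/passwd", "img/../../conf/app.properties");
        for (String req : requests) {
            Path unsafe = r.resolveUnsafe(req).normalize();
            String verdict;
            try { r.resolveSafe(req); verdict = "allowed"; }
            catch (IllegalArgumentException e) { verdict = "rejected"; }
            System.out.printf("%-32s unsafe resolves to %-36s hardened: %s%n", req, unsafe, verdict);
        }
    }
}
```

java.nio normalisation does not decode percent-encoding, so the request path must be URL-decoded before this check, and the check must run on the decoded form only once.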
This CVE has no impact on the SQL plugin because the code block concerned is a separate path which loads static sources for the druid web stats feature. Also verified that in the current SQL plugin source code there's no usage of the class com.alibaba.druid.util.Utils: https://github.com/search?q=repo%3Aopensearch-project%2Fsql+com.alibaba.druid.util.Utils&type=code. Fix commit: alibaba/druid@b1e8264
I completely appreciate that the code is not vulnerable, but an upgrade would be helpful as this is continually flagged up in customer security scans. This change would certainly help us and save our customers time.
In the hope that the version bump for this library would be trivial, I looked at updating to the first known version with the CVE fix that affects us, from 1.0.15 -> 1.1.20. I found that there were several classes that no longer exist in the newer version (so it won't compile) and had no immediately obvious alternative (the same is still true for recent code). Both are several years old. Considering that I also agree that there is no impact on this plugin from the cited CVE, I couldn't justify the time it would take me to do the further research required and upgrade legacy functionality.
Is your feature request related to a problem?
The version of druid used in legacy code path is outdated leading to certain issues with respect to security.
What solution would you like?
Druid version to be upgraded to >1.2.4
What alternatives have you considered?
Other alternatives are to override the version externally, however it is not compatible with some of the code in legacy path of sql plugin.
Do you have any additional context?
Additional context has been sent in an email to the security team of opensearch.