feat : upgrade to spring boot 3.4.0 and delombok #1556
@@ -1,19 +1,64 @@ | ||
package com.example.mongoes.config; | ||
|
||
import lombok.Data; | ||
import org.springframework.boot.context.properties.ConfigurationProperties; | ||
|
||
@Data | ||
@ConfigurationProperties("application") | ||
public class ApplicationProperties { | ||
private Cors cors = new Cors(); | ||
|
||
@Data | ||
public Cors getCors() { | ||
return cors; | ||
} | ||
|
||
public void setCors(Cors cors) { | ||
this.cors = cors; | ||
} | ||
|
||
public static class Cors { | ||
private String pathPattern = "/api/**"; | ||
private String allowedMethods = "*"; | ||
private String allowedHeaders = "*"; | ||
private String allowedOriginPatterns = "*"; | ||
private boolean allowCredentials = true; | ||
|
||
public String getPathPattern() { | ||
return pathPattern; | ||
} | ||
|
||
public void setPathPattern(String pathPattern) { | ||
this.pathPattern = pathPattern; | ||
} | ||
|
||
public String getAllowedMethods() { | ||
return allowedMethods; | ||
} | ||
|
||
public void setAllowedMethods(String allowedMethods) { | ||
this.allowedMethods = allowedMethods; | ||
} | ||
|
||
public String getAllowedHeaders() { | ||
return allowedHeaders; | ||
} | ||
|
||
public void setAllowedHeaders(String allowedHeaders) { | ||
this.allowedHeaders = allowedHeaders; | ||
} | ||
|
||
public String getAllowedOriginPatterns() { | ||
return allowedOriginPatterns; | ||
} | ||
|
||
public void setAllowedOriginPatterns(String allowedOriginPatterns) { | ||
this.allowedOriginPatterns = allowedOriginPatterns; | ||
} | ||
|
||
public boolean isAllowCredentials() { | ||
return allowCredentials; | ||
} | ||
|
||
public void setAllowCredentials(boolean allowCredentials) { | ||
this.allowCredentials = allowCredentials; | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 💡 Codebase verification Security Risk: Permissive CORS Configuration Pattern The verification reveals a concerning pattern across multiple modules in this repository. The same permissive CORS configuration is duplicated in over 20 different private String allowedMethods = "*";
private String allowedHeaders = "*";
private String allowedOriginPatterns = "*";
private boolean allowCredentials = true; This configuration:
No environment-specific configurations or security documentation was found to override these defaults. This combination creates a significant security risk as it completely bypasses the Same-Origin Policy protection. Recommendations:
🔗 Analysis chainReview security implications of permissive CORS defaults While the getter/setter implementations are correct, the default CORS configuration is highly permissive:
This configuration might be suitable for development but could pose security risks in production. Let's check if there are any production-specific CORS configurations: Consider:
🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Search for CORS configuration in application properties/yaml files
rg -l "cors" | grep -E "application.*\.(properties|ya?ml)$" | xargs cat
Length of output: 71 Script: #!/bin/bash
# Let's try a broader search for CORS configuration files and properties
# First, find all application properties/yaml files
echo "=== Application Properties/YAML files ==="
fd -e properties -e yml -e yaml | grep -i "application"
# Then search for CORS-related code configurations
echo -e "\n=== CORS Configuration in Code ==="
rg -l --type java "cors"
# Finally, let's look for any default values being set
echo -e "\n=== Default CORS Values ==="
rg -i "allowedMethods.*=.*\*|allowedHeaders.*=.*\*|allowedOriginPatterns.*=.*\*|allowCredentials.*=.*true" --type java
Length of output: 29410 Script: #!/bin/bash
# Let's check if there are any environment-specific CORS configurations or documentation
echo "=== Checking for CORS configuration documentation ==="
rg -i "cors" README.md
# Look for WebSecurityConfigurerAdapter or SecurityFilterChain configurations
echo -e "\n=== Security configurations ==="
rg -l "WebSecurityConfigurerAdapter|SecurityFilterChain" --type java
# Check for any production profiles or configurations
echo -e "\n=== Production configurations ==="
fd -e properties -e yml -e yaml | grep -i "prod" | xargs cat 2>/dev/null
Length of output: 433 |
||
} | ||
} |
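Review bot: The `Cors` setters in the second half of the hunk make every CORS knob mutable with no validation and no Javadoc saying which property keys bind to them; document the binding on the class, e.g. `/** Bound from the {@code application} prefix; {@code Cors} fields bind to {@code application.cors.path-pattern}, {@code allowed-methods}, {@code allowed-headers}, {@code allowed-origin-patterns} and {@code allow-credentials}. */`, so operators can find where to override the defaults per environment. `setCors(null)` is also accepted and would only surface later as an NPE wherever `getCors()` is dereferenced; `this.cors = Objects.requireNonNull(cors, "cors");` rejects it at bind time (needs `import java.util.Objects;`). Since Spring Boot 3.4 requires Java 17, a constructor-bound record with `@DefaultValue` on the nested components would express the same contract immutably with no setters at all, though it renames the accessors for existing callers.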
@@ -1,17 +1,29 @@ | ||
package com.example.mongoes.document; | ||
|
||
import lombok.Getter; | ||
import lombok.Setter; | ||
import org.bson.BsonTimestamp; | ||
import org.springframework.data.annotation.Id; | ||
import org.springframework.data.mongodb.core.mapping.Document; | ||
|
||
@Document | ||
@Getter | ||
@Setter | ||
public class ChangeStreamResume { | ||
|
||
@Id private String id; | ||
|
||
private BsonTimestamp resumeTimestamp; | ||
|
||
public String getId() { | ||
return id; | ||
} | ||
|
||
public void setId(String id) { | ||
this.id = id; | ||
} | ||
|
||
public BsonTimestamp getResumeTimestamp() { | ||
return resumeTimestamp; | ||
} | ||
|
||
public void setResumeTimestamp(BsonTimestamp resumeTimestamp) { | ||
this.resumeTimestamp = resumeTimestamp; | ||
} | ||
} |
Caution: Using Spring Boot milestone version in production.
Spring Boot 3.4.0 appears to be a milestone version (based on the Spring Milestones repository). Milestone versions may contain breaking changes and are not recommended for production use.
Consider:
@coderabbitai, Spring Boot 3.4.0 was released on 21st November 2024, so it's a valid version
@rajadilipkolli, thank you for the clarification. Since Spring Boot 3.4.0 was released on 21st November 2024 and is a valid version, your upgrade is appropriate.