feat : upgrade to spring boot 3.4.0 and delombok #1556

Merged
merged 2 commits into from
Dec 5, 2024
18 changes: 5 additions & 13 deletions boot-mongodb-elasticsearch/pom.xml
@@ -5,7 +5,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.6</version>
<version>3.4.0</version>
Contributor

@coderabbitai coderabbitai bot Dec 5, 2024

⚠️ Potential issue

Caution: Using Spring Boot milestone version in production.

Spring Boot 3.4.0 appears to be a milestone version (based on the Spring Milestones repository). Milestone versions may contain breaking changes and are not recommended for production use.

Consider:

  1. Waiting for the GA release
  2. Or staying on the latest stable version (3.3.x)

Owner Author

@coderabbitai, Spring Boot 3.4.0 was released on 21st November 2024, so it's a valid version

Contributor

@rajadilipkolli, thank you for the clarification. Since Spring Boot 3.4.0 was released on 21st November 2024 and is a valid version, your upgrade is appropriate.


✏️ Learnings added
Learnt from: rajadilipkolli
PR: rajadilipkolli/my-spring-boot-experiments#1556
File: boot-mongodb-elasticsearch/pom.xml:8-8
Timestamp: 2024-12-05T12:32:53.805Z
Learning: Spring Boot 3.4.0 was released on 21st November 2024 and is considered a stable release suitable for production use.


<relativePath /> <!-- lookup parent from repository -->
</parent>
<groupId>com.example.mongoes</groupId>
@@ -19,7 +19,7 @@
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>

<java.version>21</java.version>
<springdoc-openapi.version>2.6.0</springdoc-openapi.version>
<springdoc-openapi.version>2.7.0</springdoc-openapi.version>

<project.testresult.directory>${project.build.directory}/test-results</project.testresult.directory>
<spotless.version>2.43.0</spotless.version>
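Review bot: the springdoc bump on `<springdoc-openapi.version>2.7.0</springdoc-openapi.version>` is the right companion to the Boot 3.4.0 parent, since springdoc-openapi 2.7.x is the line built against Spring Boot 3.4; keep these two properties moving together in future upgrades rather than bumping the parent alone.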
@@ -53,11 +53,7 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-mongodb-reactive</artifactId>
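Review bot: dropping the `provided`-scoped `jaxb-runtime` is only proven safe at compile time by a green build; a library on the classpath can still look up `jakarta.xml.bind` reflectively and fail at runtime rather than at compile. Run the module's startup/integration tests after this removal and watch for a `ClassNotFoundException` on a JAXB class before merging.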
@@ -78,11 +74,7 @@
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>


<dependency>
<groupId>org.springdoc</groupId>
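Review bot: removing the `lombok` dependency is the right safety net for a delombok, because any `import lombok.*` left behind in this module now fails to compile instead of silently surviving. Two nits: the deletion leaves a double blank line before the springdoc dependency, and if `maven-compiler-plugin` lists lombok under `annotationProcessorPaths` elsewhere in this pom, that entry should be removed in the same change.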
@@ -229,7 +221,7 @@
<configuration>
<java>
<googleJavaFormat>
<version>1.23.0</version>
<version>1.25.0</version>
<style>AOSP</style>
</googleJavaFormat>
</java>
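Review bot: the `googleJavaFormat` bump from 1.23.0 to 1.25.0 can change formatting decisions on files this PR does not touch; make sure `spotless:apply` was run with the new version in this change so a `spotless:check` step in CI does not fail on untouched files.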
@@ -1,19 +1,64 @@
package com.example.mongoes.config;

import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;

@Data
@ConfigurationProperties("application")
public class ApplicationProperties {
private Cors cors = new Cors();

@Data
public Cors getCors() {
return cors;
}

public void setCors(Cors cors) {
this.cors = cors;
}

public static class Cors {
private String pathPattern = "/api/**";
private String allowedMethods = "*";
private String allowedHeaders = "*";
private String allowedOriginPatterns = "*";
private boolean allowCredentials = true;

public String getPathPattern() {
return pathPattern;
}

public void setPathPattern(String pathPattern) {
this.pathPattern = pathPattern;
}

public String getAllowedMethods() {
return allowedMethods;
}

public void setAllowedMethods(String allowedMethods) {
this.allowedMethods = allowedMethods;
}

public String getAllowedHeaders() {
return allowedHeaders;
}

public void setAllowedHeaders(String allowedHeaders) {
this.allowedHeaders = allowedHeaders;
}

public String getAllowedOriginPatterns() {
return allowedOriginPatterns;
}

public void setAllowedOriginPatterns(String allowedOriginPatterns) {
this.allowedOriginPatterns = allowedOriginPatterns;
}

public boolean isAllowCredentials() {
return allowCredentials;
}

public void setAllowCredentials(boolean allowCredentials) {
this.allowCredentials = allowCredentials;
}
Comment on lines +24 to +62

Contributor

💡 Codebase verification

Security Risk: Permissive CORS Configuration Pattern

The verification reveals a concerning pattern across multiple modules in this repository. The same permissive CORS configuration is duplicated in over 20 different ApplicationProperties.java files, all using identical default values:

private String allowedMethods = "*";
private String allowedHeaders = "*";
private String allowedOriginPatterns = "*";
private boolean allowCredentials = true;

This configuration:

  1. Allows requests from any origin (*)
  2. Accepts all HTTP methods and headers
  3. Permits credentials (cookies, HTTP authentication)

No environment-specific configurations or security documentation was found to override these defaults. This combination creates a significant security risk as it completely bypasses the Same-Origin Policy protection.

Recommendations:

  • Remove the default values or use restrictive defaults
  • Add clear documentation about configuring CORS for production
  • Consider centralizing CORS configuration to avoid duplication
  • Add validation to prevent wildcard (*) usage when allowCredentials is true
🔗 Analysis chain

Review security implications of permissive CORS defaults

While the getter/setter implementations are correct, the default CORS configuration is highly permissive:

  • allowedMethods = "*"
  • allowedHeaders = "*"
  • allowedOriginPatterns = "*"
  • allowCredentials = true

This configuration might be suitable for development but could pose security risks in production.

Let's check if there are any production-specific CORS configurations:

Consider:

  1. Adding documentation about securing these values in production
  2. Using more restrictive defaults
  3. Implementing environment-specific CORS configurations
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for CORS configuration in application properties/yaml files
rg -l "cors" | grep -E "application.*\.(properties|ya?ml)$" | xargs cat

Length of output: 71


Script:

#!/bin/bash
# Let's try a broader search for CORS configuration files and properties
# First, find all application properties/yaml files
echo "=== Application Properties/YAML files ==="
fd -e properties -e yml -e yaml | grep -i "application"

# Then search for CORS-related code configurations
echo -e "\n=== CORS Configuration in Code ==="
rg -l --type java "cors" 

# Finally, let's look for any default values being set
echo -e "\n=== Default CORS Values ==="
rg -i "allowedMethods.*=.*\*|allowedHeaders.*=.*\*|allowedOriginPatterns.*=.*\*|allowCredentials.*=.*true" --type java

Length of output: 29410


Script:

#!/bin/bash
# Let's check if there are any environment-specific CORS configurations or documentation
echo "=== Checking for CORS configuration documentation ==="
rg -i "cors" README.md

# Look for WebSecurityConfigurerAdapter or SecurityFilterChain configurations
echo -e "\n=== Security configurations ==="
rg -l "WebSecurityConfigurerAdapter|SecurityFilterChain" --type java

# Check for any production profiles or configurations
echo -e "\n=== Production configurations ==="
fd -e properties -e yml -e yaml | grep -i "prod" | xargs cat 2>/dev/null

Length of output: 433

}
}
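Review bot: the hand-written getters and setters match what `@Data` generated, but the defaults on `private String allowedOriginPatterns = "*";` and `private boolean allowCredentials = true;` deserve a fail-fast guard now that the class is explicit code. Spring's `CorsConfiguration` rejects `allowedOrigins` containing `"*"` when credentials are allowed, but an `allowedOriginPatterns` of `"*"` is accepted and makes the server echo the request's `Origin` in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, so any site can make credentialed cross-origin calls. Suggest either a restrictive default (`allowCredentials = false`) or a check in `setAllowCredentials`/`setAllowedOriginPatterns` that throws when the pattern is `"*"` and credentials are enabled, plus a comment naming the override key (`application.cors.allowed-origin-patterns`) so deployments know what to set.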
@@ -25,7 +25,7 @@
@ComponentScan.Filter(
type = FilterType.ASSIGNABLE_TYPE,
value = ReactiveElasticsearchRepository.class))
public class DataStoreConfiguration {
class DataStoreConfiguration {

@Bean
ReactiveMongoTransactionManager transactionManager(ReactiveMongoDatabaseFactory factory) {
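Review bot: narrowing `DataStoreConfiguration` to package-private is fine for a component-scanned `@Configuration` and trims the public surface; just confirm no test in another package references it by type (for example in `@Import` or `@ContextConfiguration`), since that would now fail to compile.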
@@ -3,22 +3,25 @@
import com.example.mongoes.utils.AppConstants;
import com.example.mongoes.web.service.RestaurantService;
import java.io.IOException;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.context.event.ApplicationStartedEvent;
import org.springframework.context.annotation.Profile;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;

@Component
@RequiredArgsConstructor
@Slf4j
@Profile(AppConstants.PROFILE_NOT_TEST)
public class Initializer implements CommandLineRunner {

private static final Logger log = LoggerFactory.getLogger(Initializer.class);
private final RestaurantService restaurantService;

public Initializer(RestaurantService restaurantService) {
this.restaurantService = restaurantService;
}

@Override
public void run(String... args) throws IOException {
log.info("Running Initializer.....");
@@ -7,9 +7,9 @@
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
@Configuration(proxyBeanMethods = false)
@OpenAPIDefinition(info = @Info(title = "spring-boot-mongodb-elasticsearch", version = "v1"))
public class SwaggerConfig {
class SwaggerConfig {

@Bean
OpenAPI openAPI() {
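Review bot: `@Configuration(proxyBeanMethods = false)` is correct only as long as no `@Bean` method in `SwaggerConfig` calls another `@Bean` method of the same class expecting the singleton; with the single `openAPI()` bean that holds, and the change avoids a CGLIB subclass at startup. Making the class package-private is fine for the same reason as any scanned configuration, provided nothing outside the package imports it by type.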
@@ -1,16 +1,21 @@
package com.example.mongoes.config;

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.data.web.config.SpringDataJacksonConfiguration;
import org.springframework.web.reactive.config.CorsRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;

@Configuration
@RequiredArgsConstructor
@Configuration(proxyBeanMethods = false)
@Import(SpringDataJacksonConfiguration.class)
public class WebFluxConfig implements WebFluxConfigurer {

private final ApplicationProperties properties;

public WebFluxConfig(ApplicationProperties properties) {
this.properties = properties;
}

@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping(properties.getCors().getPathPattern())
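Review bot: the constructor is a faithful replacement for `@RequiredArgsConstructor`, and `proxyBeanMethods = false` is safe since `WebFluxConfig` declares no `@Bean` methods in the visible lines. `addCorsMappings` is where `properties.getCors()` takes effect, so it is also the natural place to reject an `allowedOriginPatterns` of `"*"` combined with `allowCredentials` before calling `registry.addMapping(...)`; failing at startup there keeps the application from running with a configuration that echoes any `Origin` with credentials.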
@@ -1,18 +1,12 @@
package com.example.mongoes.document;

import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.util.StringJoiner;
import org.springframework.data.elasticsearch.annotations.GeoPointField;
import org.springframework.data.geo.Point;
import org.springframework.data.mongodb.core.index.GeoSpatialIndexType;
import org.springframework.data.mongodb.core.index.GeoSpatialIndexed;
import org.springframework.data.mongodb.core.mapping.Field;

@Data
@AllArgsConstructor
@NoArgsConstructor
public class Address {

private String building;
@@ -29,7 +23,6 @@ public class Address {
* </code>
* </pre>
*/
@JsonDeserialize(as = Point.class)
@GeoSpatialIndexed(type = GeoSpatialIndexType.GEO_2DSPHERE)
@GeoPointField
@org.springframework.data.elasticsearch.annotations.Field("coord")
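Review bot: removing `@JsonDeserialize(as = Point.class)` from `location` is not a pure cleanup: the `as` hint was redundant because `Point` is already the declared type, but `org.springframework.data.geo.Point` has no no-arg constructor, so Jackson can bind it only through Spring Data's `GeoModule`, which the `@Import(SpringDataJacksonConfiguration.class)` in `WebFluxConfig` registers. A test that posts a document with an `address.location` object and reads it back would confirm the round trip still works after this change.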
@@ -39,4 +32,46 @@ public class Address {
private String street;

private Integer zipcode;

public String getBuilding() {
return building;
}

public void setBuilding(String building) {
this.building = building;
}

public Point getLocation() {
return location;
}

public void setLocation(Point location) {
this.location = location;
}

public String getStreet() {
return street;
}

public void setStreet(String street) {
this.street = street;
}

public Integer getZipcode() {
return zipcode;
}

public void setZipcode(Integer zipcode) {
this.zipcode = zipcode;
}

@Override
public String toString() {
return new StringJoiner(", ", Address.class.getSimpleName() + "[", "]")
.add("building='" + building + "'")
.add("location=" + location)
.add("street='" + street + "'")
.add("zipcode=" + zipcode)
.toString();
}
}
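Review bot: the manual version drops two things the removed `@Data` and `@AllArgsConstructor` used to generate, `equals()`/`hashCode()` and the all-args constructor. Without `equals`/`hashCode`, `Address` now compares by identity, so any assertion or collection logic that relied on value equality of the document silently changes meaning; if value semantics were intended, add `equals`/`hashCode` over `building`, `location`, `street` and `zipcode` next to the `toString` above. The missing all-args constructor is safe only because the build compiles without it; note that `Grades` in this same PR kept its explicit all-args constructor, so the two documents are now inconsistent.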
@@ -1,17 +1,29 @@
package com.example.mongoes.document;

import lombok.Getter;
import lombok.Setter;
import org.bson.BsonTimestamp;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;

@Document
@Getter
@Setter
public class ChangeStreamResume {

@Id private String id;

private BsonTimestamp resumeTimestamp;

public String getId() {
return id;
}

public void setId(String id) {
this.id = id;
}

public BsonTimestamp getResumeTimestamp() {
return resumeTimestamp;
}

public void setResumeTimestamp(BsonTimestamp resumeTimestamp) {
this.resumeTimestamp = resumeTimestamp;
}
}
@@ -3,15 +3,10 @@
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateTimeDeserializer;
import java.time.LocalDateTime;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.util.StringJoiner;
import org.springframework.data.elasticsearch.annotations.Field;
import org.springframework.data.elasticsearch.annotations.FieldType;

@Data
@AllArgsConstructor
@NoArgsConstructor
public class Grades {
private String grade;

@@ -23,4 +18,45 @@ public class Grades {
private LocalDateTime date;

private Integer score;

public Grades() {}

public Grades(String grade, LocalDateTime date, Integer score) {
this.grade = grade;
this.date = date;
this.score = score;
}

public LocalDateTime getDate() {
return date;
}

public void setDate(LocalDateTime date) {
this.date = date;
}

public String getGrade() {
return grade;
}

public void setGrade(String grade) {
this.grade = grade;
}

public Integer getScore() {
return score;
}

public void setScore(Integer score) {
this.score = score;
}

@Override
public String toString() {
return new StringJoiner(", ", Grades.class.getSimpleName() + "[", "]")
.add("date=" + date)
.add("grade='" + grade + "'")
.add("score=" + score)
.toString();
}
}
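Review bot: as with the `Address` hunk above, `@Data` generated `equals()`/`hashCode()` and the hand-written class has neither, so `Grades` instances now compare by identity; add them over `grade`, `date` and `score` if callers depend on value equality. The explicit `Grades(String grade, LocalDateTime date, Integer score)` constructor does preserve the field declaration order `@AllArgsConstructor` would have used, so existing callers are unaffected.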