Merge branch 'hotfix/3.2.4'

Author: LEDfan

README.md

@@ -16,7 +16,7 @@ Open Source Enterprise Deployment for Data Science Apps
 
 Learn more at <https://shinyproxy.io>
 
-**(c) Copyright Open Analytics NV, 2016-2025 - Apache License 2.0**
+**(c) Copyright Open Analytics NV, 2016-2026 - Apache License 2.0**
 
 ## Docs
 

owasp-suppression.xml

@@ -138,4 +138,10 @@
         <!-- Disputed by developers, not relevant for ShinyProxy  -->
         <cve>CVE-2023-35116</cve>
     </suppress>
+
+    <!-- Fixed in kotlin-stdlib 1.4.21, ShinyProxy uses a newer version-->
+    <suppress>
+        <cve>CVE-2020-29582</cve>
+    </suppress>
+
 </suppressions>

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>eu.openanalytics</groupId>
     <artifactId>shinyproxy</artifactId>
-    <version>3.2.3</version>
+    <version>3.2.4</version>
     <packaging>jar</packaging>
     <inceptionYear>2016</inceptionYear>
 
@@ -20,7 +20,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.4.13</version>
+        <version>3.5.14</version>
         <relativePath/>
     </parent>
 
@@ -31,12 +31,12 @@
         <maven.compiler.target>21</maven.compiler.target>
         <resource.delimiter>&amp;</resource.delimiter>
         <!-- Dependency versions -->
-        <containerproxy.version>1.2.3</containerproxy.version>
-        <spring-boot.version>3.4.13</spring-boot.version>
+        <containerproxy.version>1.2.4</containerproxy.version>
+        <spring-boot.version>3.5.14</spring-boot.version>
         <datatables.version>1.13.5</datatables.version>
         <datatables-buttons.version>2.4.1</datatables-buttons.version>
         <datatables-responsive.version>2.2.7</datatables-responsive.version>
-        <handlebars.version>4.7.7</handlebars.version>
+        <handlebars.version>4.7.9</handlebars.version>
         <sqlite-jdbc.version>3.50.3.0</sqlite-jdbc.version>
         <commons-lang.version>3.18.0</commons-lang.version>
         <!-- Plugin versions -->
@@ -116,7 +116,7 @@
             <version>${datatables-responsive.version}</version>
         </dependency>
         <dependency>
-            <groupId>org.webjars</groupId>
+            <groupId>org.webjars.npm</groupId>
             <artifactId>handlebars</artifactId>
             <version>${handlebars.version}</version>
         </dependency>
@@ -158,24 +158,14 @@
 
         <!-- Transitive dependencies updated for security -->
         <dependency>
-            <groupId>io.undertow</groupId>
-            <artifactId>undertow-core</artifactId>
-            <version>2.3.21.Final</version>
-        </dependency>
-        <dependency>
-            <groupId>io.undertow</groupId>
-            <artifactId>undertow-servlet</artifactId>
-            <version>2.3.21.Final</version>
-        </dependency>
-        <dependency>
-            <groupId>io.undertow</groupId>
-            <artifactId>undertow-websockets-jsr</artifactId>
-            <version>2.3.21.Final</version>
+            <groupId>org.webjars</groupId>
+            <artifactId>swagger-ui</artifactId>
+            <version>5.32.5</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-api</artifactId>
-            <version>2.25.3</version>
+            <version>2.25.4</version>
         </dependency>
     </dependencies>
 

src/main/java/eu/openanalytics/shinyproxy/controllers/AppController.java

@@ -36,6 +36,7 @@
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.PortMappingsKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.PublicPathKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValue;
+import eu.openanalytics.containerproxy.model.spec.ParameterDefinition;
 import eu.openanalytics.containerproxy.model.spec.ProxySpec;
 import eu.openanalytics.containerproxy.service.AsyncProxyService;
 import eu.openanalytics.containerproxy.service.InvalidParametersException;
@@ -80,6 +81,7 @@
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import java.io.IOException;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -169,6 +171,11 @@ private ModelAndView app(ModelMap map, HttpServletRequest request, String appNam
             map.put("parameterValues", allowedParametersForUser.getValues());
             map.put("parameterDefaults", allowedParametersForUser.getDefaultValue());
             map.put("parameterDefinitions", spec.getParameters().getDefinitions());
+            Map<ParameterDefinition, String> cleanedAppParameterDescriptions = new HashMap<>();
+            for (ParameterDefinition parameterDefinition : spec.getParameters().getDefinitions()) {
+                cleanedAppParameterDescriptions.put(parameterDefinition, thymeleaf.cleanHtml(parameterDefinition.getDescription()));
+            }
+            map.put("cleanedAppParameterDescriptions", cleanedAppParameterDescriptions);
             map.put("parameterIds", spec.getParameters().getIds());
 
             if (spec.getParameters().getTemplate() != null) {

src/main/java/eu/openanalytics/shinyproxy/controllers/BaseController.java

@@ -114,7 +114,7 @@ public abstract class BaseController {
     @Inject
     private IContainerBackend backend;
     @Inject
-    private Thymeleaf thymeleaf;
+    protected Thymeleaf thymeleaf;
     @Inject
     protected SpecExpressionResolver expressionResolver;
 
@@ -170,7 +170,7 @@ protected void prepareMap(ModelMap map, HttpServletRequest request, ProxySpec pr
         map.put("bootstrapCss", "/css/bootstrap.css");
         map.put("bootstrapJs", "/js/bootstrap.js");
         map.put("jqueryJs", "/webjars/jquery/3.7.1/jquery.min.js");
-        map.put("handlebars", "/webjars/handlebars/4.7.7/handlebars.runtime.min.js");
+        map.put("handlebars", "/webjars/handlebars/4.7.9/dist/handlebars.runtime.min.js");
 
         boolean isLoggedIn = authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated();
         map.put("isLoggedIn", isLoggedIn);
@@ -185,7 +185,7 @@ protected void prepareMap(ModelMap map, HttpServletRequest request, ProxySpec pr
         map.put("pauseSupported", backend.supportsPause());
         map.put("spInstance", identifierService.instanceId);
         map.put("allowTransferApp", allowTransferApp);
-        map.put("notificationMessage", environment.getProperty("proxy.notification-message"));
+        map.put("notificationMessage", thymeleaf.cleanHtml(environment.getProperty("proxy.notification-message")));
         map.put("bodyClasses", bodyClasses);
 
         List<ProxySpec> apps = proxyService.getUserSpecs();

src/main/java/eu/openanalytics/shinyproxy/controllers/IndexController.java

@@ -31,7 +31,9 @@
 
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 @Controller
 public class IndexController extends BaseController {
@@ -95,6 +97,18 @@ private Object index(ModelMap map, HttpServletRequest request) {
 
         prepareMap(map, request);
 
+        Map<ProxySpec, Boolean> openSwitchInstanceInsteadOfApp = new HashMap<>();
+        Map<ProxySpec, String> appUrl = new HashMap<>();
+        Map<ProxySpec, String> cleanDescription = new HashMap<>();
+        for (ProxySpec app : apps) {
+            openSwitchInstanceInsteadOfApp.put(app, thymeleaf.openSwitchInstanceInsteadOfApp(app));
+            appUrl.put(app, thymeleaf.getAppUrl(app));
+            cleanDescription.put(app, thymeleaf.cleanHtml(app.getDescription()));
+        }
+        map.put("openSwitchInstanceInsteadOfApp", openSwitchInstanceInsteadOfApp);
+        map.put("appUrl", appUrl);
+        map.put("cleanDescription", cleanDescription);
+
         // navbar
         map.put("page", "index");
 

src/main/resources/static/handlebars/generate.sh

@@ -26,7 +26,7 @@ set -u
 set -o pipefail
 
 if [ ! -f "./node_modules/.bin/handlebars" ]; then
-  npm install handlebars@4.7.7 --save false
+  npm install handlebars@4.7.9 --save false
 fi
 
 rm precompiled.js

src/main/resources/static/handlebars/precompiled.js

@@ -154,7 +154,7 @@ <h2>Choose the parameters for this app</h2>
                                             th:text="${value}"></option>
                                 </select>
                                 <span class="help-block" th:if="${parameterDefinition.getDescription() != null}"
-                                      th:utext="${@thymeleaf.cleanHtml(parameterDefinition.getDescription())}"></span>
+                                      th:utext="${cleanedAppParameterDescriptions.get(parameterDefinition)}"></span>
                             </div>
                         </div>
 

src/main/resources/templates/app.html

@@ -51,19 +51,19 @@
             <th:block th:if="${app != null}">
                 <div
                         class="list-group-item"
-                        th:classappend="${@thymeleaf.openSwitchInstanceInsteadOfApp(app) ? 'app-link-switch' : 'app-link-open'}"
+                        th:classappend="${openSwitchInstanceInsteadOfApp.get(app) ? 'app-link-switch' : 'app-link-open'}"
                         th:data-app-id="${app.id}"
-                        th:data-app-url="${@thymeleaf.openSwitchInstanceInsteadOfApp(app) ? '' : @thymeleaf.getAppUrl(app)}"
+                        th:data-app-url="${openSwitchInstanceInsteadOfApp.get(app) ? '#' : appUrl.get(app)}"
                 >
-                    <a th:href="${@thymeleaf.openSwitchInstanceInsteadOfApp(app) ? '#' : @thymeleaf.getAppUrl(app)}"
-                       th:remove="${@thymeleaf.openSwitchInstanceInsteadOfApp(app)} ? tag : none">
+                    <a th:href="${openSwitchInstanceInsteadOfApp.get(app) ? '#' : appUrl.get(app)}"
+                       th:remove="${openSwitchInstanceInsteadOfApp.get(app)} ? tag : none">
                         <span class="app-list-title app-list-title-before" th:text="${app.displayName == null} ? ${app.id} : ${app.displayName}"></span>
                         <th:block th:if="${appLogos.get(app) != null}" th:with="logo=${appLogos.get(app)}">
                             <img th:height="${logo.height}" th:src="${logo.src}" th:style="${logo.style}" th:width="${logo.width}">
                         </th:block>
                         <span class="app-list-title app-list-title-after" th:text="${app.displayName == null} ? ${app.id} : ${app.displayName}"></span>
                     </a>
-                    <span class="app-list-description" th:if="${app.description != null}" th:utext="${@thymeleaf.cleanHtml(app.description)}"></span>
+                    <span class="app-list-description" th:if="${app.description != null}" th:utext="${cleanDescription.get(app)}"></span>
                 </div>
             </th:block>
         </th:block>
@@ -75,7 +75,7 @@
                      th:class="${myAppsMode == 'Inline' ? 'col-xs-12 col-md-4 col-md-offset-3 col-lg-5 col-lg-offset-3' : 'col-lg-6 col-lg-offset-3'}">
                     <div class="alert alert-warning notification-message" role="alert" th:if="${notificationMessage != null}">
                         <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
-                        <p th:utext="${@thymeleaf.cleanHtml(notificationMessage)}"> </p>
+                        <p th:utext="${notificationMessage}"> </p>
                     </div>
                     <div class="alert alert-info" role="alert"
                          th:if="${groupedApps.isEmpty() && ungroupedApps.isEmpty()}">