From dc343cdc374213995c537a48a8b774b0edce2656 Mon Sep 17 00:00:00 2001 
From: dpsutton <dan@dpsutton.com>
Date: Mon, 6 Jun 2022 11:13:42 -0500
Subject: [PATCH] Bump google oauth version (#23165)

CVE info:

Package: com.google.oauth-client:google-oauth-client
Installed Version: 1.31.5
Vulnerability CVE-2021-22573
Severity: HIGH
Fixed Version: 1.33.3

```
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
. com.google.oauth-client/google-oauth-client 1.31.5
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
. com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1
. com.google.api-client/google-api-client 1.32.1
. com.google.oauth-client/google-oauth-client 1.31.5
```

I looked into bumping com.google.apis/google-api-services-analytics-v3-rev20190807-1.32.1 but as far as I can tell from https://search.maven.org/artifact/com.google.apis/google-api-services-analytics this is the most recent version so we have to just target the transitive dep.

For bigquery, it seems we are pretty far behind. 1.135.4 was released in July 2021, the current version is 2.13.1 released in June. https://mvnrepository.com/artifact/com.google.cloud/google-cloud-bigquery I'm hesitant to bump this for a CVE but we need to prioritize this upgrade.

After this PR:

```
clj -Stree -A:drivers
. metabase/bigquery-cloud-sdk /Users/dan/projects/work/metabase/modules/drivers/bigquery-cloud-sdk
. com.google.cloud/google-cloud-bigquery 1.135.4
. [truncated]
X com.google.oauth-client/google-oauth-client 1.31.5 :older-version
. com.google.oauth-client/google-oauth-client 1.33.3
. metabase/googleanalytics /Users/dan/projects/work/metabase/modules/drivers/googleanalytics
. com.google.apis/google-api-services-analytics v3-rev20190807-1.32.1 . 
com.google.api-client/google-api-client 1.32.1 X com.google.oauth-client/google-oauth-client 1.31.5 :older-version ``` With the `X` meaning not included and 1.33.3 being top level included so using that version. --- modules/drivers/bigquery-cloud-sdk/deps.edn | 5 +++-- modules/drivers/googleanalytics/deps.edn | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/drivers/bigquery-cloud-sdk/deps.edn b/modules/drivers/bigquery-cloud-sdk/deps.edn index 0ae0250c63f..46d7c7f90d8 100644 --- a/modules/drivers/bigquery-cloud-sdk/deps.edn +++ b/modules/drivers/bigquery-cloud-sdk/deps.edn @@ -3,6 +3,7 @@ :deps ;; TODO: figure out how to be able to leave off this version string and use the version from the BOM - {com.google.cloud/google-cloud-bigquery {:mvn/version "1.135.4"} + {com.google.cloud/google-cloud-bigquery {:mvn/version "1.135.4"} ;; CVE on 2.8.7 from bigquery (NB: also in googleanalytics) - com.google.code.gson/gson {:mvn/version "2.8.9"}}} + com.google.code.gson/gson {:mvn/version "2.8.9"} + com.google.oauth-client/google-oauth-client {:mvn/version "1.33.3"}}} diff --git a/modules/drivers/googleanalytics/deps.edn b/modules/drivers/googleanalytics/deps.edn index efb1309cb0f..c4a79b8976f 100644 --- a/modules/drivers/googleanalytics/deps.edn +++ b/modules/drivers/googleanalytics/deps.edn @@ -4,6 +4,7 @@ {com.google.apis/google-api-services-analytics {:mvn/version "v3-rev20190807-1.32.1"} ;; CVE on 2.8.7 from google api services (NB: also in bigquery-cloud-sdk) com.google.code.gson/gson {:mvn/version "2.8.9"} + com.google.oauth-client/google-oauth-client {:mvn/version "1.33.3"} ;; for some reason, Google stopped depending on google-http-client-jackson2 from google-api-client somewhere between ;; 1.30.7 and 1.32.1, so we must explicitly bring it in because the google driver uses it directly com.google.http-client/google-http-client-jackson2 {:mvn/version "1.39.2-sp.1"}}} -- GitLab
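Review bot: in the bigquery-cloud-sdk/deps.edn hunk, the new pin `com.google.oauth-client/google-oauth-client {:mvn/version "1.33.3"}` has no comment recording why it exists, unlike the neighbouring `;; CVE on 2.8.7 from bigquery` note on the gson pin; add a `;; CVE-2021-22573, transitive via google-cloud-bigquery 1.135.4` comment so the override can be dropped once the BigQuery client is upgraded to a release that already pulls a fixed oauth-client. The `-`/`+` pair for the `google-cloud-bigquery {:mvn/version "1.135.4"}` line shows identical text, so that part of the hunk looks like a whitespace-only change; confirm it is intentional rather than stray trailing whitespace. Since 1.33.3 is newer than the oauth-client that google-cloud-bigquery 1.135.4 declares, the bigquery driver tests should be run against the overridden version to confirm the two remain compatible.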
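Review bot: in the googleanalytics/deps.edn hunk, the added `com.google.oauth-client/google-oauth-client {:mvn/version "1.33.3"}` line lands directly above the `;; for some reason, Google stopped depending on google-http-client-jackson2 ...` comment, so a reader scanning the file may attach that explanation to the oauth-client pin instead of the jackson2 line it describes; give the pin its own `;; CVE-2021-22573, transitive via google-api-client 1.32.1` comment and keep the jackson2 comment adjacent to the jackson2 dependency. The commit message notes that google-api-services-analytics has no newer release, so this override will stay in place for a while and the comment is what will tell a future maintainer whether it is still needed.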