RIPE NCC has merged e8b6689

* Shorten metric name to be below 63 char limit [b92b1c88] * Inline method [a921ed88] * Use StringEscapeUtils instead of regexp [bef61285] * Prevent potentially problematic user input garbling our logs. [03695226] * BackgroundServices should always initialise eagerly [408c8739] * Prettify more [3dcd4325] * Optimise [1f7f5a83] * Revert toString [9529393e] * Add content hashes to the log messages. [0a7d2727] * bootstrap-icons: 1.10.3 -> 1.10.5 [3c691f9d] * Remove unused webjars dependencies [948e975f]
RIPE-NCC · Aug 22, 2023 · 60b127d · 60b127d
1 parent 8846100
commit 60b127d
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 18 deletions.
diff --git a/build.gradle b/build.gradle
@@ -40,10 +40,6 @@ dependencies {
     }
     implementation 'org.flywaydb:flyway-core'
 
-    implementation "org.webjars:jquery:3.6.4"
-    implementation "org.webjars:bootstrap:4.6.2"
-    implementation "org.webjars:webjars-locator-core"
-
     implementation "org.thymeleaf:thymeleaf:3.1.1.RELEASE"
     implementation "org.thymeleaf:thymeleaf-spring5:3.1.1.RELEASE"
 
@@ -67,6 +63,7 @@ dependencies {
     implementation 'ch.qos.logback.contrib:logback-jackson:0.1.5'
     implementation 'net.logstash.logback:logstash-logback-encoder:7.3'
     implementation 'commons-lang:commons-lang:2.6'
+    implementation 'org.apache.commons:commons-text:1.10.0'
 
     testImplementation('org.springframework.boot:spring-boot-starter-test') {
         exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'

diff --git a/src/main/java/net/ripe/rpki/publication/api/PublicationMessage.java b/src/main/java/net/ripe/rpki/publication/api/PublicationMessage.java
@@ -9,6 +9,8 @@
 import java.util.Optional;
 import java.util.function.Predicate;
 
+import static net.ripe.rpki.services.impl.handlers.PublicationSupport.objectHash;
+
 public interface PublicationMessage {
 
     class PublishRequest extends EqualsSupport implements PublicationMessage {
@@ -37,13 +39,12 @@ public String getBase64Content() {
 
         @Override
         public String toString() {
-            return String.format("PublishRequest [uri=%s, hash=%s]",
-                    uri, hashToReplace.orElse("<Absent>"));
+            return String.format("PublishRequest [uri=%s, hash=%s]", uri, hashToReplace.orElse("<Absent>"));
         }
 
-        public String toStringFull() {
-            return String.format("PublishRequest [uri=%s, content=%s, hash=%s]",
-                    uri, getBase64Content(), hashToReplace.orElse("<Absent>"));
+        public String toLogMessage() {
+            return String.format("PublishRequest [uri=%s, hash=%s, content-hash=%s]",
+                uri, hashToReplace.orElse("<Absent>"), objectHash(content));
         }
     }
 

diff --git a/src/main/java/net/ripe/rpki/publication/server/ExternalPublishingServer.java b/src/main/java/net/ripe/rpki/publication/server/ExternalPublishingServer.java
@@ -147,8 +147,12 @@ public List<? extends PublicationMessage> execute(List<? extends PublicationMess
             log.warn("Publishing server client is not properly initialized.");
             return Collections.emptyList();
         }
-        final StringBuilder logMessage = new StringBuilder("Sending to publishing server [");
-        logMessage.append(publishingServerUrl).append("] using clientId=").append(clientId).append(":\n");
+        final StringBuilder logMessage = new StringBuilder();
+        if (log.isInfoEnabled()) {
+            logMessage.append("Sending to publishing server [")
+                .append(publishingServerUrl)
+                .append("] using clientId=").append(clientId).append(":\n");
+        }
 
         try {
             final XMLBuilder xml = XMLBuilder
@@ -161,16 +165,22 @@ public List<? extends PublicationMessage> execute(List<? extends PublicationMess
                     final XMLBuilder elem = xml.e(OP_TAG_NAME_PUBLISH).a("uri", publish.getUri().toString());
                     publish.hashToReplace.ifPresent(s -> elem.a("hash", s));
                     elem.t(publish.getBase64Content());
-                    logMessage.append('\t').append(publish).append('\n');
+                    if (log.isInfoEnabled()) {
+                        logMessage.append('\t').append(publish.toLogMessage()).append('\n');
+                    }
                     oneMorePublish(publish.getUri());
                 } else if (publicationMessage instanceof WithdrawRequest) {
                     final WithdrawRequest withdraw = (WithdrawRequest) publicationMessage;
                     xml.e(OP_TAG_NAME_WITHDRAW).a("uri", withdraw.getUri().toString()).a("hash", withdraw.hash);
-                    logMessage.append('\t').append(withdraw).append('\n');
+                    if (log.isInfoEnabled()) {
+                        logMessage.append('\t').append(withdraw).append('\n');
+                    }
                     oneMoreWithdraw(withdraw.getUri());
                 } else if (publicationMessage instanceof ListRequest) {
                     xml.e(OP_TAG_NAME_LIST);
-                    logMessage.append('\t').append(publicationMessage).append('\n');
+                    if (log.isInfoEnabled()) {
+                        logMessage.append('\t').append(publicationMessage).append('\n');
+                    }
                 }
             }
 

diff --git a/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBean.java b/src/main/java/net/ripe/rpki/ripencc/provisioning/ProvisioningAuditLogServiceBean.java
@@ -9,6 +9,7 @@
 import net.ripe.rpki.domain.ProvisioningAuditLogEntity;
 import net.ripe.rpki.server.api.dto.ProvisioningAuditData;
 import org.apache.tomcat.util.codec.binary.Base64;
+import org.apache.commons.text.StringEscapeUtils;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.joda.time.format.DateTimeFormat;
@@ -95,12 +96,12 @@ public static LogEntry make(ProvisioningAuditLogEntity entry, byte[] request) {
                 Base64.encodeBase64String(entry.getProvisioningCmsObject()),
                 entry.getPrincipal(),
                 Objects.toString(entry.getNonHostedCaUUID(), null),
-                entry.getSummary(),
+                // Escape all non-printable characters to avoid problems with user input in our logs
+                StringEscapeUtils.escapeJava(entry.getSummary()),
                 Objects.toString(entry.getEntryUuid(), null),
                 dateFormat.print(utcDate),
                 // since request is a DER binary, encode it as base64 as well
                 Base64.encodeBase64String(request));
         }
     }
-
 }
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/BackgroundServices.java b/src/main/java/net/ripe/rpki/services/impl/background/BackgroundServices.java
@@ -13,6 +13,7 @@
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.core.env.Environment;
 import org.springframework.core.env.Profiles;
 import org.springframework.stereotype.Component;
@@ -33,6 +34,7 @@
 
 @Slf4j
 @Component
+@Lazy(false)
 public class BackgroundServices {
 
     public static final String RIS_WHOIS_UPDATE_SERVICE = "risWhoisUpdateService";

diff --git a/src/main/java/net/ripe/rpki/services/impl/background/PublishedObjectCleanUpServiceBean.java b/src/main/java/net/ripe/rpki/services/impl/background/PublishedObjectCleanUpServiceBean.java
@@ -45,7 +45,7 @@ public PublishedObjectCleanUpServiceBean(BackgroundTaskRunner backgroundTaskRunn
         this.resourceCertificateRepository = resourceCertificateRepository;
         this.transactionTemplate = new TransactionTemplate(transactionManager);
 
-        this.deletedNonHostedPublicKeysCounter = Counter.builder("rpkicore.deleted.non.hosted.public.keys.without.signing.certificate")
+        this.deletedNonHostedPublicKeysCounter = Counter.builder("rpkicore.deleted.non.hosted.public.keys.without.signing.cert")
             .description("The number of deleted non-hosted public keys without signing certificate")
             .register(meterRegistry);
     }

diff --git a/src/main/resources/WEB-INF/templates/fragments/includes.html b/src/main/resources/WEB-INF/templates/fragments/includes.html
@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width"/>
     <base data-th-href="@{/}"/>
     <link rel="preload" data-th-href="@{/styles/main.css}" as="style"/>
-    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected].3/font/bootstrap-icons.css">
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected].5/font/bootstrap-icons.css" integrity="sha384-Ay26V7L8bsJTsX9Sxclnvsn+hkdiwRnrjZJXqKmkIDobPgIIWBOVguEcQQLDuhfN" crossorigin="anonymous">
     <link rel="shortcut icon" href="data:image/x-icon;">
 
     <link rel="stylesheet" type="text/css" data-th-href="@{/styles/main.css}"/>