From f064ec0c77a9fff5dca25ea20f96fa9b80e85c37 Mon Sep 17 00:00:00 2001 From: Alex Leitner Date: Thu, 11 Apr 2024 00:28:32 +0000 Subject: [PATCH] GUACAMOLE-1289: Remove spring dependency and update dependencies with vulnerabilities. --- .../LICENSE.txt | 0 .../{okhttp-4.9.1 => okhttp-4.12.0}/NOTICE | 2 +- .../{okhttp-4.9.1 => okhttp-4.12.0}/README | 2 +- .../okhttp-4.12.0/dep-coordinates.txt | 2 ++ doc/licenses/okhttp-4.9.1/dep-coordinates.txt | 1 - doc/licenses/okio-2.8.0/dep-coordinates.txt | 1 - .../{okio-2.8.0 => okio-3.6.0}/LICENSE.txt | 0 .../{okio-2.8.0 => okio-3.6.0}/NOTICE | 2 +- .../{okio-2.8.0 => okio-3.6.0}/README | 2 +- doc/licenses/okio-3.6.0/dep-coordinates.txt | 2 ++ .../spring-web-5.3.25/dep-coordinates.txt | 4 --- .../LICENSE | 0 .../README | 2 +- .../spring-web-5.3.33/dep-coordinates.txt | 4 +++ extensions/guacamole-auth-duo/pom.xml | 32 +++++++++++++------ .../auth/duo/UserVerificationService.java | 10 ++---- 16 files changed, 38 insertions(+), 28 deletions(-) rename doc/licenses/{okhttp-4.9.1 => okhttp-4.12.0}/LICENSE.txt (100%) rename doc/licenses/{okhttp-4.9.1 => okhttp-4.12.0}/NOTICE (94%) rename doc/licenses/{okhttp-4.9.1 => okhttp-4.12.0}/README (88%) create mode 100644 doc/licenses/okhttp-4.12.0/dep-coordinates.txt delete mode 100644 doc/licenses/okhttp-4.9.1/dep-coordinates.txt delete mode 100644 doc/licenses/okio-2.8.0/dep-coordinates.txt rename doc/licenses/{okio-2.8.0 => okio-3.6.0}/LICENSE.txt (100%) rename doc/licenses/{okio-2.8.0 => okio-3.6.0}/NOTICE (94%) rename doc/licenses/{okio-2.8.0 => okio-3.6.0}/README (90%) create mode 100644 doc/licenses/okio-3.6.0/dep-coordinates.txt delete mode 100644 doc/licenses/spring-web-5.3.25/dep-coordinates.txt rename doc/licenses/{spring-web-5.3.25 => spring-web-5.3.33}/LICENSE (100%) rename doc/licenses/{spring-web-5.3.25 => spring-web-5.3.33}/README (91%) create mode 100644 doc/licenses/spring-web-5.3.33/dep-coordinates.txt 
diff --git a/doc/licenses/okhttp-4.9.1/LICENSE.txt b/doc/licenses/okhttp-4.12.0/LICENSE.txt
similarity index 100%
rename from doc/licenses/okhttp-4.9.1/LICENSE.txt
rename to doc/licenses/okhttp-4.12.0/LICENSE.txt
diff --git a/doc/licenses/okhttp-4.9.1/NOTICE b/doc/licenses/okhttp-4.12.0/NOTICE
similarity index 94%
rename from doc/licenses/okhttp-4.9.1/NOTICE
rename to doc/licenses/okhttp-4.12.0/NOTICE
index 7ab6fba62b..b3e81bd2ff 100644
--- a/doc/licenses/okhttp-4.9.1/NOTICE
+++ b/doc/licenses/okhttp-4.12.0/NOTICE
@@ -1,4 +1,4 @@
-Copyright 2021 Square, Inc.
+Copyright 2023 Square, Inc.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/doc/licenses/okhttp-4.9.1/README b/doc/licenses/okhttp-4.12.0/README
similarity index 88%
rename from doc/licenses/okhttp-4.9.1/README
rename to doc/licenses/okhttp-4.12.0/README
index 4277242602..c322ec2a66 100644
--- a/doc/licenses/okhttp-4.9.1/README
+++ b/doc/licenses/okhttp-4.12.0/README
@@ -1,7 +1,7 @@
 okhttp (https://square.github.io/okhttp/)
 ---------------------------------------------
- Version: 4.9.1
+ Version: 4.12.0
 From: 'Square Inc'
 License(s): Apache 2.0
diff --git a/doc/licenses/okhttp-4.12.0/dep-coordinates.txt b/doc/licenses/okhttp-4.12.0/dep-coordinates.txt
new file mode 100644
index 0000000000..8aeb660e82
--- /dev/null
+++ b/doc/licenses/okhttp-4.12.0/dep-coordinates.txt
@@ -0,0 +1,2 @@
+com.squareup.okhttp3:okhttp:jar:4.12.0
+com.squareup.okhttp3:logging-interceptor:jar:4.12.0
diff --git a/doc/licenses/okhttp-4.9.1/dep-coordinates.txt b/doc/licenses/okhttp-4.9.1/dep-coordinates.txt
deleted file mode 100644
index 0215ca270b..0000000000
--- a/doc/licenses/okhttp-4.9.1/dep-coordinates.txt
+++ /dev/null
@@ -1 +0,0 @@
-com.squareup.okhttp3:okhttp:jar:4.9.1
diff --git a/doc/licenses/okio-2.8.0/dep-coordinates.txt b/doc/licenses/okio-2.8.0/dep-coordinates.txt
deleted file mode 100644
index 88c8776ad2..0000000000
--- a/doc/licenses/okio-2.8.0/dep-coordinates.txt
+++ /dev/null
@@ -1 +0,0 @@
-com.squareup.okio:okio:jar:2.8.0
diff --git a/doc/licenses/okio-2.8.0/LICENSE.txt b/doc/licenses/okio-3.6.0/LICENSE.txt
similarity index 100%
rename from doc/licenses/okio-2.8.0/LICENSE.txt
rename to doc/licenses/okio-3.6.0/LICENSE.txt
diff --git a/doc/licenses/okio-2.8.0/NOTICE b/doc/licenses/okio-3.6.0/NOTICE
similarity index 94%
rename from doc/licenses/okio-2.8.0/NOTICE
rename to doc/licenses/okio-3.6.0/NOTICE
index 9004e5d831..b3e81bd2ff 100644
--- a/doc/licenses/okio-2.8.0/NOTICE
+++ b/doc/licenses/okio-3.6.0/NOTICE
@@ -1,4 +1,4 @@
-Copyright 2020 Square, Inc.
+Copyright 2023 Square, Inc.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/doc/licenses/okio-2.8.0/README b/doc/licenses/okio-3.6.0/README
similarity index 90%
rename from doc/licenses/okio-2.8.0/README
rename to doc/licenses/okio-3.6.0/README
index cf4693dbd7..8dea3d581d 100644
--- a/doc/licenses/okio-2.8.0/README
+++ b/doc/licenses/okio-3.6.0/README
@@ -1,7 +1,7 @@
 okio (https://square.github.io/okio/)
 ---------------------------------------------
- Version: 2.8.0
+ Version: 3.6.0
 From: 'Square Inc'
 License(s): Apache 2.0 (bundled/retrofit-2.9.0/LICENSE.txt)
diff --git a/doc/licenses/okio-3.6.0/dep-coordinates.txt b/doc/licenses/okio-3.6.0/dep-coordinates.txt
new file mode 100644
index 0000000000..b785b2613d
--- /dev/null
+++ b/doc/licenses/okio-3.6.0/dep-coordinates.txt
@@ -0,0 +1,2 @@
+com.squareup.okio:okio:jar:3.6.0
+com.squareup.okio:okio-jvm:jar:3.6.0
diff --git a/doc/licenses/spring-web-5.3.25/dep-coordinates.txt b/doc/licenses/spring-web-5.3.25/dep-coordinates.txt
deleted file mode 100644
index 0670c0fa8d..0000000000
--- a/doc/licenses/spring-web-5.3.25/dep-coordinates.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-org.springframework:spring-web:jar:5.3.25
-org.springframework:spring-beans:jar:5.3.25
-org.springframework:spring-core:jar:5.3.25
-org.springframework:spring-jcl:jar:5.3.25
diff --git a/doc/licenses/spring-web-5.3.25/LICENSE b/doc/licenses/spring-web-5.3.33/LICENSE
similarity index 100%
rename from doc/licenses/spring-web-5.3.25/LICENSE
rename to doc/licenses/spring-web-5.3.33/LICENSE
diff --git a/doc/licenses/spring-web-5.3.25/README b/doc/licenses/spring-web-5.3.33/README
similarity index 91%
rename from doc/licenses/spring-web-5.3.25/README
rename to doc/licenses/spring-web-5.3.33/README
index f719e88ff7..48b1f0358f 100644
--- a/doc/licenses/spring-web-5.3.25/README
+++ b/doc/licenses/spring-web-5.3.33/README
@@ -1,7 +1,7 @@
 Spring Framework (https://spring.io/projects/spring-framework)
 --------------------------------------------------------------
- Version: 5.3.25
+ Version: 5.3.33
 From: 'Spring' (https://spring.io/)
 License(s): Apache v2.0
diff --git a/doc/licenses/spring-web-5.3.33/dep-coordinates.txt b/doc/licenses/spring-web-5.3.33/dep-coordinates.txt
new file mode 100644
index 0000000000..442a22e196
--- /dev/null
+++ b/doc/licenses/spring-web-5.3.33/dep-coordinates.txt
@@ -0,0 +1,4 @@
+org.springframework:spring-web:jar:5.3.33
+org.springframework:spring-beans:jar:5.3.33
+org.springframework:spring-core:jar:5.3.33
+org.springframework:spring-jcl:jar:5.3.33
diff --git a/extensions/guacamole-auth-duo/pom.xml b/extensions/guacamole-auth-duo/pom.xml
index f7f49563c2..43ead7a751 100644
--- a/extensions/guacamole-auth-duo/pom.xml
+++ b/extensions/guacamole-auth-duo/pom.xml
@@ -47,20 +47,32 @@ com.squareup.okhttp3 okhttp - 4.9.1 + 4.12.0 + + + + com.squareup.okhttp3 logging-interceptor + 4.12.0 org.jetbrains.kotlin kotlin-stdlib-common - 1.4.10 + 1.9.23 org.jetbrains.kotlin kotlin-stdlib - 1.4.10 + 1.9.23 + + + + org.jetbrains.kotlin kotlin-stdlib-jdk8 + 1.9.23
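Review bot: In the `@@ -47,20 +47,32 @@` hunk of extensions/guacamole-auth-duo/pom.xml the versions are repeated as literals: `4.12.0` for `okhttp` and the newly declared `logging-interceptor`, and `1.9.23` for `kotlin-stdlib-common`, `kotlin-stdlib` and the new `kotlin-stdlib-jdk8`, so a later security bump can update one artifact and miss its sibling. Defining each once under `<properties>`, e.g. `<okhttp.version>4.12.0</okhttp.version>` and `<kotlin.version>1.9.23</kotlin.version>`, and referencing `${okhttp.version}` / `${kotlin.version}` keeps each family aligned. Nothing in this commit's Java change uses `logging-interceptor` or `kotlin-stdlib-jdk8` directly, so presumably they are version overrides for transitive dependencies; a comment such as `<!-- Version override for a transitive dependency; not referenced directly by this module -->` on each would record that for the next person auditing the dependency list. The XML markup of this hunk is not preserved on the page, so the element layout is inferred.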
@@ -95,6 +107,13 @@ 2.5 provided + + + jakarta.ws.rs jakarta.ws.rs-api 2.1.6 + jar +
@@ -102,13 +121,6 @@ duo-universal-sdk 1.1.3 - - - - org.springframework spring-web 5.3.25 -
diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
index 26ab71221e..f8ed1368b0 100644
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
@@ -27,6 +27,7 @@
 import java.net.URISyntaxException;
 import java.util.Collections;
 import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.UriBuilder;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.auth.duo.conf.ConfigurationService;
@@ -39,7 +40,6 @@
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.web.util.UriComponentsBuilder;
 /**
 * Service for verifying the identity of a user against Duo.
@@ -102,13 +102,9 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
 try {
- String redirectUrl = confService.getRedirectUri().toString();
-
- String builtUrl = UriComponentsBuilder
- .fromUriString(redirectUrl)
+ String builtUrl = UriBuilder.fromUri(confService.getRedirectUri().toString())
 .queryParam(Credentials.RESUME_QUERY, DuoAuthenticationProvider.PROVIDER_IDENTIFER)
- .build()
- .toUriString();
+ .build().toString();
 // Set up the Duo Client
 Client duoClient = new Client.Builder(
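Review bot: The `jakarta.ws.rs:jakarta.ws.rs-api` 2.1.6 dependency added in the `@@ -95,6 +107,13 @@` hunk of pom.xml shows a `jar` type but no scope value, unlike the `provided` entry directly above it, so as far as the stripped markup shows it defaults to compile scope and would presumably be bundled into the extension. If the hosting web application already supplies the JAX-RS API and its implementation, a second copy of the API inside the extension risks classloader conflicts when `UriBuilder` looks up its runtime delegate; consider adding `<scope>provided</scope>`. Separately, the following hunk drops the explicit `spring-web` 5.3.25 entry while doc/licenses/spring-web-5.3.33 still lists four Spring jars, which suggests Spring still arrives transitively. Since this pom no longer controls that version, it is worth confirming against the resolved dependency tree that the artifact actually shipped is the 5.3.33 the license file names.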
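Review bot: In the `@@ -102,13 +102,9 @@` hunk of UserVerificationService.java the configured redirect URI is converted to a string only for `UriBuilder.fromUri(String)` to parse it again as a URI template. If `confService.getRedirectUri()` returns a `java.net.URI` (its declaration is not on this page, though the `toString()` call suggests it), the `URI` overload avoids that round trip: `String builtUrl = UriBuilder.fromUri(confService.getRedirectUri())`. Both `fromUri` and `build()` report problems through unchecked exceptions (`IllegalArgumentException`, `UriBuilderException`). The `try` block opened here and its catch clauses continue outside the hunk, so confirm that a malformed redirect URI still ends in a `GuacamoleException` rather than an unhandled runtime error in the middle of the login flow.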