Merge branch 'release/2.6.0'

.gitignore

@@ -1,4 +1,5 @@
 /target/
 /shinyproxy.log
 /application.yml
-/.project
+/.project
+*.gz

Jenkinsfile

@@ -20,7 +20,7 @@ pipeline {
 
                      configFileProvider([configFile(fileId: 'maven-settings-rsb', variable: 'MAVEN_SETTINGS_RSB')]) {
 
-                         sh 'mvn -s $MAVEN_SETTINGS_RSB -U clean deploy'
+                         sh 'mvn -B -s $MAVEN_SETTINGS_RSB -U clean deploy'
 
                      }
                 }

owasp-suppression.xml

@@ -1,80 +1,81 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-   <suppress>
-      <notes><![CDATA[
-      file name: spring-security-ldap-5.3.4.RELEASE.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-ldap@.*$</packageUrl>
-      <cve>CVE-2018-1258</cve>
-   </suppress>
-   <suppress>
-       <notes><![CDATA[
-       file name: spring-security-core-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
-    </suppress>
-    <suppress>
-       <notes><![CDATA[
-       file name: spring-security-jwt-1.1.1.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-jwt@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
-    </suppress>
+    <!--
+        https://nvd.nist.gov/vuln/detail/CVE-2018-1258
+        Vulnerability only applies when using spring-framework 5.0.5 -> we are not using that version.
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-oauth2-core-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-core@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <!--        <notes><![CDATA[-->
+        <!--   file name: spring-security-ldap-5.3.9.RELEASE.jar-->
+        <!--   ]]></notes>-->
+        <!--        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-ldap@.*$</packageUrl>-->
+        <cve>CVE-2018-1258</cve>
     </suppress>
+
+    <!--
+        https://nvd.nist.gov/vuln/detail/CVE-2021-22112
+        Only applies if using Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE,
+        we are using 5.3.9.
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-core-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <notes><![CDATA[
+   file name: spring-security-jwt-1.1.1.RELEASE.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-jwt@.*$</packageUrl>
+        <cve>CVE-2021-22112</cve>
     </suppress>
+
+    <!--
+        https://nvd.nist.gov/vuln/detail/CVE-2020-14359
+        Only applies to Keycloak-gatekeeper not the keycloak libraries.
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-jwt-1.1.1.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-jwt@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <cve>CVE-2020-14359</cve>
     </suppress>
+
+
+    <!--
+        https://nvd.nist.gov/vuln/detail/CVE-2020-8908
+        Only applies if using com.google.common.io.Files.createTempDir().
+        We are not using this function directly. We are dependent on our library to remove the usage of this method.
+        (the method is not fixed/removed from Guava so updating has no influence)
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-oauth2-core-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-core@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <cve>CVE-2020-8908</cve>
     </suppress>
+
+    <!--
+        https://nvd.nist.gov/vuln/detail/CVE-2020-8554
+        Only applies to Kubernetes API server not the kubernetes libraries.
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-web-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-web@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <cve>CVE-2020-8554</cve>
     </suppress>
+
+
+    <!--
+        Only applies to the official Kubernetes Java client, not the client from fabric8io we are using.
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-oauth2-jose-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-jose@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <cve>CVE-2020-8570</cve>
     </suppress>
+
+
+    <!--
+        https://nvd.nist.gov/vuln/detail/CVE-2021-29425
+        Only applies to Apache Commons IO before 2.7, but we are using 2.7. (however somewhere this version is referred).
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-oauth2-client-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <sha1>7e39112810f6096061c43504188d18edc7d7eece</sha1>
+        <cve>CVE-2021-29425</cve>
     </suppress>
+
+
+    <!--
+        https://tanzu.vmware.com/security/cve-2015-5258
+        Only applies to springframework-social before 1.1.3, but we are using 1.1.6 (however somewhere this version is referred).
+    -->
     <suppress>
-       <notes><![CDATA[
-       file name: spring-security-config-5.3.4.RELEASE.jar
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-config@.*$</packageUrl>
-       <cve>CVE-2018-1258</cve>
+        <cve>CVE-2015-5258</cve>
     </suppress>
 </suppressions>

pom.xml

@@ -5,7 +5,7 @@
 
 	<groupId>eu.openanalytics</groupId>
 	<artifactId>shinyproxy</artifactId>
-	<version>2.5.1</version>
+	<version>2.6.0</version>
 	<packaging>jar</packaging>
 
 	<name>ShinyProxy</name>
@@ -19,14 +19,14 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.3.4.RELEASE</version>
+		<version>2.3.12.RELEASE</version>
 		<relativePath />
 	</parent>
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<java.version>1.8</java.version>
-		<containerproxy.version>0.8.9</containerproxy.version>
+		<containerproxy.version>0.8.10</containerproxy.version>
 		<resource.delimiter>&amp;</resource.delimiter>
 	</properties>
 
@@ -83,9 +83,51 @@
 			<artifactId>js-cookie</artifactId>
 			<version>2.2.1</version>
 		</dependency>
+		<dependency>
+			<groupId>org.webjars</groupId>
+			<artifactId>handlebars</artifactId>
+			<version>4.7.6</version>
+		</dependency>
+		<dependency>
+			<groupId>io.undertow</groupId>
+			<artifactId>undertow-core</artifactId>
+			<version>2.2.8.Final</version>
+		</dependency>
+		<dependency>
+			<groupId>io.undertow</groupId>
+			<artifactId>undertow-servlet</artifactId>
+			<version>2.2.8.Final</version>
+		</dependency>
+		<dependency>
+			<groupId>io.undertow</groupId>
+			<artifactId>undertow-websockets-jsr</artifactId>
+			<version>2.2.8.Final</version>
+		</dependency>
+		<dependency>
+			<groupId>org.jboss.xnio</groupId>
+			<artifactId>xnio-nio</artifactId>
+			<version>3.8.4.Final</version>
+		</dependency>
+		<dependency>
+			<groupId>org.jboss.xnio</groupId>
+			<artifactId>xnio-api</artifactId>
+			<version>3.8.4.Final</version>
+                </dependency>
 	</dependencies>
 
 	<build>
+		<resources>
+			<resource>
+				<directory>src/main/resources</directory>
+				<excludes>
+					<exclude>static/handlebars/node_modules/**</exclude>
+					<exclude>static/handlebars/.gitignore</exclude>
+					<exclude>static/handlebars/generate.sh</exclude>
+					<exclude>static/handlebars/*.handlebars</exclude>
+					<exclude>**/.gitignore</exclude>
+				</excludes>
+			</resource>
+		</resources>
 		<plugins>
 			<plugin>
 				<groupId>org.springframework.boot</groupId>
@@ -307,7 +349,7 @@
 						<exclude>.gitignore</exclude>
 						<exclude>src/deb/**</exclude>
 						<exclude>templates/**</exclude>
-						<exclude>src/main/resources/static/js/js.cookie-2.2.1.min.js</exclude>
+						<exclude>src/main/resources/static/handlebars/node_modules/**</exclude>
 					</excludes>
 				</configuration>
 				<executions>
@@ -380,7 +422,7 @@
                 <plugin>
                   <groupId>org.owasp</groupId>
                   <artifactId>dependency-check-maven</artifactId>
-                  <version>5.3.0</version>
+				<version>6.1.6</version>
                   <configuration>
                     <suppressionFiles>
                         <suppressionFile>owasp-suppression.xml</suppressionFile>

src/main/java/eu/openanalytics/shinyproxy/AppRequestInfo.java

@@ -0,0 +1,118 @@
+/**
+ * ShinyProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.shinyproxy;
+
+import eu.openanalytics.containerproxy.util.BadRequestException;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class AppRequestInfo {
+
+    private static final Pattern APP_INSTANCE_PATTERN = Pattern.compile(".*?/(app_i|app_direct_i)/([^/]*)/([^/]*)(/?.*)");
+    private static final Pattern APP_PATTERN = Pattern.compile(".*?/(app|app_direct)/([^/]*)(/?.*)");
+    private static final Pattern INSTANCE_NAME_PATTERN = Pattern.compile("^[a-zA-Z0-9_.-]*$");
+
+    private final String appName;
+    private final String appInstance;
+    private final String subPath;
+
+    public AppRequestInfo(String appName, String appInstance, String subPath) {
+        this.appName = appName;
+        this.appInstance = appInstance;
+        this.subPath = subPath;
+    }
+
+    public static AppRequestInfo fromRequestOrException(HttpServletRequest request) {
+        AppRequestInfo result = fromURI(request.getRequestURI());
+        if (result == null) {
+            throw new BadRequestException("Error parsing URL.");
+        }
+        return result;
+    }
+
+    public static AppRequestInfo fromURI(String uri) {
+        Matcher appMatcher = APP_PATTERN.matcher(uri);
+        Matcher appInstanceMatcher = APP_INSTANCE_PATTERN.matcher(uri);
+        if (appInstanceMatcher.matches()) {
+            String appName = appInstanceMatcher.group(2);
+            if (appName == null || appName.trim().equals("")) {
+                throw new BadRequestException("Error parsing URL: name of app not found in URL.");
+            }
+
+            String appInstance = appInstanceMatcher.group(3);
+            if (appInstance == null || appInstance.trim().equals("")) {
+                throw new BadRequestException("Error parsing URL: name of instance not found in URL.");
+            }
+
+            if (appInstance.length() > 64 || !INSTANCE_NAME_PATTERN.matcher(appInstance).matches()) {
+                throw new BadRequestException("Error parsing URL: name of instance contains invalid characters or is too long.");
+            }
+
+            String subPath = appInstanceMatcher.group(4);
+            if (subPath == null || subPath.trim().equals("")) {
+                subPath = null;
+            } else {
+                subPath = subPath.trim();
+            }
+
+            return new AppRequestInfo(appName, appInstance, subPath);
+        } else if (appMatcher.matches()) {
+            String appName = appMatcher.group(2);
+            if (appName == null || appName.trim().equals("")) {
+                throw new BadRequestException("Error parsing URL: name of app not found in URL.");
+            }
+
+            String appInstance = "_";
+
+            String subPath = appMatcher.group(3);
+            if (subPath == null || subPath.trim().equals("")) {
+                subPath = null;
+            } else {
+                subPath = subPath.trim();
+            }
+
+            return new AppRequestInfo(appName, appInstance, subPath);
+        } else {
+            return null;
+        }
+    }
+
+    public String getAppInstance() {
+        return appInstance;
+    }
+
+    public String getAppInstanceDisplayName() {
+        if (appInstance.equals("_")) {
+            return "Default";
+        }
+        return appInstance;
+    }
+
+    public String getAppName() {
+        return appName;
+    }
+
+    public String getSubPath() {
+        return subPath;
+    }
+}