migrate to velocity-engine-core to remove the vulnerability #177

Open

Oliver2421 opened this issue Dec 6, 2024 · 1 comment

Comments

Oliver2421 commented Dec 6, 2024

Hi, @wetneb, I stumbled upon a vulnerability introduced by package velocity-1.6.3.jar:

Issue Description

When I build the project, I notice that package velocity-1.6.3 with a vulnerability (CVE-2020-13936) is packaged in the main module (main/webapp/WEB-INF/lib/velocity-1.6.3.jar). I know that this project loads velocity in Butterfly.configureModules() by classLoader at run time.

Why is the project referencing this third-party library in a dynamically loaded manner instead of using maven for dependency management?

Is it possible to migrate to velocity-engine-core to remove the vulnerability?

Suggested Solution

Since velocity has reached its end of life and is no longer officially supported, it is recommended to migrate to velocity-engine-core.
Maybe you can try to migrate to org.apache.velocity:velocity-engine-core:2.0 or higher.

Note:
velocity-engine-core (>=2.0) has fixed the vulnerability.
Of course, you are welcome to share other ways to resolve the issue.

Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards,
^_^
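The migration proposed above, written out as a Maven fragment: declare the 2.x engine (the artifact was renamed from `velocity` to `velocity-engine-core` in 2.x) and add an Enforcer rule so the build fails if the end-of-life 1.x artifact comes back through a transitive dependency. This is an added example, not code from the simile-butterfly project or from the issue author; the plugin version, the execution id and the message text are assumptions.

```xml
<!-- Added example, not the simile-butterfly project's own pom.xml. -->
<project>
  <dependencies>
    <!-- 2.x engine, the artifact the issue recommends ("2.0 or higher") -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-engine-core</artifactId>
      <version>2.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <!-- assumed plugin version; pin to whatever the build already uses -->
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-velocity-1x</id> <!-- assumed id -->
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- fail the build if the 1.x artifact is pulled in anywhere -->
                    <exclude>org.apache.velocity:velocity</exclude>
                  </excludes>
                  <message>velocity 1.x is end-of-life (CVE-2020-13936); use velocity-engine-core 2.x</message>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With the dependency declared this way, `mvn dependency:tree -Dincludes=org.apache.velocity` shows which Velocity artifacts actually reach the WAR, which is the check to run before trusting that `WEB-INF/lib` no longer contains `velocity-1.6.3.jar`. Note that moving the jar into Maven only replaces the copy in the build; code that loads Velocity through a class loader at run time (as described for `Butterfly.configureModules()`) also has to be pointed at the 2.x classes, since 2.x changed some APIs from 1.x.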

wetneb (Member) commented Dec 16, 2024

Hi @Oliver2421,

Thank you for reporting this, but it would be better to do it privately via https://github.com/OpenRefine/simile-butterfly/security/advisories/new

According to the vulnerability description, exploiting this vulnerability requires the ability to upload user-provided Velocity templates to the application. OpenRefine only lets users do that by uploading an extension. Uploading an extension is, in itself, already a way to let the user execute arbitrary code, which is expected, so this Velocity vulnerability does not seem to be of concern in our case.

Regardless, we are considering upgrading to a new version of Velocity in Butterfly (and OpenRefine) here: OpenRefine/OpenRefine#6077
