[Io7UetI2] Update org.apache.poi to 5.3.0 to mitigate CVE-2024-25710 and CVE-2024-26308

core/src/main/java/apoc/util/MissingDependencyException.java

@@ -25,4 +25,8 @@ public class MissingDependencyException extends RuntimeException {
     public MissingDependencyException(String message) {
         super(message);
     }
+
+    public MissingDependencyException(String message, Throwable cause) {
+        super(message, cause);
+    }
 }

docs/asciidoc/modules/ROOT/partials/xls-dependencies.adoc

@@ -7,12 +7,12 @@ Once that file is downloaded, it should be placed in the `plugins` directory and
 Alternatively, you can download these jars from Maven Repository (putting them into `plugins` directory as well):
 
 .For XLS files:
-* https://repo1.maven.org/maven2/org/apache/poi/poi/5.1.0/poi-5.1.0.jar[poi-5.1.0.jar^]
+* https://repo1.maven.org/maven2/org/apache/poi/poi/5.3.0/poi-5.3.0.jar[poi-5.3.0.jar^]
 
 .Additional for XLSX files:
 * https://repo1.maven.org/maven2/org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar[commons-collections4-4.4.jar^]
-* https://repo1.maven.org/maven2/org/apache/poi/poi-ooxml/5.1.0/poi-ooxml-5.1.0.jar[poi-ooxml-5.1.0.jar^]
-* https://repo1.maven.org/maven2/org/apache/poi/poi-ooxml-lite/5.1.0/poi-ooxml-lite-5.1.0.jar[poi-ooxml-lite-5.1.0.jar^]
+* https://repo1.maven.org/maven2/org/apache/poi/poi-ooxml/5.3.0/poi-ooxml-5.3.0.jar[poi-ooxml-5.3.0.jar^]
+* https://repo1.maven.org/maven2/org/apache/poi/poi-ooxml-lite/5.3.0/poi-ooxml-lite-5.3.0.jar[poi-ooxml-lite-5.3.0.jar^]
 * https://repo1.maven.org/maven2/org/apache/xmlbeans/xmlbeans/5.0.2/xmlbeans-5.0.2.jar[xmlbeans-5.0.2.jar^]
 * https://repo1.maven.org/maven2/com/github/virtuald/curvesapi/1.06/curvesapi-1.06.jar[curvesapi-1.06.jar^]
 

extra-dependencies/xls/build.gradle

@@ -20,12 +20,19 @@ jar {
 }
 
 dependencies {
-    implementation group: 'org.apache.poi', name: 'poi', version: '5.1.0'
-    implementation group: 'org.apache.poi', name: 'poi-ooxml-lite', version: '5.1.0'
-    implementation group: 'org.apache.poi', name: 'poi-ooxml', version: '5.1.0' , {
-        exclude group: 'org.apache.commons', module: 'commons-compress' 
+    // Make sure no transitive dependencies are included together with apache.poi
+
+    implementation group: 'org.apache.poi', name: 'poi', version: '5.3.0', {
+        exclude group: '*'
+    }
+    implementation group: 'org.apache.poi', name: 'poi-ooxml-lite', version: '5.3.0', {
+        exclude group: '*'
     }
-    implementation group: 'org.apache.xmlbeans', name: 'xmlbeans', version: '5.0.2'
+    implementation group: 'org.apache.poi', name: 'poi-ooxml', version: '5.3.0' , {
+        exclude group: '*'
+    }
+
+    implementation group: 'org.apache.xmlbeans', name: 'xmlbeans', version: '5.2.1'
     implementation group: 'com.github.virtuald', name: 'curvesapi', version: '1.06'
     implementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
 }

full/build.gradle

@@ -64,10 +64,23 @@ dependencies {
     // compileOnly "org.antlr:antlr4-runtime:4.7.2"
     // testCompile "org.antlr:antlr4-runtime:4.7.2"
 
-    compileOnly "org.apache.poi:poi:5.1.0"
-    testImplementation "org.apache.poi:poi:5.1.0"
-    compileOnly "org.apache.poi:poi-ooxml:5.1.0"
-    testImplementation "org.apache.poi:poi-ooxml:5.1.0"
+    // Make sure no transitive dependencies are included together with apache.poi
+
+    compileOnly "org.apache.poi:poi:5.3.0", {
+        exclude group: '*'
+    }
+    testImplementation "org.apache.poi:poi:5.3.0", {
+        exclude group: '*'
+    }
+    compileOnly "org.apache.poi:poi-ooxml:5.3.0", {
+        exclude group: '*'
+    }
+    testImplementation "org.apache.poi:poi-ooxml:5.3.0", {
+        exclude group: '*'
+    }
+    testImplementation group: 'org.apache.xmlbeans', name: 'xmlbeans', version: '5.2.1'
+    testImplementation group: 'com.github.virtuald', name: 'curvesapi', version: '1.06'
+    testImplementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
 
     implementation 'org.jsoup:jsoup:1.15.3'
 

full/src/main/java/apoc/couchbase/Couchbase.java

@@ -400,7 +400,7 @@ private CouchbaseConnection getCouchbaseConnection(String hostOrKey, String buck
             CouchbaseConfig config = new CouchbaseConfig(configMap);
             return CouchbaseManager.getConnection(hostOrKey, bucket, config);
         } catch (NoClassDefFoundError e) {
-            throw new MissingDependencyException(COUCHBASE_MISSING_DEPS_ERROR);
+            throw new MissingDependencyException(COUCHBASE_MISSING_DEPS_ERROR, e);
         }
     }
 }

full/src/main/java/apoc/data/email/ExtractEmail.java

@@ -41,7 +41,7 @@ public Map<String, String> email(final @Name("email_address") String value) {
         try {
             return extractEmail(value);
         } catch (NoClassDefFoundError e) {
-            throw new MissingDependencyException(EMAIL_MISSING_DEPS_ERROR);
+            throw new MissingDependencyException(EMAIL_MISSING_DEPS_ERROR, e);
         }
     }
 }

full/src/main/java/apoc/export/xls/ExportXls.java

@@ -111,7 +111,7 @@ private Stream<ProgressInfo> exportXls(
         try {
             return ExportXlsHandler.getProgressInfoStream(fileName, source, data, configMap, apocConfig, db);
         } catch (NoClassDefFoundError e) {
-            throw new MissingDependencyException(XLS_MISSING_DEPS_ERROR);
+            throw new MissingDependencyException(XLS_MISSING_DEPS_ERROR, e);
         }
     }
 }

full/src/main/java/apoc/export/xls/ExportXlsHandler.java

@@ -64,7 +64,7 @@
 public class ExportXlsHandler {
     public static final String XLS_MISSING_DEPS_ERROR =
             "Cannot find the needed jar into the plugins folder in order to use . \n"
-                    + "Please see the documentation: https://neo4j.com/labs/apoc/5/overview/apoc.export/apoc.export.xls.all/#_install_dependencies";
+                    + "Please see the documentation: https://neo4j.com/labs/apoc/4.4/overview/apoc.export/apoc.export.xls.all/#_install_dependencies";
 
     public static Stream<ProgressInfo> getProgressInfoStream(
             String fileName,

full/src/main/java/apoc/load/LoadXls.java

@@ -149,7 +149,7 @@ public Stream<XLSResult> xls(
                     url, stream, selection, skip, hasHeader, limit, ignore, nullValues, mappings, skipNulls);
             return StreamSupport.stream(xlsSpliterator, false);
         } catch (NoClassDefFoundError e) {
-            throw new MissingDependencyException(XLS_MISSING_DEPS_ERROR);
+            throw new MissingDependencyException(XLS_MISSING_DEPS_ERROR, e);
         } catch (Exception e) {
             if (!failOnError)
                 return Stream.of(

full/src/main/java/apoc/mongodb/MongoDBUtils.java

@@ -56,7 +56,7 @@ protected static MongoDbConfig getMongoConfig(Map<String, Object> config) {
         try {
             return new MongoDbConfig(config);
         } catch (NoClassDefFoundError e) {
-            throw new MissingDependencyException(MONGO_MISSING_DEPS_ERROR);
+            throw new MissingDependencyException(MONGO_MISSING_DEPS_ERROR, e);
         }
     }
 }

full/src/main/java/apoc/redis/RedisConfig.java

@@ -49,7 +49,7 @@ public RedisConnection getRedisConnection(String uri, Map<String, Object> config
                 Constructor<?> constructor = redisConnectionClass.getConstructor(String.class, RedisConfig.class);
                 return (RedisConnection) constructor.newInstance(uri, redisConfig);
             } catch (NoClassDefFoundError e) {
-                throw new MissingDependencyException(REDIS_MISSING_DEPS_ERROR);
+                throw new MissingDependencyException(REDIS_MISSING_DEPS_ERROR, e);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }