bump netty to current package (fixes CVE-2019-20444, CVE-2019-20445, C…

…VE-2015-2156, CVE-2019-16869, CVE-2021-37136, CVE-2021-37137)

* migrate from netty CIDR (which no longer exists) to netty IpSubnetFilter for ip in cidr matching

pom.xml

@@ -286,8 +286,8 @@
 
 		<dependency>
 			<groupId>io.netty</groupId>
-			<artifactId>netty</artifactId>
-			<version>3.10.6.Final</version>
+			<artifactId>netty-all</artifactId>
+			<version>4.1.58.Final</version>
 		</dependency>
 
 		<dependency>

src/main/java/nl/sidnlabs/entrada/enrich/resolver/AbstractResolverCheck.java

@@ -51,7 +51,7 @@
 public abstract class AbstractResolverCheck implements DnsResolverCheck {
 
   private List<FastIpSubnet> matchers4 = new ArrayList<>();
-  private List<FastIpV6Subnet> matchers6 = new ArrayList<>();
+  private List<FastIpSubnet> matchers6 = new ArrayList<>();
 
   @Value("${entrada.location.persistence}")
   private String workDir;
@@ -137,7 +137,7 @@ private void load(File file) {
     lines
         .stream()
         .filter(s -> s.contains(":"))
-        .map(this::v6SubnetFor)
+        .map(this::subnetFor)
         .filter(Objects::nonNull)
         .forEach(s -> matchers6.add(s));
 
@@ -154,16 +154,6 @@ private FastIpSubnet subnetFor(String address) {
     return null;
   }
 
-  private FastIpV6Subnet v6SubnetFor(String address) {
-    try {
-      return new FastIpV6Subnet(address);
-    } catch (UnknownHostException e) {
-      log.error("Cannot create subnet for: {}", address, e);
-    }
-
-    return null;
-  }
-
   protected abstract List<String> fetch();
 
   private boolean isFileAvailable(File file) {
@@ -232,9 +222,8 @@ private boolean checkv4(String address, InetAddress inetAddress) {
   }
 
   private boolean checkv6(String address, InetAddress inetAddress) {
-    IPv6Address v6 = IPv6Address.fromInetAddress(inetAddress);
-    for (FastIpV6Subnet sn : matchers6) {
-      if (sn.contains(v6)) {
+    for (FastIpSubnet sn : matchers6) {
+      if (sn.contains(inetAddress)) {
         // addToCache(address);
         return true;
       }

src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpSubnet.java

@@ -1,31 +1,36 @@
 package nl.sidnlabs.entrada.enrich.resolver;
 
 import java.net.InetAddress;
+import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
-import org.jboss.netty.handler.ipfilter.CIDR;
+
+import io.netty.handler.ipfilter.IpFilterRuleType;
+import io.netty.handler.ipfilter.IpSubnetFilterRule;
 import lombok.Getter;
 
 @Getter
 public class FastIpSubnet implements Comparable<FastIpSubnet> {
 
-  private final CIDR cidr;
+  private final IpSubnetFilterRule cidr;
   private String cidrString;
 
   public FastIpSubnet() {
     cidr = null;
   }
 
   /**
-   * Create IpSubnet using the CIDR or normal Notation<BR>
+   * Create IpSubnet using the CIDR Notation<BR>
    * i.e.:<br>
    * IpSubnet subnet = new IpSubnet("10.10.10.0/24"); or<br>
-   * IpSubnet subnet = new IpSubnet("10.10.10.0/255.255.255.0"); or<br>
    * IpSubnet subnet = new IpSubnet("1fff:0:0a88:85a3:0:0:0:0/24");
    *
    * @param netAddress a network address as string.
    */
   public FastIpSubnet(String netAddress) throws UnknownHostException {
-    cidr = CIDR.newCIDR(netAddress);
+    String[] split = netAddress.split("/");
+    String cidr = split[0];
+    int cidrPrefix = Integer.parseInt(split[1]);
+    this.cidr = new IpSubnetFilterRule(cidr, cidrPrefix, IpFilterRuleType.ACCEPT);
     cidrString = cidr.toString();
   }
 
@@ -39,7 +44,7 @@ public boolean contains(InetAddress inetAddress) {
     if (cidr == null) {
       return false;
     }
-    return cidr.contains(inetAddress);
+    return cidr.matches(new InetSocketAddress(inetAddress, 0));
   }
 
   @Override
@@ -63,6 +68,6 @@ public int hashCode() {
 
   /** Compare two IpSubnet */
   public int compareTo(FastIpSubnet o) {
-    return cidrString.compareTo(o.getCidrString());
+    return cidr.compareTo(o.getCidr());
   }
 }

src/test/java/nl/sidnlabs/entrada/support/PerformanceTest.java

@@ -1,10 +1,11 @@
 package nl.sidnlabs.entrada.support;
 
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import java.net.InetAddress;
-import org.jboss.netty.handler.ipfilter.CIDR;
+import java.net.InetSocketAddress;
+
+import io.netty.handler.ipfilter.IpFilterRuleType;
+import io.netty.handler.ipfilter.IpSubnetFilterRule;
 import org.junit.jupiter.api.Test;
-import com.google.common.net.InetAddresses;
 import com.googlecode.ipv6.IPv6Address;
 import com.googlecode.ipv6.IPv6AddressRange;
 import nl.sidnlabs.dnslib.util.DomainName;
@@ -47,7 +48,7 @@ public void testIpv6() throws Exception {
         .fromFirstAndLast(IPv6Address.fromString("2a00:1450:4013::"),
             IPv6Address.fromString("2a00:1450:4013:ffff:ffff:ffff:ffff:ffff"));
 
-    InetAddress addr = InetAddresses.forString("2a00:1450:4013:0:0:0:0:8844");
+    InetSocketAddress addr = new InetSocketAddress("2a00:1450:4013:0:0:0:0:8844", 0);
 
     IPv6Address addr1 = IPv6Address.fromString("2a00:1450:4013:0:0:0:0:8844");
 
@@ -58,13 +59,13 @@ public void testIpv6() throws Exception {
     long time1 = System.currentTimeMillis() - start;
     System.out.println(time1);
 
-    CIDR cidr1 = CIDR.newCIDR("2a00:1450:4013::/48");
-    // CIDR cidr2 = CIDR.newCIDR("fe80::226:2dff:fefa:ffff");
+    IpSubnetFilterRule cidr1 = new IpSubnetFilterRule("2a00:1450:4013::", 48, IpFilterRuleType.ACCEPT);
+    // IpSubnetFilterRule cidr2 = new IpSubnetFilterRule("fe80::226:2dff:fefa:ffff", 128, IpFilterRuleType.ACCEPT);
 
 
     start = System.currentTimeMillis();
     for (int i = 0; i < 100000; i++) {
-      cidr1.contains(addr);
+      cidr1.matches(addr);
     }
     long time2 = System.currentTimeMillis() - start;
     System.out.println(time2);