From 95d9d85ca29b00601c1c06871c55a49d73989501 Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Wed, 13 Mar 2024 22:09:56 +0000
Subject: [PATCH] dep bumps and nonroot bypass (#910)

* dep bumps and nonroot bypass
* log changing
---
 build.gradle | 22 +++++++++++-----------
 scripts/init-without-ocr.sh | 16 +++++++++++-----
 scripts/init.sh | 21 +++++++++++----------
 3 files changed, 33 insertions(+), 26 deletions(-)

diff --git a/build.gradle b/build.gradle
index 3cd1afc6..73ecb894 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 plugins {
 id 'java'
- id 'org.springframework.boot' version '3.2.2'
+ id 'org.springframework.boot' version '3.2.3'
 id 'io.spring.dependency-management' version '1.1.3'
 id 'org.springdoc.openapi-gradle-plugin' version '1.8.0'
 id "io.swagger.swaggerhub" version "1.3.2"
@@ -87,26 +87,26 @@ spotless {
 dependencies {
 //security updates
- implementation 'ch.qos.logback:logback-classic:1.4.14'
- implementation 'ch.qos.logback:logback-core:1.4.14'
- implementation 'org.springframework:spring-webmvc:6.1.3'
+ implementation 'ch.qos.logback:logback-classic:1.5.3'
+ implementation 'ch.qos.logback:logback-core:1.5.3'
+ implementation 'org.springframework:spring-webmvc:6.1.4'
 implementation("io.github.pixee:java-security-toolkit:1.1.2")
 implementation 'org.yaml:snakeyaml:2.2'
- implementation 'org.springframework.boot:spring-boot-starter-web:3.2.2'
- implementation 'org.springframework.boot:spring-boot-starter-thymeleaf:3.2.2'
+ implementation 'org.springframework.boot:spring-boot-starter-web:3.2.3'
+ implementation 'org.springframework.boot:spring-boot-starter-thymeleaf:3.2.3'
 if (System.getenv('DOCKER_ENABLE_SECURITY') != 'false') {
- implementation 'org.springframework.boot:spring-boot-starter-security:3.2.2'
+ implementation 'org.springframework.boot:spring-boot-starter-security:3.2.3'
 implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5:3.1.2.RELEASE'
- implementation "org.springframework.boot:spring-boot-starter-data-jpa:3.2.2"
+ implementation "org.springframework.boot:spring-boot-starter-data-jpa:3.2.3"
 //2.2.x requires rebuild of DB file.. need migration path
 implementation "com.h2database:h2:2.1.214"
 }
- testImplementation 'org.springframework.boot:spring-boot-starter-test:3.2.2'
+ testImplementation 'org.springframework.boot:spring-boot-starter-test:3.2.3'
 // Batik
 implementation 'org.apache.xmlgraphics:batik-all:1.17'
@@ -149,7 +149,7 @@ dependencies {
 implementation 'org.bouncycastle:bcprov-jdk18on:1.77'
 implementation 'org.bouncycastle:bcpkix-jdk18on:1.77'
- implementation 'org.springframework.boot:spring-boot-starter-actuator:3.2.2'
+ implementation 'org.springframework.boot:spring-boot-starter-actuator:3.2.3'
 implementation 'io.micrometer:micrometer-core:1.12.3'
 implementation group: 'com.google.zxing', name: 'core', version: '3.5.2'
 // https://mvnrepository.com/artifact/org.commonmark/commonmark
@@ -160,7 +160,7 @@ dependencies {
 implementation 'com.fathzer:javaluator:3.0.3'
- developmentOnly("org.springframework.boot:spring-boot-devtools:3.2.2")
+ developmentOnly("org.springframework.boot:spring-boot-devtools:3.2.3")
 compileOnly 'org.projectlombok:lombok:1.18.30'
 annotationProcessor 'org.projectlombok:lombok:1.18.28'
 }
diff --git a/scripts/init-without-ocr.sh b/scripts/init-without-ocr.sh
index 4673b9dd..64e6dab0 100644
--- a/scripts/init-without-ocr.sh
+++ b/scripts/init-without-ocr.sh
@@ -10,14 +10,20 @@ if [ ! -z "$PGID" ] && [ "$PGID" != "$(getent group stirlingpdfgroup | cut -d: -
 fi
 umask "$UMASK" || true
-echo "Setting permissions and ownership for necessary directories..."
-chown -R stirlingpdfuser:stirlingpdfgroup $HOME /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar || true
-chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar || true
+
 if [[ "$INSTALL_BOOK_AND_ADVANCED_HTML_OPS" == "true" ]]; then
 apk add --no-cache calibre@testing
 fi
 /scripts/download-security-jar.sh
-# Run the main command
-exec su-exec stirlingpdfuser "$@"
\ No newline at end of file
+echo "Setting permissions and ownership for necessary directories..."
+if chown -R stirlingpdfuser:stirlingpdfgroup $HOME /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar; then
+ chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar || true
+ # If chown succeeds, execute the command as stirlingpdfuser
+ exec su-exec stirlingpdfuser "$@"
+else
+ # If chown fails, execute the command without changing the user context
+ echo "[WARN] Chown failed, running as host user"
+ exec "$@"
+fi
diff --git a/scripts/init.sh b/scripts/init.sh
index 1b298e16..f06527d0 100644
--- a/scripts/init.sh
+++ b/scripts/init.sh
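Review bot: The `else` branch added at the end of this hunk, `exec "$@"` after `echo "[WARN] Chown failed, running as host user"`, runs the application as whatever user the entrypoint already is, which for this script is presumably root since it expects to chown and then `su-exec`; so any `chown -R` failure other than the intended "container started as a non-root user" case (a read-only or network-backed volume, a path that is not mounted) now silently replaces the `su-exec stirlingpdfuser` privilege drop with running the JVM as root. A chown failure is the wrong signal for "we are not root"; check the effective uid with `id -u` instead, keep `su-exec` whenever the script is root and treat chown problems there as a warning only, and skip chown and exec directly only when already unprivileged. scripts/init.sh receives the same block in its second hunk and needs the same change. The new `chown` line also still passes `$HOME` unquoted, as the removed line did, so a home path containing spaces is split into separate arguments; quote it as `"$HOME"`.
```shell
echo "Setting permissions and ownership for necessary directories..."
if [ "$(id -u)" -eq 0 ]; then
    # Running as root: fix ownership best-effort, but never fall back to running the app as root
    chown -R stirlingpdfuser:stirlingpdfgroup "$HOME" /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar \
        || echo "[WARN] chown failed; continuing as stirlingpdfuser with existing ownership"
    chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar || true
    exec su-exec stirlingpdfuser "$@"
else
    # Already unprivileged (container started with a non-root user): no permission to chown, keep the caller's uid
    echo "[INFO] Running as uid $(id -u); skipping ownership changes"
    exec "$@"
fi
```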
@@ -24,12 +24,6 @@ if [ ! -z "$PGID" ] && [ "$PGID" != "$(getent group stirlingpdfgroup | cut -d: -
 fi
 umask "$UMASK" || true
-echo "Setting permissions and ownership for necessary directories..."
-chown -R stirlingpdfuser:stirlingpdfgroup $HOME /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar || true
-chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar || true
-
-
-
 # Check if TESSERACT_LANGS environment variable is set and is not empty
 if [[ -n "$TESSERACT_LANGS" ]]; then
@@ -50,9 +44,16 @@ if [[ "$INSTALL_BOOK_AND_ADVANCED_HTML_OPS" == "true" ]]; then
 apk add --no-cache calibre@testing
 fi
-
-
 /scripts/download-security-jar.sh
-# Run the main command and switch to stirling user for rest of run
-exec su-exec stirlingpdfuser "$@"
\ No newline at end of file
+echo "Setting permissions and ownership for necessary directories..."
+# Attempt to change ownership of directories and files
+if chown -R stirlingpdfuser:stirlingpdfgroup $HOME /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar; then
+ chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar || true
+ # If chown succeeds, execute the command as stirlingpdfuser
+ exec su-exec stirlingpdfuser "$@"
+else
+ # If chown fails, execute the command without changing the user context
+ echo "[WARN] Chown failed, running as host user"
+ exec "$@"
+fi