From 4e733bf4925cca9ad44db3e863d0b7e44cbe17ae Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Thu, 8 Jan 2026 11:45:28 +1100 Subject: [PATCH 1/8] Precomputed pathSet --- src/main/java/com/uid2/operator/vertx/Endpoints.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/com/uid2/operator/vertx/Endpoints.java b/src/main/java/com/uid2/operator/vertx/Endpoints.java index be8fa0b05..782ca21f9 100644 --- a/src/main/java/com/uid2/operator/vertx/Endpoints.java +++ b/src/main/java/com/uid2/operator/vertx/Endpoints.java @@ -30,13 +30,14 @@ public enum Endpoints { UID2_SDK_2_0_0("/static/js/uid2-sdk-2.0.0.js") ; private final String path; + private static final Set endpoints = Stream.of(Endpoints.values()).map(Endpoints::toString).collect(Collectors.toSet()); Endpoints(final String path) { this.path = path; } public static Set pathSet() { - return Stream.of(Endpoints.values()).map(Endpoints::toString).collect(Collectors.toSet()); + return endpoints; } @Override From f2b9ccbfdb2f684444c81949277bc6c8cccc04ba Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Thu, 8 Jan 2026 11:47:09 +1100 Subject: [PATCH 2/8] Created a more optimized version of HTTPPathMetricFilter --- src/main/java/com/uid2/operator/Main.java | 3 +- .../util/HTTPPathMetricFilterOptimized.java | 32 +++++++++++++ .../HTTPPathMetricFilterOptimizedTest.java | 48 +++++++++++++++++++ 3 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java create mode 100644 src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java diff --git a/src/main/java/com/uid2/operator/Main.java b/src/main/java/com/uid2/operator/Main.java index 44f2fbe4a..6b95a2b8e 100644 --- a/src/main/java/com/uid2/operator/Main.java +++ b/src/main/java/com/uid2/operator/Main.java 
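Review bot: The set returned by `pathSet()` is now one shared instance, and `Collectors.toSet()` makes no promise that it is immutable, whereas the old code built a fresh set on every call. A caller that adds to or removes from the result would silently change the allow-list that `setupMetrics` uses to bound the HTTP path tag values. Build it with `.collect(Collectors.toUnmodifiableSet())` so that misuse fails fast. The later hunk in patch 7/8 that renames the field to `ENDPOINTS_SET` keeps the same collector and needs the same change. The enum body starts and ends outside this hunk.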
@@ -12,6 +12,7 @@ import com.uid2.operator.service.*; import com.uid2.operator.store.*; import com.uid2.operator.store.BootstrapConfigStore; +import com.uid2.operator.util.HTTPPathMetricFilterOptimized; import com.uid2.operator.vertx.Endpoints; import com.uid2.operator.vertx.OperatorShutdownHandler; import com.uid2.operator.vertx.UIDOperatorVerticle; @@ -517,7 +518,7 @@ private static void setupMetrics(MicrometerMetricsOptions metricOptions) { // providing common renaming for prometheus metric, e.g. "hello.world" to "hello_world" .meterFilter(new PrometheusRenameFilter()) .meterFilter(MeterFilter.replaceTagValues(Label.HTTP_PATH.toString(), - actualPath -> HTTPPathMetricFilter.filterPath(actualPath, Endpoints.pathSet()))) + actualPath -> HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet()))) // Don't record metrics for 404s. .meterFilter(MeterFilter.deny(id -> id.getName().startsWith(MetricsDomain.HTTP_SERVER.getPrefix()) && diff --git a/src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java b/src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java new file mode 100644 index 000000000..badbb7cfd --- /dev/null +++ b/src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java 
@@ -0,0 +1,32 @@
+package com.uid2.operator.util;
+
+import io.vertx.core.http.impl.HttpUtils;
+
+import java.util.Set;
+
+public class HTTPPathMetricFilterOptimized {
+ public static String filterPath(String actualPath, Set pathSet) {
+ try {
+ String normalized = HttpUtils.normalizePath(actualPath);
+ /* Optimization 1: Split that avoids array and regex initialization */
+ int splitIndex = normalized.indexOf('?');
+ if (splitIndex != -1) {
+ normalized = normalized.substring(0, splitIndex);
+ }
+
+ if (normalized.charAt(normalized.length() - 1) == '/') {
+ normalized = normalized.substring(0, normalized.length() - 1);
+ }
+ normalized = normalized.toLowerCase();
+
+ if (pathSet == null || pathSet.isEmpty()) { return normalized; }
+
+ /* Optimization 2: Remove for loop and regex matching */
+ if (pathSet.contains(normalized)) { return normalized; }
+
+ return "/unknown";
+ } catch (IllegalArgumentException e) {
+ return "/parsing_error";
+ }
+ }
+}
diff --git a/src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java b/src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java
new file mode 100644
index 000000000..ef018fdb3
--- /dev/null
+++ b/src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java 
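Review bot: `normalized.toLowerCase()` in `filterPath` uses the JVM default locale, so under a locale such as Turkish an upper-case `I` in the request path lower-cases to a dotless `ı` and a valid endpoint is reported as `/unknown`. Use `normalized.toLowerCase(Locale.ROOT)`, which needs `import java.util.Locale;`. Separately, the `pathSet == null || pathSet.isEmpty()` branch returns the request-derived path unfiltered, so the tag value becomes unbounded if a caller ever passes an empty set. Returning `"/unknown"` there, or documenting why the pass-through is wanted, would keep metric label cardinality fixed. The `charAt(normalized.length() - 1)` call appears to rely on `HttpUtils.normalizePath` always returning a string that starts with `/`; since only `IllegalArgumentException` is caught, a one-line comment stating that assumption would help.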
@@ -0,0 +1,48 @@
+package com.uid2.operator.util;
+
+import com.uid2.operator.vertx.Endpoints;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class HTTPPathMetricFilterOptimizedTest {
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "",
+ "/",
+ "/unknown-path",
+ "../",
+ "/v1/identity/map%55",
+ "/list/123",
+ })
+ void testPathFiltering_InvalidPaths_Unknown(String actualPath) {
+ String filteredPath = HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet());
+ assertEquals("/unknown", filteredPath);
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "v1/identity/map?id=bad-escape-code%2",
+ "token/refresh?refresh_token=SOME_TOKEN<%=7485*4353%>",
+ "list/12%4/5435"
+ })
+ void testPathFiltering_InvalidPaths_ParsingError(String actualPath) {
+ String filteredPath = HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet());
+ assertEquals("/parsing_error", filteredPath);
+ }
+
+ @ParameterizedTest
+ @CsvSource(value = {
+ "/v2/identity/map, /v2/identity/map",
+ "v2/identity/map, /v2/identity/map",
+ "V3/IdenTity/mAp, /v3/identity/map",
+ "v2/token/refresh?refresh_token=123%20%23, /v2/token/refresh",
+ "v2/identity/map?identity/../map/, /v2/identity/map"
+ })
+ void testPathFiltering_ValidPaths_KnownEndpoints(String actualPath, String expectedFilteredPath) {
+ String filteredPath = HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet());
+ assertEquals(expectedFilteredPath, filteredPath);
+ }
+}
From 703cd776899a7c26939468d1f514456cba0a2cc4 Mon Sep 17 00:00:00 2001
From: Samin Rahman
Date: Thu, 8 Jan 2026 13:28:47 +1100
Subject: [PATCH 3/8] Removed original import statement from shared
---
src/main/java/com/uid2/operator/Main.java | 1 -
1 file changed, 1 deletion(-) 
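Review bot: Every case passes `Endpoints.pathSet()`, so the `pathSet == null || pathSet.isEmpty()` pass-through branch of `filterPath` is never exercised. No case puts a trailing slash on a known path itself either; the last `@CsvSource` row only has one inside the query string. Adding a row such as `"/v2/identity/map/, /v2/identity/map"`, plus a small test that calls `filterPath(path, null)` and `filterPath(path, Set.of())`, would pin both behaviours. A short comment on the `ParsingError` cases saying that the malformed percent-escapes are what trigger `/parsing_error` would also make the intent clear.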
diff --git a/src/main/java/com/uid2/operator/Main.java b/src/main/java/com/uid2/operator/Main.java index 6b95a2b8e..4735b6eb8 100644 --- a/src/main/java/com/uid2/operator/Main.java +++ b/src/main/java/com/uid2/operator/Main.java @@ -28,7 +28,6 @@ import com.uid2.shared.store.salt.RotatingSaltProvider; import com.uid2.shared.store.reader.*; import com.uid2.shared.store.scope.GlobalScope; -import com.uid2.shared.util.HTTPPathMetricFilter; import com.uid2.shared.vertx.CloudSyncVerticle; import com.uid2.shared.vertx.ICloudSync; import com.uid2.shared.vertx.RotatingStoreVerticle; From ad517a895b72420db4598e47c5f4cc62d6b65e9f Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Fri, 9 Jan 2026 13:08:44 +1100 Subject: [PATCH 4/8] Moved new filter path function to shared --- Dockerfile | 6 ++- pom.xml | 2 +- src/main/java/com/uid2/operator/Main.java | 4 +- .../util/HTTPPathMetricFilterOptimized.java | 32 ------------- .../HTTPPathMetricFilterOptimizedTest.java | 48 ------------------- 5 files changed, 8 insertions(+), 84 deletions(-) delete mode 100644 src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java delete mode 100644 src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java diff --git a/Dockerfile b/Dockerfile index b9e031d64..5c6d721a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-f599f6fa11f007b6dcf6e85ec2c372c1eba2b6940a7828eb6e665665ea5edd1c -FROM eclipse-temurin@sha256:243e711289b0f17e05a4df60454bbb1b8ed7b126db4de2d5535da994b7417111 +FROM eclipse-temurin@sha256:89517925fa675c6c4b770bee7c44d38a7763212741b0d6fca5a5103caab21a97 WORKDIR /app EXPOSE 8080 
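Review bot: The pinned digest on `FROM` changes, but the comment above it still points at the `21.0.9_10-jre-alpine-3.23` layer page, so nothing in the file records which tag the new digest was taken from. The commit subject does not mention a base image change either. Update the comment in the same change, for example `# sha from <Docker Hub layer URL for the new tag>` (placeholder), so the pin can be checked against the registry.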
@@ -20,10 +20,14 @@ COPY ./conf/*.xml /app/conf/ RUN tar xzvf /app/static.tar.gz --no-same-owner --no-same-permissions && rm -f /app/static.tar.gz +# Fix CVE-2025-68973: Update gnupg to patched version +RUN apk update && apk upgrade gnupg && rm -rf /var/cache/apk/* + RUN adduser -D uid2-operator && mkdir -p /opt/uid2 && chmod 777 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating USER uid2-operator CMD java \ + -XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints \ -XX:MaxRAMPercentage=95 -XX:-UseCompressedOops -XX:+PrintFlagsFinal -XX:-OmitStackTraceInFastThrow \ -Djava.security.egd=file:/dev/./urandom \ -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \ diff --git a/pom.xml b/pom.xml index 4755419a8..8d892eac0 100644 --- a/pom.xml +++ b/pom.xml @@ -22,7 +22,7 @@ 2.1.0 2.1.19 2.1.9 - 11.1.124 + 11.3.4-alpha-334-SNAPSHOT ${project.version} 21 21 diff --git a/src/main/java/com/uid2/operator/Main.java b/src/main/java/com/uid2/operator/Main.java index 4735b6eb8..b4e79f5c2 100644 --- a/src/main/java/com/uid2/operator/Main.java +++ b/src/main/java/com/uid2/operator/Main.java @@ -12,7 +12,6 @@ import com.uid2.operator.service.*; import com.uid2.operator.store.*; import com.uid2.operator.store.BootstrapConfigStore; -import com.uid2.operator.util.HTTPPathMetricFilterOptimized; import com.uid2.operator.vertx.Endpoints; import com.uid2.operator.vertx.OperatorShutdownHandler; import com.uid2.operator.vertx.UIDOperatorVerticle; @@ -28,6 +27,7 @@ import com.uid2.shared.store.salt.RotatingSaltProvider; import com.uid2.shared.store.reader.*; import com.uid2.shared.store.scope.GlobalScope; +import com.uid2.shared.util.HTTPPathMetricFilter; import com.uid2.shared.vertx.CloudSyncVerticle; import com.uid2.shared.vertx.ICloudSync; import com.uid2.shared.vertx.RotatingStoreVerticle; 
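Review bot: `apk update && apk upgrade gnupg` installs whatever version the mirror serves at build time, so it does not show that the build got the release that fixes CVE-2025-68973. It also makes the image differ between builds even though the base is pinned by digest, and if gnupg is not present in the base image the step changes nothing. Prefer moving the pin to a base digest that already carries the fix, or state a minimum version: `RUN apk add --no-cache --upgrade 'gnupg>=<FIXED_VERSION>'` (placeholder; take the version from the distribution advisory). The added `-XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints` flags are profiling settings unrelated to this commit's subject. They would be better in their own change, with a comment on why the production `CMD` needs them.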
@@ -517,7 +517,7 @@ private static void setupMetrics(MicrometerMetricsOptions metricOptions) { // providing common renaming for prometheus metric, e.g. "hello.world" to "hello_world" .meterFilter(new PrometheusRenameFilter()) .meterFilter(MeterFilter.replaceTagValues(Label.HTTP_PATH.toString(), - actualPath -> HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet()))) + actualPath -> HTTPPathMetricFilter.filterPathWithoutPathParameters(actualPath, Endpoints.pathSet()))) // Don't record metrics for 404s. .meterFilter(MeterFilter.deny(id -> id.getName().startsWith(MetricsDomain.HTTP_SERVER.getPrefix()) && diff --git a/src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java b/src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java deleted file mode 100644 index badbb7cfd..000000000 --- a/src/main/java/com/uid2/operator/util/HTTPPathMetricFilterOptimized.java +++ /dev/null @@ -1,32 +0,0 @@ -package com.uid2.operator.util; - -import io.vertx.core.http.impl.HttpUtils; - -import java.util.Set; - -public class HTTPPathMetricFilterOptimized { - public static String filterPath(String actualPath, Set pathSet) { - try { - String normalized = HttpUtils.normalizePath(actualPath); - /* Optimization 1: Split that avoids array and regex initialization */ - int splitIndex = normalized.indexOf('?'); - if (splitIndex != -1) { - normalized = normalized.substring(0, splitIndex); - } - - if (normalized.charAt(normalized.length() - 1) == '/') { - normalized = normalized.substring(0, normalized.length() - 1); - } - normalized = normalized.toLowerCase(); - - if (pathSet == null || pathSet.isEmpty()) { return normalized; } - - /* Optimization 2: Remove for loop and regex matching */ - if (pathSet.contains(normalized)) { return normalized; } - - return "/unknown"; - } catch (IllegalArgumentException e) { - return "/parsing_error"; - } - } -} 
diff --git a/src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java b/src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java
deleted file mode 100644
index ef018fdb3..000000000
--- a/src/test/java/com/uid2/operator/util/HTTPPathMetricFilterOptimizedTest.java
+++ /dev/null
@@ -1,48 +0,0 @@
-package com.uid2.operator.util;
-
-import com.uid2.operator.vertx.Endpoints;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.CsvSource;
-import org.junit.jupiter.params.provider.ValueSource;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-public class HTTPPathMetricFilterOptimizedTest {
- @ParameterizedTest
- @ValueSource(strings = {
- "",
- "/",
- "/unknown-path",
- "../",
- "/v1/identity/map%55",
- "/list/123",
- })
- void testPathFiltering_InvalidPaths_Unknown(String actualPath) {
- String filteredPath = HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet());
- assertEquals("/unknown", filteredPath);
- }
-
- @ParameterizedTest
- @ValueSource(strings = {
- "v1/identity/map?id=bad-escape-code%2",
- "token/refresh?refresh_token=SOME_TOKEN<%=7485*4353%>",
- "list/12%4/5435"
- })
- void testPathFiltering_InvalidPaths_ParsingError(String actualPath) {
- String filteredPath = HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet());
- assertEquals("/parsing_error", filteredPath);
- }
-
- @ParameterizedTest
- @CsvSource(value = {
- "/v2/identity/map, /v2/identity/map",
- "v2/identity/map, /v2/identity/map",
- "V3/IdenTity/mAp, /v3/identity/map",
- "v2/token/refresh?refresh_token=123%20%23, /v2/token/refresh",
- "v2/identity/map?identity/../map/, /v2/identity/map"
- })
- void testPathFiltering_ValidPaths_KnownEndpoints(String actualPath, String expectedFilteredPath) {
- String filteredPath = HTTPPathMetricFilterOptimized.filterPath(actualPath, Endpoints.pathSet());
- assertEquals(expectedFilteredPath, filteredPath);
- }
-}
From 5922aea7b7f28e526d9ed91e06b07d0e032e2c8e Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Fri, 9 Jan 2026 02:13:05 +0000 Subject: [PATCH 5/8] [CI Pipeline] Released Snapshot version: 5.63.5-alpha-279-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8d892eac0..ad4475d19 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.4 + 5.63.5-alpha-279-SNAPSHOT UTF-8 From 7ec5ccd8d49e9b363110903abdb2692c7b0feb2d Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Fri, 9 Jan 2026 13:13:24 +1100 Subject: [PATCH 6/8] Updated vulnerable urllib in aws scripts --- scripts/aws/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aws/requirements.txt b/scripts/aws/requirements.txt index fe56f20ad..21093b9c0 100644 --- a/scripts/aws/requirements.txt +++ b/scripts/aws/requirements.txt @@ -1,4 +1,4 @@ requests[socks]==2.32.3 boto3==1.35.59 -urllib3==2.6.0 +urllib3==2.6.3 PyYAML===6.0.2 \ No newline at end of file From aedb1b7189610649031f64328fe2c5873abb926b Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Mon, 12 Jan 2026 10:26:02 +1100 Subject: [PATCH 7/8] Reverted Dockerfile and renamed constants --- Dockerfile | 8 ++------ src/main/java/com/uid2/operator/vertx/Endpoints.java | 7 ++++--- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5c6d721a2..7a5c738b7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-f599f6fa11f007b6dcf6e85ec2c372c1eba2b6940a7828eb6e665665ea5edd1c -FROM eclipse-temurin@sha256:89517925fa675c6c4b770bee7c44d38a7763212741b0d6fca5a5103caab21a97 +FROM eclipse-temurin@sha256:243e711289b0f17e05a4df60454bbb1b8ed7b126db4de2d5535da994b7417111 WORKDIR /app EXPOSE 8080 
@@ -20,16 +20,12 @@ COPY ./conf/*.xml /app/conf/ RUN tar xzvf /app/static.tar.gz --no-same-owner --no-same-permissions && rm -f /app/static.tar.gz -# Fix CVE-2025-68973: Update gnupg to patched version -RUN apk update && apk upgrade gnupg && rm -rf /var/cache/apk/* - RUN adduser -D uid2-operator && mkdir -p /opt/uid2 && chmod 777 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating USER uid2-operator CMD java \ - -XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints \ -XX:MaxRAMPercentage=95 -XX:-UseCompressedOops -XX:+PrintFlagsFinal -XX:-OmitStackTraceInFastThrow \ -Djava.security.egd=file:/dev/./urandom \ -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \ -Dlogback.configurationFile=/app/conf/logback.xml \ - -jar ${JAR_NAME}-${JAR_VERSION}.jar + -jar ${JAR_NAME}-${JAR_VERSION}.jar \ No newline at end of file diff --git a/src/main/java/com/uid2/operator/vertx/Endpoints.java b/src/main/java/com/uid2/operator/vertx/Endpoints.java index 782ca21f9..0a9485bf7 100644 --- a/src/main/java/com/uid2/operator/vertx/Endpoints.java +++ b/src/main/java/com/uid2/operator/vertx/Endpoints.java @@ -29,15 +29,16 @@ public enum Endpoints { UID2_SDK_1_0_0("/static/js/uid2-sdk-1.0.0.js"), UID2_SDK_2_0_0("/static/js/uid2-sdk-2.0.0.js") ; - private final String path; - private static final Set endpoints = Stream.of(Endpoints.values()).map(Endpoints::toString).collect(Collectors.toSet()); + private static final Set ENDPOINTS_SET = Stream.of(Endpoints.values()).map(Endpoints::toString).collect(Collectors.toSet()); + + private final String path; Endpoints(final String path) { this.path = path; } public static Set pathSet() { - return endpoints; + return ENDPOINTS_SET; } @Override From 7fe90b288e445e9f37b0af67a6d96ee7a9e509c6 Mon Sep 17 00:00:00 2001 
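Review bot: Removing the `apk upgrade gnupg` step, together with the restored base digest in the previous hunk, leaves the Dockerfile with no record of how CVE-2025-68973 is handled for this image. A one-line comment next to `FROM` saying whether gnupg is absent from the runtime image or already fixed in the pinned base would let a later scanner finding be closed without re-investigating. The final `-jar ${JAR_NAME}-${JAR_VERSION}.jar` line also loses its trailing newline (`\ No newline at end of file`); keeping the newline avoids noise in future diffs.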
From: Samin Rahman Date: Tue, 13 Jan 2026 10:42:27 +1100 Subject: [PATCH 8/8] Updated shared version --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ad4475d19..9acc52ae7 100644 --- a/pom.xml +++ b/pom.xml @@ -22,7 +22,7 @@ 2.1.0 2.1.19 2.1.9 - 11.3.4-alpha-334-SNAPSHOT + 11.4.0 ${project.version} 21 21