Fix 3.6.3 (#751)

* fix: CVE-2024-1021

* fix: poi-ooxml-schemas

* be: ALWAYS_PARSE_INTEGRAL_NUMBER_INTO_DECIMAL

@rbv

@@ -1 +1 @@
-Subproject commit d42ae420345c31581e65f1fbac7085a9c4dad5d9
+Subproject commit d9a1e4f8e2dad6f0f3d33c1a2ddfd18e38f89350

pom.xml

@@ -10,7 +10,7 @@
     </parent>
     <groupId>com.rebuild</groupId>
     <artifactId>rebuild</artifactId>
-    <version>3.6.2</version>
+    <version>3.6.3</version>
     <name>rebuild</name>
     <description>Building your business-systems freely!</description>
     <url>https://getrebuild.com/</url>
@@ -403,6 +403,10 @@
                     <artifactId>ehcache</artifactId>
                     <groupId>org.ehcache</groupId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.poi</groupId>
+                    <artifactId>poi-ooxml-schemas</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -420,11 +424,6 @@
             <artifactId>poi-ooxml</artifactId>
             <version>5.2.5</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.poi</groupId>
-            <artifactId>poi-ooxml-schemas</artifactId>
-            <version>4.1.2</version>
-        </dependency>
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>

src/main/java/com/rebuild/core/Application.java

@@ -74,11 +74,11 @@ public class Application implements ApplicationListener<ApplicationStartedEvent>
     /**
      * Rebuild Version
      */
-    public static final String VER = "3.6.2";
+    public static final String VER = "3.6.3";
     /**
      * Rebuild Build [MAJOR]{1}[MINOR]{2}[PATCH]{2}[BUILD]{2}
      */
-    public static final int BUILD = 3060207;
+    public static final int BUILD = 3060308;
 
     static {
         // Driver for DB

src/main/java/com/rebuild/core/service/trigger/aviator/AviatorUtils.java

@@ -37,6 +37,7 @@ public class AviatorUtils {
     static {
         // https://www.yuque.com/boyan-avfmj/aviatorscript/yr1oau
         AVIATOR.setOption(Options.ALWAYS_PARSE_FLOATING_POINT_NUMBER_INTO_DECIMAL, Boolean.TRUE);
+        AVIATOR.setOption(Options.ALWAYS_PARSE_INTEGRAL_NUMBER_INTO_DECIMAL, Boolean.TRUE);
         AVIATOR.setOption(Options.ENABLE_PROPERTY_SYNTAX_SUGAR, Boolean.FALSE);
         AVIATOR.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
         AVIATOR.setOption(Options.TRACE_EVAL, Boolean.FALSE);

src/main/java/com/rebuild/web/commons/FileDownloader.java

@@ -181,6 +181,7 @@ public class FileDownloader extends BaseController {
 
         if (CommonsUtils.isExternalUrl(filepath)) {
             String text = OkHttpUtils.get(filepath, null, charset);
+            ServletUtils.setContentType(response, ServletUtils.CT_PLAIN);
             ServletUtils.write(response, text);
             return;
         }
@@ -212,6 +213,7 @@ public class FileDownloader extends BaseController {
             }
         }
 
+        ServletUtils.setContentType(response, ServletUtils.CT_PLAIN);
         ServletUtils.write(response, text);
     }
 

src/test/java/com/rebuild/core/service/trigger/aviator/AviatorUtilsTest.java

@@ -119,4 +119,10 @@ class AviatorUtilsTest {
         Assertions.assertTrue((Boolean) AviatorUtils.eval("12.34560 == 12.3456", env));
         Assertions.assertTrue((Boolean) AviatorUtils.eval("1 != 2", env));
     }
+
+    @Test
+    void intdiv() {
+        System.out.println(AviatorUtils.eval("1/2.333"));
+        System.out.println(AviatorUtils.eval("1/3"));
+    }
 }