Merge #624 and #605 from mainline (#656)

* Issue 623, fix security vulnerability regarding to depedencies commons-codec and Guava

* Issue 580, Using UTC as default timezone for date_format function if not provided

Author: penghuo

build.gradle

@@ -206,6 +206,10 @@ configurations {
         extendsFrom = extendsFrom.findAll { it != configurations.antlr }
     }
 }
+configurations.all {
+    // enforce 1.1.3, https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379
+    resolutionStrategy.force 'commons-codec:commons-codec:1.13'
+}
 
 check.dependsOn jacocoTestReport
 
@@ -248,7 +252,13 @@ dependencies {
     compile group: 'org.locationtech.spatial4j', name: 'spatial4j', version:'0.7'
     compile group: "org.elasticsearch.plugin", name: 'parent-join-client', version: "${es_version}"
     compile group: "org.elasticsearch.plugin", name: 'reindex-client', version: "${es_version}"
-    compile group: 'com.google.guava', name: 'guava', version:'15.0'
+    constraints {
+        implementation('commons-codec:commons-codec:1.13') {
+            because 'https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379'
+        }
+    }
+    // https://github.com/google/guava/wiki/CVE-2018-10237
+    compile group: 'com.google.guava', name: 'guava', version:'25.0-jre'
     compile group: 'org.json', name: 'json', version:'20180813'
     compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.9'
 

src/main/java/com/amazon/opendistroforelasticsearch/sql/query/maker/Maker.java

@@ -76,6 +76,11 @@
 
 public abstract class Maker {
 
+    /**
+     * UTC.
+     */
+    private static final ZoneId UTC = ZoneId.of("UTC");
+
     public static final Object NONE = new Object();
 
     public static final Set<String> queryFunctions = Sets.newHashSet(
@@ -409,7 +414,8 @@ private ToXContent makeForDateFormat(SQLMethodInvokeExpr nameExpr, SQLCharExpr v
         if (params.size() > 2) {
             zoneId = ZoneId.of(removeSingleQuote(params.get(2).toString())).toString();
         } else {
-            zoneId = ZoneId.systemDefault().toString();
+            // Using UTC, if there is no Zone provided.
+            zoneId = UTC.getId();
         }
 
         RangeQueryBuilder rangeQuery = QueryBuilders.rangeQuery(field).format(format).timeZone(zoneId);

src/main/java/com/amazon/opendistroforelasticsearch/sql/utils/SQLFunctions.java

@@ -527,7 +527,7 @@ private Tuple<String, String> date_format(SQLExpr field, String pattern, String
         String name = nextId("date_format");
         if (valueName == null) {
             return new Tuple<>(name, "def " + name + " = DateTimeFormatter.ofPattern('" + pattern + "').withZone("
-                    + (zoneId != null ? "ZoneId.of('" + zoneId + "')" : "ZoneId.systemDefault()")
+                    + (zoneId != null ? "ZoneId.of('" + zoneId + "')" : "ZoneId.of(\"UTC\")")
                     + ").format(Instant.ofEpochMilli(" + getPropertyOrValue(field) + ".toInstant().toEpochMilli()))");
         } else {
             return new Tuple<>(name, exprString(field) + "; "

src/test/java/com/amazon/opendistroforelasticsearch/sql/esintgtest/DateFormatIT.java

@@ -33,6 +33,10 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
+import static com.amazon.opendistroforelasticsearch.sql.util.MatcherUtils.rows;
+import static com.amazon.opendistroforelasticsearch.sql.util.MatcherUtils.schema;
+import static com.amazon.opendistroforelasticsearch.sql.util.MatcherUtils.verifyDataRows;
+import static com.amazon.opendistroforelasticsearch.sql.util.MatcherUtils.verifySchema;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.is;
 
@@ -112,6 +116,17 @@ public void and() throws SqlParseException{
         );
     }
 
+    @Test
+    public void andWithDefaultTimeZone() throws SqlParseException {
+        assertThat(
+                dateQuery(SELECT_FROM +
+                                "WHERE date_format(insert_time, 'yyyy-MM-dd HH:mm:ss') >= '2014-08-17 16:13:12' " +
+                                "AND date_format(insert_time, 'yyyy-MM-dd HH:mm:ss') <= '2014-08-17 16:13:13'",
+                        "yyyy-MM-dd HH:mm:ss"),
+                contains("2014-08-17 16:13:12")
+        );
+    }
+
     @Test
     public void or() throws SqlParseException {
         assertThat(
@@ -152,6 +167,17 @@ public void sortByAliasedDateFormat() throws IOException {
                 is(new DateTime("2014-08-24T00:00:41.221Z", DateTimeZone.UTC)));
     }
 
+    @Test
+    public void selectDateTimeWithDefaultTimeZone() throws SqlParseException {
+        JSONObject response = executeJdbcRequest("SELECT date_format(insert_time, 'yyyy-MM-dd') as date " +
+                " FROM " + TestsConstants.TEST_INDEX_ONLINE +
+                " WHERE date_format(insert_time, 'yyyy-MM-dd HH:mm:ss') >= '2014-08-17 16:13:12' " +
+                " AND date_format(insert_time, 'yyyy-MM-dd HH:mm:ss') <= '2014-08-17 16:13:13'");
+
+        verifySchema(response, schema("date", "", "text"));
+        verifyDataRows(response, rows("2014-08-17"));
+    }
+
     @Test
     public void groupByAndSort() throws IOException {
         JSONObject aggregations = executeQuery(
@@ -203,17 +229,19 @@ private void checkAggregations(JSONObject aggregations, String key, Ordering<Com
     }
 
     private Set<Object> dateQuery(String sql) throws SqlParseException {
+        return dateQuery(sql, TestsConstants.SIMPLE_DATE_FORMAT);
+    }
+
+    private Set<Object> dateQuery(String sql, String format) throws SqlParseException {
         try {
             JSONObject response = executeQuery(sql);
-            return getResult(response, "insert_time");
+            return getResult(response, "insert_time", DateTimeFormat.forPattern(format));
         } catch (IOException e) {
             throw new SqlParseException(String.format("Unable to process query '%s'", sql));
         }
     }
 
-    private Set<Object> getResult(JSONObject response, String fieldName) {
-        DateTimeFormatter formatter = DateTimeFormat.forPattern(TestsConstants.SIMPLE_DATE_FORMAT);
-
+    private Set<Object> getResult(JSONObject response, String fieldName, DateTimeFormatter formatter) {
         JSONArray hits = getHits(response);
         Set<Object> result = new TreeSet<>(); // Using TreeSet so order is maintained
         for (int i = 0; i < hits.length(); i++) {
@@ -227,4 +255,8 @@ private Set<Object> getResult(JSONObject response, String fieldName) {
 
         return result;
     }
+
+    private JSONObject executeJdbcRequest(String query) {
+        return new JSONObject(executeQuery(query, "jdbc"));
+    }
 }