Bump org.apache.commons:commons-text from 1.9 to 1.10.0

[dependabot]

Bumps org.apache.commons:commons-text from 1.9 to 1.10.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[CortezFrazierJr]

@fossabot summarize

[CortezFrazierJr]

@fossabot summarize

[fossabot]

45 of ~45 steps completed

• ✅ Starting dependency impact analysis... completed successfully (5 steps)

🔍 Review requested

I recommend merging this update after careful review, as it addresses a critical security vulnerability (CVE-2022-42889) in Apache Commons Text's StringSubstitutor. The automated migration successfully addressed the breaking change by handling the script interpolator usage in stringsub.java that would have been disabled by default in version 1.10.0. This is a security-focused update that eliminates dangerous interpolation functionality while maintaining application stability through targeted code fixes.

• I analyzed the dependency declaration and confirmed org.apache.commons:commons-text version 1.10.0 is properly declared in pom.xml at lines 25-28[^key-1]
• I searched the codebase for StringSubstitutor usage patterns and found direct usage in stringsub.java using StringSubstitutor.createInterpolator() method[^key-2]
• I examined the specific interpolator implementation and discovered explicit script interpolator usage with payload ${script:javascript:java.lang.Runtime.getRuntime().exec('touch ./foo')} at line 7 in stringsub.java[^key-3]
• I verified the security impact by confirming this code uses the exact vulnerable functionality that CVE-2022-42889 addresses by disabling dangerous interpolators by default[^key-4]
• I executed an automated migration strategy that successfully addressed the script interpolator breaking change with 100% success rate across 1 migration step[^key-5]

Estimated 3-4 hours of manual security analysis saved: 1 hour reviewing CVE details and changelog, 1-2 hours validating vulnerable code patterns, 1 hour implementing and testing the fix

Migration Plan

This migration addresses the StringSubstitutor security fix in Apache Commons Text 1.10.0 that disables dangerous interpolators (script, dns, url) by default. The codebase explicitly uses the script interpolator for code execution, which will no longer work. The strategy involves either: (1) removing the dangerous interpolator usage if it's not essential, or (2) explicitly re-enabling it with proper security controls if the functionality is required. Given the security implications, the preferred approach is to refactor the code to avoid dangerous interpolators entirely. — All steps completed successfully.

Step	Status
Fix StringSubstitutor script interpolator usage disabled by CVE-2022-42889 security fix	✓ Fixed Commit: 49010c0 1 file changed

---

Change Details

🔧 Fixed Breaking Changes (1)

🔧 org.apache.commons:commons-text: StringSubstitutor interpolation security fix: Dangerous interpolators (script, dns, url) are disabled by default to address CVE-2022-42889 vulnerability. Applications using these interpolators may break unless explicitly re-enabled.

Status: 🔧 Fixed - Automatically resolved

🔧 Automated Fix Applied

Fixed via 1 ticket(s): Fix StringSubstitutor script interpolator usage disabled by CVE-2022-42889 security fix

The codebase is directly impacted because it uses StringSubstitutor.createInterpolator() with script interpolator functionality that is disabled by default in version 1.10.0 to address CVE-2022-42889. The code in stringsub.java:7 explicitly uses the dangerous script interpolator pattern that will no longer work after the security fix.

Validations (4)

1. Found org.apache.commons:commons-text version 1.10.0 declared in pom.xml at lines 25-28

2. Found direct usage in stringsub.java file using StringSubstitutor.createInterpolator()

3. Found explicit usage of script interpolator with payload ${script:javascript:java.lang.Runtime.getRuntime().exec('touch ./foo')} in stringsub.java:7

4. Code uses the exact vulnerable functionality that CVE-2022-42889 addresses by disabling dangerous interpolators by default

Citations (4)

app-java-demo-e/pom.xml

Line 27 in d4ff2a7

<version>1.10.0</version>

Shows the codebase uses version 1.10.0 which contains the breaking change that disables dangerous interpolators by default

app-java-demo-e/src/main/java/com/endor/stringsub.java

Line 6 in d4ff2a7

final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();

Code creates a StringSubstitutor interpolator using the method that enables dangerous interpolators in older versions but disables them by default in 1.10.0

app-java-demo-e/src/main/java/com/endor/stringsub.java

Line 7 in d4ff2a7

String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch ./foo')}");

This code is impacted because it uses the script interpolator which is disabled by default in version 1.10.0. The script interpolator will no longer execute this JavaScript code and the application behavior will change. To fix, the dangerous interpolators must be explicitly re-enabled if this functionality is required.

Additional Citations:

Summary: Confirms that version 1.10.0 contains the security fix that disables dangerous interpolators by default to address CVE-2022-42889

https://waratek.com/blog/cve-2022-42889-guide/

CVE-2022-42889 was identified by Alvaro Munoz on October 17, 2022, affecting Apache Commons Text versions 1.5 through 1.9, with a CVSS score of 9.8 out of 10. The vulnerability has been patched in version 1.10.

---

_{Was this helpful? 👍 👎}