Merge remote-tracking branch 'origin/develop' into fb_ghIssueLink

labkey-susanh · labkey-susanh · commit f5f944286eac · 2025-06-23T11:12:57.000-07:00
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -217,4 +217,13 @@
        <packageUrl regex="true">^pkg:maven/org\.itadaki/bzip2@.*$</packageUrl>
        <cve>CVE-2005-1260</cve>
     </suppress>
+
+    <!-- Related to the setting of channel binding as required, which is not relevant to us. -->
+    <suppress>
+        <notes><![CDATA[
+       file name: postgresql-42.7.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
+        <vulnerabilityName>CVE-2025-49146</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
@@ -263,6 +263,7 @@ poiVersion=5.4.0
 
 pollingWatchVersion=0.2.0
 
+# Newer versions of the driver have a perf degradation that's important for us. https://github.com/pgjdbc/pgjdbc/issues/3505
 postgresqlDriverVersion=42.7.4
 
 quartzVersion=2.5.0
@@ -288,7 +289,7 @@ snappyJavaVersion=1.1.10.7
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
 springBootVersion=3.5.0
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=6.2.7
+springVersion=6.2.8
 
 sqliteJdbcVersion=3.49.1.0
 
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -7,6 +7,7 @@
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.context.ApplicationPidFileWriter;
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
 import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
 import org.springframework.boot.web.server.WebServerFactoryCustomizer;
 import org.springframework.context.annotation.Bean;
@@ -82,11 +83,11 @@ public static void main(String[] args)
         String enforceCsp = baseCsp + """
                 ${UPGRADE.INSECURE.REQUESTS}
                 frame-ancestors 'self' ;
-                report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e12&${CSP.REPORT.PARAMS} ;
+                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=e12&${CSP.REPORT.PARAMS} ;
             """;
         // Leave out upgrade_insecure_requests and frame-ancestors directives, since they produce warnings on some browsers
         String reportCsp = baseCsp + """
-                report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS} ;
+                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS} ;
             """;
         application.setDefaultProperties(Map.of(
             "server.tomcat.basedir", ".",
