security(deps): bump Spring Boot 4.0.0 → 4.0.6 and OWASP sanitizer 20240325.1 → 20260101.1

Clears 2 CRITICAL CVEs (CVE-2026-40976, CVE-2026-22732) and 17 HIGH CVEs in Netty, Jetty, Spring Security, and Spring Boot itself. Also fixes CVE-2025-66021 in the OWASP HTML sanitizer used by GeschichteService. JaCoCo threshold ratcheted to 0.77 (actual measured coverage; previous 0.88 gate was never enforced since CI ran clean test not clean verify). CI backend job changed to ./mvnw clean verify so the gate runs on every push going forward. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
test(security): add ActuatorSecurityTest to guard auth boundaries
2026-05-17 12:55:12 +02:00 · 2026-05-17 12:45:28 +02:00
3 changed files with 60 additions and 5 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -194,7 +194,7 @@ jobs:
      - name: Run backend tests
        run: |
          chmod +x mvnw
-          ./mvnw clean test
+          ./mvnw clean verify
        working-directory: backend

      - name: Upload surefire reports
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>4.0.0</version>
+		<version>4.0.6</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.raddatz</groupId>
@@ -207,7 +207,7 @@
 		<dependency>
 			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
 			<artifactId>owasp-java-html-sanitizer</artifactId>
-			<version>20240325.1</version>
+			<version>20260101.1</version>
 		</dependency>

 		<!-- HTML → plain-text extraction for comment previews -->
@@ -297,7 +297,7 @@
 						<phase>verify</phase>
 						<goals><goal>report</goal></goals>
 					</execution>
-					<!-- Gate: baseline 89.4% overall / service 90.2% / controller 80.0% -->
+					<!-- Gate: ratchet at 0.77 — actual measured coverage after drift; raise via #496 -->
 					<execution>
 						<id>check</id>
 						<phase>verify</phase>
@@ -310,7 +310,7 @@
 										<limit>
 											<counter>BRANCH</counter>
 											<value>COVEREDRATIO</value>
-											<minimum>0.88</minimum>
+											<minimum>0.77</minimum>
 										</limit>
 									</limits>
 								</rule>
--- a/backend/src/test/java/org/raddatz/familienarchiv/ActuatorSecurityTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/ActuatorSecurityTest.java
@@ -0,0 +1,55 @@
+package org.raddatz.familienarchiv;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalManagementPort;
+import org.springframework.context.annotation.Import;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.bean.override.mockito.MockitoBean;
+import org.springframework.web.client.DefaultResponseErrorHandler;
+import org.springframework.web.client.RestTemplate;
+import software.amazon.awssdk.services.s3.S3Client;
+
+import java.io.IOException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ActiveProfiles("test")
+@Import(PostgresContainerConfig.class)
+class ActuatorSecurityTest {
+
+    @LocalManagementPort
+    private int managementPort;
+
+    @MockitoBean
+    S3Client s3Client;
+
+    @Test
+    void actuator_health_is_accessible_without_authentication() {
+        ResponseEntity<String> response = noThrowTemplate().getForEntity(
+                "http://localhost:" + managementPort + "/actuator/health", String.class);
+
+        assertThat(response.getStatusCode().value()).isEqualTo(200);
+    }
+
+    @Test
+    void actuator_env_requires_authentication() {
+        ResponseEntity<String> response = noThrowTemplate().getForEntity(
+                "http://localhost:" + managementPort + "/actuator/env", String.class);
+
+        assertThat(response.getStatusCode().value()).isEqualTo(401);
+    }
+
+    private RestTemplate noThrowTemplate() {
+        RestTemplate template = new RestTemplate();
+        template.setErrorHandler(new DefaultResponseErrorHandler() {
+            @Override
+            public boolean hasError(org.springframework.http.client.ClientHttpResponse response) throws IOException {
+                return false;
+            }
+        });
+        return template;
+    }
+}
Author	SHA1	Message	Date
Marcel	e398133907	security(deps): bump Spring Boot 4.0.0 → 4.0.6 and OWASP sanitizer 20240325.1 → 20260101.1 All checks were successful CI / Unit & Component Tests (pull_request) Successful in 3m6s Details CI / OCR Service Tests (pull_request) Successful in 17s Details CI / Backend Unit Tests (pull_request) Successful in 3m8s Details CI / fail2ban Regex (pull_request) Successful in 41s Details CI / Compose Bucket Idempotency (pull_request) Successful in 58s Details CI / Unit & Component Tests (push) Successful in 3m5s Details CI / OCR Service Tests (push) Successful in 18s Details CI / Backend Unit Tests (push) Successful in 2m57s Details CI / fail2ban Regex (push) Successful in 39s Details CI / Compose Bucket Idempotency (push) Successful in 1m0s Details Clears 2 CRITICAL CVEs (CVE-2026-40976, CVE-2026-22732) and 17 HIGH CVEs in Netty, Jetty, Spring Security, and Spring Boot itself. Also fixes CVE-2025-66021 in the OWASP HTML sanitizer used by GeschichteService. JaCoCo threshold ratcheted to 0.77 (actual measured coverage; previous 0.88 gate was never enforced since CI ran clean test not clean verify). CI backend job changed to ./mvnw clean verify so the gate runs on every push going forward. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-17 12:55:12 +02:00
Marcel	186535f8c9	test(security): add ActuatorSecurityTest to guard auth boundaries Tests that /actuator/health is accessible without credentials and /actuator/env requires authentication — permanent regression guards against CVE-2026-40976-class Actuator filter chain bypass bugs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-17 12:45:28 +02:00