Dependabot Fixes

[ryanrath]

These fixes were originally included in
#1967, but are now to be included in this PR.

Description

• BaseControllerProvider.php: the namespace for the ControllerProviderInterface; interface changed in the latest version of Silex ( from Silex\ControllerProviderInterface to Silex\Api\ControllerProviderInterface).
• XdmodApplicationFactory.php:
  • UrlGeneratorServiceProvider has been changed to RoutingServiceProvider.
  • there is no more app->share function, you just use an anonymous function.
  • the Request $request argument has been added to the anonymous function called by the $app->error helper
    function.
• composer.json:
  • Updated silex to the latest ( last ) version v2.3.0, this resolves the following dependabot alerts:
    • https://github.com/ubccr/xdmod/security/dependabot/10 (CVE-2022-24894)
      • Here's the commit with the fix: symfony/symfony@d2f6322
      • And here is where you can find the updated file: vendor/symfony/http-kernel/HttpCache/Store.php. Specifically lines 49-51, and 228-230.
    • https://github.com/ubccr/xdmod/security/dependabot/11 (CVE-2019-18888)
      • this is fixed as the current version v4.4.49 is >= 3.4.35.
      • Here's the commit w/ the fix: symfony/symfony@691486e
      • And here's the updated file: vendor/symfony/http-foundation/File/MimeType/FileBinaryMimeTypeGuesser.php
    • https://github.com/ubccr/xdmod/security/dependabot/12 (CVE-2019-10913)
      • Here's the commit w/ the fix: symfony/symfony@944e60f
      • Here's the updated file: vendor/symfony/http-foundation/Request.php
    • https://github.com/ubccr/xdmod/security/dependabot/13 (CVE-2019-18887)
      • Here's the commit w/ the fix: symfony/symfony@cccefe6
      • And here's the updated file: vendor/symfony/http-kernel/UriSigner.php
    • https://github.com/ubccr/xdmod/security/dependabot/14 (CVE-2018-14773)
      • Here's the commit with the fix: symfony/symfony@e447e8b
      • Here's the updated file: vendor/symfony/http-foundation/Request.php
• open_xdmod/modules/xdmod/build.json
  • Added the patches to resolve:
  • https://github.com/ubccr/xdmod/security/dependabot/1
  • https://github.com/ubccr/xdmod/security/dependabot/2
  • https://github.com/ubccr/xdmod/security/dependabot/22

SimpleSAMLphp Patches

• https://github.com/ubccr/xdmod/security/dependabot/1 ( CVE-2020-5225 )
  • Resolved with changes in commit: simplesamlphp/simplesamlphp@864f039
  • patch of these changes ( for www/errorreport.php ): open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patch
• https://github.com/ubccr/xdmod/security/dependabot/2
  • Resolved with changes in: simplesamlphp/simplesamlphp@47968d2
  • Patch file: open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5301.patch
• https://github.com/ubccr/xdmod/security/dependabot/22
  • Resolved with changes in: simplesamlphp/simplesamlphp@ce2294e
    • Note: the function isValidURL already exists in Utils/Http.php in the version that we're using, that's why only the change to postredirect.php has been included in the patch file.
  • Patch File: open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_postredirect.patch

Motivation and Context

We have a number of Dependabot Alerts that should probably be resolved. The following changes should do that for the symfony/* and simplesamlphp/simplesamlphp dependencies.

Tests performed

All automated tests pass.

Checklist:

• The pull request description is suitable for a Changelog entry
• The milestone is set correctly on the pull request
• The appropriate labels have been added to the pull request

[jpwhite4]

Has the updated mongo library been tested with the SUPREMM module?

[ryanrath]

I'll double check that now.

[ryanrath]

@jpwhite4 I've removed the mongodb update from this PR.