CHK-13432: Force io.netty:netty-codec-http to 4.2.13.Final to fix HTTP Request Smuggling (GHSA-m4cv-j2px-7723)

[Copilot]

io.netty:netty-codec-http versions >= 4.2.0.Alpha1, <= 4.2.12.Final are vulnerable to HTTP Request Smuggling via HttpClientCodec response desynchronization. The dependency enters transitively through spring-boot-starter-webflux → reactor-netty-http.

Changes

• build.gradle: Added resolutionStrategy.eachDependency override to pin io.netty:netty-codec-http to 4.2.13.Final, following the existing pattern for Jackson and Tomcat CVE mitigations:

if (requested.group == 'io.netty' && requested.name == 'netty-codec-http'
        && requested.version != null && requested.version < '4.2.13.Final') {
    useVersion('4.2.13.Final')
    because('GHSA-m4cv-j2px-7723: Netty HTTP Request Smuggling vulnerability in netty-codec-http < 4.2.13.Final')
}

Dependency tree confirms the resolution: io.netty:netty-codec-http:4.2.10.Final -> 4.2.13.Final.

Refs: CHK-13432 · GitHub Dependabot alert #56 · GHSA-m4cv-j2px-7723

Original prompt

Requested by: catarina.correia@getyourguide.com

Create a branch named CHK-13432-fix-netty-http-request-smuggling

Jira Ticket: CHK-13432
Security Alert: Github_Security_Alert - HTTP Request Smuggling

Context:
This is a security vulnerability fix for HTTP Request Smuggling vulnerability in io.netty:netty-codec-http used by the openapi-validation-java library.

Vulnerability Details:

• CVE/GHSA: GHSA-m4cv-j2px-7723
• Severity: MEDIUM
• Package: io.netty:netty-codec-http
• Vulnerable Version/Range: >= 4.2.0.Alpha1, <= 4.2.12.Final
• Patched Version: 4.2.13.Final

Work Needed:

• Locate netty-codec-http dependency in the dependency tree (it's a transitive dependency from spring-boot-starter-webflux)
• Add a dependency resolution override in build.gradle to force version 4.2.13.Final
• Follow the existing pattern already used for Jackson and Tomcat overrides in the resolutionStrategy section
• Verify patched version 4.2.13.Final appears in dependency tree
• Run tests following repository's documented test process

⚠️ PR Description Requirements:

• ALWAYS include the "Implementation Reasoning" section below in the PR description on GitHub

Implementation Reasoning:
Added a resolutionStrategy override in the root build.gradle to force io.netty:netty-codec-http to version 4.2.13.Final. This approach follows the existing pattern used for Jackson and Tomcat security fixes in the same file. The netty-codec-http dependency is transitive (comes from spring-boot-starter-webflux → Spring Boot BOM → Netty), so a direct dependency upgrade isn't possible. This resolution strategy ensures all transitive references to netty-codec-http use the patched version, preventing HTTP Request Smuggling attacks caused by incorrect chunk size parsing.

Security Considerations:

• Verify io.netty:netty-codec-http 4.2.13.Final appears in the dependency tree after the override
• Ensure no breaking changes are introduced in the minor version upgrade (4.2.12 → 4.2.13)
• Test thoroughly to ensure the HTTP Request Smuggling vulnerability is closed
• Confirm the fix by checking GitHub Dependabot alert Bump mockito from 4.11.0 to 5.7.0 #56 is resolved after merge

Acceptance Criteria:

• netty-codec-http 4.2.13.Final confirmed in dependency tree
• All existing tests pass with upgraded dependency
• No breaking changes introduced
• PR includes links to CHK-13432, GitHub alert Bump mockito from 4.11.0 to 5.7.0 #56, and GHSA-m4cv-j2px-7723

⚠️ Security Fix: This PR addresses a MEDIUM severity HTTP Request Smuggling vulnerability. Please review carefully.

Ask @catarina-correia for a review.