Upgrade Okie to version 3.6.0 (from 1.17.2) and OkHttp jar to version 4.12.0 to address CVE-2023-3635.

Author: Mariamalmesfer

pom.xml

@@ -49,7 +49,7 @@
         <dep.slice.version>0.38</dep.slice.version>
         <dep.testing-mysql-server-5.version>0.6</dep.testing-mysql-server-5.version>
         <dep.aws-sdk.version>1.12.560</dep.aws-sdk.version>
-        <dep.okhttp.version>3.9.0</dep.okhttp.version>
+        <dep.okhttp.version>4.12.0</dep.okhttp.version>
         <dep.jdbi3.version>3.4.0</dep.jdbi3.version>
         <dep.oracle.version>19.3.0.0</dep.oracle.version>
         <dep.drift.version>1.40</dep.drift.version>
@@ -216,6 +216,19 @@
 
     <dependencyManagement>
         <dependencies>
+            <dependency>
+                <groupId>com.squareup.okio</groupId>
+                <artifactId>okio-jvm</artifactId>
+                <version>3.6.0</version>
+            </dependency>
+
+             <!-- pull up to the version used in okio-jvm to avoid conlict with okhttp-* -->
+             <dependency>
+                <groupId>org.jetbrains.kotlin</groupId>
+                <artifactId>kotlin-stdlib-jdk8</artifactId>
+                <version>1.9.10</version>
+             </dependency>
+
             <dependency>
                 <groupId>org.eclipse.jetty</groupId>
                 <artifactId>jetty-bom</artifactId>

presto-client/pom.xml

@@ -117,4 +117,19 @@
             <scope>test</scope>
         </dependency>
     </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <configuration>
+                    <ignoredUnusedDeclaredDependencies>
+                        <!-- This is needed to keep Okio in the build and prevent conflicts with OkHttp and Kotlin dependencies. -->
+                        <ignoredUnusedDeclaredDependency>com.squareup.okio:okio-jvm</ignoredUnusedDeclaredDependency>
+                    </ignoredUnusedDeclaredDependencies>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
 </project>

presto-client/src/main/java/com/facebook/presto/client/JsonResponse.java

@@ -24,7 +24,6 @@
 import javax.annotation.Nullable;
 
 import java.io.IOException;
-import java.io.InterruptedIOException;
 import java.io.UncheckedIOException;
 
 import static com.google.common.base.MoreObjects.toStringHelper;
@@ -146,11 +145,6 @@ public static <T> JsonResponse<T> execute(JsonCodec<T> codec, OkHttpClient clien
             return new JsonResponse<>(response.code(), response.message(), response.headers(), body);
         }
         catch (IOException e) {
-            // OkHttp throws this after clearing the interrupt status
-            // TODO: remove after updating to Okio 1.15.0+
-            if ((e instanceof InterruptedIOException) && "thread interrupted".equals(e.getMessage())) {
-                Thread.currentThread().interrupt();
-            }
             throw new UncheckedIOException(e);
         }
     }

presto-client/src/main/java/com/facebook/presto/client/OkHttpUtil.java

@@ -16,6 +16,7 @@
 import com.facebook.airlift.security.pem.PemReader;
 import com.google.common.base.CharMatcher;
 import com.google.common.net.HostAndPort;
+import okhttp.internal.tls.LegacyHostnameVerifier;
 import okhttp3.Call;
 import okhttp3.Callback;
 import okhttp3.Credentials;
@@ -237,6 +238,7 @@ public static void setupSsl(
             sslContext.init(keyManagers, new TrustManager[] {trustManager}, null);
 
             clientBuilder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
+            clientBuilder.hostnameVerifier(LegacyHostnameVerifier.INSTANCE);
         }
         catch (GeneralSecurityException | IOException e) {
             throw new ClientException("Error setting up SSL: " + e.getMessage(), e);