From c597c4aa000827eb95576856cb71c8373a065cb9 Mon Sep 17 00:00:00 2001
From: Daniel Beck <daniel-beck@users.noreply.github.com>
Date: Wed, 7 Aug 2024 18:19:11 +0200
Subject: [PATCH] Drop support for remoting releases before 2024-08

---
 core/pom.xml                                  |   2 +-
 core/src/main/java/hudson/PluginManager.java  |  16 --
 .../security/s2m/JarURLValidatorImpl.java     | 104 -----------
 pom.xml                                       |   3 +-
 test/pom.xml                                  |  10 +-
 .../jenkins/security/Security3430Test.java    | 161 +++---------------
 war/pom.xml                                   |   2 +-
 7 files changed, 33 insertions(+), 265 deletions(-)
 delete mode 100644 core/src/main/java/jenkins/security/s2m/JarURLValidatorImpl.java

diff --git a/core/pom.xml b/core/pom.xml
index 8e30ae211ed7..63d789788369 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -41,7 +41,7 @@ THE SOFTWARE.
   <properties>
     <xmlunit.version>2.10.0</xmlunit.version>
     <!-- Minimum Remoting version, which is tested for API compatibility, duplicated so that renovate only updates the latest remoting version property -->
-    <remoting.minimum.supported.version>3107.v665000b_51092</remoting.minimum.supported.version>
+    <remoting.minimum.supported.version>3256.3258.v858f3c9a_f69d</remoting.minimum.supported.version>
     <!-- Filled in by jacoco-maven-plugin -->
     <jacocoSurefireArgs />
   </properties>
diff --git a/core/src/main/java/hudson/PluginManager.java b/core/src/main/java/hudson/PluginManager.java
index 16c22e9ca90c..75dd52c4d7b7 100644
--- a/core/src/main/java/hudson/PluginManager.java
+++ b/core/src/main/java/hudson/PluginManager.java
@@ -2417,22 +2417,6 @@ public String toString() {
             // only for debugging purpose
             return "classLoader " +  getClass().getName();
         }
-
-        // TODO Remove this once we require post 2024-07 remoting minimum version and deleted ClassLoaderProxy#fetchJar(URL)
-        @SuppressFBWarnings(
-                value = "DMI_COLLECTION_OF_URLS",
-                justification = "All URLs point to local files, so no DNS lookup.")
-        @Restricted(NoExternalUse.class)
-        public boolean isPluginJar(URL jarUrl) {
-            for (PluginWrapper plugin : activePlugins) {
-                if (plugin.classLoader instanceof URLClassLoader) {
-                    if (Set.of(((URLClassLoader) plugin.classLoader).getURLs()).contains(jarUrl)) {
-                        return true;
-                    }
-                }
-            }
-            return false;
-        }
     }
 
     @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
diff --git a/core/src/main/java/jenkins/security/s2m/JarURLValidatorImpl.java b/core/src/main/java/jenkins/security/s2m/JarURLValidatorImpl.java
deleted file mode 100644
index 7fafcea946d5..000000000000
--- a/core/src/main/java/jenkins/security/s2m/JarURLValidatorImpl.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * The MIT License
- *
- * Copyright (c) 2024 CloudBees, Inc.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-
-package jenkins.security.s2m;
-
-import edu.umd.cs.findbugs.annotations.Nullable;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-import hudson.Extension;
-import hudson.PluginManager;
-import hudson.remoting.Channel;
-import hudson.remoting.ChannelBuilder;
-import hudson.remoting.JarURLValidator;
-import java.io.IOException;
-import java.net.URL;
-import java.net.URLClassLoader;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-import jenkins.model.Jenkins;
-import jenkins.security.ChannelConfigurator;
-import jenkins.util.SystemProperties;
-import org.kohsuke.accmod.Restricted;
-import org.kohsuke.accmod.restrictions.NoExternalUse;
-
-@Restricted(NoExternalUse.class)
-@Deprecated
-@Extension
-public class JarURLValidatorImpl extends ChannelConfigurator implements JarURLValidator {
-
-    public static final Logger LOGGER = Logger.getLogger(JarURLValidatorImpl.class.getName());
-
-    @Override
-    public void onChannelBuilding(ChannelBuilder builder, @Nullable Object context) {
-        LOGGER.log(Level.CONFIG, () -> "Setting up JarURLValidatorImpl for context: " + context);
-        builder.withProperty(JarURLValidator.class, this);
-    }
-
-    @Override
-    public void validate(URL url) throws IOException {
-        final String rejectAllProp = JarURLValidatorImpl.class.getName() + ".REJECT_ALL";
-        if (SystemProperties.getBoolean(rejectAllProp)) {
-            LOGGER.log(Level.FINE, () -> "Rejecting URL due to configuration: " + url);
-            throw new IOException("The system property '" + rejectAllProp + "' has been set, so all attempts by agents to load jars from the controller are rejected."
-                    + " Update the agent.jar of the affected agent to a version released in August 2024 or later to prevent this error."); // TODO better version spec
-        }
-        final String allowAllProp = Channel.class.getName() + ".DISABLE_JAR_URL_VALIDATOR";
-        if (SystemProperties.getBoolean(allowAllProp)) {
-            LOGGER.log(Level.FINE, () -> "Allowing URL due to configuration: " + url);
-            return;
-        }
-        if (!isAllowedJar(url)) {
-            LOGGER.log(Level.FINE, () -> "Rejecting URL: " + url);
-            throw new IOException("This URL does not point to a jar file allowed to be requested by agents: " + url + "."
-                    + " Update the agent.jar of the affected agent to a version released in August 2024 or later to prevent this error."
-            + " Alternatively, set the system property '" + allowAllProp + "' to 'true' if all the code built by Jenkins is as trusted as an administrator.");
-        } else {
-            LOGGER.log(Level.FINE, () -> "Allowing URL: " + url);
-        }
-    }
-    @SuppressFBWarnings(
-            value = "DMI_COLLECTION_OF_URLS",
-            justification = "All URLs point to local files, so no DNS lookup.")
-    private static boolean isAllowedJar(URL url) {
-        final ClassLoader classLoader = Jenkins.get().getPluginManager().uberClassLoader;
-        if (classLoader instanceof PluginManager.UberClassLoader uberClassLoader) {
-            if (uberClassLoader.isPluginJar(url)) {
-                LOGGER.log(Level.FINER, () -> "Determined to be plugin jar: " + url);
-                return true;
-            }
-        }
-
-        final ClassLoader coreClassLoader = Jenkins.class.getClassLoader();
-        if (coreClassLoader instanceof URLClassLoader urlClassLoader) {
-            if (Set.of(urlClassLoader.getURLs()).contains(url)) {
-                LOGGER.log(Level.FINER, () -> "Determined to be core jar: " + url);
-                return true;
-            }
-        }
-
-        LOGGER.log(Level.FINER, () -> "Neither core nor plugin jar: " + url);
-        return false;
-    }
-}
diff --git a/pom.xml b/pom.xml
index a0673a9c6cc1..f6229f33af46 100644
--- a/pom.xml
+++ b/pom.xml
@@ -87,7 +87,8 @@ THE SOFTWARE.
     <changelog.url>https://www.jenkins.io/changelog</changelog.url>
 
     <!-- Bundled Remoting version -->
-    <remoting.version>3256.3258.v858f3c9a_f69d</remoting.version>
+    <!-- TODO https://github.com/jenkinsci/remoting/pull/757 -->
+    <remoting.version>3262.v48cc7b_a_2fee8</remoting.version>
 
     <spotbugs.effort>Max</spotbugs.effort>
     <spotbugs.threshold>Medium</spotbugs.threshold>
diff --git a/test/pom.xml b/test/pom.xml
index 7b0a43d7c4a1..3f1d1ff9f144 100644
--- a/test/pom.xml
+++ b/test/pom.xml
@@ -39,7 +39,7 @@ THE SOFTWARE.
   <properties>
     <mavenDebug>false</mavenDebug>
     <!-- Minimum Remoting version, which is tested for API compatibility, duplicated so that renovate only updates the latest remoting version property -->
-    <remoting.minimum.supported.version>3107.v665000b_51092</remoting.minimum.supported.version>
+    <remoting.minimum.supported.version>3256.3258.v858f3c9a_f69d</remoting.minimum.supported.version>
     <!-- Filled in by jacoco-maven-plugin -->
     <jacocoSurefireArgs />
     <!--
@@ -331,14 +331,6 @@ THE SOFTWARE.
                   <version>3256.v88a_f6e922152</version>
                   <type>jar</type>
                   <outputDirectory>${project.build.outputDirectory}/old-remoting</outputDirectory>
-                  <destFileName>remoting-before-SECURITY-3430-fix.jar</destFileName>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>org.jenkins-ci.main</groupId>
-                  <artifactId>remoting</artifactId>
-                  <version>3085.vc4c6977c075a</version>
-                  <type>jar</type>
-                  <outputDirectory>${project.build.outputDirectory}/old-remoting</outputDirectory>
                   <destFileName>remoting-unsupported.jar</destFileName>
                 </artifactItem>
                 <artifactItem>
diff --git a/test/src/test/java/jenkins/security/Security3430Test.java b/test/src/test/java/jenkins/security/Security3430Test.java
index a9e717c75f9f..dcc6cadd01c7 100644
--- a/test/src/test/java/jenkins/security/Security3430Test.java
+++ b/test/src/test/java/jenkins/security/Security3430Test.java
@@ -2,36 +2,27 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.empty;
-import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.not;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
-import hudson.ExtensionList;
 import hudson.model.Computer;
 import hudson.remoting.Channel;
 import hudson.remoting.Launcher;
 import hudson.slaves.SlaveComputer;
-import hudson.util.RingBufferLogHandler;
 import java.io.File;
-import java.io.IOException;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.net.URL;
+import java.net.URLClassLoader;
 import java.nio.charset.StandardCharsets;
 import java.security.Security;
-import java.util.List;
-import java.util.logging.Level;
 import java.util.logging.LogRecord;
-import java.util.logging.Logger;
 import jenkins.bouncycastle.api.InstallBouncyCastleJCAProvider;
-import jenkins.security.s2m.JarURLValidatorImpl;
 import jenkins.slaves.RemotingVersionInfo;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
@@ -43,32 +34,26 @@
 import org.jvnet.hudson.test.InboundAgentRule;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.RealJenkinsRule;
-import org.kohsuke.args4j.Argument;
 import org.kohsuke.stapler.Stapler;
 
 public class Security3430Test {
     @Rule
-    public RealJenkinsRule jj = new RealJenkinsRule().withLogger(JarURLValidatorImpl.class, Level.FINEST);
+    public RealJenkinsRule jj = new RealJenkinsRule();
 
     @Rule
     public InboundAgentRule agents = new InboundAgentRule();
 
     @Test
     public void runWithOldestSupportedAgentJar() throws Throwable {
-        runWithRemoting(RemotingVersionInfo.getMinimumSupportedVersion().toString(), "/old-remoting/remoting-minimum-supported.jar", true);
-    }
-
-    @Test
-    public void runWithPreviousAgentJar() throws Throwable {
-        runWithRemoting("3256.v88a_f6e922152", "/old-remoting/remoting-before-SECURITY-3430-fix.jar", true);
+        runWithRemoting(RemotingVersionInfo.getMinimumSupportedVersion().toString(), "/old-remoting/remoting-minimum-supported.jar");
     }
 
     @Test
     public void runWithCurrentAgentJar() throws Throwable {
-        runWithRemoting(null, null, false);
+        runWithRemoting(null, null);
     }
 
-    private void runWithRemoting(String expectedRemotingVersion, String remotingResourcePath, boolean requestingJarFromAgent) throws Throwable {
+    private void runWithRemoting(String expectedRemotingVersion, String remotingResourcePath) throws Throwable {
         if (expectedRemotingVersion != null) {
             FileUtils.copyURLToFile(Security3430Test.class.getResource(remotingResourcePath), new File(jj.getHome(), "agent.jar"));
         }
@@ -77,23 +62,10 @@ private void runWithRemoting(String expectedRemotingVersion, String remotingReso
         final String agentName = "agent1";
         try {
             agents.createAgent(jj, InboundAgentRule.Options.newBuilder().name(agentName).build());
-            jj.runRemotely(Security3430Test::_run, agentName, expectedRemotingVersion, requestingJarFromAgent, true);
+            jj.runRemotely(Security3430Test::_run, agentName, expectedRemotingVersion, true);
         } finally {
             agents.stop(jj, agentName);
         }
-        jj.runRemotely(Security3430Test::disableJarURLValidatorImpl);
-        final String agentName2 = "agent2";
-        try {
-            agents.createAgent(jj, InboundAgentRule.Options.newBuilder().name(agentName2).build());
-            jj.runRemotely(Security3430Test::_run, agentName2, expectedRemotingVersion, requestingJarFromAgent, false);
-        } finally {
-            agents.stop(jj, agentName2);
-        }
-    }
-
-    // This is quite artificial, but demonstrating that without JarURLValidatorImpl we do not allow any calls from the agent:
-    private static void disableJarURLValidatorImpl(JenkinsRule j) {
-        assertTrue(ExtensionList.lookup(ChannelConfigurator.class).remove(ExtensionList.lookupSingleton(JarURLValidatorImpl.class)));
     }
 
     /**
@@ -101,13 +73,8 @@ private static void disableJarURLValidatorImpl(JenkinsRule j) {
      * @param agentName the name of the agent we're working with
      * @param expectedRemotingVersion The version expected for remoting, or {@code null} if we're using whatever is bundled with this Jenkins.
      * @param requestingJarFromAgent {@code true} if and only if we expect to go through {@code ClassLoaderProxy#fetchJar}
-     * @param hasJenkinsJarURLValidator {@code true} if and only we do not expect {@link jenkins.security.s2m.JarURLValidatorImpl} to be present. Only relevant when {@code requestingJarFromAgent} is {@code true}.
      */
-    private static void _run(JenkinsRule j, String agentName, String expectedRemotingVersion, Boolean requestingJarFromAgent, Boolean hasJenkinsJarURLValidator) throws Throwable {
-        final RingBufferLogHandler logHandler = new RingBufferLogHandler(50);
-        Logger.getLogger(JarURLValidatorImpl.class.getName()).addHandler(logHandler);
-        final List<LogRecord> logRecords = logHandler.getView();
-
+    private static void _run(JenkinsRule j, String agentName, String expectedRemotingVersion, Boolean requestingJarFromAgent) throws Throwable {
         final Computer computer = j.jenkins.getComputer(agentName);
         assertThat(computer, instanceOf(SlaveComputer.class));
         SlaveComputer agent = (SlaveComputer) computer;
@@ -117,111 +84,39 @@ private static void _run(JenkinsRule j, String agentName, String expectedRemotin
             assertThat(result, is(expectedRemotingVersion));
         }
 
-        logHandler.clear();
-
         { // regular behavior
-            if (hasJenkinsJarURLValidator) {
-                // it works
-                assertTrue(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, Stapler.class));
-                if (requestingJarFromAgent) {
-                    assertThat(logRecords, hasItem(logMessageContainsString("Allowing URL: file:/")));
-                } else {
-                    assertThat(logRecords, is(empty()));
-                }
-
-                logHandler.clear();
-                assertFalse(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, Stapler.class));
-                assertThat(logRecords, not(hasItem(logMessageContainsString("Allowing URL"))));
-                assertThat(logRecords, not(hasItem(logMessageContainsString("Rejecting URL"))));
-            } else {
-                // outdated remoting.jar will fail, but up to date one passes
-                if (requestingJarFromAgent) {
-                    final IOException ex = assertThrows(IOException.class, () -> channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, Stapler.class));
-                    assertThat(ex.getMessage(), containsString("No hudson.remoting.JarURLValidator has been set for this channel, so all #fetchJar calls are rejected. This is likely a bug in Jenkins. As a workaround, try updating the agent.jar file."));
-                } else {
-                    assertTrue(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, Stapler.class));
-                    assertThat(logRecords, is(empty()));
-                }
-            }
-        }
-
-        logHandler.clear();
-
-        if (hasJenkinsJarURLValidator) { // Start rejecting everything; only applies to JarURLValidatorImpl
-            System.setProperty(JarURLValidatorImpl.class.getName() + ".REJECT_ALL", "true");
-
+            // it works
+            assertTrue(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, Stapler.class));
             // Identify that a jar was already loaded:
             assertFalse(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, Stapler.class));
-            assertThat(logRecords, not(hasItem(logMessageContainsString("Allowing URL"))));
-            assertThat(logRecords, not(hasItem(logMessageContainsString("Rejecting URL"))));
-
-            logHandler.clear();
-
-            // different jar file than before, old remoting will fail due to call through ClassLoaderProxy#fetchJar, new remoting passes
-            if (requestingJarFromAgent) {
-                final IOException ioException = assertThrows(IOException.class, () -> channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, Argument.class));
-                assertThat(ioException.getMessage(), containsString("all attempts by agents to load jars from the controller are rejected"));
-                assertThat(logRecords, not(hasItem(logMessageContainsString("Allowing URL"))));
-                assertThat(logRecords, hasItem(logMessageContainsString("Rejecting URL due to configuration: ")));
-            } else {
-                assertTrue(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, org.kohsuke.args4j.Argument.class));
-                assertThat(logRecords, not(hasItem(logMessageContainsString("Allowing URL"))));
-                assertThat(logRecords, not(hasItem(logMessageContainsString("Rejecting URL"))));
-            }
-        }
-
-        logHandler.clear();
-
-        if (hasJenkinsJarURLValidator) { // Disable block, only applies to JarURLValidatorImpl
-            System.clearProperty(JarURLValidatorImpl.class.getName() + ".REJECT_ALL");
-            if (requestingJarFromAgent) {
-                // now it works again for old remoting:
-                assertTrue(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, org.kohsuke.args4j.Argument.class));
-                assertThat(logRecords, hasItem(logMessageContainsString("Allowing URL: file:/")));
-            } else {
-                // new remoting already has it.
-                assertFalse(channel.preloadJar(j.jenkins.getPluginManager().uberClassLoader, org.kohsuke.args4j.Argument.class));
-                assertThat(logRecords, not(hasItem(logMessageContainsString("Allowing URL"))));
-                assertThat(logRecords, not(hasItem(logMessageContainsString("Rejecting URL"))));
-            }
-            assertThat(logRecords, not(hasItem(logMessageContainsString("Rejecting URL due to configuration: "))));
         }
 
-        logHandler.clear();
-
-        if (hasJenkinsJarURLValidator || !requestingJarFromAgent) { // prepare bouncycastle-api
-            assertTrue(j.jenkins.getPluginManager().getPlugin("bouncycastle-api").isActive());
-            InstallBouncyCastleJCAProvider.on(channel);
-            channel.call(new ConfirmBouncyCastleLibrary());
-        }
-
-        logHandler.clear();
+        assertTrue(j.jenkins.getPluginManager().getPlugin("bouncycastle-api").isActive());
+        InstallBouncyCastleJCAProvider.on(channel);
+        channel.call(new ConfirmBouncyCastleLibrary());
 
         { // Exploitation tests
             final URL secretKeyFile = new File(j.jenkins.getRootDir(), "secret.key").toURI().toURL();
             final String expectedContent = IOUtils.toString(secretKeyFile, StandardCharsets.UTF_8);
-            { // Protection is effective when agents request non-jar files:
+
+            // Protection is effective when agents request non-jar files:
+            if (expectedRemotingVersion == null) {
+                assertThrows(NoSuchMethodException.class, () -> channel.call(new Exploit(secretKeyFile, expectedContent)));
+            } else {
                 final InvocationTargetException itex = assertThrows(InvocationTargetException.class, () -> channel.call(new Exploit(secretKeyFile, expectedContent)));
-                assertThat(itex.getCause(), instanceOf(IOException.class));
-                if (hasJenkinsJarURLValidator) {
-                    assertThat(itex.getCause().getMessage(), containsString("This URL does not point to a jar file allowed to be requested by agents"));
-                    assertThat(logRecords, not(hasItem(logMessageContainsString("Allowing URL"))));
-                    assertThat(logRecords, hasItem(logMessageContainsString("Rejecting URL: ")));
-                } else {
-                    assertThat(itex.getCause().getMessage(), containsString("No hudson.remoting.JarURLValidator has been set for this channel, so all #fetchJar calls are rejected. This is likely a bug in Jenkins. As a workaround, try updating the agent.jar file."));
-                }
+                assertThat(itex.getCause(), instanceOf(IllegalStateException.class));
             }
+        }
+        { // Support for pre-2024-08 remoting has been dropped, so even formerly legitimate jar files cannot be requested anymore:
+            final URLClassLoader classLoader = (URLClassLoader) j.jenkins.getPluginManager().getPlugin("bouncycastle-api").classLoader;
+            URL safeUrl = classLoader.getURLs()[0];
+            final String expectedContent = IOUtils.toString(safeUrl, StandardCharsets.UTF_8);
 
-            logHandler.clear();
-
-            { // Disable protection and non-jar files can be accessed:
-                System.setProperty(Channel.class.getName() + ".DISABLE_JAR_URL_VALIDATOR", "true");
-                channel.call(new Exploit(secretKeyFile, expectedContent));
-                if (hasJenkinsJarURLValidator) {
-                    assertThat(logRecords, hasItem(logMessageContainsString("Allowing URL due to configuration")));
-                    assertThat(logRecords, not(hasItem(logMessageContainsString("Rejecting URL"))));
-                }
-                System.clearProperty(Channel.class.getName() + ".DISABLE_JAR_URL_VALIDATOR");
+            if (expectedRemotingVersion == null) {
+                assertThrows(NoSuchMethodException.class, () -> channel.call(new Exploit(safeUrl, expectedContent)));
+            } else {
+                final InvocationTargetException itex = assertThrows(InvocationTargetException.class, () -> channel.call(new Exploit(safeUrl, expectedContent)));
+                assertThat(itex.getCause(), instanceOf(IllegalStateException.class));
             }
         }
     }
diff --git a/war/pom.xml b/war/pom.xml
index 350911cda226..6c52d4d7e5b1 100644
--- a/war/pom.xml
+++ b/war/pom.xml
@@ -48,7 +48,7 @@ THE SOFTWARE.
     <port>8080</port>
     <mina-sshd-api.version>2.13.1-117.v2f1a_b_66ff91d</mina-sshd-api.version>
     <!-- Minimum Remoting version, which is tested for API compatibility, duplicated so that renovate only updates the latest remoting version property -->
-    <remoting.minimum.supported.version>3107.v665000b_51092</remoting.minimum.supported.version>
+    <remoting.minimum.supported.version>3256.3258.v858f3c9a_f69d</remoting.minimum.supported.version>
     <node.version>20.16.0</node.version>
     <!-- frontend-maven-plugin will install this Yarn version as bootstrap, then hand over control to Yarn Berry. -->
     <yarn.version>1.22.19</yarn.version>