Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use safe YAML loading #493

Merged
merged 2 commits into from
Mar 8, 2023
Merged

Use safe YAML loading #493

merged 2 commits into from
Mar 8, 2023

Conversation

matthiasr
Copy link
Contributor

We don't need unsafe YAML deserialization, so make sure we don't. It
is unlikely but not unthinkable that someone might load an untrusted
configuration.

@matthiasr
Update SnakeYAML to 1.33
8360e08 
the latest release in this line. Does *not* by itself fix CVE-2022-1471.

Signed-off-by: Matthias Rampke <[email protected]>
@matthiasr
Use safe YAML loading
236070c 
We don't *need* unsafe YAML deserialization, so make sure we don't. It
is unlikely but not unthinkable that someone might load an untrusted
configuration.

Signed-off-by: Matthias Rampke <[email protected]>
@matthiasr
Copy link
Contributor Author

@or-shachar could you take a look at this to make sure I did it right?

@matthiasr matthiasr mentioned this pull request Feb 16, 2023
Closed
or-shachar
or-shachar approved these changes Feb 18, 2023
View reviewed changes
Copy link
Contributor

@or-shachar or-shachar left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SafeConstructor indeed sounds safer :)

Important to note that this limits the kind of objects this constructor can return to standard java objects:
image (from docs)

Also this helped me understand the motivation a little further.

The CloudWatchCollectorTest covers parsing yamls and loading configuration so I'm guessing this doesn't break anything.

Looks good to me :-)

future note:

Maybe we should explore defining a schema to the configuration and use type safe loading. I think this can be a good opportunity to use Java record sede. The gains would be a well defined configuration class with fields and more proper access to configuration fields.

Also - moving to configuration schema can help with #484.

@matthiasr matthiasr mentioned this pull request Mar 8, 2023
Open
@matthiasr
Copy link
Contributor Author

I agree, a proper configuration schema would be much better: #512

@matthiasr matthiasr merged commit bdb0a37 into master Mar 8, 2023
@matthiasr matthiasr deleted the mr/snakeyaml-safe branch March 8, 2023 16:18
@matthiasr matthiasr mentioned this pull request Jun 1, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@or-shachar or-shachar or-shachar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@matthiasr @or-shachar