[ISSUE nacos-group#314]Fix the RCE caused by the vulnerability in YAM…

…L deseriali… (nacos-group#328)
bulain · Dec 5, 2023 · f7fae96 · f7fae96
1 parent 9591915
commit f7fae96
Show file tree

Hide file tree

Showing 2 changed files with 185 additions and 196 deletions.
diff --git a/README.md b/README.md
@@ -41,6 +41,7 @@ Content
         - [4.1.1. Enable Nacos](#411-enable-nacos)
         - [4.1.2. Configure Change Listener method](#412-configure-change-listener-method)
             - [4.1.2.1. Type Conversion](#4121-type-conversion)
+              - [4.1.2.1.1. Type Conversion during YAML Parsing](#41211-Type Conversion during YAML Parsing)
             - [4.1.2.2. Timeout of Execution](#4122-timeout-of-execution)
         - [4.1.3. Global and Special Nacos Properties](#413-global-and-special-nacos-properties)
         - [4.1.4. `@NacosProperties`](#414-nacosproperties)
@@ -315,8 +316,33 @@ The `UserNacosConfigConverter` class binds the `@NacosConfigListener.converter()
     }
 ```
 
+##### 4.1.2.1.1. Type Conversion during YAML Parsing
 
+By default, starting from version 1.1.2, this library uses `SafeConstructor` for type conversion during YAML parsing. This is done to ensure that potentially unsafe code is not executed during the parsing process. `SafeConstructor` provides a secure construction logic for mapping YAML structures to Java objects.
 
+**System Property Toggle**
+
+To maintain compatibility with versions prior to 1.1.2, we have introduced a system property toggle named `yamlAllowComplexObject`. Prior to version 1.1.2, the library defaulted to using `Constructor`, another constructor in the SnakeYAML library that supports more complex object mapping. Starting from version 1.1.2, the default is switched to `SafeConstructor`.
+
+**Potential Risks**
+
+It's important to note that enabling `Constructor` introduces some potential risks, particularly the risk of Remote Code Execution (`RCE`). This is because `Constructor` allows more flexible object construction, but it also increases the risk of handling malicious YAML input.
+
+**Recommendations**
+
+- We recommend using the `NacosConfigConverter` for custom conversions.
+
+**If You Must Use `Constructor`**
+
+- Ensure that the source of the YAML data is secure.
+
+**How to Disable `SafeConstructor`**
+
+You can set the toggle by adding a JVM system property when starting your application. For example, in the command line:
+
+```bash
+java -DyamlAllowComplexObject=true -jar your-application.jar
+```
 
 - See [Type Conversion Sample of `@NacosConfigListener`](https://github.com/nacos-group/nacos-spring-project/blob/master/nacos-spring-samples/nacos-spring-webmvc-sample/src/main/java/com/alibaba/nacos/samples/spring/listener/PojoNacosConfigListener.java)