[ISSUE #314]Fix the RCE caused by the vulnerability in YAML deseriali… #328
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stone-98
commented
Nov 21, 2023
|
|
||
| protected static final Logger LOGGER = LoggerFactory.getLogger(DefaultYamlConfigParse.class); | ||
|
|
||
| private static final String YAML_ALLOW_COMPLEX_OBJECT = "yamlAllowComplexObject"; |
There was a problem hiding this comment.
I've noticed that similar configurations use camelCase naming conventions, such as ignoreResourceNotFound and ignoreUnresolvablePlaceholders, so I've adopted camelCase naming for consistency.
|
I have a question: Why doesn't the nacos-spring-project module use com.alibaba.nacos.client.env.NacosClientProperties to retrieve properties? |
KomachiSion
reviewed
Nov 21, 2023
README.md
Outdated
|
|
||
| By default, this library uses `SafeConstructor` for type conversion during YAML parsing. This is done to ensure that potentially unsafe code is not executed during the parsing process. `SafeConstructor` provides a secure construction logic for mapping YAML structures to Java objects. |
There was a problem hiding this comment.
需要添加起始版本的说明,比如1.1.1版本前不是,1.1.2版本开始默认使用SafeConstructor
| You can set the toggle by adding a JVM system property when starting your application. For example, in the command line: | ||
|
|
||
| ```bash | ||
| java -DyamlAllowComplexObject=true -jar your-application.jar |
There was a problem hiding this comment.
Safe不是默认开启的吗?
这里应该是Disable吧?
KomachiSion
approved these changes
Nov 22, 2023
bulain
pushed a commit
to bulain/nacos-spring-project
that referenced
this pull request
Jan 2, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is the purpose of the change
see: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
related: #314
Brief changelog
XX
Verifying this change
XXXX
Follow this checklist to help us incorporate your contribution quickly and easily:
[ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=trueto make sure basic checks pass. Runmvn clean install -DskipITsto make sure unit-test pass. Runmvn clean test-compile failsafe:integration-testto make sure integration-test pass.