This is an automated email from the ASF dual-hosted git repository.
rustyrazorblade pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cassandra-sidecar.git
The following commit(s) were added to refs/heads/master by this push:
new c2d684d Security patch for snake yaml
c2d684d is described below
commit c2d684d7423bbf02a6fc231345eb1c2335cbc0b3
Author: Jon Haddad <[email protected]>
AuthorDate: Mon Mar 9 12:45:10 2020 -0700
Security patch for snake yaml
Bumped commons-configuration2 to latest version and correctly use
YAMLConfiguration.
Patch by Jon Haddad; Reviewed by Dinesh Joshi for CASSANDRASC-12
---
CHANGES.txt | 1 +
build.gradle | 4 ++--
src/main/java/org/apache/cassandra/sidecar/MainModule.java | 12 ++++++++----
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 00defa6..7e12540 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,5 +1,6 @@
1.0.0
-----
+ * Security patch to fix incorrect usage of yaml configuration (CASSANDRASC-12)
* Build and Test with both Java 8 & 11 in Circle CI (CASSANDRA-15611)
* Upgraded Gradle and replaced FindBugs with SpotBugs (CASSANDRA-15610)
* Improving local HealthCheckTest reliability (CASSANDRA-15615)
diff --git a/build.gradle b/build.gradle
index f080eb6..6aa46d5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -85,10 +85,10 @@ dependencies {
compile 'com.datastax.cassandra:cassandra-driver-core:3.6+'
compile group: 'com.google.inject', name: 'guice', version: '4.2.2'
- compile group: 'org.apache.commons', name: 'commons-configuration2',
version: '2.4'
+ compile group: 'org.apache.commons', name: 'commons-configuration2',
version: '2.7'
runtime group: 'commons-beanutils', name: 'commons-beanutils', version:
'1.9.3'
- runtime group: 'org.yaml', name: 'snakeyaml', version: '1.23'
+ runtime group: 'org.yaml', name: 'snakeyaml', version: '1.26'
jolokia 'org.jolokia:jolokia-jvm:1.6.0:agent'
swaggerUI 'org.webjars:swagger-ui:3.10.0'
diff --git a/src/main/java/org/apache/cassandra/sidecar/MainModule.java
b/src/main/java/org/apache/cassandra/sidecar/MainModule.java
index 38a53f8..82c9c69 100644
--- a/src/main/java/org/apache/cassandra/sidecar/MainModule.java
+++ b/src/main/java/org/apache/cassandra/sidecar/MainModule.java
@@ -18,11 +18,12 @@
package org.apache.cassandra.sidecar;
+import java.io.IOException;
+import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import org.apache.commons.configuration2.YAMLConfiguration;
-import org.apache.commons.configuration2.builder.fluent.Configurations;
import org.apache.commons.configuration2.ex.ConfigurationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -106,15 +107,18 @@ public class MainModule extends AbstractModule
@Provides
@Singleton
- public Configuration configuration() throws ConfigurationException
+ public Configuration configuration() throws ConfigurationException,
IOException
{
final String confPath = System.getProperty("sidecar.config",
"file://./conf/config.yaml");
logger.info("Reading configuration from {}", confPath);
try
{
- Configurations confs = new Configurations();
URL url = new URL(confPath);
- YAMLConfiguration yamlConf =
confs.fileBased(YAMLConfiguration.class, url);
+
+ YAMLConfiguration yamlConf = new YAMLConfiguration();
+ InputStream stream = url.openStream();
+ yamlConf.read(stream);
+
return new Configuration.Builder()
.setCassandraHost(yamlConf.get(String.class,
"cassandra.host"))
.setCassandraPort(yamlConf.get(Integer.class,
"cassandra.port"))
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
