This is an automated email from the ASF dual-hosted git repository. rustyrazorblade pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cassandra-sidecar.git
The following commit(s) were added to refs/heads/master by this push: new c2d684d Security patch for snake yaml c2d684d is described below commit c2d684d7423bbf02a6fc231345eb1c2335cbc0b3 Author: Jon Haddad <j...@jonhaddad.com> AuthorDate: Mon Mar 9 12:45:10 2020 -0700 Security patch for snake yaml Bumped commons-configuration2 to latest version and correctly use YAMLConfiguration. Patch by Jon Haddad; Reviewed by Dinesh Joshi for CASSANDRASC-12
---
 CHANGES.txt | 1 +
 build.gradle | 4 ++--
 src/main/java/org/apache/cassandra/sidecar/MainModule.java | 12 ++++++++----
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 00defa6..7e12540 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,5 +1,6 @@
 1.0.0
 -----
+ * Security patch to fix incorrect usage of yaml configuration (CASSANDRASC-12)
  * Build and Test with both Java 8 & 11 in Circle CI (CASSANDRA-15611)
  * Upgraded Gradle and replaced FindBugs with SpotBugs (CASSANDRA-15610)
  * Improving local HealthCheckTest reliability (CASSANDRA-15615)
diff --git a/build.gradle b/build.gradle
index f080eb6..6aa46d5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -85,10 +85,10 @@ dependencies {
 compile 'com.datastax.cassandra:cassandra-driver-core:3.6+'
 compile group: 'com.google.inject', name: 'guice', version: '4.2.2'
-compile group: 'org.apache.commons', name: 'commons-configuration2', version: '2.4'
+compile group: 'org.apache.commons', name: 'commons-configuration2', version: '2.7'
 runtime group: 'commons-beanutils', name: 'commons-beanutils', version: '1.9.3'
-runtime group: 'org.yaml', name: 'snakeyaml', version: '1.23'
+runtime group: 'org.yaml', name: 'snakeyaml', version: '1.26'
 jolokia 'org.jolokia:jolokia-jvm:1.6.0:agent'
 swaggerUI 'org.webjars:swagger-ui:3.10.0'
diff --git a/src/main/java/org/apache/cassandra/sidecar/MainModule.java b/src/main/java/org/apache/cassandra/sidecar/MainModule.java
index 38a53f8..82c9c69 100644
--- a/src/main/java/org/apache/cassandra/sidecar/MainModule.java
+++ b/src/main/java/org/apache/cassandra/sidecar/MainModule.java
@@ -18,11 +18,12 @@ package org.apache.cassandra.sidecar;
+import java.io.IOException;
+import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import org.apache.commons.configuration2.YAMLConfiguration;
-import org.apache.commons.configuration2.builder.fluent.Configurations;
 import org.apache.commons.configuration2.ex.ConfigurationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -106,15 +107,18 @@ public class MainModule extends AbstractModule
 @Provides
 @Singleton
-public Configuration configuration() throws ConfigurationException
+public Configuration configuration() throws ConfigurationException, IOException
 {
 final String confPath = System.getProperty("sidecar.config", "file://./conf/config.yaml");
 logger.info("Reading configuration from {}", confPath);
 try
 {
-Configurations confs = new Configurations();
 URL url = new URL(confPath);
-YAMLConfiguration yamlConf = confs.fileBased(YAMLConfiguration.class, url);
+
+YAMLConfiguration yamlConf = new YAMLConfiguration();
+InputStream stream = url.openStream();
+yamlConf.read(stream);
+
 return new Configuration.Builder()
 .setCassandraHost(yamlConf.get(String.class, "cassandra.host"))
 .setCassandraPort(yamlConf.get(Integer.class, "cassandra.port"))
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
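Review bot: The `InputStream` obtained from `url.openStream()` in the new `configuration()` body is never closed, so every call leaks the underlying file handle (or connection, for a non-file URL), and because `yamlConf.read(stream)` can throw there is no later point that would close it either. Wrap it in try-with-resources: `try (InputStream stream = url.openStream()) { yamlConf.read(stream); }`; the method already declares `IOException`, so the signature needs no further change. A one-line comment above `new YAMLConfiguration()` recording why the fluent `Configurations.fileBased` path was dropped (the commit message's "correctly use YAMLConfiguration" together with the 2.7 bump) would keep a future cleanup from reverting to it. The rest of `configuration()`, including the remainder of the `Configuration.Builder` chain and the catch block, lies outside the hunk.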