This is an automated email from the ASF dual-hosted git repository. kezhenxu94 pushed a commit to branch cve/snakeyaml in repository https://gitbox.apache.org/repos/asf/skywalking.git
commit 143d1a770ad03a8ff02f1c7825762eebe5022ecc
Author: kezhenxu94 <[email protected]>
AuthorDate: Sat Jun 5 11:39:04 2021 +0800
CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration.
---
 CHANGES.md | 1 +
 dist-material/release-docs/LICENSE | 2 +-
 .../analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java | 6 +++---
 .../provider/trace/TraceLatencyThresholdsAndWatcherTest.java | 2 +-
 oap-server/pom.xml | 2 +-
 .../oap/server/configuration/api/ConfigWatcherRegister.java | 3 +--
 .../oap/server/library/util/PropertyPlaceholderHelperTest.java | 2 +-
 .../receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java | 2 +-
 tools/dependencies/known-oap-backend-dependencies-es7.txt | 2 +-
 tools/dependencies/known-oap-backend-dependencies.txt | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 632f88d..b13efb5 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -60,6 +60,7 @@ Release Notes.
 * Add HTTP implementation of logs reporting protocol.
 * Make metrics exporter still work even when storage layer failed.
 * Fix Jetty HTTP `TRACE` issue, disable HTTP methods except `POST`.
+* CVE: upgrade snakeyaml to prevent [billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs#Variations) in dynamic configuration.
 
 #### UI
 * Add logo for kong plugin.
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index a24fafb..83c98e5 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -247,7 +247,7 @@ The text of each license is the standard Apache 2.0 license.
 securesm 1.1: https://github.com/elastic/securesm/blob/master/pom.xml , Apache 2.0
 LMAX Ltd.(disruptor) 3.3.6: https://github.com/LMAX-Exchange/disruptor , Apache 2.0
 Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
- SnakeYAML 1.18: http://www.snakeyaml.org , Apache 2.0
+ SnakeYAML 1.28: http://www.snakeyaml.org , Apache 2.0
 Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
 Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
 Spring Framework 4.3.14.RELEASE: https://github.com/spring-projects/spring-framework, Apache 2.0
diff --git a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
index ef7c992..90e635d 100644
--- a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
+++ b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
@@ -18,7 +18,7 @@ package org.apache.skywalking.oap.server.analyzer.provider.trace;
-import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.atomic.AtomicInteger;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.skywalking.oap.server.analyzer.module.AnalyzerModule;
 import org.apache.skywalking.oap.server.analyzer.provider.AnalyzerModuleConfig;
@@ -31,11 +31,11 @@ import org.apache.skywalking.oap.server.library.module.ModuleProvider;
 */
 @Slf4j
 public class TraceLatencyThresholdsAndWatcher extends ConfigChangeWatcher {
- private AtomicReference<Integer> slowTraceSegmentThreshold;
+ private AtomicInteger slowTraceSegmentThreshold;
 public TraceLatencyThresholdsAndWatcher(ModuleProvider provider) {
 super(AnalyzerModule.NAME, provider, "slowTraceSegmentThreshold");
- slowTraceSegmentThreshold = new AtomicReference<>();
+ slowTraceSegmentThreshold = new AtomicInteger();
 slowTraceSegmentThreshold.set(getDefaultValue());
 }
diff --git a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
index 5e11e5c..b552be9 100644
--- a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
+++ b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
@@ -57,7 +57,7 @@ public class TraceLatencyThresholdsAndWatcherTest {
 register.registerConfigChangeWatcher(watcher);
 register.start();
- while (watcher.getSlowTraceSegmentThreshold() == 10000) {
+ while (watcher.getSlowTraceSegmentThreshold() < 0) {
 Thread.sleep(2000);
 }
 assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000));
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index 391b09b..ddb0afd 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
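Review bot: The constructor now does `slowTraceSegmentThreshold = new AtomicInteger();` followed by `slowTraceSegmentThreshold.set(getDefaultValue());`, which is two writes where one constructor call would do and leaves the field non-final; `private final AtomicInteger slowTraceSegmentThreshold;` with `slowTraceSegmentThreshold = new AtomicInteger(getDefaultValue());` expresses the same thing in one step. `getDefaultValue()` is still invoked from the constructor, so if it is overridable in a subclass it would run before that subclass's own fields are initialised — worth confirming it is final or only reads state established by the `super(...)` call above. The class body continues outside the hunk (the getter that the test polls is not visible here).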
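Review bot: The new wait condition `while (watcher.getSlowTraceSegmentThreshold() < 0)` only blocks while the value is negative, which presumably relies on the watcher being seeded with a negative default before the first asynchronous sync; nothing in this hunk establishes that, and the watcher's constructor seeds the field from `getDefaultValue()`. If that default is not negative the loop exits immediately and `assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000))` races the scheduled `configSync()` that this commit moves off the `start()` call path. A more robust wait polls for the expected value with a bound, e.g. `for (int i = 0; i < 30 && watcher.getSlowTraceSegmentThreshold() != 3000; i++) { Thread.sleep(1000); }`, so the assertion that follows fails with a clear message instead of hanging or passing by timing. The test method continues outside the hunk.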
@@ -57,7 +57,7 @@
 <slf4j.version>1.7.25</slf4j.version>
 <log4j.version>2.9.0</log4j.version>
 <guava.version>28.1-jre</guava.version>
- <snakeyaml.version>1.18</snakeyaml.version>
+ <snakeyaml.version>1.28</snakeyaml.version>
 <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
 <graphql-java.version>8.0</graphql-java.version>
 <zookeeper.version>3.4.10</zookeeper.version>
diff --git a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
index 1c95d23..503ae15 100644
--- a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
+++ b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
@@ -64,7 +64,6 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
 public void start() {
 isStarted = true;
- configSync();
 LOGGER.info("Current configurations after the bootstrap sync." + LINE_SEPARATOR + register.toString());
 Executors.newSingleThreadScheduledExecutor()
@@ -72,7 +71,7 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
 new RunnableWithExceptionProtection(
 this::configSync,
 t -> LOGGER.error("Sync config center error.", t)
- ), syncPeriod, syncPeriod, TimeUnit.SECONDS);
+ ), 0, syncPeriod, TimeUnit.SECONDS);
 }
 void configSync() {
diff --git a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
index 71bff49..95b83c1 100644
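Review bot: With `configSync();` removed from `start()`, the line `LOGGER.info("Current configurations after the bootstrap sync." + LINE_SEPARATOR + register.toString());` now runs before any sync has happened, so it prints the pre-sync values under a message claiming the opposite. The first sync is instead the `0` initial delay in the second hunk, where it runs inside `RunnableWithExceptionProtection`; a failure that previously would have propagated out of `start()` is now only logged via `LOGGER.error("Sync config center error.", t)`, so the server comes up on its built-in values when the configuration source is unreachable or rejects the document — defensible, but a behaviour change that the commit message (which only mentions the snakeyaml upgrade) does not record. Suggest either rewording the log to `"Configurations before the first sync (sync runs asynchronously)."` or moving it into the scheduled runnable after the first `configSync()`, and adding a short comment on the `0,` argument such as `// first sync runs immediately on the executor thread; start() does not wait for it`. Both hunks show only part of `start()`, whose executor setup lies between them.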
--- a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
+++ b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
@@ -73,7 +73,7 @@ public class PropertyPlaceholderHelperTest {
 Assert.assertEquals("0.0.0.0", yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restHost"), properties))); //tests that use ${REST_PORT:12800} and set REST_PORT in environmentVariables.
- Assert.assertEquals(12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
+ Assert.assertEquals((Integer) 12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
 }
 @Test
diff --git a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
index 4c524c0..84ffff6 100644
--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
@@ -155,7 +155,7 @@ public class K8SALSServiceMeshHTTPAnalysisTest {
 @Override
 public void init(ModuleManager manager, EnvoyMetricReceiverConfig config) {
- super.init(manager, config);
+ this.config = config;
 serviceRegistry = mock(K8SServiceRegistry.class);
 when(serviceRegistry.findService(anyString())).thenReturn(config.serviceMetaInfoFactory().unknown());
 when(serviceRegistry.findService("10.44.2.56")).thenReturn(new ServiceMetaInfo("ingress", "ingress-Inst"));
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 4ce602a..472726a 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -158,7 +158,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 1421eec..db9107a 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -154,7 +154,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar
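Review bot: Replacing `super.init(manager, config);` with `this.config = config;` means the test subclass no longer runs the parent's initialisation at all, so anything `init` sets up besides `config` (presumably the real service registry that the `mock(K8SServiceRegistry.class)` on the next line replaces) is now skipped silently. That is a reasonable way to keep the test off a real Kubernetes client, but it deserves a one-line comment so the next reader does not restore the super call, e.g. `// do not call super.init(): it would build a real K8SServiceRegistry; the mock below stands in for it`, with the parenthetical adjusted to what the parent actually does. This change and the ConfigWatcherRegister one are unrelated to the snakeyaml upgrade named in the commit title and would be easier to review as separate commits. The `init` override continues outside the hunk.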
