From c9975f14098b196fc128eabd340fc6792df233ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Brunner?=
Date: Wed, 1 Mar 2023 13:16:08 +0100
Subject: [PATCH 1/2] Fix CVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upgrade org.yaml:snakeyaml@1.31 to org.yaml:snakeyaml@2.0 to fix ✗ Arbitrary Code Execution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3152153] in org.yaml:snakeyaml@1.31 introduced by org.yaml:snakeyaml@1.31
---
 core/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/build.gradle b/core/build.gradle
index 88843c83a3..15572be303 100644
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -181,7 +181,7 @@ dependencies {
 "ch.qos.logback:logback-classic:${logbackVersion}",
 "ch.qos.logback:logback-access:${logbackVersion}",
 'org.json:json:20211205',
- 'org.yaml:snakeyaml:1.31',
+ 'org.yaml:snakeyaml:2.0',
 'com.github.spullara.cli-parser:cli-parser:1.1.6',
 'org.apache.httpcomponents:httpclient:4.5.14',
 'com.sun.mail:javax.mail:1.6.2',

From 40c1cfd812709166d5989b67a84fb877d94f98b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Brunner?=
Date: Wed, 1 Mar 2023 13:58:31 +0100
Subject: [PATCH 2/2] Fix upgrade

---
 .../java/org/mapfish/print/config/ConfigurationFactory.java | 6 +-----
 .../org/mapfish/print/config/MapfishPrintConstructor.java | 3 ++-
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/core/src/main/java/org/mapfish/print/config/ConfigurationFactory.java b/core/src/main/java/org/mapfish/print/config/ConfigurationFactory.java
index 1ffb483001..e550b9c892 100644
--- a/core/src/main/java/org/mapfish/print/config/ConfigurationFactory.java
+++ b/core/src/main/java/org/mapfish/print/config/ConfigurationFactory.java
@@ -43,12 +43,8 @@ public final void init() {
 if (maxAliases != null) {
 loaderOptions.setMaxAliasesForCollections(Integer.parseInt(maxAliases));
 }
- Representer representer = new Representer();
 DumperOptions dumperOptions = new DumperOptions();
- dumperOptions.setDefaultFlowStyle(representer.getDefaultFlowStyle());
- dumperOptions.setDefaultScalarStyle(representer.getDefaultScalarStyle());
- dumperOptions.setAllowReadOnlyProperties(representer.getPropertyUtils().isAllowReadOnlyProperties());
- dumperOptions.setTimeZone(representer.getTimeZone());
+ Representer representer = new Representer(dumperOptions);
 this.yaml = new Yaml(constructor, representer, dumperOptions, loaderOptions);
 }
diff --git a/core/src/main/java/org/mapfish/print/config/MapfishPrintConstructor.java b/core/src/main/java/org/mapfish/print/config/MapfishPrintConstructor.java
index 409d948eb5..6319c3fd69 100644
--- a/core/src/main/java/org/mapfish/print/config/MapfishPrintConstructor.java
+++ b/core/src/main/java/org/mapfish/print/config/MapfishPrintConstructor.java
@@ -4,6 +4,7 @@
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.ConfigurableApplicationContext;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.TypeDescription;
 import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.nodes.Node;
@@ -34,7 +35,7 @@ public final class MapfishPrintConstructor extends Constructor {
 * @param context the application context object for creating
 */
 public MapfishPrintConstructor(final ConfigurableApplicationContext context) {
- super(new TypeDescription(Configuration.class, CONFIGURATION_TAG));
+ super(new TypeDescription(Configuration.class, CONFIGURATION_TAG), new LoaderOptions());
 this.context = context;
 Map yamlObjects = context.getBeansOfType(ConfigurationObject.class);
 for (Map.Entry entry: yamlObjects.entrySet()) {
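Review bot: The added `Representer representer = new Representer(dumperOptions);` line silently reverses the old data flow: the removed setters copied the representer's defaults into `dumperOptions`, whereas now `dumperOptions` is the source and the representer is built from it, so any future `DumperOptions` tuning must be placed before that line or it will presumably not reach the representer. Nothing in the hunk records this ordering constraint, and the `DumperOptions` object is otherwise left at library defaults, so a one-line comment would protect the next maintainer: `// Representer is built from dumperOptions; configure dumperOptions before this line`. The `init()` method starts outside the hunk, so I cannot see where `constructor` is created; note that the `loaderOptions` configured here (`setMaxAliasesForCollections`) is the instance handed to `Yaml`, while `MapfishPrintConstructor` in the next file builds its own `new LoaderOptions()`, which is raised separately there.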
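Review bot: `super(new TypeDescription(Configuration.class, CONFIGURATION_TAG), new LoaderOptions());` gives the (unrestricted) `Constructor` a second, independent `LoaderOptions` instance, distinct from the `loaderOptions` that `ConfigurationFactory.init()` configures with `setMaxAliasesForCollections` and passes to `Yaml`; if snakeyaml consults the constructor's own options for any limit or tag policy, those are library defaults here rather than the factory's values, and the two objects can drift apart as more settings are added. Since this class extends `Constructor` rather than `SafeConstructor`, the 2.0 `LoaderOptions` (its tag policy in particular) is the control that limits which tagged types a configuration file may instantiate, so it is worth keeping that policy on one shared instance and documenting it. I would add an overload that accepts the factory's `LoaderOptions` and have the existing one-argument constructor delegate to it with defaults, with a comment on the delegating constructor such as `// Library-default LoaderOptions; prefer the overload so the factory's settings apply to parsing and construction alike`. The bean-registration loop that follows continues outside the hunk.
```java
    public MapfishPrintConstructor(final ConfigurableApplicationContext context) {
        // Library-default LoaderOptions; prefer the overload so the factory's settings apply here too
        this(context, new LoaderOptions());
    }

    public MapfishPrintConstructor(final ConfigurableApplicationContext context,
                                   final LoaderOptions loaderOptions) {
        super(new TypeDescription(Configuration.class, CONFIGURATION_TAG), loaderOptions);
        this.context = context;
        // … unchanged: ConfigurationObject bean registration loop …
```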