Posted to commits@cassandra.apache.org by ru...@apache.org on 2020/03/26 20:36:32 UTC

[cassandra-sidecar] branch master updated: Security patch for snake yaml

This is an automated email from the ASF dual-hosted git repository.

rustyrazorblade pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cassandra-sidecar.git


The following commit(s) were added to refs/heads/master by this push:
     new c2d684d  Security patch for snake yaml
c2d684d is described below

commit c2d684d7423bbf02a6fc231345eb1c2335cbc0b3
Author: Jon Haddad <jo...@jonhaddad.com>
AuthorDate: Mon Mar 9 12:45:10 2020 -0700

    Security patch for snake yaml
    
    Bumped commons-configuration2 to latest version and correctly use
    YAMLConfiguration.
    
    Patch by Jon Haddad; Reviewed by Dinesh Joshi for CASSANDRASC-12
---
 CHANGES.txt                                                |  1 +
 build.gradle                                               |  4 ++--
 src/main/java/org/apache/cassandra/sidecar/MainModule.java | 12 ++++++++----
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index 00defa6..7e12540 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,5 +1,6 @@
 1.0.0
 -----
+ * Security patch to fix incorrect usage of yaml configuration (CASSANDRASC-12)
  * Build and Test with both Java 8 & 11 in Circle CI (CASSANDRA-15611)
  * Upgraded Gradle and replaced FindBugs with SpotBugs (CASSANDRA-15610)
  * Improving local HealthCheckTest reliability (CASSANDRA-15615)
diff --git a/build.gradle b/build.gradle
index f080eb6..6aa46d5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -85,10 +85,10 @@ dependencies {
 
     compile 'com.datastax.cassandra:cassandra-driver-core:3.6+'
     compile group: 'com.google.inject', name: 'guice', version: '4.2.2'
-    compile group: 'org.apache.commons', name: 'commons-configuration2', version: '2.4'
+    compile group: 'org.apache.commons', name: 'commons-configuration2', version: '2.7'
 
     runtime group: 'commons-beanutils', name: 'commons-beanutils', version: '1.9.3'
-    runtime group: 'org.yaml', name: 'snakeyaml', version: '1.23'
+    runtime group: 'org.yaml', name: 'snakeyaml', version: '1.26'
 
     jolokia 'org.jolokia:jolokia-jvm:1.6.0:agent'
     swaggerUI 'org.webjars:swagger-ui:3.10.0'
diff --git a/src/main/java/org/apache/cassandra/sidecar/MainModule.java b/src/main/java/org/apache/cassandra/sidecar/MainModule.java
index 38a53f8..82c9c69 100644
--- a/src/main/java/org/apache/cassandra/sidecar/MainModule.java
+++ b/src/main/java/org/apache/cassandra/sidecar/MainModule.java
@@ -18,11 +18,12 @@
 
 package org.apache.cassandra.sidecar;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 
 import org.apache.commons.configuration2.YAMLConfiguration;
-import org.apache.commons.configuration2.builder.fluent.Configurations;
 import org.apache.commons.configuration2.ex.ConfigurationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -106,15 +107,18 @@ public class MainModule extends AbstractModule
 
     @Provides
     @Singleton
-    public Configuration configuration() throws ConfigurationException
+    public Configuration configuration() throws ConfigurationException, IOException
     {
         final String confPath = System.getProperty("sidecar.config", "file://./conf/config.yaml");
         logger.info("Reading configuration from {}", confPath);
         try
         {
-            Configurations confs = new Configurations();
             URL url = new URL(confPath);
-            YAMLConfiguration yamlConf = confs.fileBased(YAMLConfiguration.class, url);
+
+            YAMLConfiguration yamlConf = new YAMLConfiguration();
+            InputStream stream = url.openStream();
+            yamlConf.read(stream);
+
             return new Configuration.Builder()
                     .setCassandraHost(yamlConf.get(String.class, "cassandra.host"))
                     .setCassandraPort(yamlConf.get(Integer.class, "cassandra.port"))
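Review bot: The stream opened at `InputStream stream = url.openStream();` is never closed — `yamlConf.read(stream)` consumes it but leaves the handle open, and an exception thrown by `read` skips any cleanup entirely. Wrap it in try-with-resources, `try (InputStream stream = url.openStream()) { yamlConf.read(stream); }`, which still fits the new `throws ConfigurationException, IOException` clause. Whether the default `YAMLConfiguration` in commons-configuration2 2.7 parses with a SnakeYAML safe constructor is not visible in this hunk; the commit title implies the version bump is what closes the arbitrary-class-instantiation hole, so a regression test that feeds a document with a custom `!!` class tag and asserts it is rejected would pin that guarantee down. Since `confPath` accepts any URL scheme the JVM supports, the `sidecar.config` property should be documented as operator-controlled, never user-supplied. The enclosing `configuration()` method and its catch block continue past the end of this hunk.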

