Posted to notifications@skywalking.apache.org by ke...@apache.org on 2021/06/05 06:42:09 UTC
[skywalking] branch master updated: CVE: upgrade snakeyaml to
prevent billion laughs attack in dynamic configuration. (#7071)
This is an automated email from the ASF dual-hosted git repository.
kezhenxu94 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new 56f2e86 CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration. (#7071)
56f2e86 is described below
commit 56f2e86a07f098bead03bc2bdbaf4d1a6a868e94
Author: Zhenxu <ke...@apache.org>
AuthorDate: Sat Jun 5 14:41:46 2021 +0800
CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration. (#7071)
---
.github/workflows/ci-it.yaml | 3 ++-
CHANGES.md | 1 +
dist-material/release-docs/LICENSE | 2 +-
.../analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java | 6 +++---
.../provider/trace/TraceLatencyThresholdsAndWatcherTest.java | 2 +-
oap-server/pom.xml | 2 +-
.../oap/server/configuration/api/ConfigWatcherRegister.java | 3 +--
.../oap/server/library/util/PropertyPlaceholderHelperTest.java | 2 +-
.../receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java | 2 +-
tools/dependencies/known-oap-backend-dependencies-es7.txt | 2 +-
tools/dependencies/known-oap-backend-dependencies.txt | 2 +-
11 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/ci-it.yaml b/.github/workflows/ci-it.yaml
index 7bdd5f1..8ce9357 100644
--- a/.github/workflows/ci-it.yaml
+++ b/.github/workflows/ci-it.yaml
@@ -111,7 +111,8 @@ jobs:
java-version: 8
- name: 'Install & Test'
if: env.SKIP_CI != 'true'
- run: ./mvnw --batch-mode -P"agent,backend,ui,dist" clean verify install
+ run: |
+ ./mvnw --batch-mode -P"agent,backend,ui,dist" clean verify install
CI-on-MacOS:
diff --git a/CHANGES.md b/CHANGES.md
index 632f88d..b13efb5 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -60,6 +60,7 @@ Release Notes.
* Add HTTP implementation of logs reporting protocol.
* Make metrics exporter still work even when storage layer failed.
* Fix Jetty HTTP `TRACE` issue, disable HTTP methods except `POST`.
+* CVE: upgrade snakeyaml to prevent [billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs#Variations) in dynamic configuration.
#### UI
* Add logo for kong plugin.
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index a24fafb..83c98e5 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -247,7 +247,7 @@ The text of each license is the standard Apache 2.0 license.
securesm 1.1: https://github.com/elastic/securesm/blob/master/pom.xml , Apache 2.0
LMAX Ltd.(disruptor) 3.3.6: https://github.com/LMAX-Exchange/disruptor , Apache 2.0
Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
- SnakeYAML 1.18: http://www.snakeyaml.org , Apache 2.0
+ SnakeYAML 1.28: http://www.snakeyaml.org , Apache 2.0
Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
Spring Framework 4.3.14.RELEASE: https://github.com/spring-projects/spring-framework, Apache 2.0
diff --git a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
index ef7c992..90e635d 100644
--- a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
+++ b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
@@ -18,7 +18,7 @@
package org.apache.skywalking.oap.server.analyzer.provider.trace;
-import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.atomic.AtomicInteger;
import lombok.extern.slf4j.Slf4j;
import org.apache.skywalking.oap.server.analyzer.module.AnalyzerModule;
import org.apache.skywalking.oap.server.analyzer.provider.AnalyzerModuleConfig;
@@ -31,11 +31,11 @@ import org.apache.skywalking.oap.server.library.module.ModuleProvider;
*/
@Slf4j
public class TraceLatencyThresholdsAndWatcher extends ConfigChangeWatcher {
- private AtomicReference<Integer> slowTraceSegmentThreshold;
+ private AtomicInteger slowTraceSegmentThreshold;
public TraceLatencyThresholdsAndWatcher(ModuleProvider provider) {
super(AnalyzerModule.NAME, provider, "slowTraceSegmentThreshold");
- slowTraceSegmentThreshold = new AtomicReference<>();
+ slowTraceSegmentThreshold = new AtomicInteger();
slowTraceSegmentThreshold.set(getDefaultValue());
}
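Review bot: `slowTraceSegmentThreshold.set(getDefaultValue())` now unboxes the result of `getDefaultValue()`; its return type is outside this hunk, but if it is a boxed `Integer` that can be null (a missing config key, for instance) the constructor now throws a NullPointerException where `AtomicReference.set(null)` previously succeeded — worth a null check or an `int`-typed default. The field is assigned once and never reassigned in the visible code, so it should be `private final AtomicInteger slowTraceSegmentThreshold;` with the two-step construction collapsed to `slowTraceSegmentThreshold = new AtomicInteger(getDefaultValue());`. The class body and the getter that the test polls continue outside this hunk.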
diff --git a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
index 5e11e5c..b552be9 100644
--- a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
+++ b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
@@ -57,7 +57,7 @@ public class TraceLatencyThresholdsAndWatcherTest {
register.registerConfigChangeWatcher(watcher);
register.start();
- while (watcher.getSlowTraceSegmentThreshold() == 10000) {
+ while (watcher.getSlowTraceSegmentThreshold() < 0) {
Thread.sleep(2000);
}
assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000));
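Review bot: The polling loop at `while (watcher.getSlowTraceSegmentThreshold() < 0)` has no upper bound, so a sync that never delivers a value hangs the test forever instead of failing it, and the 2-second sleep makes each miss expensive. It also depends on the watcher's initial threshold being negative, which is set in the watcher's constructor and not visible here — presumably the default was changed alongside the `AtomicInteger` switch, but that should be confirmed. A bounded wait keeps the intent and fails fast: `for (int i = 0; i < 50 && watcher.getSlowTraceSegmentThreshold() < 0; i++) { Thread.sleep(200); }`. The enclosing test method begins outside this hunk.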
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index 391b09b..ddb0afd 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -57,7 +57,7 @@
<slf4j.version>1.7.25</slf4j.version>
<log4j.version>2.9.0</log4j.version>
<guava.version>28.1-jre</guava.version>
- <snakeyaml.version>1.18</snakeyaml.version>
+ <snakeyaml.version>1.28</snakeyaml.version>
<graphql-java-tools.version>5.2.3</graphql-java-tools.version>
<graphql-java.version>8.0</graphql-java.version>
<zookeeper.version>3.4.10</zookeeper.version>
diff --git a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
index 1c95d23..503ae15 100644
--- a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
+++ b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
@@ -64,7 +64,6 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
public void start() {
isStarted = true;
- configSync();
LOGGER.info("Current configurations after the bootstrap sync." + LINE_SEPARATOR + register.toString());
Executors.newSingleThreadScheduledExecutor()
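Review bot: The log line "Current configurations after the bootstrap sync." is now misleading: with the synchronous `configSync()` removed, the first sync runs later on the executor thread, so what is printed is the pre-sync state. Something like `LOGGER.info("Bootstrap sync scheduled; configurations before the first sync:" + LINE_SEPARATOR + register.toString());` describes what the line actually shows. Note too that `start()` no longer guarantees a populated configuration on return; if any caller relied on that (not visible here), it now races with the executor. `start()` continues past this hunk.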
@@ -72,7 +71,7 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
new RunnableWithExceptionProtection(
this::configSync,
t -> LOGGER.error("Sync config center error.", t)
- ), syncPeriod, syncPeriod, TimeUnit.SECONDS);
+ ), 0, syncPeriod, TimeUnit.SECONDS);
}
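Review bot: With an initial delay of 0 the bootstrap sync now runs inside `RunnableWithExceptionProtection`, so a config-center document that fails to parse at startup is logged via `LOGGER.error` and the server keeps running on defaults rather than failing to boot. That is presumably deliberate — the snakeyaml upgrade in this commit makes an alias-bomb document throw rather than expand — but it is a fail-open decision and nothing in the code says so. A comment on the scheduling line would preserve the intent: `// initialDelay 0: the bootstrap sync runs here so a malformed/malicious payload is logged, not fatal.` Operators also lose the startup-time signal that the config is bad, so consider surfacing repeated sync failures more loudly than a log line.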
void configSync() {
diff --git a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
index 71bff49..95b83c1 100644
--- a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
+++ b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
@@ -73,7 +73,7 @@ public class PropertyPlaceholderHelperTest {
Assert.assertEquals("0.0.0.0", yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restHost"), properties)));
//tests that use ${REST_PORT:12800} and set REST_PORT in environmentVariables.
- Assert.assertEquals(12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
+ Assert.assertEquals((Integer) 12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
}
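Review bot: The `(Integer) 12801` cast exists only to steer overload resolution to `assertEquals(Object, Object)` — presumably because the upgraded snakeyaml resolves the scalar as an `Integer`, which the old `assertEquals(long, Object)` form no longer matched — and a cast reads as incidental. `Assert.assertEquals(Integer.valueOf(12801), yaml.load(...))` says the same thing explicitly, and a one-line comment such as `// yaml.load resolves the placeholder-substituted scalar as Integer, not long` records why. The `yaml` instance's construction is outside this hunk, so whether it uses a safe constructor cannot be judged here.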
@Test
diff --git a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
index 4c524c0..84ffff6 100644
--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
@@ -155,7 +155,7 @@ public class K8SALSServiceMeshHTTPAnalysisTest {
@Override
public void init(ModuleManager manager, EnvoyMetricReceiverConfig config) {
- super.init(manager, config);
+ this.config = config;
serviceRegistry = mock(K8SServiceRegistry.class);
when(serviceRegistry.findService(anyString())).thenReturn(config.serviceMetaInfoFactory().unknown());
when(serviceRegistry.findService("10.44.2.56")).thenReturn(new ServiceMetaInfo("ingress", "ingress-Inst"));
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 4ce602a..472726a 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -158,7 +158,7 @@ simpleclient_common-0.6.0.jar
simpleclient_hotspot-0.6.0.jar
simpleclient_httpserver-0.9.0.jar
slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
swagger-annotations-1.6.2.jar
t-digest-3.2.jar
vavr-0.10.3.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 1421eec..db9107a 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -154,7 +154,7 @@ simpleclient_common-0.6.0.jar
simpleclient_hotspot-0.6.0.jar
simpleclient_httpserver-0.9.0.jar
slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
swagger-annotations-1.6.2.jar
t-digest-3.2.jar
vavr-0.10.3.jar