Posted to notifications@skywalking.apache.org by ke...@apache.org on 2021/06/05 03:39:26 UTC

[skywalking] branch cve/snakeyaml created (now 143d1a7)

This is an automated email from the ASF dual-hosted git repository.

kezhenxu94 pushed a change to branch cve/snakeyaml
in repository https://gitbox.apache.org/repos/asf/skywalking.git.


      at 143d1a7  CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration.

This branch includes the following new commits:

     new 143d1a7  CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[skywalking] 01/01: CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration.

Posted by ke...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kezhenxu94 pushed a commit to branch cve/snakeyaml
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit 143d1a770ad03a8ff02f1c7825762eebe5022ecc
Author: kezhenxu94 <ke...@apache.org>
AuthorDate: Sat Jun 5 11:39:04 2021 +0800

    CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration.
---
 CHANGES.md                                                          | 1 +
 dist-material/release-docs/LICENSE                                  | 2 +-
 .../analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java   | 6 +++---
 .../provider/trace/TraceLatencyThresholdsAndWatcherTest.java        | 2 +-
 oap-server/pom.xml                                                  | 2 +-
 .../oap/server/configuration/api/ConfigWatcherRegister.java         | 3 +--
 .../oap/server/library/util/PropertyPlaceholderHelperTest.java      | 2 +-
 .../receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java   | 2 +-
 tools/dependencies/known-oap-backend-dependencies-es7.txt           | 2 +-
 tools/dependencies/known-oap-backend-dependencies.txt               | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 632f88d..b13efb5 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -60,6 +60,7 @@ Release Notes.
 * Add HTTP implementation of logs reporting protocol.
 * Make metrics exporter still work even when storage layer failed.
 * Fix Jetty HTTP `TRACE` issue, disable HTTP methods except `POST`.
+* CVE: upgrade snakeyaml to prevent [billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs#Variations) in dynamic configuration.
 
 #### UI
 * Add logo for kong plugin.
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index a24fafb..83c98e5 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -247,7 +247,7 @@ The text of each license is the standard Apache 2.0 license.
     securesm 1.1: https://github.com/elastic/securesm/blob/master/pom.xml , Apache 2.0
     LMAX Ltd.(disruptor) 3.3.6: https://github.com/LMAX-Exchange/disruptor , Apache 2.0
     Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
-    SnakeYAML 1.18: http://www.snakeyaml.org , Apache 2.0
+    SnakeYAML 1.28: http://www.snakeyaml.org , Apache 2.0
     Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
     Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
     Spring Framework 4.3.14.RELEASE: https://github.com/spring-projects/spring-framework, Apache 2.0
diff --git a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
index ef7c992..90e635d 100644
--- a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
+++ b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
@@ -18,7 +18,7 @@
 
 package org.apache.skywalking.oap.server.analyzer.provider.trace;
 
-import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.atomic.AtomicInteger;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.skywalking.oap.server.analyzer.module.AnalyzerModule;
 import org.apache.skywalking.oap.server.analyzer.provider.AnalyzerModuleConfig;
@@ -31,11 +31,11 @@ import org.apache.skywalking.oap.server.library.module.ModuleProvider;
  */
 @Slf4j
 public class TraceLatencyThresholdsAndWatcher extends ConfigChangeWatcher {
-    private AtomicReference<Integer> slowTraceSegmentThreshold;
+    private AtomicInteger slowTraceSegmentThreshold;
 
     public TraceLatencyThresholdsAndWatcher(ModuleProvider provider) {
         super(AnalyzerModule.NAME, provider, "slowTraceSegmentThreshold");
-        slowTraceSegmentThreshold = new AtomicReference<>();
+        slowTraceSegmentThreshold = new AtomicInteger();
         slowTraceSegmentThreshold.set(getDefaultValue());
     }
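Review bot: The field `slowTraceSegmentThreshold` is assigned once in the constructor and never reassigned within the hunk, so it can be declared `private final AtomicInteger slowTraceSegmentThreshold;` and initialised in one step, `slowTraceSegmentThreshold = new AtomicInteger(getDefaultValue());`, instead of the separate `new AtomicInteger()` and `set(...)` calls. Note that `AtomicInteger.set(int)` unboxes its argument, so if `getDefaultValue()` returns a boxed `Integer` that can be null (which the previous `AtomicReference<Integer>` tolerated silently), the constructor now throws a NullPointerException; `getDefaultValue()` is not visible in this hunk, so confirm it never returns null. The class body, including the getter the test reads, continues outside the hunk.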
 
diff --git a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
index 5e11e5c..b552be9 100644
--- a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
+++ b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
@@ -57,7 +57,7 @@ public class TraceLatencyThresholdsAndWatcherTest {
         register.registerConfigChangeWatcher(watcher);
         register.start();
 
-        while (watcher.getSlowTraceSegmentThreshold() == 10000) {
+        while (watcher.getSlowTraceSegmentThreshold() < 0) {
             Thread.sleep(2000);
         }
         assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000));
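Review bot: The new wait condition `watcher.getSlowTraceSegmentThreshold() < 0` can never hold if the watcher's default is non-negative (the replaced condition compared against 10000, which suggests it is), so the loop is a no-op and the `assertThat(..., is(3000))` on the next line runs immediately after `register.start()`; with the first `configSync` now scheduled on the executor rather than run inside `start()`, that is a race rather than a wait. A bounded poll on the expected value states the intent and cannot hang forever when the value never arrives; the 30 s deadline and 200 ms interval below are illustrative. The enclosing test method starts outside the hunk.
```java
        // Wait (bounded) for the asynchronous config sync to apply the new threshold.
        long deadline = System.currentTimeMillis() + 30_000;
        while (watcher.getSlowTraceSegmentThreshold() != 3000 && System.currentTimeMillis() < deadline) {
            Thread.sleep(200);
        }
        assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000));
```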
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index 391b09b..ddb0afd 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -57,7 +57,7 @@
         <slf4j.version>1.7.25</slf4j.version>
         <log4j.version>2.9.0</log4j.version>
         <guava.version>28.1-jre</guava.version>
-        <snakeyaml.version>1.18</snakeyaml.version>
+        <snakeyaml.version>1.28</snakeyaml.version>
         <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
         <graphql-java.version>8.0</graphql-java.version>
         <zookeeper.version>3.4.10</zookeeper.version>
diff --git a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
index 1c95d23..503ae15 100644
--- a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
+++ b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
@@ -64,7 +64,6 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
     public void start() {
         isStarted = true;
 
-        configSync();
         LOGGER.info("Current configurations after the bootstrap sync." + LINE_SEPARATOR + register.toString());
 
         Executors.newSingleThreadScheduledExecutor()
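Review bot: With the synchronous `configSync()` call removed from `start()`, the log statement that follows still says "Current configurations after the bootstrap sync." but now executes before any sync has run, because the first sync is the zero-initial-delay task scheduled in the next hunk (the `), 0, syncPeriod, TimeUnit.SECONDS);` line) and runs on the executor's thread. Either reword it, e.g. `LOGGER.info("Registered configurations before the first sync." + LINE_SEPARATOR + register.toString());`, or log it from the scheduled task after the first `configSync()` completes. This also changes the contract of `start()`: callers can no longer assume dynamic configuration has been loaded when it returns, which deserves a Javadoc line on `start()` because the commit message (a snakeyaml upgrade) gives no reason for the change. `start()` begins in this hunk and ends in the next one.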
@@ -72,7 +71,7 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
                      new RunnableWithExceptionProtection(
                          this::configSync,
                          t -> LOGGER.error("Sync config center error.", t)
-                     ), syncPeriod, syncPeriod, TimeUnit.SECONDS);
+                     ), 0, syncPeriod, TimeUnit.SECONDS);
     }
 
     void configSync() {
diff --git a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
index 71bff49..95b83c1 100644
--- a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
+++ b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
@@ -73,7 +73,7 @@ public class PropertyPlaceholderHelperTest {
         Assert.assertEquals("0.0.0.0", yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restHost"), properties)));
 
         //tests that use ${REST_PORT:12800} and set REST_PORT in environmentVariables.
-        Assert.assertEquals(12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
+        Assert.assertEquals((Integer) 12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
     }
 
     @Test
diff --git a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
index 4c524c0..84ffff6 100644
--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
@@ -155,7 +155,7 @@ public class K8SALSServiceMeshHTTPAnalysisTest {
 
         @Override
         public void init(ModuleManager manager, EnvoyMetricReceiverConfig config) {
-            super.init(manager, config);
+            this.config = config;
             serviceRegistry = mock(K8SServiceRegistry.class);
             when(serviceRegistry.findService(anyString())).thenReturn(config.serviceMetaInfoFactory().unknown());
             when(serviceRegistry.findService("10.44.2.56")).thenReturn(new ServiceMetaInfo("ingress", "ingress-Inst"));
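Review bot: The override no longer calls `super.init(manager, config)` and assigns `this.config = config;` directly, so any other setup the parent's `init` performs is now skipped in this test double, and nothing in the hunk records why. A one-line comment such as `// super.init() is bypassed on purpose: the registry it would create is replaced by the mock below — confirm nothing else from it is needed` would keep the next maintainer from restoring the call; I cannot see the parent's `init` from here, so the claim about what it sets up should be verified. The method continues outside the hunk.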
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 4ce602a..472726a 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -158,7 +158,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 1421eec..db9107a 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -154,7 +154,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar