added a new read config flag of anchor to enable/disable following an… #164
Conversation
…chors (enabled by default). Also added a new SafeYamlConfig class that disables Class Tags and Anchors to remediate CVE-2023-24620 CVE-2023-24621
} | ||
|
||
@Override | ||
public void setClassTags(boolean anchors) { |
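Review bot: the parameter of the `setClassTags` override is named `anchors`, which looks copied from the anchors setter and is misleading for the flag this method controls; rename it (for example `classTags`) so the signature and any exception message describe the right setting. Agreeing with the reviewer's point, the override should not silently ignore a call that tries to turn class tags back on in SafeYamlConfig; throwing an unchecked `UnsupportedOperationException` when the argument is `true` makes the invalid configuration fail immediately instead of leaving the caller believing class tags are enabled.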
It would be better to throw unsupported operation than to silently ignore a method call that is invalid. The rest looks OK. I'll run the source formatter after merge.
Yes I think you are right. It would have to be an unchecked exception. Will add it.
…if an attempt is made to set them to true.
Exception added
Cheers!
No problem
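To illustrate the design point agreed above (refuse, rather than silently ignore, an attempt to re-enable class tags or anchors on the safe configuration), here is an added example; it is not YamlBeans' own code, and the class names `ReadConfig`/`SafeReadConfig` and the flag getters are assumptions modelled on the discussion in this PR.

```java
// Added illustrative example, not YamlBeans' own code. The names ReadConfig,
// SafeReadConfig, isClassTags() and isAnchors() are assumptions for this demo.
public class SafeConfigExample {

    /** Plain read configuration: both risky features can be toggled freely. */
    public static class ReadConfig {
        private boolean classTags = true;  // allow !com.example.Foo style class tags
        private boolean anchors = true;    // allow &anchor definitions and *alias references

        public void setClassTags(boolean classTags) { this.classTags = classTags; }
        public void setAnchors(boolean anchors) { this.anchors = anchors; }
        public boolean isClassTags() { return classTags; }
        public boolean isAnchors() { return anchors; }
    }

    /** Hardened variant: both features start off, and turning them back on fails loudly. */
    public static class SafeReadConfig extends ReadConfig {
        public SafeReadConfig() {
            super.setClassTags(false);   // bypass the overrides while initialising
            super.setAnchors(false);
        }

        @Override
        public void setClassTags(boolean classTags) {
            // Silently ignoring `true` would leave the caller believing class tags are on.
            // An unchecked exception surfaces the misconfiguration at the call site.
            if (classTags) {
                throw new UnsupportedOperationException("class tags cannot be enabled on a safe config");
            }
        }

        @Override
        public void setAnchors(boolean anchors) {
            if (anchors) {
                throw new UnsupportedOperationException("anchors cannot be enabled on a safe config");
            }
        }
    }

    public static void main(String[] args) {
        SafeReadConfig safe = new SafeReadConfig();
        safe.setAnchors(false);            // a redundant "keep it off" request is still accepted
        try {
            safe.setClassTags(true);       // refused instead of ignored
        } catch (UnsupportedOperationException e) {
            System.out.println("refused: " + e.getMessage());
        }
        System.out.println("classTags=" + safe.isClassTags() + " anchors=" + safe.isAnchors());
    }
}
```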
@Mr14huashao Could I bother you to do a Maven release of YamlBeans?
The CVEs linked to this PR are now in the NVD and linked, but there seem to be no binaries available linked to https://github.com/EsotericSoftware/yamlbeans/releases/tag/1.16. Is there any help needed to get a Maven release done here? @Mr14huashao seems to have been inactive on GitHub since December 2020, which is a worry 😢 kryo seems to have recent releases though, and possibly goes to the same Maven Central namespace? Does someone like @theigl from there have access to the required signing keys/creds for publishing yamlbeans as well, perhaps?
Hi, I created a fork under https://github.com/Contrast-Security-OSS/yamlbeans and pushed to Maven. Joe
Thanks @JoeBeeContrast. Do you plan to maintain this fork for a while?
The esotericsoftware yamlbeans version seems to be semi-abandoned, or the team has lost the ability to publish to Maven based on EsotericSoftware/yamlbeans#164 (comment). There are a couple of CVEs mitigated here, but we need to re-enable anchors/aliases as these are core functionality. Also minor tweaks needed to tests due to yamlbeans correcting the support for block scalars in 1.16. See https://yaml-multiline.info/
For the time being, yes.
@chadlwilson: I'm not an admin/owner of the EsotericSoftware organization, so I can't do releases in this repository. @NathanSweet: Could you do a release?
Unfortunately doing a GitHub release doesn't do anything to get built artifacts into Maven Central, which is what is needed for other projects to use and consume the fixes. https://repo1.maven.org/maven2/com/esotericsoftware/yamlbeans/yamlbeans/