
added a new read config flag of anchor to enable/disable following an… #164

Merged (2 commits), Feb 1, 2023

Conversation

JoeBeeton
Contributor

…chors (enabled by default).

Also added a new SafeYamlConfig class that disables Class Tags and Anchors to remediate
CVE-2023-24620
CVE-2023-24621

}

@Override
public void setClassTags(boolean anchors) {
Member


It would be better to throw unsupported operation than to silently ignore a method call that is invalid. The rest looks OK. I'll run the source formatter after merge.

Contributor Author


Yes I think you are right. It would have to be an unchecked exception. Will add it.

@JoeBeeton
Contributor Author

Exception added
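As an added illustration (not YamlBeans' own code) of the SafeYamlConfig pattern described in this PR and of the reviewer's point that re-enabling a disabled feature should throw an unchecked exception rather than be silently ignored: `ReadConfig` below is a stand-in for YamlBeans' read configuration, `setClassTags(boolean)` is the method name visible in the diff context above, and `setAnchors(boolean)` is an assumed name for the new anchor flag. The `forbiddenConstructs` pre-parse gate is likewise an addition that shows what a reader would reject under the safe config; the sample document is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SafeYamlConfigDemo {

    /** Stand-in for a mutable read configuration with two risky features (assumed API). */
    static class ReadConfig {
        private boolean classTags = true;
        private boolean anchors = true;

        public void setClassTags(boolean classTags) { this.classTags = classTags; }
        public void setAnchors(boolean anchors) { this.anchors = anchors; } // assumed flag name
        public boolean isClassTags() { return classTags; }
        public boolean isAnchors() { return anchors; }
    }

    /**
     * Fail-closed variant: both features start off and cannot be turned back on.
     * Asking to re-enable one throws an unchecked exception so the misconfiguration
     * surfaces immediately instead of the call being ignored.
     */
    static class SafeReadConfig extends ReadConfig {
        SafeReadConfig() {
            super.setClassTags(false);
            super.setAnchors(false);
        }

        @Override
        public void setClassTags(boolean classTags) {
            if (classTags) throw new UnsupportedOperationException("class tags are disabled in the safe config");
        }

        @Override
        public void setAnchors(boolean anchors) {
            if (anchors) throw new UnsupportedOperationException("anchors are disabled in the safe config");
        }
    }

    /** Unquoted class tag ("!com.example.Foo") or anchor/alias ("&name", "*name"). */
    private static final Pattern CLASS_TAG = Pattern.compile("(^|\\s)!([A-Za-z_][\\w.$]*)");
    private static final Pattern ANCHOR_OR_ALIAS = Pattern.compile("(^|\\s)[&*]([\\w-]+)");

    /**
     * Pre-parse gate: lists the constructs the given config forbids. An empty list means
     * the document may be handed to the real parser under that config. Quoted scalars and
     * comments are stripped first so a "!" inside a string value is not flagged.
     */
    static List<String> forbiddenConstructs(String yaml, ReadConfig config) {
        List<String> found = new ArrayList<>();
        for (String rawLine : yaml.split("\n")) {
            String line = stripQuotedAndComments(rawLine);
            if (!config.isClassTags()) {
                Matcher m = CLASS_TAG.matcher(line);
                while (m.find()) found.add("class tag !" + m.group(2));
            }
            if (!config.isAnchors()) {
                Matcher m = ANCHOR_OR_ALIAS.matcher(line);
                while (m.find()) {
                    char marker = line.charAt(m.start(2) - 1); // the '&' or '*' just before the name
                    found.add((marker == '&' ? "anchor &" : "alias *") + m.group(2));
                }
            }
        }
        return found;
    }

    /** Drops single/double-quoted runs and trailing comments (simplified: no escape handling). */
    static String stripQuotedAndComments(String line) {
        StringBuilder out = new StringBuilder();
        char quote = 0;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (quote != 0) {
                if (c == quote) quote = 0;
                continue;
            }
            if (c == '"' || c == '\'') { quote = c; continue; }
            if (c == '#' && (i == 0 || Character.isWhitespace(line.charAt(i - 1)))) break;
            out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: one class tag, one anchor, one alias, and a harmless "!" inside a string.
        String doc = "settings: !com.example.Settings\n"
                   + "  base: &defaults { retries: 3 }\n"
                   + "  prod: *defaults\n"
                   + "  note: \"not a tag: !ignored\"\n";

        System.out.println("default config : " + forbiddenConstructs(doc, new ReadConfig()));
        System.out.println("safe config    : " + forbiddenConstructs(doc, new SafeReadConfig()));

        try {
            new SafeReadConfig().setClassTags(true);
        } catch (UnsupportedOperationException e) {
            System.out.println("rejected       : " + e.getMessage());
        }
    }
}
```

Under the default config the gate reports nothing; under the safe config it reports the class tag, the anchor and the alias, and the attempt to turn class tags back on fails with `UnsupportedOperationException`. The design choice worth noting is that `setClassTags(false)` on the safe config stays a harmless no-op: only the direction that would weaken the configuration throws.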

@NathanSweet NathanSweet merged commit b112258 into EsotericSoftware:master Feb 1, 2023
@NathanSweet
Member

Cheers!

@JoeBeeton
Contributor Author

No problem

NathanSweet added a commit that referenced this pull request Feb 1, 2023
@NathanSweet
Member

@Mr14huashao Could I bother you to do a Maven release of YamlBeans?

@chadlwilson

chadlwilson commented Sep 1, 2023

The CVEs linked to this PR are now in the NVD and linked, but there seem to be no binaries available linked to https://github.com/EsotericSoftware/yamlbeans/releases/tag/1.16

Is there any help needed to get a Maven release done here? @Mr14huashao seems to have been inactive on GitHub since December 2020, which is a worry 😢

kryo seems to have recent releases though, and possibly goes to the same Maven Central namespace? Does someone like @theigl from there have access to the required signing keys/creds for publishing yamlbeans as well, perhaps?

@JoeBeeContrast

Hi

I created a fork under https://github.com/Contrast-Security-OSS/yamlbeans and pushed to maven.
https://mvnrepository.com/artifact/com.contrastsecurity/yamlbeans/1.17

Joe

@chadlwilson

Thanks @JoeBeeContrast . Do you plan to maintain this fork for a while?

chadlwilson added a commit to tomzo/gocd-yaml-config-plugin that referenced this pull request Sep 1, 2023
The esotericsoftware yamlbeans version seems to be semi-abandoned, or the team has lost the ability to publish to Maven, based on
EsotericSoftware/yamlbeans#164 (comment). There are a couple of CVEs mitigated here,
but we need to re-enable anchors/aliases as these are core functionality.

Also minor tweaks needed to tests due to yamlbeans correcting the support for block scalars in 1.16. See https://yaml-multiline.info/
@JoeBeeContrast

For the time being, yes.

@theigl

theigl commented Sep 5, 2023

@chadlwilson: I'm not an admin/owner of the EsotericSoftware organization, so I can't do releases in this repository.

@NathanSweet: Could you do a release?

@NathanSweet
Member

Sure:
https://github.com/EsotericSoftware/yamlbeans/releases/tag/1.17

@chadlwilson

Unfortunately, doing a GitHub release doesn't do anything to get built artifacts into Maven Central, which is what is needed for other projects to use and consume the fixes.

https://repo1.maven.org/maven2/com/esotericsoftware/yamlbeans/yamlbeans/
