Security patch for snake yaml

Bumped commons-configuration2 to latest version and correctly use YAMLConfiguration. Patch by Jon Haddad; Reviewed by Dinesh Joshi for CASSANDRASC-12
apache · Mar 26, 2020 · c2d684d7423bbf02a6fc231345eb1c2335cbc0b3 · c2d684d
1 parent 86d5c28
commit c2d684d7423bbf02a6fc231345eb1c2335cbc0b3
Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -1,5 +1,6 @@
 1.0.0
 -----
+ * Security patch to fix incorrect usage of yaml configuration (CASSANDRASC-12)
  * Build and Test with both Java 8 & 11 in Circle CI (CASSANDRA-15611)
  * Upgraded Gradle and replaced FindBugs with SpotBugs (CASSANDRA-15610)
  * Improving local HealthCheckTest reliability (CASSANDRA-15615)

diff --git a/build.gradle b/build.gradle
@@ -85,10 +85,10 @@ dependencies {
 
     compile 'com.datastax.cassandra:cassandra-driver-core:3.6+'
     compile group: 'com.google.inject', name: 'guice', version: '4.2.2'
-    compile group: 'org.apache.commons', name: 'commons-configuration2', version: '2.4'
+    compile group: 'org.apache.commons', name: 'commons-configuration2', version: '2.7'
 
     runtime group: 'commons-beanutils', name: 'commons-beanutils', version: '1.9.3'
-    runtime group: 'org.yaml', name: 'snakeyaml', version: '1.23'
+    runtime group: 'org.yaml', name: 'snakeyaml', version: '1.26'
 
     jolokia 'org.jolokia:jolokia-jvm:1.6.0:agent'
     swaggerUI 'org.webjars:swagger-ui:3.10.0'

diff --git a/src/main/java/org/apache/cassandra/sidecar/MainModule.java b/src/main/java/org/apache/cassandra/sidecar/MainModule.java
@@ -18,11 +18,12 @@
 
 package org.apache.cassandra.sidecar;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 
 import org.apache.commons.configuration2.YAMLConfiguration;
-import org.apache.commons.configuration2.builder.fluent.Configurations;
 import org.apache.commons.configuration2.ex.ConfigurationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -106,15 +107,18 @@ public Router vertxRouter(Vertx vertx, HealthService healthService)
 
     @Provides
     @Singleton
-    public Configuration configuration() throws ConfigurationException
+    public Configuration configuration() throws ConfigurationException, IOException
     {
         final String confPath = System.getProperty("sidecar.config", "file://./conf/config.yaml");
         logger.info("Reading configuration from {}", confPath);
         try
         {
-            Configurations confs = new Configurations();
             URL url = new URL(confPath);
-            YAMLConfiguration yamlConf = confs.fileBased(YAMLConfiguration.class, url);
+
+            YAMLConfiguration yamlConf = new YAMLConfiguration();
+            InputStream stream = url.openStream();
+            yamlConf.read(stream);
+
             return new Configuration.Builder()
                     .setCassandraHost(yamlConf.get(String.class, "cassandra.host"))
                     .setCassandraPort(yamlConf.get(Integer.class, "cassandra.port"))