CASSANDRA-18875: Upgrade jackson-dataformat-yaml to 2.19.2 and snakeyaml to 2.1

.build/owasp/dependency-check-suppressions.xml

@@ -20,18 +20,6 @@
   https://jeremylong.github.io/DependencyCheck/general/suppression.html
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <!--  https://issues.apache.org/jira/browse/CASSANDRA-17907 -->
-        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-        <cve>CVE-2022-1471</cve>
-        <cve>CVE-2022-25857</cve>
-        <cve>CVE-2022-38749</cve>
-        <cve>CVE-2022-38750</cve>
-        <cve>CVE-2022-38751</cve>
-        <cve>CVE-2022-38752</cve>
-        <cve>CVE-2022-41854</cve>
-    </suppress>
-
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-18943 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>

.build/parent-pom-template.xml

@@ -442,9 +442,9 @@
       <dependency>
         <groupId>com.fasterxml.jackson.dataformat</groupId>
         <artifactId>jackson-dataformat-yaml</artifactId>
-        <!-- CASSANDRA-20848 2.19.x would bring snakeyaml 2.4 which is for now incompatible with rest of the codebase -->
-        <version>2.13.2</version>
+        <version>2.19.2</version>
         <scope>test</scope>
+        <!-- CASSANDRA-20848 2.19.x would bring snakeyaml 2.4 which is for now incompatible with rest of the codebase -->
         <exclusions>
           <exclusion>
             <artifactId>snakeyaml</artifactId>
@@ -465,7 +465,7 @@
       <dependency>
         <groupId>org.yaml</groupId>
         <artifactId>snakeyaml</artifactId>
-        <version>1.26</version>
+        <version>2.1</version>
       </dependency>
       <dependency>
         <groupId>junit</groupId>
@@ -514,6 +514,17 @@
         <artifactId>harry-core</artifactId>
         <version>0.0.1</version>
         <scope>test</scope>
+        <!-- harry 0.0.1 uses jackson 2.11.3 which is older than our declared jackson dependency -->
+        <exclusions>
+          <exclusion>
+            <artifactId>jackson-databind</artifactId>
+            <groupId>com.fasterxml.jackson.core</groupId>
+          </exclusion>
+          <exclusion>
+            <artifactId>jackson-annotations</artifactId>
+            <groupId>com.fasterxml.jackson.core</groupId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>org.reflections</groupId>
@@ -532,6 +543,13 @@
         <artifactId>wiremock-jre8</artifactId>
         <version>2.35.0</version>
         <scope>test</scope>
+        <!-- wiremock 2.35.0 uses jackson 2.13.4 which is older than our declared jackson dependency -->
+        <exclusions>
+          <exclusion>
+            <artifactId>jackson-annotations</artifactId>
+            <groupId>com.fasterxml.jackson.core</groupId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>com.puppycrawl.tools</groupId>

.snyk

@@ -2,20 +2,6 @@
 # This file is autogenerated from .build/dependency-check-suppressions.xml
 version: v1.25.0
 ignore:
-  CVE-2022-1471:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-25857:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38749:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38750:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38751:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38752:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-41854:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
   CVE-2023-44487:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-18943 -- ^pkg:maven/io\.netty/netty\-.*@.*$
   CVE-2023-6378:

CHANGES.txt

@@ -1,4 +1,5 @@
 5.0.6
+ * Upgrade jackson-dataformat-yaml to 2.19.2 and snakeyaml to 2.1 (CASSANDRA-18875)
  * Expose StorageService.dropPreparedStatements via JMX (CASSANDRA-20870)
  * Sort SSTable TOC entries for determinism (CASSANDRA-20494)
 Merged from 4.1:

src/java/org/apache/cassandra/config/YamlConfigurationLoader.java

@@ -52,6 +52,8 @@
 import org.yaml.snakeyaml.introspector.Property;
 import org.yaml.snakeyaml.introspector.PropertyUtils;
 import org.yaml.snakeyaml.nodes.Node;
+import org.yaml.snakeyaml.parser.ParserImpl;
+import org.yaml.snakeyaml.resolver.Resolver;
 
 import static org.apache.cassandra.config.CassandraRelevantProperties.ALLOW_DUPLICATE_CONFIG_KEYS;
 import static org.apache.cassandra.config.CassandraRelevantProperties.ALLOW_NEW_OLD_CONFIG_KEYS;
@@ -195,7 +197,7 @@ private static void verifyReplacements(Map<Class<?>, Map<String, Replacement>> r
 
     private static void verifyReplacements(Map<Class<?>, Map<String, Replacement>> replacements, byte[] configBytes)
     {
-        LoaderOptions loaderOptions = new LoaderOptions();
+        LoaderOptions loaderOptions = getDefaultLoaderOptions();
         loaderOptions.setAllowDuplicateKeys(ALLOW_DUPLICATE_CONFIG_KEYS.getBoolean());
         Yaml rawYaml = new Yaml(loaderOptions);
 
@@ -222,14 +224,7 @@ public static <T> T fromMap(Map<String,Object> map, boolean shouldCheck, Class<T
         constructor.setPropertyUtils(propertiesChecker);
         Yaml yaml = new Yaml(constructor);
         Node node = yaml.represent(map);
-        constructor.setComposer(new Composer(null, null)
-        {
-            @Override
-            public Node getSingleNode()
-            {
-                return node;
-            }
-        });
+        constructor.setComposer(getDefaultComposer(node));
         T value = (T) constructor.getSingleData(klass);
         if (shouldCheck)
             propertiesChecker.check();
@@ -256,26 +251,31 @@ protected Object newInstance(Node node)
         constructor.setPropertyUtils(propertiesChecker);
         Yaml yaml = new Yaml(constructor);
         Node node = yaml.represent(map);
-        constructor.setComposer(new Composer(null, null)
+        constructor.setComposer(getDefaultComposer(node));
+        T value = (T) constructor.getSingleData(klass);
+        if (shouldCheck)
+            propertiesChecker.check();
+        return value;
+    }
+
+    private static Composer getDefaultComposer(Node node)
+    {
+        return new Composer(new ParserImpl(null), new Resolver(), getDefaultLoaderOptions())
         {
             @Override
             public Node getSingleNode()
             {
                 return node;
             }
-        });
-        T value = (T) constructor.getSingleData(klass);
-        if (shouldCheck)
-            propertiesChecker.check();
-        return value;
+        };
     }
 
     @VisibleForTesting
     static class CustomConstructor extends CustomClassLoaderConstructor
     {
         CustomConstructor(Class<?> theRoot, ClassLoader classLoader)
         {
-            super(theRoot, classLoader);
+            super(theRoot, classLoader, getDefaultLoaderOptions());
 
             TypeDescription seedDesc = new TypeDescription(ParameterizedClass.class);
             seedDesc.putMapPropertyType("parameters", String.class, String.class);
@@ -426,5 +426,12 @@ public void check() throws ConfigurationException
                 logger.warn("{} parameters have been deprecated. They have new names and/or value format; For more information, please refer to NEWS.txt", deprecationWarnings);
         }
     }
+
+    public static LoaderOptions getDefaultLoaderOptions()
+    {
+        LoaderOptions loaderOptions = new LoaderOptions();
+        loaderOptions.setCodePointLimit(64 * 1024 * 1024); // 64 MiB
+        return loaderOptions;
+    }
 }
 

src/java/org/apache/cassandra/tools/JMXTool.java

@@ -68,9 +68,11 @@
 import io.airlift.airline.Help;
 import io.airlift.airline.HelpOption;
 import io.airlift.airline.Option;
+import org.apache.cassandra.config.YamlConfigurationLoader;
 import org.apache.cassandra.io.util.File;
 import org.apache.cassandra.io.util.FileInputStreamPlus;
 import org.apache.cassandra.utils.JsonUtils;
+import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.TypeDescription;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.Constructor;
@@ -163,7 +165,7 @@ void dump(OutputStream output, Map<String, Info> map) throws IOException
             {
                 void dump(OutputStream output, Map<String, Info> map) throws IOException
                 {
-                    Representer representer = new Representer();
+                    Representer representer = new Representer(new DumperOptions());
                     representer.addClassTag(Info.class, Tag.MAP); // avoid the auto added tag
                     Yaml yaml = new Yaml(representer);
                     yaml.dump(map, new OutputStreamWriter(output));
@@ -394,6 +396,7 @@ private static final class CustomConstructor extends Constructor
 
             public CustomConstructor()
             {
+                super(YamlConfigurationLoader.getDefaultLoaderOptions());
                 this.rootTag = new Tag(ROOT);
                 this.addTypeDescription(INFO_TYPE);
             }

tools/stress/src/org/apache/cassandra/stress/StressProfile.java

@@ -37,6 +37,7 @@
 import com.datastax.driver.core.*;
 import com.datastax.driver.core.exceptions.AlreadyExistsException;
 import org.antlr.runtime.RecognitionException;
+import org.apache.cassandra.config.YamlConfigurationLoader;
 import org.apache.cassandra.cql3.CQLFragmentParser;
 import org.apache.cassandra.cql3.CqlParser;
 import org.apache.cassandra.cql3.statements.ModificationStatement;
@@ -809,7 +810,7 @@ public static StressProfile load(URI file) throws IOError
     {
         try
         {
-            Constructor constructor = new Constructor(StressYaml.class);
+            Constructor constructor = new Constructor(StressYaml.class, YamlConfigurationLoader.getDefaultLoaderOptions());
 
             Yaml yaml = new Yaml(constructor);