修复漏洞信息
Signed-off-by: hanbingleixue <hanbingleixue@hotmail.com>
hanbingleixue committed Dec 8, 2023
1 parent 7ec4f12 commit 5b96b96
Showing 25 changed files with 52 additions and 28 deletions.
6 changes: 0 additions & 6 deletions pom.xml
@@ -47,7 +47,6 @@
<fastjson.version>1.2.83</fastjson.version>
<xml.apis.version>1.4.01</xml.apis.version>
<xerces.version>2.12.1</xerces.version>
<snake.yaml.version>1.32</snake.yaml.version>
<zookeeper.version>3.6.3</zookeeper.version>
<lombok.version>1.18.22</lombok.version>
<asm.version>8.0.1</asm.version>
@@ -194,11 +193,6 @@
<artifactId>xercesImpl</artifactId>
<version>${xerces.version}</version>
</dependency>
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snake.yaml.version}</version>
</dependency>
<dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
3 changes: 2 additions & 1 deletion sermant-agentcore/sermant-agentcore-implement/pom.xml
@@ -30,6 +30,7 @@
<nexus.staging.plugin.version>1.6.7</nexus.staging.plugin.version>
<nacos.version>2.1.0</nacos.version>
<jackson-databind.version>2.13.4.2</jackson-databind.version>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<dependencies>
@@ -103,7 +104,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snake.yaml.version}</version>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
@@ -26,6 +26,7 @@

import com.alibaba.fastjson.util.IOUtils;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.representer.Representer;
@@ -60,7 +61,8 @@ public class LoadYamlStrategy implements LoadConfigStrategy<Map> {
*/
private static final Logger LOGGER = LoggerFactory.getLogger();

private static final Map<Class<?>, Class<?>> BASE_TYPE_TRANSFER_MAP = new HashMap<Class<?>, Class<?>>() {{
private static final Map<Class<?>, Class<?>> BASE_TYPE_TRANSFER_MAP = new HashMap<Class<?>, Class<?>>() {
{
put(int.class, Integer.class);
put(short.class, Short.class);
put(long.class, Long.class);
@@ -69,7 +71,8 @@ public class LoadYamlStrategy implements LoadConfigStrategy<Map> {
put(float.class, Float.class);
put(double.class, Double.class);
put(boolean.class, Boolean.class);
}};
}
};

/**
* Yaml对象
@@ -85,7 +88,7 @@ public class LoadYamlStrategy implements LoadConfigStrategy<Map> {
* 构造函数
*/
public LoadYamlStrategy() {
Representer representer = new Representer();
Representer representer = new Representer(new DumperOptions());
representer.getPropertyUtils().setSkipMissingProperties(true);
this.yaml = new Yaml(representer);
}
@@ -104,7 +107,7 @@ public Map getConfigHolder(File config, Map<String, Object> bootstreapArgsMap) {

@Override
public <R extends BaseConfig> R loadConfig(Map holder, R config) {
final Class<? extends BaseConfig> cls = config.getClass();
final Class<R> cls = (Class<R>) config.getClass();
final String typeKey = ConfigKeyUtil.getTypeKey(cls);
final Object typeVal = holder.get(typeKey);
if (!(typeVal instanceof Map)) {
@@ -226,12 +229,13 @@ public String getFixedValue(String key) {
if (fixedStrValue == null) {
fixedVal = null;
} else {
fixedVal = yaml.loadAs(fixedStrValue, BASE_TYPE_TRANSFER_MAP.getOrDefault(field.getType(),
field.getType()));
Class fieldClass = BASE_TYPE_TRANSFER_MAP.getOrDefault(field.getType(), field.getType());
fixedVal = yaml.loadAs(fixedStrValue, fieldClass);
}
} else {
Class fieldClass = subTypeVal.getClass();
fixedVal = yaml.loadAs(ConfigValueUtil.fixValue(configKey, yaml.dump(subTypeVal), argsMap, provider),
subTypeVal.getClass());
fieldClass);
}
} catch (ConstructorException exception) {
LOGGER.severe(String.format(Locale.ENGLISH, "Error occurs while parsing configKey: %s", configKey));
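Review bot: The `catch (ConstructorException exception)` that closes this hunk is narrower than what the two `yaml.loadAs` calls can throw after the upgrade. In SnakeYAML 2.x a value carrying a disallowed `!!` type tag is, as far as I know, rejected while the document is composed, which raises a different `YAMLException` subtype and would skip the `LOGGER.severe` line. Catching the shared base type keeps the handling in one place: `} catch (YAMLException exception) {`, with `import org.yaml.snakeyaml.error.YAMLException;` added. The two new raw `Class fieldClass` locals are presumably there to satisfy the changed `loadAs` signature, and a one-line comment saying so would stop a later cleanup from reverting them. The enclosing method starts and ends outside the hunk.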
@@ -19,6 +19,7 @@
import com.huaweicloud.sermant.core.common.LoggerFactory;
import com.huaweicloud.sermant.core.operation.converter.api.YamlConverter;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.representer.Representer;
@@ -43,7 +44,7 @@ public class YamlConverterImpl implements YamlConverter {
* Constructor.
*/
public YamlConverterImpl() {
Representer representer = new Representer();
Representer representer = new Representer(new DumperOptions());
representer.getPropertyUtils().setSkipMissingProperties(true);
yaml = new Yaml(representer);
}
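Review bot: Nothing in the constructor records why `DumperOptions` is now passed or what changes on the loading side, and the same edit is repeated in LoadYamlStrategy, the YamlRuleConverter classes (including the copy inside the test) and RemovalDynamicConfigListener. A short comment above the `Representer` line would cover it, for example `// SnakeYAML 2.x: Representer requires DumperOptions; new Yaml(representer) loads with default LoaderOptions`. It is also worth stating there that `setSkipMissingProperties(true)`, as the library documents it, makes unknown keys in the input be ignored silently, so a mistyped key in a rule or config document is not reported. The methods that use `yaml` are outside the hunk.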
2 changes: 1 addition & 1 deletion sermant-backend/pom.xml
@@ -16,7 +16,7 @@
<spring.boot.version>2.5.3</spring.boot.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<io.netty.version>4.1.86.Final</io.netty.version>
<spring-boot.version>2.6.1</spring-boot.version>
<spring-boot.version>2.7.15</spring-boot.version>
<protobuf-java.version>3.19.6</protobuf-java.version>
<lombok.version>1.18.22</lombok.version>
<fastjson.version>1.2.83</fastjson.version>
2 changes: 2 additions & 0 deletions sermant-common/pom.xml
@@ -17,6 +17,7 @@
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<simpleclient.version>0.16.0</simpleclient.version>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<!--公共第三方依赖,在插件服务模块或implement模块中以provided方式引入sermant-common-->
@@ -28,6 +29,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>io.prometheus</groupId>
2 changes: 1 addition & 1 deletion sermant-injector/pom.xml
@@ -15,7 +15,7 @@
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<commons.io.version>2.11.0</commons.io.version>
<spring.boot.version>2.7.4</spring.boot.version>
<spring.boot.version>2.7.15</spring.boot.version>
</properties>

<dependencies>
@@ -18,6 +18,7 @@
<package.plugin.type>plugin</package.plugin.type>
<config.skip.flag>false</config.skip.flag>
<spring-beans.version>5.3.20</spring-beans.version>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<dependencies>
@@ -54,6 +55,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
@@ -22,6 +22,7 @@
import com.huaweicloud.sermant.core.plugin.service.PluginService;
import com.huaweicloud.sermant.core.utils.StringUtils;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;
@@ -46,7 +47,7 @@ public class YamlRuleConverter implements RuleConverter, PluginService {
* 构造器
*/
public YamlRuleConverter() {
Representer representer = new Representer();
Representer representer = new Representer(new DumperOptions());
representer.getPropertyUtils().setSkipMissingProperties(true);
yaml = new Yaml(representer);
}
@@ -17,6 +17,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<spring.version>5.3.20</spring.version>
<javax.version>1.3.2</javax.version>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<dependencies>
@@ -60,6 +61,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
@@ -28,6 +28,7 @@
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;
@@ -116,7 +117,7 @@ static class YamlRuleConverter implements RuleConverter, PluginService {
* 构造器
*/
public YamlRuleConverter() {
Representer representer = new Representer();
Representer representer = new Representer(new DumperOptions());
representer.getPropertyUtils().setSkipMissingProperties(true);
yaml = new Yaml(representer);
}
@@ -16,6 +16,7 @@
<maven.compiler.target>8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<package.plugin.type>service</package.plugin.type>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<dependencies>
@@ -33,6 +34,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>junit</groupId>
@@ -24,6 +24,7 @@
import com.huaweicloud.sermant.core.plugin.service.PluginService;
import com.huaweicloud.sermant.core.utils.StringUtils;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;
@@ -50,7 +51,7 @@ public class YamlRuleConverter implements RuleConverter, PluginService {
* 构造器
*/
public YamlRuleConverter() {
Representer representer = new Representer();
Representer representer = new Representer(new DumperOptions());
representer.getPropertyUtils().setSkipMissingProperties(true);
List<String> whiteList = new ArrayList<>();
whiteList.add(LoadbalancerRule.class.getCanonicalName());
@@ -16,6 +16,7 @@

package com.huaweicloud.loadbalancer.common;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.nodes.Tag;

@@ -35,7 +36,7 @@ public class SafeConstructor extends Constructor {
* @param whiteList 白名单
*/
public SafeConstructor(List<String> whiteList) {
super();
super(new LoaderOptions());
this.yamlConstructors.put(null, undefinedConstructor);
this.yamlConstructors.put(new Tag(Tag.PREFIX + Map.class.getCanonicalName()), new SafeConstructObject());
this.yamlConstructors.put(new Tag(Tag.PREFIX + List.class.getCanonicalName()), new SafeConstructObject());
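Review bot: `super(new LoaderOptions())` leaves the loader at library defaults, so this class now has two independent gates: the `yamlConstructors` entries registered here (and presumably for `whiteList` below the hunk) and, in SnakeYAML 2.x as far as I know, a default tag inspector that refuses explicit `!!` class tags before any constructor is consulted. If rule documents ever carry explicit tags for whitelisted classes they would presumably be rejected at that earlier stage, so a test with such a document and a Javadoc line saying which gate is authoritative would be worth adding. The class also shares its simple name with the library's `org.yaml.snakeyaml.constructor.SafeConstructor` while extending the general `Constructor`, and a class comment stating that would prevent misreading. The constructor body continues outside the hunk, and the identical change in `com.huaweicloud.sermant.router.config.common.SafeConstructor` needs the same note.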
@@ -20,6 +20,7 @@
<ribbon.version>2.3.0</ribbon.version>
<jakarta.el.version>3.0.4</jakarta.el.version>
<spring-context.version>5.3.20</spring-context.version>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<dependencies>
@@ -90,6 +91,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
@@ -22,6 +22,7 @@
import com.huaweicloud.sermant.core.plugin.service.PluginService;
import com.huaweicloud.sermant.core.utils.StringUtils;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;
@@ -46,7 +47,7 @@ public class YamlRuleConverter implements RuleConverter, PluginService {
* 构造器
*/
public YamlRuleConverter() {
Representer representer = new Representer();
Representer representer = new Representer(new DumperOptions());
representer.getPropertyUtils().setSkipMissingProperties(true);
yaml = new Yaml(representer);
}
2 changes: 2 additions & 0 deletions sermant-plugins/sermant-router/router-config-service/pom.xml
@@ -15,6 +15,7 @@
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<package.plugin.type>service</package.plugin.type>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<dependencies>
@@ -49,6 +50,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
@@ -16,6 +16,7 @@

package com.huaweicloud.sermant.router.config.common;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.nodes.Tag;

@@ -35,7 +36,7 @@ public class SafeConstructor extends Constructor {
* @param whiteList 白名单
*/
public SafeConstructor(List<String> whiteList) {
super();
super(new LoaderOptions());
this.yamlConstructors.put(null, undefinedConstructor);
this.yamlConstructors.put(new Tag(Tag.PREFIX + Map.class.getCanonicalName()), new SafeConstructObject());
this.yamlConstructors.put(new Tag(Tag.PREFIX + List.class.getCanonicalName()), new SafeConstructObject());
@@ -17,6 +17,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<config.skip.flag>false</config.skip.flag>
<package.plugin.type>service</package.plugin.type>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>
<dependencies>
<dependency>
@@ -33,6 +34,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>junit</groupId>
@@ -24,6 +24,7 @@
import com.huaweicloud.sermant.core.service.dynamicconfig.common.DynamicConfigListener;
import com.huaweicloud.sermant.core.utils.StringUtils;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.representer.Representer;

@@ -42,7 +43,7 @@ public class RemovalDynamicConfigListener implements DynamicConfigListener {
* 构造方法
*/
public RemovalDynamicConfigListener() {
Representer representer = new Representer();
Representer representer = new Representer(new DumperOptions());
representer.getPropertyUtils().setSkipMissingProperties(true);
yaml = new Yaml(representer);
}
@@ -14,7 +14,7 @@
<properties>
<config.skip.flag>false</config.skip.flag>
<package.plugin.type>plugin</package.plugin.type>
<spring-components.version>5.3.20</spring-components.version>
<spring-components.version>5.3.29</spring-components.version>
</properties>

<dependencies>
@@ -16,7 +16,7 @@
<maven.compiler.target>8</maven.compiler.target>
<config.skip.flag>false</config.skip.flag>
<package.plugin.type>plugin</package.plugin.type>
<apache.dubbo.version>3.2.0</apache.dubbo.version>
<apache.dubbo.version>3.2.5</apache.dubbo.version>
</properties>

<dependencies>
@@ -16,12 +16,14 @@
<maven.compiler.target>8</maven.compiler.target>
<config.skip.flag>false</config.skip.flag>
<package.plugin.type>service</package.plugin.type>
<snakeyaml.version>2.0</snakeyaml.version>
</properties>

<dependencies>
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>