mirrors/cdt
1
0
Fork 0
mirror of https://github.com/eclipse-cdt/cdt synced 2025-04-29 19:45:01 +02:00
Code Issues Wiki Activity

Remove and ignore object references from Yaml files

Browse source 
Yaml 2.0 fixes CVE-2022–1471 to error on object references. This
commit adapts our use of Yaml to not output object references
anymore and on loading explicitly allow object references to
expected types.

Fixes #498
This commit is contained in:
Jonah Graham 2023-08-09 15:40:43 -04:00
parent e725b88951
commit de012f42a6
3 changed files with 32 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
cmake/org.eclipse.cdt.cmake.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java
View file

@ -22,9 +22,13 @@ import java.util.List;
import org.eclipse.cdt.cmake.core.internal.properties.CMakePropertiesBean; import org.eclipse.cdt.cmake.core.internal.properties.CMakePropertiesBean;
import org.eclipse.cdt.cmake.core.properties.CMakeGenerator; import org.eclipse.cdt.cmake.core.properties.CMakeGenerator;
import org.junit.Test; import org.junit.Test;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor; import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor;
import org.yaml.snakeyaml.inspector.TagInspector;
import org.yaml.snakeyaml.nodes.Tag;
import org.yaml.snakeyaml.representer.Representer;
/** /**
* @author Martin Weber * @author Martin Weber
@ -57,7 +61,14 @@ public class CMakePropertiesEvolutionTest {
extraArgs.add("arg2"); extraArgs.add("arg2");
props.setExtraArguments(extraArgs); props.setExtraArguments(extraArgs);
Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), new LoaderOptions())); var loaderoptions = new LoaderOptions();
TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName());
loaderoptions.setTagInspector(taginspector);
Representer customRepresenter = new Representer(new DumperOptions());
customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP);
Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), loaderoptions),
customRepresenter);
String output = yaml.dump(props); String output = yaml.dump(props);
// try to load as evolved properties.. // try to load as evolved properties..

5
cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF
View file

@ -22,4 +22,7 @@ Automatic-Module-Name: org.eclipse.cdt.cmake.core
Bundle-Localization: plugin Bundle-Localization: plugin
Import-Package: org.eclipse.core.variables, Import-Package: org.eclipse.core.variables,
org.yaml.snakeyaml;version="[2.0.0,3.0.0)", org.yaml.snakeyaml;version="[2.0.0,3.0.0)",
org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)" org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)",
org.yaml.snakeyaml.inspector;version="[2.0.0,3.0.0)",
org.yaml.snakeyaml.nodes;version="[2.0.0,3.0.0)",
org.yaml.snakeyaml.representer;version="[2.0.0,3.0.0)"

18
cmake/org.eclipse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java
View file

@ -27,9 +27,14 @@ import org.eclipse.cdt.cmake.core.internal.properties.CMakePropertiesBean;
import org.eclipse.cdt.cmake.core.properties.CMakeGenerator; import org.eclipse.cdt.cmake.core.properties.CMakeGenerator;
import org.eclipse.cdt.cmake.core.properties.ICMakeProperties; import org.eclipse.cdt.cmake.core.properties.ICMakeProperties;
import org.eclipse.cdt.cmake.core.properties.ICMakePropertiesController; import org.eclipse.cdt.cmake.core.properties.ICMakePropertiesController;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor; import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor;
import org.yaml.snakeyaml.inspector.TagInspector;
import org.yaml.snakeyaml.nodes.Tag;
import org.yaml.snakeyaml.representer.Representer;
/** /**
* A {@code ICMakePropertiesController} that monitors modifications to the project properties that force * A {@code ICMakePropertiesController} that monitors modifications to the project properties that force
@ -68,7 +73,13 @@ class CMakePropertiesController implements ICMakePropertiesController {
if (Files.exists(storageFile)) { if (Files.exists(storageFile)) {
try (InputStream is = Files.newInputStream(storageFile)) { try (InputStream is = Files.newInputStream(storageFile)) {
var classLoader = this.getClass().getClassLoader(); var classLoader = this.getClass().getClassLoader();
var clConstructor = new CustomClassLoaderConstructor(classLoader, new LoaderOptions());
var loaderoptions = new LoaderOptions();
TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName());
loaderoptions.setTagInspector(taginspector);
var clConstructor = new CustomClassLoaderConstructor(classLoader, loaderoptions);
props = new Yaml(clConstructor).loadAs(is, CMakePropertiesBean.class); props = new Yaml(clConstructor).loadAs(is, CMakePropertiesBean.class);
// props is null here if if no document was available in the file // props is null here if if no document was available in the file
} }
@ -95,7 +106,10 @@ class CMakePropertiesController implements ICMakePropertiesController {
} }
} }
try (Writer wr = new OutputStreamWriter(Files.newOutputStream(storageFile))) { try (Writer wr = new OutputStreamWriter(Files.newOutputStream(storageFile))) {
new Yaml().dump(properties, wr); Representer customRepresenter = new Representer(new DumperOptions());
customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP);
new Yaml(new Constructor(CMakePropertiesBean.class, new LoaderOptions()), customRepresenter)
.dump(properties, wr);
} }
setupModifyDetection(properties); setupModifyDetection(properties);