From ec87c4ea170774c132e38c1227edeb4146efd25c Mon Sep 17 00:00:00 2001 From: Jonah Graham Date: Wed, 9 Aug 2023 15:40:43 -0400 Subject: [PATCH] Remove and ignore object references from Yaml files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Yaml 2.0 fixes CVE-2022–1471 to error on object references. This commit adapts our use of Yaml to not output object references anymore and on loading explicitly allow object references to expected types. Fixes #498 --- .../internal/CMakePropertiesEvolutionTest.java | 13 ++++++++++++- .../META-INF/MANIFEST.MF | 5 ++++- .../internal/CMakePropertiesController.java | 18 ++++++++++++++++-- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/cmake/org.eclipse.cdt.cmake.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java b/cmake/org.eclipse.cdt.cmake.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java index fc065c031eb..08045f27daa 100644 --- a/cmake/org.eclipse.cdt.cmake.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java +++ b/cmake/org.eclipse.cdt.cmake.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java @@ -22,9 +22,13 @@ import org.eclipse.cdt.cmake.core.internal.properties.CMakePropertiesBean; import org.eclipse.cdt.cmake.core.properties.CMakeGenerator; import org.junit.Test; +import org.yaml.snakeyaml.DumperOptions; import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor; +import org.yaml.snakeyaml.inspector.TagInspector; +import org.yaml.snakeyaml.nodes.Tag; +import org.yaml.snakeyaml.representer.Representer; /** * @author Martin Weber 
@@ -57,7 +61,14 @@ public void testSaveLoadEvolution_1() throws IOException { extraArgs.add("arg2"); props.setExtraArguments(extraArgs); - Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), new LoaderOptions())); + var loaderoptions = new LoaderOptions(); + TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName()); + loaderoptions.setTagInspector(taginspector); + Representer customRepresenter = new Representer(new DumperOptions()); + customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP); + + Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), loaderoptions), + customRepresenter); String output = yaml.dump(props); // try to load as evolved properties.. diff --git a/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF b/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF index ea913e38654..2947802d07e 100644 --- a/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF +++ b/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF @@ -22,4 +22,7 @@ Automatic-Module-Name: org.eclipse.cdt.cmake.core Bundle-Localization: plugin Import-Package: org.eclipse.core.variables, org.yaml.snakeyaml;version="[2.0.0,3.0.0)", - org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)" + org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)", + org.yaml.snakeyaml.inspector;version="[2.0.0,3.0.0)", + org.yaml.snakeyaml.nodes;version="[2.0.0,3.0.0)", + org.yaml.snakeyaml.representer;version="[2.0.0,3.0.0)" diff --git a/cmake/org.eclipse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java b/cmake/org.eclipse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java index 44cdc77e5b3..27560eec006 100644 --- a/cmake/org.eclipse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java 
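Review bot: In CMakePropertiesEvolutionTest, testSaveLoadEvolution_1 builds its own copy of the LoaderOptions/TagInspector and Representer setup instead of using the configuration in CMakePropertiesController, so it would keep passing if the controller's allow-list were later widened or dropped. The same lines are repeated in load() and save() in the controller; a single shared helper, for example a package-private factory returning the configured `Yaml`, would keep the three sites in step. The test also has no negative case: asserting that a document whose root tag names a class other than `CMakePropertiesBean` is rejected would pin the restriction this commit introduces. The test method begins and ends outside this hunk.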
+++ b/cmake/org.eclipse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java @@ -27,9 +27,14 @@ import org.eclipse.cdt.cmake.core.properties.CMakeGenerator; import org.eclipse.cdt.cmake.core.properties.ICMakeProperties; import org.eclipse.cdt.cmake.core.properties.ICMakePropertiesController; +import org.yaml.snakeyaml.DumperOptions; import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; +import org.yaml.snakeyaml.constructor.Constructor; import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor; +import org.yaml.snakeyaml.inspector.TagInspector; +import org.yaml.snakeyaml.nodes.Tag; +import org.yaml.snakeyaml.representer.Representer; /** * A {@code ICMakePropertiesController} that monitors modifications to the project properties that force @@ -68,7 +73,13 @@ public ICMakeProperties load() throws IOException { if (Files.exists(storageFile)) { try (InputStream is = Files.newInputStream(storageFile)) { var classLoader = this.getClass().getClassLoader(); - var clConstructor = new CustomClassLoaderConstructor(classLoader, new LoaderOptions()); + + var loaderoptions = new LoaderOptions(); + TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName()); + loaderoptions.setTagInspector(taginspector); + + var clConstructor = new CustomClassLoaderConstructor(classLoader, loaderoptions); + props = new Yaml(clConstructor).loadAs(is, CMakePropertiesBean.class); // props is null here if if no document was available in the file } 
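Review bot: The tag allow-list added to load() has no comment explaining why it exists or that it must stay limited to one class. Going by the commit message, it is presumably there so that files saved before this change, which still carry the bean's root tag, keep loading. A comment such as `// Accept only the CMakePropertiesBean root tag found in previously saved files; save() no longer writes it. Do not widen this check.` would stop a later edit from loosening it. A file carrying any other global tag will presumably now fail inside `loadAs` with SnakeYAML's unchecked exception rather than the `IOException` that load() declares. Whether callers handle that is not visible, because load() continues outside the hunk. The locals would also read better in lowerCamelCase, as `loaderOptions` and `tagInspector`.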
@@ -95,7 +106,10 @@ public void save(ICMakeProperties properties) throws IOException { } } try (Writer wr = new OutputStreamWriter(Files.newOutputStream(storageFile))) { - new Yaml().dump(properties, wr); + Representer customRepresenter = new Representer(new DumperOptions()); + customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP); + new Yaml(new Constructor(CMakePropertiesBean.class, new LoaderOptions()), customRepresenter) + .dump(properties, wr); } setupModifyDetection(properties);
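Review bot: In save(), the tag suppression is registered for `CMakePropertiesBean.class`, but the parameter is declared as `ICMakeProperties`. As far as I can tell the representer looks up class tags by exact runtime class, so any other implementation passed in would still be dumped with a global tag, and the new inspector in load() would then refuse that file. Either register the runtime class, `customRepresenter.addClassTag(properties.getClass(), Tag.MAP);`, or reject a non-bean argument before writing. The `Constructor` built here is never used for dumping; if the `Yaml(Representer)` overload is available in the imported 2.x range, `new Yaml(customRepresenter).dump(properties, wr);` says the same thing with less noise. save() begins and ends outside this hunk.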