CVE: upgrade snakeyaml to prevent billion laughs attack in dynamic configuration. (#7071)

56f2e86a · Zhenxu · GitHub · 971360a7 · 56f2e86a · 56f2e86a
11 changed file
--- a/.github/workflows/ci-it.yaml
+++ b/.github/workflows/ci-it.yaml
@@ -111,7 +111,8 @@ jobs:
          java-version: 8
      - name: 'Install & Test'
        if: env.SKIP_CI != 'true'
-        run: ./mvnw --batch-mode -P"agent,backend,ui,dist" clean verify install
+        run: |
+          ./mvnw --batch-mode -P"agent,backend,ui,dist" clean verify install
  CI-on-MacOS:

--- a/CHANGES.md
+++ b/CHANGES.md
@@ -60,6 +60,7 @@ Release Notes.
 * Add HTTP implementation of logs reporting protocol.
 * Make metrics exporter still work even when storage layer failed.
 * Fix Jetty HTTP `TRACE` issue, disable HTTP methods except `POST`.
+* CVE: upgrade snakeyaml to prevent [billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs#Variations) in dynamic configuration.
 #### UI
 * Add logo for kong plugin.

--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -247,7 +247,7 @@ The text of each license is the standard Apache 2.0 license.
    securesm 1.1: https://github.com/elastic/securesm/blob/master/pom.xml , Apache 2.0
    LMAX Ltd.(disruptor) 3.3.6: https://github.com/LMAX-Exchange/disruptor , Apache 2.0
    Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
-    SnakeYAML 1.18: http://www.snakeyaml.org , Apache 2.0
+    SnakeYAML 1.28: http://www.snakeyaml.org , Apache 2.0
    Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
    Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
    Spring Framework 4.3.14.RELEASE: https://github.com/spring-projects/spring-framework, Apache 2.0

--- a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
+++ b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
@@ -18,7 +18,7 @@
 package org.apache.skywalking.oap.server.analyzer.provider.trace;
-import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.atomic.AtomicInteger;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.skywalking.oap.server.analyzer.module.AnalyzerModule;
 import org.apache.skywalking.oap.server.analyzer.provider.AnalyzerModuleConfig;
@@ -31,11 +31,11 @@ import org.apache.skywalking.oap.server.library.module.ModuleProvider;
 */
 @Slf4j
 public class TraceLatencyThresholdsAndWatcher extends ConfigChangeWatcher {
-    private AtomicReference<Integer> slowTraceSegmentThreshold;
+    private AtomicInteger slowTraceSegmentThreshold;
    public TraceLatencyThresholdsAndWatcher(ModuleProvider provider) {
        super(AnalyzerModule.NAME, provider, "slowTraceSegmentThreshold");
-        slowTraceSegmentThreshold = new AtomicReference<>();
+        slowTraceSegmentThreshold = new AtomicInteger();
        slowTraceSegmentThreshold.set(getDefaultValue());
    }

--- a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
+++ b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
@@ -57,7 +57,7 @@ public class TraceLatencyThresholdsAndWatcherTest {
        register.registerConfigChangeWatcher(watcher);
        register.start();
-        while (watcher.getSlowTraceSegmentThreshold() == 10000) {
+        while (watcher.getSlowTraceSegmentThreshold() < 0) {
            Thread.sleep(2000);
        }
        assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000));

--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -57,7 +57,7 @@
        <slf4j.version>1.7.25</slf4j.version>
        <log4j.version>2.9.0</log4j.version>
        <guava.version>28.1-jre</guava.version>
-        <snakeyaml.version>1.18</snakeyaml.version>
+        <snakeyaml.version>1.28</snakeyaml.version>
        <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
        <graphql-java.version>8.0</graphql-java.version>
        <zookeeper.version>3.4.10</zookeeper.version>

--- a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
+++ b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
@@ -64,7 +64,6 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
    public void start() {
        isStarted = true;
-        configSync();
        LOGGER.info("Current configurations after the bootstrap sync." + LINE_SEPARATOR + register.toString());
        Executors.newSingleThreadScheduledExecutor()
@@ -72,7 +71,7 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
                     new RunnableWithExceptionProtection(
                         this::configSync,
                         t -> LOGGER.error("Sync config center error.", t)
-                     ), syncPeriod, syncPeriod, TimeUnit.SECONDS);
+                     ), 0, syncPeriod, TimeUnit.SECONDS);
    }
    void configSync() {

--- a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
+++ b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
@@ -73,7 +73,7 @@ public class PropertyPlaceholderHelperTest {
        Assert.assertEquals("0.0.0.0", yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restHost"), properties)));
        //tests that use ${REST_PORT:12800} and set REST_PORT in environmentVariables.
-        Assert.assertEquals(12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
+        Assert.assertEquals((Integer) 12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
    }
    @Test

--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
@@ -155,7 +155,7 @@ public class K8SALSServiceMeshHTTPAnalysisTest {
        @Override
        public void init(ModuleManager manager, EnvoyMetricReceiverConfig config) {
-            super.init(manager, config);
+            this.config = config;
            serviceRegistry = mock(K8SServiceRegistry.class);
            when(serviceRegistry.findService(anyString())).thenReturn(config.serviceMetaInfoFactory().unknown());
            when(serviceRegistry.findService("10.44.2.56")).thenReturn(new ServiceMetaInfo("ingress", "ingress-Inst"));

--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -158,7 +158,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar

--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -154,7 +154,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar