Fix CVE of UninstrumentedGateways in Dynamic Configuration activation. (#6098)

CHANGES.md

@@ -38,6 +38,7 @@ Release Notes.
 * Add component ID for NodeJS Axios plugin.
 * Fix searchService method error in storage-influxdb-plugin.
 * Add JavaScript component ID.
+* Fix CVE of UninstrumentedGateways in Dynamic Configuration activation.
 
 #### UI
 * Fix un-removed tags in trace query.

oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/UninstrumentedGatewaysConfig.java

@@ -38,8 +38,8 @@ import org.apache.skywalking.oap.server.configuration.api.ConfigChangeWatcher;
 import org.apache.skywalking.oap.server.core.Const;
 import org.apache.skywalking.oap.server.library.module.ModuleProvider;
 import org.apache.skywalking.oap.server.library.util.ResourceUtils;
+import org.apache.skywalking.oap.server.library.util.yaml.ClassFilterConstructor;
 import org.yaml.snakeyaml.Yaml;
-import org.yaml.snakeyaml.constructor.Constructor;
 
 import static java.util.Objects.isNull;
 
@@ -86,8 +86,9 @@ public class UninstrumentedGatewaysConfig extends ConfigChangeWatcher {
         } else {
             gatewayInstanceKeyedByAddress = StreamSupport.stream(gateways.spliterator(), false)
                                                          .flatMap(instance -> instance.getInstances().stream())
-                                                         .collect(Collectors.toMap(GatewayInstanceInfo::getAddress, Function
-                                                             .identity()));
+                                                         .collect(
+                                                             Collectors.toMap(GatewayInstanceInfo::getAddress, Function
+                                                                 .identity()));
         }
     }
 
@@ -102,7 +103,12 @@ public class UninstrumentedGatewaysConfig extends ConfigChangeWatcher {
     private GatewayInfos parseGatewaysFromFile(final String file) {
         try {
             final Reader reader = ResourceUtils.read(file);
-            return new Yaml().loadAs(reader, GatewayInfos.class);
+            return new Yaml(new ClassFilterConstructor(new Class[] {
+                GatewayInfos.class,
+                GatewayInfo.class,
+                GatewayInstanceInfo.class,
+                }))
+                .loadAs(reader, GatewayInfos.class);
         } catch (FileNotFoundException e) {
             log.error("Cannot load gateways from: {}", file, e);
         }
@@ -111,7 +117,12 @@ public class UninstrumentedGatewaysConfig extends ConfigChangeWatcher {
 
     private GatewayInfos parseGatewaysFromYml(final String ymlContent) {
         try {
-            return new Yaml(new Constructor(GatewayInfos.class)).loadAs(ymlContent, GatewayInfos.class);
+            return new Yaml(new ClassFilterConstructor(new Class[] {
+                GatewayInfos.class,
+                GatewayInfo.class,
+                GatewayInstanceInfo.class,
+                }))
+                .loadAs(ymlContent, GatewayInfos.class);
         } catch (Exception e) {
             log.error("Failed to parse yml content as gateways: \n{}", ymlContent, e);
         }

oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/UninstrumentedGatewaysConfigTest.java

+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.skywalking.oap.server.analyzer.provider.trace;
+
+import org.apache.skywalking.oap.server.library.module.ModuleConfig;
+import org.apache.skywalking.oap.server.library.module.ModuleDefine;
+import org.apache.skywalking.oap.server.library.module.ModuleProvider;
+import org.apache.skywalking.oap.server.library.module.ModuleStartException;
+import org.apache.skywalking.oap.server.library.module.ServiceNotProvidedException;
+import org.junit.Assert;
+import org.junit.Test;
+import org.powermock.reflect.Whitebox;
+
+public class UninstrumentedGatewaysConfigTest {
+    @Test
+    public void testParseGatewayYAML() throws Exception {
+        final UninstrumentedGatewaysConfig uninstrumentedGatewaysConfig
+            = new UninstrumentedGatewaysConfig(new MockProvider());
+        UninstrumentedGatewaysConfig.GatewayInfos gatewayInfos
+            = Whitebox.invokeMethod(uninstrumentedGatewaysConfig, "parseGatewaysFromFile", "gateways.yml");
+        Assert.assertEquals(1, gatewayInfos.getGateways().size());
+    }
+
+    private static class MockProvider extends ModuleProvider {
+
+        @Override
+        public String name() {
+            return null;
+        }
+
+        @Override
+        public Class<? extends ModuleDefine> module() {
+            return null;
+        }
+
+        @Override
+        public ModuleConfig createConfigBeanIfAbsent() {
+            return null;
+        }
+
+        @Override
+        public void prepare() throws ServiceNotProvidedException, ModuleStartException {
+
+        }
+
+        @Override
+        public void start() throws ServiceNotProvidedException, ModuleStartException {
+
+        }
+
+        @Override
+        public void notifyAfterCompleted() throws ServiceNotProvidedException, ModuleStartException {
+
+        }
+
+        @Override
+        public String[] requiredModules() {
+            return new String[0];
+        }
+    }
+}

oap-server/analyzer/agent-analyzer/src/test/resources/gateways.yml

+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+gateways:
+  - name: proxy0
+    instances:
+      - host: 127.0.0.1 # the host/ip of this gateway instance
+        port: 9099 # the port of this gateway instance, defaults to 80

oap-server/server-library/library-util/pom.xml

@@ -62,5 +62,9 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-text</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+        </dependency>
     </dependencies>
 </project>

oap-server/server-library/library-util/src/main/java/org/apache/skywalking/oap/server/library/util/yaml/ClassFilterConstructor.java

+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.skywalking.oap.server.library.util.yaml;
+
+import lombok.RequiredArgsConstructor;
+import org.yaml.snakeyaml.constructor.Constructor;
+
+/**
+ * Whitelist constructor implementation for YAML snake.
+ * Copied from Apache ShardingSphere.
+ */
+@RequiredArgsConstructor
+public final class ClassFilterConstructor extends Constructor {
+
+    private final Class<?>[] acceptClasses;
+
+    @Override
+    protected Class<?> getClassForName(final String name) throws ClassNotFoundException {
+        for (Class<? extends Object> each : acceptClasses) {
+            if (name.equals(each.getName())) {
+                return super.getClassForName(name);
+            }
+        }
+        throw new IllegalArgumentException(String.format("Class is not accepted: %s", name));
+    }
+}
\ No newline at end of file