test: add yaml loadAs test #14080
Conversation
yuluo-yx
commented
Apr 12, 2024
- Test YamlCodec to ensure there is no CVE issue (#13799)
Signed-off-by: yuluo-yx <yuluo08290126@gmail.com>
The background of this feature is that snakeyaml supports including class names within the content. Therefore, it's intended to test and verify that classes configured on the whitelist can be deserialized, whereas others should be rejected.
e.g.,

```yaml
"1": !!demo.User
  name: Alice
  age: 28
"2": !!demo.User
  name: Bob
  age: 34
```
Refs:
https://github.com/apache/dubbo/blob/3.3/dubbo-remoting/dubbo-remoting-http12/src/main/java/org/apache/dubbo/remoting/http12/message/codec/YamlCodec.java#L40
https://github.com/apache/dubbo/blob/3.3/dubbo-common/src/main/java/org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java#L33
https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/class-check/
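The allow/deny behaviour the reviewer describes, as an added example that is not Dubbo's own YamlCodec or DefaultSerializeClassChecker: SnakeYAML 1.33+ lets a `TagInspector` veto a global `!!` class tag before the object is constructed, so an allowlist of class names can be enforced at parse time rather than after the fact. `demo.User` is the hypothetical bean from the comment above (public `name`/`age` properties, no-arg constructor) and must exist on the classpath for the allowed case; `demo.Admin` is a hypothetical class name used only to show a rejection. The `ALLOWED` set stands in for a real class checker.

```java
import java.util.Map;
import java.util.Set;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.inspector.TagInspector;

/**
 * Added example, not project code. Only class names in ALLOWED may be
 * instantiated from a global "!!" tag; every other tag is rejected by
 * SnakeYAML before any constructor runs. Requires SnakeYAML 1.33 or newer.
 */
public class YamlAllowlistDemo {

    // Hypothetical allowlist standing in for the project's class checker.
    private static final Set<String> ALLOWED = Set.of("demo.User");

    static Yaml allowlistedYaml() {
        LoaderOptions opts = new LoaderOptions();
        // Consulted for each non-standard global tag (e.g. !!demo.User);
        // returning false makes SnakeYAML throw instead of loading the class.
        TagInspector inspector = tag -> ALLOWED.contains(tag.getClassName());
        opts.setTagInspector(inspector);
        return new Yaml(new Constructor(opts));
    }

    /**
     * Returns the parsed document, or null when it names a class outside the
     * allowlist (SnakeYAML reports the veto as a YAMLException subclass).
     */
    static Map<String, Object> loadOrReject(String yaml) {
        try {
            return allowlistedYaml().load(yaml);
        } catch (YAMLException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the reviewer's example.
        String allowed = "\"1\": !!demo.User\n  name: Alice\n  age: 28\n";
        String denied  = "\"1\": !!demo.Admin\n  name: Mallory\n";

        System.out.println("allowlisted class loaded: " + (loadOrReject(allowed) != null));
        System.out.println("other class rejected:     " + (loadOrReject(denied) == null));
    }
}
```

A test for YamlCodec along these lines should assert both directions: a document tagged with an allowlisted class round-trips to an instance of that class, and a document tagged with any other class name fails to load at all, rather than loading as a plain map.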
got it, I will refactor it
import org.yaml.snakeyaml.error.YAMLException;

/**
 * @author yuluo
Please remove the author tag. THX