YAML timestamps not handled properly with SnakeYaml 1.31 #32228

Closed
bclozel opened this issue Sep 5, 2022 · 5 comments
Labels: type: bug (A general bug)

bclozel commented Sep 5, 2022

Spring Boot 2.x is currently using SnakeYaml 1.29 and cannot be further upgraded because of our third party dependency upgrade policy. As seen in #32221, the latest SnakeYaml 1.31 ships with a fix for a CVE: a DoS vulnerability if the Yaml parser is used with untrusted input.

We advise Spring Boot users to upgrade to SnakeYaml 1.31 if they think their application is vulnerable. Because this version also brings backwards incompatible changes with our SnakeYaml support, we need to ensure that Spring Boot applications upgraded to the latest version still behave properly at runtime.

This issue is about ensuring forward compatibility with SnakeYaml 1.31, but this should not upgrade the managed dependency, the default version should remain at 1.29.

@bclozel bclozel added the type: enhancement A general enhancement label Sep 5, 2022
@bclozel bclozel added this to the 2.6.12 milestone Sep 5, 2022
@bclozel bclozel self-assigned this Sep 5, 2022
@bclozel bclozel closed this as completed in 724f9eb Sep 5, 2022
bclozel commented Sep 5, 2022

Note, d9265f0 also supports this issue.

@bclozel bclozel added type: bug A general bug and removed type: enhancement A general enhancement labels Sep 5, 2022
@bclozel bclozel changed the title Support for SnakeYaml 1.31 YAML timestamps not handled properly with SnakeYaml 1.31 Sep 5, 2022
wakingrufus commented

Thanks!

asomov commented Sep 13, 2022

@bclozel what can we do in SnakeYAML to improve the support for Spring Boot? (I am a SnakeYAML developer)

asomov commented Sep 13, 2022

We can add a test and maintain it inside SnakeYAML

bclozel commented Sep 14, 2022

@asomov The only thing that comes to mind is this: #32221 (comment)

dbyron-sf added a commit to dbyron-sf/kork that referenced this issue Dec 2, 2022
…ally up to date

It would be nice to jump all the way to 1.33 to get all the way up to date, and to resolve these CVEs:

CVE-2022-25857 (1.31), CVE-2022-38749 (1.31), CVE-2022-38750 (1.31), CVE-2022-38751 (1.32) and CVE-2022-38752 (1.32).

However, spring-projects/spring-boot#32228 (comment) says
to stick with 1.29 until >= 2.6.12, as the commit that resolved that issue
(spring-projects/spring-boot@724f9eb)
went into 2.6.12.

Note that spring boot 2.4.13 brings in version 1.27 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.4.13/spring-boot-dependencies-2.4.13.pom).

2.5.14 brings in 1.28 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.5.14/spring-boot-dependencies-2.5.14.pom)
2.6.13 brings in 1.29 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.6.13/spring-boot-dependencies-2.6.13.pom)
2.7.5 brings in 1.30 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.5/spring-boot-dependencies-2.7.5.pom)

Note also that snakeyaml 1.32 introduces a default 3MB limit (see https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22).  If, for example, clouddriver-local.yml is bigger than that, perhaps due to a large number of accounts,  clouddriver fails to start.
mergify bot pushed a commit to spinnaker/kork that referenced this issue Dec 2, 2022
…ally up to date (#999)
richard-timpson pushed a commit to richard-timpson/kork that referenced this issue May 3, 2023
…p to date (spinnaker#60)

Don't use anything newer (current latest is 1.33) due to
spring-projects/spring-boot#32228 (comment).

Note also that Salesforce clouddriver fails to start with 1.33 since clouddriver-local.yml
is bigger than the default 3MB limit that 1.32 introduces.  See
https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22.

@W-12038518
j-sandy added a commit to j-sandy/kork that referenced this issue Mar 21, 2024
Spring boot 2.6.15 brings snakeyaml 1.29, which fails to parse yaml (including some k8s manifests) due to the issue mentioned [here](spring-projects/spring-boot#30159 (comment)).
It's safe to upgrade beyond 1.29. However, snakeyaml 1.32 has been introduced with a [feature](https://bitbucket.org/snakeyaml/snakeyaml/issues/547/restrict-the-size-of-incoming-data) restricting the size of incoming data, i.e. file size, to 3 MB by default, and spring boot versions <= 3.0.7 are not equipped to modify this limit.
So attempting to use 1.31 in order to avoid the file size limitation till upgrade >= 3.0.7 and to resolve CVE-2022-25857 and CVE-2022-38749.
spring-projects/spring-boot#32228 (comment).
dbyron-sf pushed a commit to j-sandy/kork that referenced this issue Mar 21, 2024
Spring boot 2.6.15 brings snakeyaml 1.29, which [fails to parse
yaml](spring-projects/spring-boot#30159 (comment))
(including some k8s manifests).  It's safe to upgrade beyond 1.29 according to
[this](spring-projects/spring-boot#32228 (comment)). However,
snakeyaml 1.32 has a
[feature](https://bitbucket.org/snakeyaml/snakeyaml/issues/547/restrict-the-size-of-incoming-data)
to restrict the size of incoming data to 3 MB by default
([PR](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22)), and spring boot
versions <= 3.0.7 are not equipped to modify this.  So, use 1.31 in order to avoid the
limit till upgrade >= 3.0.7 and to resolve CVE-2022-25857 and CVE-2022-38749.

before:

|    |    +--- org.yaml:snakeyaml:1.29 -> 1.27 (c)
|    +--- org.yaml:snakeyaml:{strictly 1.27} -> 1.27 (c)

after:

|    |    +--- org.yaml:snakeyaml:1.29 -> 1.31 (c)
|    +--- org.yaml:snakeyaml:1.31 (c)
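Added example (not code from this issue, from Spring Boot or from the kork commits above): a plain SnakeYAML 1.32+ loader with the input limits the commits discuss set explicitly, run against a constructed accounts list that is padded past 3 MiB the way the oversized clouddriver-local.yml is described. The class and method names are my own; it bypasses Spring Boot's YamlProcessor entirely, which is why the limit is adjustable here while the commits say it is not in Boot <= 3.0.7.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

// Hypothetical demo class; needs org.yaml:snakeyaml 1.32 or newer on the classpath.
public class SnakeYamlLimitsDemo {
    // Build a loader with explicit input limits instead of the library defaults
    // (codePointLimit: 3 * 1024 * 1024 since 1.32; nestingDepthLimit: 50 since 1.31).
    static Yaml yamlWithLimits(int codePointLimit, int nestingDepthLimit) {
        LoaderOptions options = new LoaderOptions();
        options.setCodePointLimit(codePointLimit);
        options.setNestingDepthLimit(nestingDepthLimit);
        // Pass the options to the Yaml instance as well as the constructor: the size
        // limit is checked while reading the stream, which is configured from the Yaml's options.
        return new Yaml(new SafeConstructor(options), new Representer(), new DumperOptions(), options);
    }

    // True when SnakeYAML accepts the document, false when it rejects it for a limit.
    static boolean loads(Yaml yaml, String document) {
        try {
            yaml.load(document);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    // Constructed input: an accounts list padded past `chars` ASCII characters, which
    // mirrors the oversized clouddriver-local.yml described in the commits above.
    static String accountsListLargerThan(int chars) {
        StringBuilder sb = new StringBuilder("accounts:\n");
        for (int i = 0; sb.length() <= chars; i++) {
            sb.append("  - name: account-").append(i).append("\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        int threeMiB = 3 * 1024 * 1024;
        String big = accountsListLargerThan(threeMiB);
        Yaml defaults = yamlWithLimits(threeMiB, 50);
        Yaml raised = yamlWithLimits(16 * 1024 * 1024, 50);
        System.out.println("small doc, default limits:  " + loads(defaults, "server:\n  port: 8080\n"));
        System.out.println("3 MiB+ doc, default limits: " + loads(defaults, big));
        System.out.println("3 MiB+ doc, raised limit:   " + loads(raised, big));
    }
}
```

With the default limit the padded document is rejected with a YAMLException; the same document loads once the code point limit is raised, which is the knob Spring Boot only exposes from 3.0.7 onwards.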
dbyron-sf pushed a commit to j-sandy/kork that referenced this issue Mar 21, 2024
dbyron-sf pushed a commit to j-sandy/kork that referenced this issue Mar 21, 2024
mergify bot pushed a commit to spinnaker/kork that referenced this issue Mar 21, 2024