
SnakeYaml SafeConstructor restricting deserialization #6319

Merged

Conversation

julianladisch
Contributor

ParsedDockerComposeFile is vulnerable to deserialization gadget chain attacks that can lead to remote code execution when the file has untrusted content: https://nvd.nist.gov/vuln/detail/CVE-2022-1471

This should be fixed by using SafeConstructor as suggested by the SnakeYaml developers.

Deserialization of arbitrary Java types is not used by the Compose file spec and therefore can be disabled without any loss of functionality: https://docs.docker.com/compose/compose-file/
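The following is an added illustration of the "before" and "after" described in this pull request; it is not code from Testcontainers' ParsedDockerComposeFile or from SnakeYAML itself. It assumes SnakeYAML 1.33 or later on the classpath (the `SafeConstructor(LoaderOptions)` constructor), and it uses a constructed Compose snippet plus a constructed input that carries an explicit Java type tag. A harmless JDK class stands in for the gadget classes covered by CVE-2022-1471; the point is only that the default `Yaml()` resolves such a tag to a class and instantiates it, whereas `SafeConstructor` rejects the tag while still loading a spec-conformant Compose file unchanged.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Added example, not Testcontainers' ParsedDockerComposeFile code.
public class ComposeFileLoading {

    // Constructed Compose file: only plain mappings, sequences and scalars,
    // which is all the Compose file spec needs.
    static final String COMPOSE = String.join("\n",
        "services:",
        "  db:",
        "    image: postgres:15",
        "    ports:",
        "      - \"5432:5432\"",
        "");

    // Constructed input with an explicit Java type tag. java.lang.Object is a
    // harmless stand-in; the mechanism (tag -> class -> instance) is what matters.
    static final String TAGGED = "services: !!java.lang.Object {}";

    /** Before the fix: the default constructor resolves !!java.* tags to any class on the classpath. */
    static Map<String, Object> loadUnsafe(String yamlText) {
        return new Yaml().load(yamlText);
    }

    /** After the fix: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Map<String, Object> loadSafe(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        // A spec-conformant file loads identically with both loaders: no loss of functionality.
        Map<String, Object> unsafe = loadUnsafe(COMPOSE);
        Map<String, Object> safe = loadSafe(COMPOSE);
        System.out.println("default loader  services=" + unsafe.get("services"));
        System.out.println("safe loader     services=" + safe.get("services"));
        System.out.println("same result: " + unsafe.equals(safe));

        // The default loader instantiates the tagged class ...
        Map<String, Object> tagged = loadUnsafe(TAGGED);
        System.out.println("default loader built: " + tagged.get("services").getClass().getName());

        // ... while SafeConstructor refuses to construct anything for the tag.
        try {
            loadSafe(TAGGED);
            System.out.println("unexpected: SafeConstructor accepted a Java type tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

Run it with snakeyaml on the classpath (`javac -cp snakeyaml.jar ComposeFileLoading.java && java -cp .:snakeyaml.jar ComposeFileLoading`). The practical check after applying this kind of fix is the second half of `main`: a loader that still accepts a `!!java.*` tag on untrusted input has not actually been hardened, regardless of how well it parses well-formed Compose files.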

@julianladisch julianladisch requested a review from a team as a code owner December 22, 2022 11:31
@eddumelendez eddumelendez added this to the next milestone Jul 4, 2023
@eddumelendez eddumelendez added the security Pull requests that address a security vulnerability label Jul 4, 2023
@eddumelendez eddumelendez merged commit 595076c into testcontainers:main Jul 4, 2023
85 checks passed
@eddumelendez
Member

Thanks for your contribution, @julianladisch !

@julianladisch julianladisch deleted the snakeyaml-deserialization branch July 7, 2023 09:08