
SnakeYaml SafeConstructor restricting deserialization #6319

Merged

Commits on Dec 22, 2022

  1. SnakeYaml SafeConstructor restricting deserialization

    ParsedDockerComposeFile is vulnerable to deserialization gadget chain attacks
    that can lead to remote code execution when the file has untrusted content:
    https://nvd.nist.gov/vuln/detail/CVE-2022-1471
    
    This should be fixed by using SafeConstructor as suggested by the SnakeYaml
    developers.
    
    Deserialization of arbitrary Java types is not used by the Compose file spec
    and therefore can be disabled without any loss of functionality:
    https://docs.docker.com/compose/compose-file/
    julianladisch committed Dec 22, 2022 · commit bb81eae
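The two loaders the commit message contrasts, as an added example that is not part of this PR or of the testcontainers code base: the default `Yaml()` beside the `SafeConstructor` form, each fed a constructed compose snippet that carries a `!!` global tag naming a JDK class. It assumes SnakeYaml 1.x on the classpath (the line current when the PR was opened); the class name `ComposeYamlLoading`, the helper names and the two sample documents are mine.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class ComposeYamlLoading {

    // Constructed sample: an ordinary compose file, nothing but maps, lists and scalars.
    static final String BENIGN_COMPOSE =
        "services:\n" +
        "  web:\n" +
        "    image: nginx:1.25\n" +
        "    ports:\n" +
        "      - \"8080:80\"\n";

    // Constructed sample: the same file with a global tag that names a JDK class.
    // The compose spec has no use for such tags, so their presence is itself a red flag.
    static final String TAGGED_COMPOSE =
        "services:\n" +
        "  web:\n" +
        "    image: !!java.net.URL [\"https://example.invalid/\"]\n";

    // Before the fix: the default constructor resolves !!<class> tags to arbitrary
    // Java types and calls their constructors with the node's content as arguments.
    static Object loadUnsafe(String text) {
        return new Yaml().load(text);
    }

    // After the fix: SafeConstructor only builds the standard YAML types
    // (maps, lists, scalars) and throws on any global tag.
    static Object loadSafe(String text) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(text);
    }

    // Pulls services.web.image out of a loaded document so the effect of the
    // constructor choice on that value is visible.
    @SuppressWarnings("unchecked")
    static Object imageOf(Object doc) {
        Map<String, Object> root = (Map<String, Object>) doc;
        Map<String, Object> services = (Map<String, Object>) root.get("services");
        Map<String, Object> web = (Map<String, Object>) services.get("web");
        return web.get("image");
    }

    public static void main(String[] args) {
        // A normal compose file loads identically under both constructors.
        System.out.println("safe/benign image: " + imageOf(loadSafe(BENIGN_COMPOSE)));
        System.out.println("unsafe/benign image: " + imageOf(loadUnsafe(BENIGN_COMPOSE)));

        // The default constructor instantiates whatever class the tag names.
        Object img = imageOf(loadUnsafe(TAGGED_COMPOSE));
        System.out.println("unsafe/tagged image type: " + img.getClass().getName());

        // SafeConstructor refuses the tag instead of instantiating the class.
        try {
            loadSafe(TAGGED_COMPOSE);
            System.out.println("safe/tagged: unexpectedly loaded");
        } catch (ConstructorException e) {
            System.out.println("safe/tagged rejected: " + e.getMessage());
        }
    }
}
```

`java.net.URL` is used only because it is a harmless JDK class with a one-argument constructor; the point is that with the default `Yaml()` the file's author, not the application, chooses which classes get constructed, which is what the gadget chains behind CVE-2022-1471 build on. `SafeConstructor` closes that door for every global tag at once, and since the compose spec only uses plain maps, lists and scalars, nothing legitimate is lost.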

Commits on Jul 4, 2023

  1. commit c4f65a4
  2. Fix format

    eddumelendez committed Jul 4, 2023 · commit f842a83