search

GoogleCloudPlatform / point-of-sale

Anthos Edge Use Cases for bringing apps and computation closer to the location where the action is, to improve response times and save bandwidth.
Apache License 2.0
35 stars 18 forks source link

fix(deps): update dependency org.yaml:snakeyaml to v2 [security] #217

Closed renovate-bot closed 1 year ago

renovate-bot commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.yaml:snakeyaml 1.33 -> 2.0 age adoption passing confidence

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-1471

Summary

SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the target class. A ConstructorException is thrown, but only after a malicious payload is deserialized.

Severity

High, lack of type checks during deserialization allows remote code execution.

Proof of Concept

Execute bash run.sh. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000.

Example output of successful run of proof of concept:

$ bash run.sh

[+] Downloading snakeyaml if needed
[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
nc: no process found
[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
[+] An exception is expected.
Exception:
Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
 in 'string', line 1, column 1:
    payload: !!javax.script.ScriptEn ... 
    ^
Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
 in 'string', line 1, column 10:
    payload: !!javax.script.ScriptEngineManag ... 
             ^

    at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
    at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
    at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
    at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
    at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
    at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
    at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
    at Main.main(Main.java:37)
Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
    at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
    at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
    at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
    at java.base/java.lang.reflect.Field.set(Field.java:780)
    at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
    ... 9 more
[+] Dumping Received HTTP Request. Will not be empty if PoC worked
GET /proof-of-concept HTTP/1.1
User-Agent: Java/11.0.14
Host: localhost:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Further Analysis

Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.

A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information.

Timeline

Date reported: 4/11/2022 Date fixed: Date disclosed: 10/13/2022

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

arbrown commented 1 year ago

/gcbrun

Shabirmean commented 1 year ago

/gcbrun

Shabirmean commented 1 year ago

Bumped and fixed in https://github.com/GoogleCloudPlatform/point-of-sale/pull/219

forking-renovate[bot] commented 1 year ago

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will ignore this upgrade and you will not receive PRs for any future 2.x releases. However, if you upgrade to 2.x manually then Renovate will reenable minor and patch updates automatically.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.