The SnakeYaml's Constructor() class is used in the component nacos-spring-context, but it does not restrict types that can be instantiated during deserialization.
Describe what happened (or what feature you want)
Deserializing yaml content provided by an attacker can lead to remote code execution.
So when spring framework project uses nacos-spring-context as a dependency, It will be easily RCE by just adding evil config in nacos server.
Describe what you expected to happen
Unsupported YAML content.
How to reproduce it (as minimally and precisely as possible)
Create a project of empty spring-framework, and add dependency of nacos-spring-context.
Add codes below, as the document says, it setting NacosPropertySource:
+import com.alibaba.nacos.api.config.ConfigType;
+import com.alibaba.nacos.spring.context.annotation.config.NacosPropertySource;
@SpringBootApplication
+@NacosPropertySource(dataId = "example.yaml", type=ConfigType.YAML, autoRefreshed=true)
public class Application {
public static void main(String[] args) {
......
Now login to nacos config server(default at http://127.0.0.1:8848 with credential of nacos/nacos), then edit example.yaml, add one line of config below:
stone-98
commented
11 months ago
Issue Description
The SnakeYaml's Constructor() class is used in the component nacos-spring-context, but it does not restrict types that can be instantiated during deserialization.
Describe what happened (or what feature you want)
Deserializing yaml content provided by an attacker can lead to remote code execution. So when spring framework project uses nacos-spring-context as a dependency, It will be easily RCE by just adding evil config in nacos server.
Describe what you expected to happen
Unsupported YAML content.
How to reproduce it (as minimally and precisely as possible)
Add codes below, as the document says, it setting NacosPropertySource:
Tell us your environment
spring-framework 2.7.8 nacos-spring-context 1.1.1
Anything else we need to know?