[ISSUE #314]Fix the RCE caused by the vulnerability in YAML deseriali… - Githubissues

nacos-group / nacos-spring-project

Nacos ECO Project for Spring Framework

https://nacos.io/

Apache License 2.0

756 stars 311 forks source link

[ISSUE #314]Fix the RCE caused by the vulnerability in YAML deseriali… #328

Closed stone-98 closed 10 months ago

stone-98 commented 11 months ago

What is the purpose of the change

see: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 related: https://github.com/nacos-group/nacos-spring-project/issues/314

Brief changelog

XX

Verifying this change

XXXX

Follow this checklist to help us incorporate your contribution quickly and easily:

[ ] Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
[ ] Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
[ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
[ ] Write necessary unit-test to verify your logic correction, more mock a little better when cross module dependency exist. If the new feature or significant change is committed, please remember to add integration-test in test module.
[ ] Run mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true to make sure basic checks pass. Run mvn clean install -DskipITs to make sure unit-test pass. Run mvn clean test-compile failsafe:integration-test to make sure integration-test pass.

stone-98 commented 10 months ago

I have a question: Why doesn't the nacos-spring-project module use com.alibaba.nacos.client.env.NacosClientProperties to retrieve properties?