test: add yaml loadAs test #14080
base: 3.2
Conversation
yuluo-yx
commented
Apr 12, 2024
- Test YamlCodec to ensure no CVE issue (#13799)
Signed-off-by: yuluo-yx <[email protected]>
The background of this feature is that snakeyaml supports including class names within the content. Therefore, it's intended to test and verify that classes configured on the whitelist can be deserialized, whereas others should be rejected.
e.g.,

```yaml
"1": !!demo.User
  name: Alice
  age: 28
"2": !!demo.User
  name: Bob
  age: 34
```
Refs:
https://github.com/apache/dubbo/blob/3.3/dubbo-remoting/dubbo-remoting-http12/src/main/java/org/apache/dubbo/remoting/http12/message/codec/YamlCodec.java#L40
https://github.com/apache/dubbo/blob/3.3/dubbo-common/src/main/java/org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java#L33
https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/class-check/
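As an added example (not the PR's own test and not Dubbo code), the allow-list behaviour described in the comment above, written against SnakeYAML 2.x: a `TagInspector` honours a `!!fully.qualified.Name` tag only when the class is allow-listed, so the reviewer's sample loads while a document naming any other class is rejected during composing, before the class is loaded or instantiated. It assumes a `demo.User` bean (defined in the same file, `demo/User.java`); `ALLOWED_CLASSES` is a constructed stand-in for the project's `DefaultSerializeClassChecker`.

```java
// Added example, not from the PR. Assumes SnakeYAML 2.x (TagInspector API).
package demo;

import java.util.Map;
import java.util.Set;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.inspector.TagInspector;

// The bean the !!demo.User tag refers to (assumed; not part of the PR).
public class User {
    public String name;
    public int age;
}

class AllowListDemo {
    // Constructed allow-list; stands in for the project's serialize-class checker.
    static final Set<String> ALLOWED_CLASSES = Set.of("demo.User");

    // Loader that accepts a global tag only if the class it names is allow-listed.
    // The inspector runs in the composer, so a blocked tag never reaches
    // Class.forName() or a constructor call.
    static Yaml allowListYaml() {
        LoaderOptions options = new LoaderOptions();
        TagInspector inspector = tag -> ALLOWED_CLASSES.contains(tag.getClassName());
        options.setTagInspector(inspector);
        return new Yaml(new Constructor(options));
    }

    public static void main(String[] args) {
        // Constructed sample with the same shape as the reviewer's example.
        String allowed = "\"1\": !!demo.User\n  name: Alice\n  age: 28\n"
                       + "\"2\": !!demo.User\n  name: Bob\n  age: 34\n";
        // Constructed sample naming a class that is not on the allow-list.
        String blocked = "\"1\": !!demo.Other\n  name: Eve\n";

        Yaml yaml = allowListYaml();
        Map<?, ?> users = yaml.loadAs(allowed, Map.class);
        System.out.println("loaded user 1: " + ((User) users.get("1")).name);

        try {
            yaml.loadAs(blocked, Map.class);
            System.out.println("UNEXPECTED: non-allow-listed class was accepted");
        } catch (YAMLException e) {
            // ComposerException (a YAMLException) is thrown for the blocked global tag.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```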
got it, I will refactor it
dubbo-cluster/src/test/java/org/apache/dubbo/rpc/cluster/yaml/YamlCodeCTest.java
```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;
```
I'm curious if adding these test cases would be beneficial for Dubbo?
For #13799, we should test it through a complete RPC