Upgrade to SnakeYAML 2.1 #87
Conversation
Adapt to changes to exception messages in SnakeYAML 2.0
SnakeYAML 2.0 responded to CVE-2022-1471 by disallowing global tags by default for any usage. Global tags were never allowed when using the SnakeYAML SafeConstructor which clj-yaml uses by default. This is why we felt we were not affected by CVE-2022-1471. When the user requests `:unsafe` YAML, clj-yaml use the SnakeYAML Constructor. We adapt to 2.0 changes by continuing to allow globally unsafe construction under this usage via the TrustedTagInspector, which allows any and all tags to be created. For fine grained tag creation permissions, users can opt to use clj-yaml's `:unknown-tag-fn`.
|
New nvd scan CVEs are suppressed for SnakeYAML 1.33, I'll suppress them for SnakeYAML 2.0 as well. Or maybe all versions of SnakeYAML. |
|
@lread If I understand correctly, you passed |
Thanks for asking @borkdude. |
|
That seems a good solution to me. Is there anything you are uncertain about? |
I've claimed that clj-yaml's But... as long as |
* master: dev: support running nvd scan locally (#89)
I previously determined that 2 false positives did not apply to SnakeYAML but I configured these false positives to be ignored for v1.33 of SnakeYAML only. Globally ignore them instead to that they apply to all versions of SnakeYAML.
|
I think it might be a good idea to let the dust settle a bit on the SnakeYAML 2.0 release. Maybe wait a week? Is anybody in a hurry? For example, this new commit removes a new SnakeYAML class I used in this PR. Easy to adapt, but there might be other things like this coming in the near term. |
|
Yes, let's wait a month. |
|
Just to confirm my understanding: this PR is not necessary to resolve any security vulnerabilities because it's already safe to use snakeyaml 1.33 via clj-yaml 1.0.26 since clj-yaml is untrusting by default? |
|
@frenchy64 by default, yes |
|
@frenchy64, yup, that's our understanding and position. We do plan to upgrade to SnakeYAML 2, but felt it best to wait for the dust to settle. |
|
Thanks. Is there any way to parse untrusted yaml with clj-yaml 1.0.26? Want to audit my code base for such code so I can definitively rule out CVE-2022-1471. |
See the user guide: https://github.com/clj-commons/clj-yaml/blob/master/doc/01-user-guide.adoc#unsafe |
|
Yes, via an option: Check docs for more info. |
|
FYI: don't forget to change the project version there |
@geekingfrog, do you mean the clj-yaml version? |
|
Yes, the clj-yaml version. I missed this workflow, so you're all good. |
|
@borkdude, it has been about a month... but maybe we'll just wait until SnakeYAML 2.1 is released? In the short term, for this PR, I'll adapt to current 2.1 changes and sync with master. |
|
Yes. I also want to downgrade ordered before a new clj-yaml release since it had some issues with native image. |
If I get all the privs I need, we'll get a release out of ordered with your fix for clj-commons/ordered#71 for native-image sometime soon. |
SnakeYAML 2.1 will remove TrustedTagInspector. Do effectively the same work via a reify-ed TagInspector.
* master: Add :code-point-limit option to accept bigger documents (#103)
|
Seems like we can finally merge this one! Agreed @borkdude? |
|
Yeap! |
See commits for details.
Up for debate: my approach to dealing with unsafe YAML should be questioned.
An interesting alternative would be to also expose the new TagInspectors when using clj-yaml's
:unsafeoption. But, I think (correct me if I am wrong) we might already have this feature-wise via:unknown-tag-fn.Closes #86