Do not allow global tags by default

Comments (14)

1. 

   Andrey Somov reporter

   • changed status to open

   • 2022-12-29T15:44:24+00:00
2. 

   Andrey Somov reporter

   • edited description

   • 2022-12-29T15:45:32+00:00
3. 

   Andrey Somov reporter

   Implementation:

   https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44

   • 2022-12-29T18:33:08+00:00
4. 

   Or Peles

   Hi Andrey,
   Regarding the currently merged fix (https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44),,) due to the fact that the security check itself (in isGlobalTagAllowed) relies on the 'startswith' function, in certain circumstances it could allow tags of unintended packages/classes to pass through. For example - the use of allowClassPrefix("java") for allowing java.* classes will also unintentionally allow classes of the javax.* package as they both .startsWith("java"). Such code will be exposed to the ScriptEngineManager gadget chain used in the original exploit.

   As such, we suggest adding a "." postfix wherever possible. For example, in the existing tests in TypeSafeMapImplementationsTest.java, use allowClassPrefix("java.") instead of allowClassPrefix("java"), so developers relying on them will not be exposed to the aforementioned exploit.

   • 2023-01-03T10:53:17+00:00
5. 

   Andrey Somov reporter

   Please note that the current code does NOT depend anyhow on the 'startswith' function.

   What you see is the implementation for tests. An example implementation is given as reference. Those who explicitly enable it can do whatever they wish.

   ‌

   • 2023-01-03T10:56:39+00:00
6. 

   Or Peles

   This is exactly my point, since the example implementation is vulnerable, I worry that users may copy this example as-is and become vulnerable as well. Changing the example to "java." won't cause any side-effects and will "show" the users how to use this API more securely.

   • 2023-01-03T11:41:30+00:00
7. 

   Andrey Somov reporter

   Ok. I will remove the example completely

   • 2023-01-03T11:44:13+00:00
8. 

   Jonathan Leitschuh

   That's a good plan. IMHO a vulnerable example is worse than no example at all

   • 2023-01-04T03:40:12+00:00
9. 

   Andrey Somov reporter

   The example is NOT vulnerable. Otherwise this is also vulnerable because a bad developer may misuse it.

   • 2023-01-04T05:43:38+00:00
10. 

    Carlo de Wolf

    Using “java” as opposed to “java.” can only be considered a bad coding practice which may have unintended side-effects such as introducing a vulnerability. I agree with Andrey, the example itself has no vulnerability. But it might get augmented to show good coding practices. Likewise TrustedTagInspector should be used judiciously.

    • 2023-01-04T09:17:01+00:00
11. 

    Andrey Somov reporter

    • changed status to resolved

    It will be delivered in version 2.0

    https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes

    • 2023-01-04T09:36:01+00:00
12. 

    Timothy Lyanguzov

    Perfect. When this fix is going to be released?

    • 2023-02-01T22:16:55+00:00
13. 

    Andrey Somov reporter

    as I said - in version 2.0

    • 2023-02-02T05:12:43+00:00
14. 

    Timothy Lyanguzov

    So, the question is still the same “When version 2.0 is going to be released?”. The date. There is no need to wait until other non-security-related issues are resolved. Many people are waiting only for this single fix.

    • 2023-02-02T06:24:15+00:00
15. Log in to comment