Compare commits

...

No commits in common. "c8-stream-3.6" and "stream-mongodb-3.6-rhel-8.9.0" have entirely different histories.

7 changed files with 55 additions and 1 deletions

1
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/slf4j-1.7.28.tar.gz
/slf4j-1.7.28.tar.gz

View File

@ -1 +1 @@
f57e8e97d434bdcd8ba87ab9933d8de64bafb071 SOURCES/slf4j-1.7.28.tar.gz
f57e8e97d434bdcd8ba87ab9933d8de64bafb071 slf4j-1.7.28.tar.gz

View File

@ -0,0 +1,44 @@
From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Mon, 19 Mar 2018 16:01:57 +0100
Subject: [PATCH] Disallow EventData deserialization by default
---
.../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
index dc5b502..fa5c125 100644
--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
@@ -76,12 +76,21 @@ public class EventData implements Serializable {
*/
@SuppressWarnings("unchecked")
public EventData(String xml) {
- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
- try {
- XMLDecoder decoder = new XMLDecoder(bais);
- this.eventData = (Map<String, Object>) decoder.readObject();
- } catch (Exception e) {
- throw new EventException("Error decoding " + xml, e);
+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+ try {
+ XMLDecoder decoder = new XMLDecoder(bais);
+ this.eventData = (Map<String, Object>) decoder.readObject();
+ } catch (Exception e) {
+ throw new EventException("Error decoding " + xml, e);
+ }
+ } else {
+ throw new UnsupportedOperationException(
+ "Constructing EventData from XML is vulnerable to remote " +
+ "excution and is not allowed by default. If you're " +
+ "completely sure the source data is trusted, you can enable " +
+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
+ "JVM property to 1");
}
}
--
2.14.3

8
gating.yaml Normal file
View File

@ -0,0 +1,8 @@
--- !Policy
product_versions:
- rhel-9
decision_contexts:
- osci_compose_gate
rules:
# https://docs.engineering.redhat.com/display/RHELPLAN/Maven+Bootstrap+manual+gating+test
- !PassingTestCaseRule {test_case_name: manual.sst_cs_apps.maven.bootstrap}

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (slf4j-1.7.28.tar.gz) = 3eb81e8fefe85f5cc9acf3ac17d0e7c5d9f82f44e10279e7f623f1bf1301cf55dfb67ee9ad29464739c4fe4ea938aecc8d75b093426e9928de81752f80ef391f