[Git][java-team/snakeyaml][master] 2 commits: Add patch for CVE-2017-18640 (Closes: #952683)
Tony Mancill
gitlab at salsa.debian.org
Thu Mar 26 05:00:16 GMT 2020
Tony Mancill pushed to branch master at Debian Java Maintainers / snakeyaml
Commits:
00e2da45 by tony mancill at 2020-03-25T21:55:55-07:00
Add patch for CVE-2017-18640 (Closes: #952683)
- - - - -
82d9698a by tony mancill at 2020-03-25T21:55:55-07:00
prepare changelog for upload to unstable
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2017-18640.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+snakeyaml (1.25+ds-3) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch for CVE-2017-18640 (Closes: #952683)
+
+ -- tony mancill <tmancill at debian.org> Wed, 25 Mar 2020 21:45:58 -0700
+
snakeyaml (1.25+ds-2) unstable; urgency=medium
[ Mechtilde Stehmann ]
=====================================
debian/patches/CVE-2017-18640.patch
=====================================
@@ -0,0 +1,597 @@
+Description: patch for CVE-2017-18640
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952683
+Origin: https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c/raw
+
+From da11ddbd91c1f8392ea932b37fa48110fa54ed8c Mon Sep 17 00:00:00 2001
+From: Colm O hEigeartaigh <coheigea at apache.org>
+Date: Mon, 24 Feb 2020 07:42:10 +0000
+Subject: [PATCH] Allow configuration for preventing billion laughs attack
+
+---
+ .../java/org/yaml/snakeyaml/LoaderOptions.java | 18 ++++
+ src/main/java/org/yaml/snakeyaml/Yaml.java | 10 +--
+ .../java/org/yaml/snakeyaml/composer/Composer.java | 15 ++++
+ .../snakeyaml/constructor/BaseConstructor.java | 14 +++-
+ .../yaml/snakeyaml/constructor/Constructor.java | 24 +++++-
+ .../snakeyaml/constructor/SafeConstructor.java | 6 ++
+ .../issues/issue377/BillionLaughsAttackTest.java | 97 ++++++++++++++++++++++
+ .../snakeyaml/issues/issue377/ReferencesTest.java | 93 +++++++++++++++------
+ .../snakeyaml/issues/issue38/BigNumberIdTest.java | 5 +-
+ .../org/yaml/snakeyaml/recursive/HumanTest.java | 8 +-
+ .../recursive/generics/HumanGenericsTest.java | 6 +-
+ 11 files changed, 258 insertions(+), 38 deletions(-)
+ create mode 100644 src/test/java/org/yaml/snakeyaml/issues/issue377/BillionLaughsAttackTest.java
+
+--- a/src/main/java/org/yaml/snakeyaml/LoaderOptions.java
++++ b/src/main/java/org/yaml/snakeyaml/LoaderOptions.java
+@@ -19,6 +19,8 @@
+
+ private boolean allowDuplicateKeys = true;
+ private boolean wrappedToRootException = false;
++ private int maxAliasesForCollections = 50; //to prevent YAML at https://en.wikipedia.org/wiki/Billion_laughs_attack
++ private boolean allowRecursiveKeys;
+
+ public boolean isAllowDuplicateKeys() {
+ return allowDuplicateKeys;
+@@ -57,4 +59,20 @@
+ public void setWrappedToRootException(boolean wrappedToRootException) {
+ this.wrappedToRootException = wrappedToRootException;
+ }
++
++ public int getMaxAliasesForCollections() {
++ return maxAliasesForCollections;
++ }
++
++ public void setMaxAliasesForCollections(int maxAliasesForCollections) {
++ this.maxAliasesForCollections = maxAliasesForCollections;
++ }
++
++ public void setAllowRecursiveKeys(boolean allowRecursiveKeys) {
++ this.allowRecursiveKeys = allowRecursiveKeys;
++ }
++
++ public boolean getAllowRecursiveKeys() {
++ return allowRecursiveKeys;
++ }
+ }
+--- a/src/main/java/org/yaml/snakeyaml/Yaml.java
++++ b/src/main/java/org/yaml/snakeyaml/Yaml.java
+@@ -82,7 +82,7 @@
+ * LoadingConfig to control load behavior
+ */
+ public Yaml(LoaderOptions loadingConfig) {
+- this(new Constructor(), new Representer(), new DumperOptions(), loadingConfig);
++ this(new Constructor(loadingConfig), new Representer(), new DumperOptions(), loadingConfig);
+ }
+
+ /**
+@@ -520,7 +520,7 @@
+ }
+
+ private Object loadFromReader(StreamReader sreader, Class<?> type) {
+- Composer composer = new Composer(new ParserImpl(sreader), resolver);
++ Composer composer = new Composer(new ParserImpl(sreader), resolver, loadingConfig);
+ constructor.setComposer(composer);
+ return constructor.getSingleData(type);
+ }
+@@ -535,7 +535,7 @@
+ * sequence
+ */
+ public Iterable<Object> loadAll(Reader yaml) {
+- Composer composer = new Composer(new ParserImpl(new StreamReader(yaml)), resolver);
++ Composer composer = new Composer(new ParserImpl(new StreamReader(yaml)), resolver, loadingConfig);
+ constructor.setComposer(composer);
+ Iterator<Object> result = new Iterator<Object>() {
+ @Override
+@@ -607,7 +607,7 @@
+ * @return parsed root Node for the specified YAML document
+ */
+ public Node compose(Reader yaml) {
+- Composer composer = new Composer(new ParserImpl(new StreamReader(yaml)), resolver);
++ Composer composer = new Composer(new ParserImpl(new StreamReader(yaml)), resolver, loadingConfig);
+ return composer.getSingleNode();
+ }
+
+@@ -621,7 +621,7 @@
+ * @return parsed root Nodes for all the specified YAML documents
+ */
+ public Iterable<Node> composeAll(Reader yaml) {
+- final Composer composer = new Composer(new ParserImpl(new StreamReader(yaml)), resolver);
++ final Composer composer = new Composer(new ParserImpl(new StreamReader(yaml)), resolver, loadingConfig);
+ Iterator<Node> result = new Iterator<Node>() {
+ @Override
+ public boolean hasNext() {
+--- a/src/main/java/org/yaml/snakeyaml/composer/Composer.java
++++ b/src/main/java/org/yaml/snakeyaml/composer/Composer.java
+@@ -22,6 +22,8 @@
+ import java.util.Map;
+ import java.util.Set;
+
++import org.yaml.snakeyaml.LoaderOptions;
++import org.yaml.snakeyaml.error.YAMLException;
+ import org.yaml.snakeyaml.events.AliasEvent;
+ import org.yaml.snakeyaml.events.Event;
+ import org.yaml.snakeyaml.events.MappingStartEvent;
+@@ -50,12 +52,19 @@
+ private final Resolver resolver;
+ private final Map<String, Node> anchors;
+ private final Set<Node> recursiveNodes;
++ private int nonScalarAliasesCount = 0;
++ private final LoaderOptions loadingConfig;
+
+ public Composer(Parser parser, Resolver resolver) {
++ this(parser, resolver, new LoaderOptions());
++ }
++
++ public Composer(Parser parser, Resolver resolver, LoaderOptions loadingConfig) {
+ this.parser = parser;
+ this.resolver = resolver;
+ this.anchors = new HashMap<String, Node>();
+ this.recursiveNodes = new HashSet<Node>();
++ this.loadingConfig = loadingConfig;
+ }
+
+ /**
+@@ -129,6 +138,12 @@
+ event.getStartMark());
+ }
+ node = anchors.get(anchor);
++ if (!(node instanceof ScalarNode)) {
++ this.nonScalarAliasesCount++;
++ if (this.nonScalarAliasesCount > loadingConfig.getMaxAliasesForCollections()) {
++ throw new YAMLException("Number of aliases for non-scalar nodes exceeds the specified max=" + loadingConfig.getMaxAliasesForCollections());
++ }
++ }
+ if (recursiveNodes.remove(node)) {
+ node.setTwoStepsConstruction(true);
+ }
+--- a/src/main/java/org/yaml/snakeyaml/constructor/BaseConstructor.java
++++ b/src/main/java/org/yaml/snakeyaml/constructor/BaseConstructor.java
+@@ -32,6 +32,7 @@
+ import java.util.TreeMap;
+ import java.util.TreeSet;
+
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.TypeDescription;
+ import org.yaml.snakeyaml.composer.Composer;
+ import org.yaml.snakeyaml.composer.ComposerException;
+@@ -83,7 +84,13 @@
+ protected final Map<Class<? extends Object>, TypeDescription> typeDefinitions;
+ protected final Map<Tag, Class<? extends Object>> typeTags;
+
++ protected LoaderOptions loadingConfig;
++
+ public BaseConstructor() {
++ this(new LoaderOptions());
++ }
++
++ public BaseConstructor(LoaderOptions loadingConfig) {
+ constructedObjects = new HashMap<Node, Object>();
+ recursiveObjects = new HashSet<Node>();
+ maps2fill = new ArrayList<RecursiveTuple<Map<Object, Object>, RecursiveTuple<Object, Object>>>();
+@@ -98,6 +105,7 @@
+ TreeMap.class));
+ typeDefinitions.put(SortedSet.class, new TypeDescription(SortedSet.class, Tag.SET,
+ TreeSet.class));
++ this.loadingConfig = loadingConfig;
+ }
+
+ public void setComposer(Composer composer) {
+@@ -464,7 +472,11 @@
+ }
+ Object value = constructObject(valueNode);
+ if (keyNode.isTwoStepsConstruction()) {
+- postponeMapFilling(mapping, key, value);
++ if (loadingConfig.getAllowRecursiveKeys()) {
++ postponeMapFilling(mapping, key, value);
++ } else {
++ throw new YAMLException("Recursive key for mapping is detected but it is not configured to be allowed.");
++ }
+ } else {
+ mapping.put(key, value);
+ }
+--- a/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java
++++ b/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java
+@@ -26,6 +26,7 @@
+ import java.util.Set;
+ import java.util.UUID;
+
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.TypeDescription;
+ import org.yaml.snakeyaml.error.YAMLException;
+ import org.yaml.snakeyaml.introspector.Property;
+@@ -46,6 +47,10 @@
+ this(Object.class);
+ }
+
++ public Constructor(LoaderOptions loadingConfig) {
++ this(Object.class, loadingConfig);
++ }
++
+ /**
+ * Create Constructor for the specified class as the root.
+ *
+@@ -56,6 +61,10 @@
+ this(new TypeDescription(checkRoot(theRoot)));
+ }
+
++ public Constructor(Class<? extends Object> theRoot, LoaderOptions loadingConfig) {
++ this(new TypeDescription(checkRoot(theRoot)), loadingConfig);
++ }
++
+ /**
+ * Ugly Java way to check the argument in the constructor
+ */
+@@ -67,10 +76,19 @@
+ }
+
+ public Constructor(TypeDescription theRoot) {
+- this(theRoot, null);
++ this(theRoot, null, new LoaderOptions());
++ }
++
++ public Constructor(TypeDescription theRoot, LoaderOptions loadingConfig) {
++ this(theRoot, null, loadingConfig);
+ }
+
+ public Constructor(TypeDescription theRoot, Collection<TypeDescription> moreTDs) {
++ this(theRoot, moreTDs, new LoaderOptions());
++ }
++
++ public Constructor(TypeDescription theRoot, Collection<TypeDescription> moreTDs, LoaderOptions loadingConfig) {
++ super(loadingConfig);
+ if (theRoot == null) {
+ throw new NullPointerException("Root type must be provided.");
+ }
+@@ -102,6 +120,10 @@
+ this(Class.forName(check(theRoot)));
+ }
+
++ public Constructor(String theRoot, LoaderOptions loadingConfig) throws ClassNotFoundException {
++ this(Class.forName(check(theRoot)), loadingConfig);
++ }
++
+ private static final String check(String s) {
+ if (s == null) {
+ throw new NullPointerException("Root type must be provided.");
+--- a/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java
++++ b/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java
+@@ -29,6 +29,7 @@
+ import java.util.regex.Matcher;
+ import java.util.regex.Pattern;
+
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.error.YAMLException;
+ import org.yaml.snakeyaml.external.biz.base64Coder.Base64Coder;
+ import org.yaml.snakeyaml.nodes.MappingNode;
+@@ -47,6 +48,11 @@
+ public static final ConstructUndefined undefinedConstructor = new ConstructUndefined();
+
+ public SafeConstructor() {
++ this(new LoaderOptions());
++ }
++
++ public SafeConstructor(LoaderOptions loadingConfig) {
++ super(loadingConfig);
+ this.yamlConstructors.put(Tag.NULL, new ConstructYamlNull());
+ this.yamlConstructors.put(Tag.BOOL, new ConstructYamlBool());
+ this.yamlConstructors.put(Tag.INT, new ConstructYamlInt());
+--- /dev/null
++++ b/src/test/java/org/yaml/snakeyaml/issues/issue377/BillionLaughsAttackTest.java
+@@ -0,0 +1,97 @@
++/**
++ * Copyright (c) 2018, http://www.snakeyaml.org
++ * <p>
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ * <p>
++ * http://www.apache.org/licenses/LICENSE-2.0
++ * <p>
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.yaml.snakeyaml.issues.issue377;
++
++import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertNotNull;
++import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
++
++import java.util.Map;
++
++import org.junit.Test;
++import org.yaml.snakeyaml.LoaderOptions;
++import org.yaml.snakeyaml.Yaml;
++import org.yaml.snakeyaml.error.YAMLException;
++
++/**
++ * https://en.wikipedia.org/wiki/Billion_laughs_attack#Variations
++ */
++public class BillionLaughsAttackTest {
++ public static final String data = "a: &a [\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\"]\n" +
++ "b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n" +
++ "c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n" +
++ "d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n" +
++ "e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n" +
++ "f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n" +
++ "g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n" +
++ "h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n" +
++ "i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]";
++
++ public static final String scalarAliasesData = "a: &a foo\n" +
++ "b: *a\n" +
++ "c: *a\n" +
++ "d: *a\n" +
++ "e: *a\n" +
++ "f: *a\n" +
++ "g: *a\n";
++
++ @Test
++ public void billionLaughsAttackLoaded() {
++ LoaderOptions settings = new LoaderOptions();
++ settings.setMaxAliasesForCollections(72);
++ Yaml yaml = new Yaml(settings);
++ Map map = (Map) yaml.load(data);
++ assertNotNull(map);
++ }
++
++ @Test
++ public void billionLaughsAttackExpanded() {
++ LoaderOptions settings = new LoaderOptions();
++ settings.setMaxAliasesForCollections(100);
++ Yaml yaml = new Yaml(settings);
++ Map map = (Map) yaml.load(data);
++ assertNotNull(map);
++ try {
++ map.toString();
++ fail("Expected overflow");
++ } catch (Throwable e) {
++ assertTrue(e.getMessage().contains("heap"));
++ }
++ }
++
++ @Test
++ public void billionLaughsAttackWithRestrictedAliases() {
++ LoaderOptions settings = new LoaderOptions();
++ Yaml yaml = new Yaml(settings);
++ try {
++ yaml.load(data);
++ fail();
++ } catch (YAMLException e) {
++ assertEquals("Number of aliases for non-scalar nodes exceeds the specified max=50", e.getMessage());
++ }
++ }
++
++ @Test
++ public void doNotRestrictScalarAliases() {
++ LoaderOptions settings = new LoaderOptions();
++ settings.setMaxAliasesForCollections(5); //smaller than number of aliases for scalars
++ Yaml yaml = new Yaml(settings);
++ Map map = (Map) yaml.load(scalarAliasesData);
++ assertNotNull(map);
++ }
++
++}
+\ No newline at end of file
+--- a/src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java
++++ b/src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java
+@@ -16,42 +16,29 @@
+ package org.yaml.snakeyaml.issues.issue377;
+
+ import org.junit.Test;
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.Yaml;
+ import org.yaml.snakeyaml.constructor.SafeConstructor;
+
+ import java.util.HashMap;
+-import java.util.Map;
+
+-import static org.junit.Assert.assertNotNull;
++import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
+
+ public class ReferencesTest {
+
+ /**
+- * https://en.wikipedia.org/wiki/Billion_laughs_attack#Variations
++ * Create data which is difficult to parse.
++ *
++ * @param size - size of the map, defines the complexity
++ * @return YAML to parse
+ */
+- @Test
+- public void billionLaughsAttack() {
+- String data = "a: &a [\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\"]\n" +
+- "b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n" +
+- "c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n" +
+- "d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n" +
+- "e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n" +
+- "f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n" +
+- "g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n" +
+- "h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n" +
+- "i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]";
+- Yaml yaml = new Yaml();
+- Map map = yaml.load(data);
+- assertNotNull(map);
+- }
+-
+- @Test
+- public void referencesAttack() {
++ private String createDump(int size) {
+ HashMap root = new HashMap();
+ HashMap s1, s2, t1, t2;
+ s1 = root;
+ s2 = new HashMap();
+- long time1 = System.currentTimeMillis();
+ /*
+ the time to parse grows very quickly
+ SIZE -> time to parse in seconds
+@@ -66,8 +53,7 @@
+ 33 -> 245
+ 34 -> 500
+ */
+- int SIZE = 25;
+- for (int i = 0; i < SIZE; i++) {
++ for (int i = 0; i < size; i++) {
+
+ t1 = new HashMap();
+ t2 = new HashMap();
+@@ -83,20 +69,73 @@
+ s2 = t2;
+ }
+
+- //FIXME
+ // this is VERY BAD code
+- // the map has itself as a key (no idea why it may be used)
++ // the map has itself as a key (no idea why it may be used except of a DoS attack)
+ HashMap f = new HashMap();
+ f.put(f, "a");
+ f.put("g", root);
+
+ Yaml yaml = new Yaml(new SafeConstructor());
+ String output = yaml.dump(f);
++ return output;
++ }
++
++ @Test
++ public void referencesWithRecursiveKeysNotAllowedByDefault() {
++ String output = createDump(30);
+ //System.out.println(output);
++ long time1 = System.currentTimeMillis();
++ // Load
++ LoaderOptions settings = new LoaderOptions();
++ settings.setMaxAliasesForCollections(150);
++ Yaml yaml = new Yaml(settings);
++ try {
++ yaml.load(output);
++ fail();
++ } catch (Exception e) {
++ assertEquals("Recursive key for mapping is detected but it is not configured to be allowed.", e.getMessage());
++ }
++ long time2 = System.currentTimeMillis();
++ float duration = (time2 - time1) / 1000;
++ assertTrue("It should fail quickly. Time was " + duration + " seconds.", duration < 1.0);
++ }
+
++ @Test
++ public void parseManyAliasesForCollections() {
++ String output = createDump(25);
+ // Load
++ // long time1 = System.currentTimeMillis();
++ LoaderOptions settings = new LoaderOptions();
++ settings.setMaxAliasesForCollections(50);
++ settings.setAllowRecursiveKeys(true);
++ Yaml yaml = new Yaml(settings);
+ yaml.load(output);
++ // Disabling this as it runs slower than 0.9 on my machine
++ // long time2 = System.currentTimeMillis();
++ // double duration = (time2 - time1) / 1000.0;
++ // assertTrue("It should take time. Time was " + duration + " seconds.", duration > 0.9);
++ // assertTrue("Time was " + duration + " seconds.", duration < 5.0);
++ }
++
++ @Test
++ public void referencesWithRestrictedAliases() {
++ // without alias restriction this size should occupy tons of CPU, memory and time to parse
++ String bigYAML = createDump(35);
++ // Load
++ long time1 = System.currentTimeMillis();
++ LoaderOptions settings = new LoaderOptions();
++ settings.setMaxAliasesForCollections(40);
++ settings.setAllowRecursiveKeys(true);
++ Yaml yaml = new Yaml(settings);
++ try {
++ yaml.load(bigYAML);
++ fail();
++ } catch (Exception e) {
++ assertEquals("Number of aliases for non-scalar nodes exceeds the specified max=40", e.getMessage());
++ }
+ long time2 = System.currentTimeMillis();
+- System.out.println("Time was " + ((time2 - time1) / 1000) + " seconds.");
++ float duration = (time2 - time1) / 1000;
++ assertTrue("It should fail quickly. Time was " + duration + " seconds.", duration < 1.0);
+ }
++
+ }
+\ No newline at end of file
+--- a/src/test/java/org/yaml/snakeyaml/issues/issue38/BigNumberIdTest.java
++++ b/src/test/java/org/yaml/snakeyaml/issues/issue38/BigNumberIdTest.java
+@@ -20,6 +20,7 @@
+
+ import junit.framework.TestCase;
+
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.Yaml;
+
+ /**
+@@ -34,7 +35,9 @@
+ list.add(value);
+ list.add(value);
+ }
+- Yaml yaml = new Yaml();
++ LoaderOptions options = new LoaderOptions();
++ options.setMaxAliasesForCollections(1500);
++ Yaml yaml = new Yaml(options);
+ String output = yaml.dump(list);
+ // System.out.println(output);
+ //
+--- a/src/test/java/org/yaml/snakeyaml/recursive/HumanTest.java
++++ b/src/test/java/org/yaml/snakeyaml/recursive/HumanTest.java
+@@ -28,11 +28,13 @@
+ import junit.framework.TestCase;
+
+ import org.yaml.snakeyaml.DumperOptions;
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.DumperOptions.FlowStyle;
+ import org.yaml.snakeyaml.TypeDescription;
+ import org.yaml.snakeyaml.Util;
+ import org.yaml.snakeyaml.Yaml;
+ import org.yaml.snakeyaml.constructor.Constructor;
++import org.yaml.snakeyaml.representer.Representer;
+
+ public class HumanTest extends TestCase {
+
+@@ -272,12 +274,14 @@
+ mother.setChildren(children);
+ //
+
+- Constructor constructor = new Constructor(Human2.class);
++ LoaderOptions options = new LoaderOptions();
++ options.setAllowRecursiveKeys(true);
++ Constructor constructor = new Constructor(Human2.class, options);
+ TypeDescription humanDescription = new TypeDescription(Human2.class);
+ humanDescription.putMapPropertyType("children", Human2.class, String.class);
+ constructor.addTypeDescription(humanDescription);
+
+- Yaml yaml = new Yaml(constructor);
++ Yaml yaml = new Yaml(constructor, new Representer(), new DumperOptions(), options);
+ String output = yaml.dump(son);
+ // System.out.println(output);
+ String etalon = Util.getLocalResource("recursive/with-children-2.yaml");
+--- a/src/test/java/org/yaml/snakeyaml/recursive/generics/HumanGenericsTest.java
++++ b/src/test/java/org/yaml/snakeyaml/recursive/generics/HumanGenericsTest.java
+@@ -29,6 +29,7 @@
+
+ import junit.framework.TestCase;
+
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.TypeDescription;
+ import org.yaml.snakeyaml.Util;
+ import org.yaml.snakeyaml.Yaml;
+@@ -226,7 +227,10 @@
+ // load
+ TypeDescription humanDescription = new TypeDescription(HumanGen2.class);
+ humanDescription.putMapPropertyType("children", HumanGen2.class, String.class);
+- Yaml beanLoader = new Yaml(new Constructor(humanDescription));
++
++ LoaderOptions options = new LoaderOptions();
++ options.setAllowRecursiveKeys(true);
++ Yaml beanLoader = new Yaml(new Constructor(humanDescription, options));
+ //
+ HumanGen2 son2 = beanLoader.loadAs(output, HumanGen2.class);
+ assertNotNull(son2);
=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
java9.patch
+CVE-2017-18640.patch
View it on GitLab: https://salsa.debian.org/java-team/snakeyaml/-/compare/99529473a39be7562b3fd5f2e299dbe6b1e54063...82d9698a16bcfeb4249a98e12ca8b9e7db8ed07a
--
View it on GitLab: https://salsa.debian.org/java-team/snakeyaml/-/compare/99529473a39be7562b3fd5f2e299dbe6b1e54063...82d9698a16bcfeb4249a98e12ca8b9e7db8ed07a
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20200326/cbaa787a/attachment.html>
More information about the pkg-java-commits
mailing list