Tree - rpms/prometheus-jmx-exporter

rpms / prometheus-jmx-exporter

Blame SOURCES/0001-Fix-CVE-2017-18640-and-add-a-test.patch

Blob History Raw

		ee38a3	`From 8cbe3bee31e605d535783431bfb74c3e2867ee37 Mon Sep 17 00:00:00 2001`
		ee38a3	`From: Severin Gehwolf <sgehwolf@redhat.com>`
		ee38a3	`Date: Wed, 15 Apr 2020 17:41:17 +0200`
		ee38a3	`Subject: [PATCH] Fix CVE-2017-18640 and add a test`
		ee38a3
		ee38a3	`---`
		ee38a3	`collector/pom.xml \| 2 +-`
		ee38a3	`.../java/io/prometheus/jmx/JmxCollector.java \| 12 ++++++++-`
		ee38a3	`.../io/prometheus/jmx/JmxCollectorTest.java \| 26 ++++++++++++++++---`
		ee38a3	`collector/src/test/resources/testyaml.config \| 9 +++++++`
		ee38a3	`4 files changed, 44 insertions(+), 5 deletions(-)`
		ee38a3	`create mode 100644 collector/src/test/resources/testyaml.config`
		ee38a3
		ee38a3	`diff --git a/collector/pom.xml b/collector/pom.xml`
		ee38a3	`index 8e90d58..b58d94a 100644`
		ee38a3	`--- a/collector/pom.xml`
		ee38a3	`+++ b/collector/pom.xml`
		ee38a3	`@@ -29,7 +29,7 @@`
		ee38a3	`<dependency>`
		ee38a3	`<groupId>org.yaml</groupId>`
		ee38a3	`<artifactId>snakeyaml</artifactId>`
		ee38a3	`- <version>1.16</version>`
		ee38a3	`+ <version>1.26</version>`
		ee38a3	`</dependency>`
		ee38a3	`</dependencies>`
		ee38a3
		ee38a3	`diff --git a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java`
		ee38a3	`index f06d3ef..a5fc96f 100644`
		ee38a3	`--- a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java`
		ee38a3	`+++ b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java`
		ee38a3	`@@ -3,6 +3,7 @@ package io.prometheus.jmx;`
		ee38a3	`import io.prometheus.client.Collector;`
		ee38a3	`import io.prometheus.client.Counter;`
		ee38a3	`import org.yaml.snakeyaml.Yaml;`
		ee38a3	`+import org.yaml.snakeyaml.error.YAMLException;`
		ee38a3
		ee38a3	`import javax.management.MalformedObjectNameException;`
		ee38a3	`import javax.management.ObjectName;`
		ee38a3	`@@ -71,7 +72,16 @@ public class JmxCollector extends Collector implements Collector.Describable {`
		ee38a3
		ee38a3	`public JmxCollector(File in) throws IOException, MalformedObjectNameException {`
		ee38a3	`configFile = in;`
		ee38a3	`- config = loadConfig((Map<String, Object>)new Yaml().load(new FileReader(in)));`
		ee38a3	`+ // Be defensive about loading yaml from a user. In some cases YAMLException`
		ee38a3	`+ // will be thrown for bad configs`
		ee38a3	`+ Map<String, Object> yamlConfig = null;`
		ee38a3	`+ try {`
		ee38a3	`+ yamlConfig = (Map<String, Object>)new Yaml().load(new FileReader(in));`
		ee38a3	`+ } catch (YAMLException e) {`
		ee38a3	`+ System.err.println("YAML configuration error: " + e.getMessage());`
		ee38a3	`+ throw new IllegalArgumentException(e);`
		ee38a3	`+ }`
		ee38a3	`+ config = loadConfig(yamlConfig);`
		ee38a3	`config.lastUpdate = configFile.lastModified();`
		ee38a3	`}`
		ee38a3
		ee38a3	`diff --git a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java`
		ee38a3	`index dc35734..3d4ecf0 100644`
		ee38a3	`--- a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java`
		ee38a3	`+++ b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java`
		ee38a3	`@@ -3,15 +3,21 @@ package io.prometheus.jmx;`
		ee38a3	`import static org.junit.Assert.assertEquals;`
		ee38a3	`import static org.junit.Assert.assertNotNull;`
		ee38a3	`import static org.junit.Assert.assertNull;`
		ee38a3	`+import static org.junit.Assert.assertTrue;`
		ee38a3	`import static org.junit.Assert.fail;`
		ee38a3
		ee38a3	`-import io.prometheus.client.Collector;`
		ee38a3	`-import io.prometheus.client.CollectorRegistry;`
		ee38a3	`+import java.io.File;`
		ee38a3	`import java.lang.management.ManagementFactory;`
		ee38a3	`+`
		ee38a3	`import javax.management.MBeanServer;`
		ee38a3	`-import org.junit.Test;`
		ee38a3	`+`
		ee38a3	`import org.junit.Before;`
		ee38a3	`import org.junit.BeforeClass;`
		ee38a3	`+import org.junit.Test;`
		ee38a3	`+import org.yaml.snakeyaml.error.YAMLException;`
		ee38a3	`+`
		ee38a3	`+import io.prometheus.client.Collector;`
		ee38a3	`+import io.prometheus.client.CollectorRegistry;`
		ee38a3
		ee38a3
		ee38a3	`public class JmxCollectorTest {`
		ee38a3	`@@ -252,4 +258,18 @@ public class JmxCollectorTest {`
		ee38a3	`Thread.sleep(2000);`
		ee38a3	`assertEquals(1.0, registry.getSampleValue("boolean_Test_True", new String[]{}, new String[]{}), .001);`
		ee38a3	`}`
		ee38a3	`+`
		ee38a3	`+ @Test`
		ee38a3	`+ public void testBillionLaughs() throws Exception {`
		ee38a3	`+ File configFile = new File(getClass().getResource("/testyaml.config").getPath());`
		ee38a3	`+ assertTrue(configFile.exists());`
		ee38a3	`+ try {`
		ee38a3	`+ JmxCollector jc = new JmxCollector(configFile);`
		ee38a3	`+ fail("Excected yaml exception due to billion laughs");`
		ee38a3	`+ } catch (IllegalArgumentException e) {`
		ee38a3	`+ Throwable ex = e.getCause();`
		ee38a3	`+ String prefix = YAMLException.class.getName() + ": ";`
		ee38a3	`+ assertEquals(prefix + "Number of aliases for non-scalar nodes exceeds the specified max=50", e.getMessage());`
		ee38a3	`+ }`
		ee38a3	`+ }`
		ee38a3	`}`
		ee38a3	`diff --git a/collector/src/test/resources/testyaml.config b/collector/src/test/resources/testyaml.config`
		ee38a3	`new file mode 100644`
		ee38a3	`index 0000000..4a3ed69`
		ee38a3	`--- /dev/null`
		ee38a3	`+++ b/collector/src/test/resources/testyaml.config`
		ee38a3	`@@ -0,0 +1,9 @@`
		ee38a3	`+a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]`
		ee38a3	`+b: &b [a,a,a,a,a,a,a,a,*a]`
		ee38a3	`+c: &c [b,b,b,b,b,b,b,b,*b]`
		ee38a3	`+d: &d [c,c,c,c,c,c,c,c,*c]`
		ee38a3	`+e: &e [d,d,d,d,d,d,d,d,*d]`
		ee38a3	`+f: &f [e,e,e,e,e,e,e,e,*e]`
		ee38a3	`+g: &g [f,f,f,f,f,f,f,f,*f]`
		ee38a3	`+h: &h [g,g,g,g,g,g,g,g,*g]`
		ee38a3	`+i: &i [h,h,h,h,h,h,h,h,*h]`
		ee38a3	`\ No newline at end of file`
		ee38a3	`--`
		ee38a3	`2.21.1`
		ee38a3

rpms / prometheus-jmx-exporter

Source Code

Blame SOURCES/0001-Fix-CVE-2017-18640-and-add-a-test.patch