Fix logback serialization vulnerability (#88)
Signed-off-by: munishchouhan <hrma017@gmail.com>
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Co-authored-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
munishchouhan and pditommaso authored Dec 17, 2024
1 parent 310f0ab commit 6ae7be3
Showing 3 changed files with 18 additions and 5 deletions.
8 changes: 8 additions & 0 deletions app/conf/reflect-config.json
Expand Up @@ -17,6 +17,10 @@
"queryAllPublicMethods":true,
"methods":[{"name":"<init>","parameterTypes":[] }]
},
{
"name":"ch.qos.logback.classic.joran.SerializedModelConfigurator",
"methods":[{"name":"<init>","parameterTypes":[] }]
},
{
"name":"ch.qos.logback.classic.pattern.DateConverter",
"methods":[{"name":"<init>","parameterTypes":[] }]
Expand All @@ -41,6 +45,10 @@
"name":"ch.qos.logback.classic.pattern.ThreadConverter",
"methods":[{"name":"<init>","parameterTypes":[] }]
},
{
"name":"ch.qos.logback.classic.util.DefaultJoranConfigurator",
"methods":[{"name":"<init>","parameterTypes":[] }]
},
{
"name":"ch.qos.logback.core.ConsoleAppender",
"queryAllPublicMethods":true,
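Review bot: Registering `ch.qos.logback.classic.joran.SerializedModelConfigurator` here, together with the `logback.scmo` and `logback-test.scmo` patterns added to app/conf/resource-config.json, enables logback's serialized-model configuration path in the native image, which loads a Java-serialized `.scmo` object and, as far as I know, is probed before `logback.xml`; nothing on the page shows that the build produces such a file. If the registration exists only so the 1.5.x configurator lookup does not fail under native-image, that intent should be recorded where the project documents its native-image config (JSON has no comment syntax), e.g. a README line such as `SerializedModelConfigurator is registered for native-image lookup only; no .scmo is shipped`. Otherwise consider dropping the `.scmo` resource patterns so the only logback configuration the image can pick up is the XML it ships with, and note that the `logback-test.*` variants take precedence when present, so a test configuration must never be packaged into the image.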
4 changes: 4 additions & 0 deletions app/conf/resource-config.json
Expand Up @@ -26,8 +26,12 @@
"pattern":"\\Qcom/knuddels/jtokkit/cl100k_base.tiktoken\\E"
}, {
"pattern":"\\Qio/seqera/wave/cli/usage-examples.txt\\E"
}, {
"pattern":"\\Qlogback-test.scmo\\E"
}, {
"pattern":"\\Qlogback-test.xml\\E"
}, {
"pattern":"\\Qlogback.scmo\\E"
}, {
"pattern":"\\Qlogback.xml\\E"
}, {
Expand Up @@ -18,11 +18,12 @@ dependencies {
implementation 'org.apache.commons:commons-text:1.9'
}

implementation "org.slf4j:jcl-over-slf4j:2.0.7"
implementation "org.slf4j:jul-to-slf4j:2.0.7"
implementation "org.slf4j:log4j-over-slf4j:2.0.7"
implementation "ch.qos.logback:logback-classic:1.4.6"
implementation "ch.qos.logback:logback-core:1.4.6"
implementation "org.slf4j:slf4j-api:2.0.16"
implementation "org.slf4j:jcl-over-slf4j:2.0.16"
implementation "org.slf4j:jul-to-slf4j:2.0.16"
implementation "org.slf4j:log4j-over-slf4j:2.0.16"
implementation "ch.qos.logback:logback-classic:1.5.12"
implementation "ch.qos.logback:logback-core:1.5.12"

// Use JUnit Jupiter for testing.
testImplementation 'org.junit.jupiter:junit-jupiter:5.9.1'
