diff --git a/.circleci/config.yml b/.circleci/config.yml
index cdc8a7dbb..3c9c74fe6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -18,11 +18,17 @@ workflows:
requires:
- build-linux
- test-linux:
+ # current LTS version
name: Java 17 - Linux - OpenJDK
docker-image: cimg/openjdk:17.0
with-coverage: true
requires:
- build-linux
+ - test-linux:
+ name: Java 19 - Linux - OpenJDK
+ docker-image: cimg/openjdk:19.0
+ requires:
+ - build-linux
- packaging:
requires:
- build-linux
diff --git a/.ldrelease/config.yml b/.ldrelease/config.yml
index 70511a038..1889bc9a8 100644
--- a/.ldrelease/config.yml
+++ b/.ldrelease/config.yml
@@ -12,7 +12,7 @@ publications:
jobs:
- docker:
- image: gradle:6.8.3-jdk11
+ image: gradle:7.6-jdk11
template:
name: gradle
diff --git a/.ldrelease/publish.sh b/.ldrelease/publish.sh
index a2e9637b3..677f63803 100755
--- a/.ldrelease/publish.sh
+++ b/.ldrelease/publish.sh
@@ -4,4 +4,9 @@ set -ue
# Publish to Sonatype
echo "Publishing to Sonatype"
-./gradlew publishToSonatype closeAndReleaseRepository || { echo "Gradle publish/release failed" >&2; exit 1; }
+if [[ -n "${LD_RELEASE_IS_PRERELEASE}" ]]; then
+ ./gradlew publishToSonatype || { echo "Gradle publish/release failed" >&2; exit 1; }
+else
+ ./gradlew publishToSonatype closeAndReleaseRepository || { echo "Gradle publish/release failed" >&2; exit 1; }
+fi
+
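Review bot: With `set -ue` in effect (visible in the hunk header), the new `[[ -n "${LD_RELEASE_IS_PRERELEASE}" ]]` test aborts the script with an unbound-variable error whenever the release tooling does not export that variable at all, instead of falling through to the full publish-and-release branch. Use a default expansion so an absent variable behaves like an empty one: `if [[ -n "${LD_RELEASE_IS_PRERELEASE:-}" ]]; then`. The prerelease branch's failure message still reads "Gradle publish/release failed" although that branch only publishes; `echo "Gradle publish failed" >&2` would be accurate. The hunk also appends a trailing blank line to the file.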
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4216f177b..cbff40ba8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
All notable changes to the LaunchDarkly Java SDK will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org).
+## [5.10.5] - 2023-01-04
+### Fixed:
+- Fixed vulnerability [CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471) which could allow arbitrary code execution if using `FileDataSource` with a YAML file. (Thanks, [antonmos](https://github.com/launchdarkly/java-server-sdk/pull/289)!)
+
## [6.0.1] - 2022-12-20
### Changed:
- The internal implementation of the SSE client for streaming updates has been revised to use a single worker thread instead of two worker threads, reducing thread contention and memory usage.
diff --git a/build.gradle b/build.gradle
index 5fb3d22da..7f524e2db 100644
--- a/build.gradle
+++ b/build.gradle
@@ -150,7 +150,7 @@ libraries.test = [
"junit:junit:4.12",
"com.fasterxml.jackson.core:jackson-core:${versions.jackson}",
"com.fasterxml.jackson.core:jackson-databind:${versions.jackson}",
- "com.launchdarkly:test-helpers:1.3.0"
+ "com.launchdarkly:test-helpers:2.0.1"
]
configurations {
@@ -173,6 +173,7 @@ dependencies {
}
checkstyle {
+ toolVersion = "9.3"
configFile file("${project.rootDir}/config/checkstyle/checkstyle.xml")
}
diff --git a/config/checkstyle/checkstyle.xml b/config/checkstyle/checkstyle.xml
index a1d367afe..9759ef3c0 100644
--- a/config/checkstyle/checkstyle.xml
+++ b/config/checkstyle/checkstyle.xml
@@ -10,7 +10,7 @@
-
+
diff --git a/contract-tests/service/build.gradle b/contract-tests/service/build.gradle
index 5793f10be..64de63e38 100644
--- a/contract-tests/service/build.gradle
+++ b/contract-tests/service/build.gradle
@@ -30,7 +30,7 @@ ext.versions = [
"gson": "2.7",
"logback": "1.1.3",
"okhttp": "4.5.0",
- "testHelpers": "1.1.0",
+ "testHelpers": "2.0.1",
"launchdarklyJavaSdkCommon": project(":sdk").versions["launchdarklyJavaSdkCommon"]
]
diff --git a/contract-tests/service/src/main/java/sdktest/TestService.java b/contract-tests/service/src/main/java/sdktest/TestService.java
index c4a8bd6c3..1abd1ebe9 100644
--- a/contract-tests/service/src/main/java/sdktest/TestService.java
+++ b/contract-tests/service/src/main/java/sdktest/TestService.java
@@ -58,7 +58,7 @@ public BadRequestException(String message) {
}
}
- public static void main(String[] args) {
+ public static void main(String[] args) throws Exception {
// ((ch.qos.logback.classic.Logger)LoggerFactory.getLogger(org.slf4j.Logger.ROOT_LOGGER_NAME)).setLevel(
// Level.valueOf(config.logLevel.toUpperCase()));
@@ -75,6 +75,11 @@ public static void main(String[] args) {
server.getRecorder().setEnabled(false); // don't accumulate a request log
System.out.println("Listening on port " + PORT);
+
+ // need to explicitly sleep because HttpServer now starts as a daemon thread
+ while (true) {
+ Thread.sleep(1000);
+ }
}
private Status getStatus() {
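Review bot: The keep-alive loop added after the "Listening on port" message wakes the main thread every second without doing anything; a single blocking call states the intent more directly and keeps the new `throws Exception` signature meaningful, e.g. replace the three-line loop with `Thread.currentThread().join();`. The comment above it should also say what goes wrong otherwise, e.g. `// HttpServer now runs on a daemon thread, so main must block or the JVM exits as soon as it returns`. The body of main starts outside this hunk.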
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
index e708b1c02..7454180f2 100644
Binary files a/gradle/wrapper/gradle-wrapper.jar and b/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 2e6e5897b..070cb702f 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
index 4f906e0c8..1b6c78733 100755
--- a/gradlew
+++ b/gradlew
@@ -1,7 +1,7 @@
-#!/usr/bin/env sh
+#!/bin/sh
#
-# Copyright 2015 the original author or authors.
+# Copyright © 2015-2021 the original authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,67 +17,101 @@
#
##############################################################################
-##
-## Gradle start up script for UN*X
-##
+#
+# Gradle start up script for POSIX generated by Gradle.
+#
+# Important for running:
+#
+# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
+# noncompliant, but you have some other compliant shell such as ksh or
+# bash, then to run this script, type that shell name before the whole
+# command line, like:
+#
+# ksh Gradle
+#
+# Busybox and similar reduced shells will NOT work, because this script
+# requires all of these POSIX shell features:
+# * functions;
+# * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
+# «${var#prefix}», «${var%suffix}», and «$( cmd )»;
+# * compound commands having a testable exit status, especially «case»;
+# * various built-in commands including «command», «set», and «ulimit».
+#
+# Important for patching:
+#
+# (2) This script targets any POSIX shell, so it avoids extensions provided
+# by Bash, Ksh, etc; in particular arrays are avoided.
+#
+# The "traditional" practice of packing multiple parameters into a
+# space-separated string is a well documented source of bugs and security
+# problems, so this is (mostly) avoided, by progressively accumulating
+# options in "$@", and eventually passing that to Java.
+#
+# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
+# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
+# see the in-line comments for details.
+#
+# There are tweaks for specific operating systems such as AIX, CygWin,
+# Darwin, MinGW, and NonStop.
+#
+# (3) This script is generated from the Groovy template
+# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+# within the Gradle project.
+#
+# You can find Gradle at https://github.com/gradle/gradle/.
+#
##############################################################################
# Attempt to set APP_HOME
+
# Resolve links: $0 may be a link
-PRG="$0"
-# Need this for relative symlinks.
-while [ -h "$PRG" ] ; do
- ls=`ls -ld "$PRG"`
- link=`expr "$ls" : '.*-> \(.*\)$'`
- if expr "$link" : '/.*' > /dev/null; then
- PRG="$link"
- else
- PRG=`dirname "$PRG"`"/$link"
- fi
+app_path=$0
+
+# Need this for daisy-chained symlinks.
+while
+ APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
+ [ -h "$app_path" ]
+do
+ ls=$( ls -ld "$app_path" )
+ link=${ls#*' -> '}
+ case $link in #(
+ /*) app_path=$link ;; #(
+ *) app_path=$APP_HOME$link ;;
+ esac
done
-SAVED="`pwd`"
-cd "`dirname \"$PRG\"`/" >/dev/null
-APP_HOME="`pwd -P`"
-cd "$SAVED" >/dev/null
+
+APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
APP_NAME="Gradle"
-APP_BASE_NAME=`basename "$0"`
+APP_BASE_NAME=${0##*/}
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
# Use the maximum available, or set MAX_FD != -1 to use that value.
-MAX_FD="maximum"
+MAX_FD=maximum
warn () {
echo "$*"
-}
+} >&2
die () {
echo
echo "$*"
echo
exit 1
-}
+} >&2
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
-case "`uname`" in
- CYGWIN* )
- cygwin=true
- ;;
- Darwin* )
- darwin=true
- ;;
- MINGW* )
- msys=true
- ;;
- NONSTOP* )
- nonstop=true
- ;;
+case "$( uname )" in #(
+ CYGWIN* ) cygwin=true ;; #(
+ Darwin* ) darwin=true ;; #(
+ MSYS* | MINGW* ) msys=true ;; #(
+ NONSTOP* ) nonstop=true ;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
@@ -87,9 +121,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
- JAVACMD="$JAVA_HOME/jre/sh/java"
+ JAVACMD=$JAVA_HOME/jre/sh/java
else
- JAVACMD="$JAVA_HOME/bin/java"
+ JAVACMD=$JAVA_HOME/bin/java
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
@@ -98,7 +132,7 @@ Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
- JAVACMD="java"
+ JAVACMD=java
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
@@ -106,80 +140,95 @@ location of your Java installation."
fi
# Increase the maximum file descriptors if we can.
-if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
- MAX_FD_LIMIT=`ulimit -H -n`
- if [ $? -eq 0 ] ; then
- if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
- MAX_FD="$MAX_FD_LIMIT"
- fi
- ulimit -n $MAX_FD
- if [ $? -ne 0 ] ; then
- warn "Could not set maximum file descriptor limit: $MAX_FD"
- fi
- else
- warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
- fi
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
+ case $MAX_FD in #(
+ max*)
+ MAX_FD=$( ulimit -H -n ) ||
+ warn "Could not query maximum file descriptor limit"
+ esac
+ case $MAX_FD in #(
+ '' | soft) :;; #(
+ *)
+ ulimit -n "$MAX_FD" ||
+ warn "Could not set maximum file descriptor limit to $MAX_FD"
+ esac
fi
-# For Darwin, add options to specify how the application appears in the dock
-if $darwin; then
- GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
-fi
+# Collect all arguments for the java command, stacking in reverse order:
+# * args from the command line
+# * the main class name
+# * -classpath
+# * -D...appname settings
+# * --module-path (only if needed)
+# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
# For Cygwin or MSYS, switch paths to Windows format before running java
-if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
- APP_HOME=`cygpath --path --mixed "$APP_HOME"`
- CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
-
- JAVACMD=`cygpath --unix "$JAVACMD"`
-
- # We build the pattern for arguments to be converted via cygpath
- ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
- SEP=""
- for dir in $ROOTDIRSRAW ; do
- ROOTDIRS="$ROOTDIRS$SEP$dir"
- SEP="|"
- done
- OURCYGPATTERN="(^($ROOTDIRS))"
- # Add a user-defined pattern to the cygpath arguments
- if [ "$GRADLE_CYGPATTERN" != "" ] ; then
- OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
- fi
+if "$cygwin" || "$msys" ; then
+ APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+ CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
+
+ JAVACMD=$( cygpath --unix "$JAVACMD" )
+
# Now convert the arguments - kludge to limit ourselves to /bin/sh
- i=0
- for arg in "$@" ; do
- CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
- CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
-
- if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
- eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
- else
- eval `echo args$i`="\"$arg\""
+ for arg do
+ if
+ case $arg in #(
+ -*) false ;; # don't mess with options #(
+ /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
+ [ -e "$t" ] ;; #(
+ *) false ;;
+ esac
+ then
+ arg=$( cygpath --path --ignore --mixed "$arg" )
fi
- i=`expr $i + 1`
+ # Roll the args list around exactly as many times as the number of
+ # args, so each arg winds up back in the position where it started, but
+ # possibly modified.
+ #
+ # NB: a `for` loop captures its iteration list before it begins, so
+ # changing the positional parameters here affects neither the number of
+ # iterations, nor the values presented in `arg`.
+ shift # remove old arg
+ set -- "$@" "$arg" # push replacement arg
done
- case $i in
- 0) set -- ;;
- 1) set -- "$args0" ;;
- 2) set -- "$args0" "$args1" ;;
- 3) set -- "$args0" "$args1" "$args2" ;;
- 4) set -- "$args0" "$args1" "$args2" "$args3" ;;
- 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
- 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
- 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
- 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
- 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
- esac
fi
-# Escape application args
-save () {
- for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
- echo " "
-}
-APP_ARGS=`save "$@"`
+# Collect all arguments for the java command;
+# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
+# shell script including quotes and variable substitutions, so put them in
+# double quotes to make sure that they get re-expanded; and
+# * put everything else in single quotes, so that it's not re-expanded.
+
+set -- \
+ "-Dorg.gradle.appname=$APP_BASE_NAME" \
+ -classpath "$CLASSPATH" \
+ org.gradle.wrapper.GradleWrapperMain \
+ "$@"
+
+# Use "xargs" to parse quoted args.
+#
+# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
+#
+# In Bash we could simply go:
+#
+# readarray ARGS < <( xargs -n1 <<<"$var" ) &&
+# set -- "${ARGS[@]}" "$@"
+#
+# but POSIX shell has neither arrays nor command substitution, so instead we
+# post-process each arg (as a line of input to sed) to backslash-escape any
+# character that might be a shell metacharacter, then use eval to reverse
+# that process (while maintaining the separation between arguments), and wrap
+# the whole thing up as a single "set" statement.
+#
+# This will of course break if any of these variables contains a newline or
+# an unmatched quote.
+#
-# Collect all arguments for the java command, following the shell quoting and substitution rules
-eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+eval "set -- $(
+ printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
+ xargs -n1 |
+ sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
+ tr '\n' ' '
+ )" '"$@"'
exec "$JAVACMD" "$@"
diff --git a/src/main/java/com/launchdarkly/sdk/server/integrations/FileDataSourceParsing.java b/src/main/java/com/launchdarkly/sdk/server/integrations/FileDataSourceParsing.java
index cca8aac93..c6eb2f294 100644
--- a/src/main/java/com/launchdarkly/sdk/server/integrations/FileDataSourceParsing.java
+++ b/src/main/java/com/launchdarkly/sdk/server/integrations/FileDataSourceParsing.java
@@ -10,7 +10,9 @@
import com.launchdarkly.sdk.server.subsystems.DataStoreTypes.ItemDescriptor;
import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
+import org.yaml.snakeyaml.representer.Representer;
import java.io.ByteArrayInputStream;
import java.io.IOException;
@@ -149,7 +151,8 @@ public FlagFileRep parseJson(JsonElement tree) throws FileDataException, IOExcep
*
*/
static final class YamlFlagFileParser extends FlagFileParser {
- private static final Yaml yaml = new Yaml();
+ private static final Yaml yaml = new Yaml(new SafeConstructor(), new Representer());
+ // Using SafeConstructor disables instantiation of arbitrary classes - https://github.com/launchdarkly/java-server-sdk/issues/288
private static final Gson gson = new Gson();
private static final JsonFlagFileParser jsonFileParser = new JsonFlagFileParser();
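Review bot: The explanatory comment is placed on the line after the `yaml` field it describes; move it above the declaration so the reason is read before the code, e.g. `// SafeConstructor limits the loader to standard YAML types, so a tagged node cannot instantiate arbitrary classes (CVE-2022-1471) - https://github.com/launchdarkly/java-server-sdk/issues/288`. The `Representer` argument only affects dumping, so loader safety here comes from `SafeConstructor` alone and `new Yaml(new SafeConstructor())` would express that more precisely — unless the project's SnakeYAML version requires both arguments, which I cannot see from here. Separately, SnakeYAML documents `Yaml` instances as not thread-safe, and this one is a static shared by every parser; that predates this change but deserves a comment or a per-parse instance.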
diff --git a/src/test/java/com/launchdarkly/sdk/server/LDClientEndToEndTest.java b/src/test/java/com/launchdarkly/sdk/server/LDClientEndToEndTest.java
index 36d86754e..4ea95f92c 100644
--- a/src/test/java/com/launchdarkly/sdk/server/LDClientEndToEndTest.java
+++ b/src/test/java/com/launchdarkly/sdk/server/LDClientEndToEndTest.java
@@ -20,6 +20,7 @@
import java.time.Duration;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
+import java.util.concurrent.TimeUnit;
import java.util.function.BiFunction;
import static com.launchdarkly.sdk.server.Components.externalUpdatesOnly;
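Review bot: If the three `requireNoRequests(Duration.ofMillis(100))` calls replaced later in this file were its only uses of `Duration`, the `import java.time.Duration;` left as context in this hunk is now unused and should be removed alongside the added `TimeUnit` import; I cannot confirm other uses from the hunks shown. The same `Duration` → `(long, TimeUnit)` replacement is made in PollingProcessorTest and StreamProcessorTest, where no import hunk is shown at all — presumably `TimeUnit` was already imported there, but it is worth checking (StreamProcessorTest still uses `Duration.ofMillis(5555)`, so its `Duration` import stays live).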
@@ -114,7 +115,7 @@ public void clientFailsInPollingModeWith401Error() throws Exception {
assertFalse(client.boolVariation(flagKey, user, false));
server.getRecorder().requireRequest();
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
}
@@ -168,7 +169,7 @@ public void clientStartsInStreamingModeAfterRecoverableError() throws Exception
server.getRecorder().requireRequest();
server.getRecorder().requireRequest();
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
}
@@ -201,7 +202,7 @@ public void clientFailsInStreamingModeWith401Error() throws Exception {
assertThat(statuses.isEmpty(), equalTo(true));
server.getRecorder().requireRequest();
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
}
diff --git a/src/test/java/com/launchdarkly/sdk/server/PollingProcessorTest.java b/src/test/java/com/launchdarkly/sdk/server/PollingProcessorTest.java
index 21a164e77..610893453 100644
--- a/src/test/java/com/launchdarkly/sdk/server/PollingProcessorTest.java
+++ b/src/test/java/com/launchdarkly/sdk/server/PollingProcessorTest.java
@@ -232,7 +232,7 @@ public void startingWhenAlreadyStartedDoesNothing() throws Exception {
Future initFuture2 = pollingProcessor.start();
assertSame(initFuture1, initFuture2);
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
}
@@ -286,7 +286,7 @@ private void testUnrecoverableHttpError(int statusCode) throws Exception {
verifyHttpErrorCausedShutdown(statuses, statusCode);
server.getRecorder().requireRequest();
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
});
@@ -311,7 +311,7 @@ private void testUnrecoverableHttpError(int statusCode) throws Exception {
while (server.getRecorder().count() > 0) {
server.getRecorder().requireRequest();
}
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
});
diff --git a/src/test/java/com/launchdarkly/sdk/server/StreamProcessorTest.java b/src/test/java/com/launchdarkly/sdk/server/StreamProcessorTest.java
index 63b8329a2..81aebb267 100644
--- a/src/test/java/com/launchdarkly/sdk/server/StreamProcessorTest.java
+++ b/src/test/java/com/launchdarkly/sdk/server/StreamProcessorTest.java
@@ -156,7 +156,7 @@ public void setup() {
@Test
public void builderHasDefaultConfiguration() throws Exception {
ComponentConfigurer f = Components.streamingDataSource();
- try (StreamProcessor sp = (StreamProcessor)f.build(clientContext(SDK_KEY, LDConfig.DEFAULT)
+ try (StreamProcessor sp = (StreamProcessor)f.build(clientContext(SDK_KEY, baseConfig().build())
.withDataSourceUpdateSink(dataSourceUpdates))) {
assertThat(sp.initialReconnectDelay, equalTo(StreamingDataSourceBuilder.DEFAULT_INITIAL_RECONNECT_DELAY));
assertThat(sp.streamUri, equalTo(StandardEndpoints.DEFAULT_STREAMING_BASE_URI));
@@ -167,7 +167,7 @@ public void builderHasDefaultConfiguration() throws Exception {
public void builderCanSpecifyConfiguration() throws Exception {
ComponentConfigurer f = Components.streamingDataSource()
.initialReconnectDelay(Duration.ofMillis(5555));
- try (StreamProcessor sp = (StreamProcessor)f.build(clientContext(SDK_KEY, LDConfig.DEFAULT)
+ try (StreamProcessor sp = (StreamProcessor)f.build(clientContext(SDK_KEY, baseConfig().build())
.withDataSourceUpdateSink(dataSourceUpdates(dataStore)))) {
assertThat(sp.initialReconnectDelay, equalTo(Duration.ofMillis(5555)));
}
@@ -175,7 +175,7 @@ public void builderCanSpecifyConfiguration() throws Exception {
@Test
public void verifyStreamRequestProperties() throws Exception {
- HttpConfiguration httpConfig = clientContext(SDK_KEY, LDConfig.DEFAULT).getHttp();
+ HttpConfiguration httpConfig = clientContext(SDK_KEY, baseConfig().build()).getHttp();
try (HttpServer server = HttpServer.start(streamResponse(EMPTY_DATA_EVENT))) {
try (StreamProcessor sp = createStreamProcessor(null, server.getUri())) {
@@ -532,7 +532,7 @@ public void restartsStreamIfStoreNeedsRefresh() throws Exception {
dataSourceUpdates.awaitInit();
server.getRecorder().requireRequest();
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
}
@@ -548,7 +548,7 @@ public void doesNotRestartStreamIfStoreHadOutageButDoesNotNeedRefresh() throws E
dataStoreStatusProvider.updateStatus(new DataStoreStatusProvider.Status(false, false));
dataStoreStatusProvider.updateStatus(new DataStoreStatusProvider.Status(true, false));
- server.getRecorder().requireNoRequests(Duration.ofMillis(100));
+ server.getRecorder().requireNoRequests(100, TimeUnit.MILLISECONDS);
}
}
}
@@ -669,7 +669,7 @@ public void testSpecialHttpConfigurations() throws Exception {
SpecialHttpConfigurations.testAll(handler,
(URI serverUri, SpecialHttpConfigurations.Params params) -> {
- LDConfig config = new LDConfig.Builder()
+ LDConfig config = baseConfig()
.http(TestUtil.makeHttpConfigurationFromTestParams(params))
.build();
@@ -707,7 +707,7 @@ private void testUnrecoverableHttpError(int statusCode) throws Exception {
assertEquals(statusCode, newStatus.getLastError().getStatusCode());
server.getRecorder().requireRequest();
- server.getRecorder().requireNoRequests(Duration.ofMillis(50));
+ server.getRecorder().requireNoRequests(50, TimeUnit.MILLISECONDS);
}
}
}
@@ -759,12 +759,12 @@ private void testRecoverableHttpError(int statusCode) throws Exception {
}
private StreamProcessor createStreamProcessor(URI streamUri) {
- return createStreamProcessor(LDConfig.DEFAULT, streamUri, null);
+ return createStreamProcessor(baseConfig().build(), streamUri, null);
}
private StreamProcessor createStreamProcessor(LDConfig config, URI streamUri, DiagnosticStore acc) {
return new StreamProcessor(
- ComponentsImpl.toHttpProperties(clientContext(SDK_KEY, config == null ? LDConfig.DEFAULT : config).getHttp()),
+ ComponentsImpl.toHttpProperties(clientContext(SDK_KEY, config == null ? baseConfig().build() : config).getHttp()),
dataSourceUpdates,
Thread.MIN_PRIORITY,
acc,
diff --git a/src/test/java/com/launchdarkly/sdk/server/integrations/FileDataSourceTest.java b/src/test/java/com/launchdarkly/sdk/server/integrations/FileDataSourceTest.java
index 9ac12dbf7..e0bc143f4 100644
--- a/src/test/java/com/launchdarkly/sdk/server/integrations/FileDataSourceTest.java
+++ b/src/test/java/com/launchdarkly/sdk/server/integrations/FileDataSourceTest.java
@@ -8,6 +8,7 @@
import com.launchdarkly.sdk.server.interfaces.DataSourceStatusProvider;
import com.launchdarkly.sdk.server.subsystems.DataSource;
import com.launchdarkly.sdk.server.subsystems.DataStore;
+import com.launchdarkly.testhelpers.TempFile;
import org.junit.Test;
@@ -29,6 +30,7 @@
import static com.launchdarkly.sdk.server.integrations.FileDataSourceTestData.resourceFilePath;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertEquals;
@SuppressWarnings("javadoc")
@@ -142,4 +144,28 @@ private void verifyUnsuccessfulStart(DataSource fp) {
DataSourceStatusProvider.Status status = requireDataSourceStatus(statuses, DataSourceStatusProvider.State.INITIALIZING);
assertEquals(DataSourceStatusProvider.ErrorKind.INVALID_DATA, status.getLastError().getKind());
}
+
+ @Test
+ public void instantiationOfArbitraryTypeIsNotAllowed() throws Exception {
+ // test for https://nvd.nist.gov/vuln/detail/CVE-2022-1471 - this test fails if we use the
+ // empty Yaml() constructor in FileDataSourceParsing
+ String className = SimulatedMaliciousType.class.getName();
+ Class.forName(this.getClass().getName());
+ Class.forName(className);
+ try (TempFile f = TempFile.create()) {
+ f.setContents("---\nbad_thing: !!" + className + " [value]\n");
+ try (DataSource fp = makeDataSource(FileData.dataSource().filePaths(f.getPath()))) {
+ verifyUnsuccessfulStart(fp);
+ assertThat(SimulatedMaliciousType.wasInstantiated, is(false));
+ }
+ }
+ }
+
+ public static class SimulatedMaliciousType {
+ static volatile boolean wasInstantiated = false;
+
+ public SimulatedMaliciousType(String value) {
+ wasInstantiated = true;
+ }
+ }
}
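Review bot: `Class.forName(this.getClass().getName())` on the line after `className` has no visible effect on the test and should be dropped, while the following `Class.forName(className)` needs a comment saying why it is there — presumably to prove the type is resolvable by name so that the only thing preventing instantiation is `SafeConstructor`, not a class-loading failure; suggested: `// prove the class is loadable by name; only SafeConstructor should stop it being instantiated`. The `wasInstantiated` flag is never reset, which is fine for a single test but would hide a regression if another test reused `SimulatedMaliciousType`. A one-line comment on the YAML payload naming the construct under test (an explicit `!!<class>` tag with a sequence argument) would also help future readers.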