
Commit 6ae7be3

Fix logback serialization vulnerability (#88)
Signed-off-by: munishchouhan <[email protected]> Signed-off-by: Paolo Di Tommaso <[email protected]> Co-authored-by: Paolo Di Tommaso <[email protected]>
1 parent 310f0ab commit 6ae7be3


3 files changed

+18
-5
lines changed


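--- a/app/conf/reflect-config.json
+++ b/app/conf/reflect-config.json
@@ -17,6 +17,10 @@
 "queryAllPublicMethods":true,
 "methods":[{"name":"<init>","parameterTypes":[] }]
 },
+{
+"name":"ch.qos.logback.classic.joran.SerializedModelConfigurator",
+"methods":[{"name":"<init>","parameterTypes":[] }]
+},
 {
 "name":"ch.qos.logback.classic.pattern.DateConverter",
 "methods":[{"name":"<init>","parameterTypes":[] }]
@@ -41,6 +45,10 @@
 "name":"ch.qos.logback.classic.pattern.ThreadConverter",
 "methods":[{"name":"<init>","parameterTypes":[] }]
 },
+{
+"name":"ch.qos.logback.classic.util.DefaultJoranConfigurator",
+"methods":[{"name":"<init>","parameterTypes":[] }]
+},
 {
 "name":"ch.qos.logback.core.ConsoleAppender",
 "queryAllPublicMethods":true,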
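Review bot: The two new reflection entries (`ch.qos.logback.classic.joran.SerializedModelConfigurator` at new line 21 and `ch.qos.logback.classic.util.DefaultJoranConfigurator` at new line 49) carry no rationale anywhere a maintainer of this file would see it, and reflect-config.json cannot hold comments. As far as I recall, logback 1.5.x probes for a serialized `.scmo` model configurator before falling back to the XML-based `DefaultJoranConfigurator`, so in a native image both no-arg constructors must be reachable or logging setup degrades silently; please confirm that against the 1.5.12 version this commit pins. I would record that reason, and the logback version the entries were verified with, in the commit message or a short README next to app/conf, so the entries are not pruned as dead on the next reflection-config cleanup.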

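--- a/app/conf/resource-config.json
+++ b/app/conf/resource-config.json
@@ -26,8 +26,12 @@
 "pattern":"\\Qcom/knuddels/jtokkit/cl100k_base.tiktoken\\E"
 }, {
 "pattern":"\\Qio/seqera/wave/cli/usage-examples.txt\\E"
+}, {
+"pattern":"\\Qlogback-test.scmo\\E"
 }, {
 "pattern":"\\Qlogback-test.xml\\E"
+}, {
+"pattern":"\\Qlogback.scmo\\E"
 }, {
 "pattern":"\\Qlogback.xml\\E"
 }, {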
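Review bot: The new `logback-test.scmo` and `logback.scmo` patterns (new lines 30 and 34) mean that any such file placed at the resources root will be baked into the native image and deserialized by logback at startup, since `.scmo` is logback's serialized configuration-model format rather than plain XML. Nothing in this commit adds a `.scmo` file, so if the project does not actually ship one I would either drop the two entries or state in the commit message that they are reserved for a later switch to serialized configuration, so the build does not silently honour a stray `.scmo` that lands in resources. The `\\Q…\\E` quoting keeps the match literal and root-only, which is the right scope for these resources.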

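--- a/buildSrc/src/main/groovy/io.seqera.wave.cli.java-common-conventions.gradle
+++ b/buildSrc/src/main/groovy/io.seqera.wave.cli.java-common-conventions.gradle
@@ -18,11 +18,12 @@ dependencies {
 implementation 'org.apache.commons:commons-text:1.9'
 }
 
-implementation "org.slf4j:jcl-over-slf4j:2.0.7"
-implementation "org.slf4j:jul-to-slf4j:2.0.7"
-implementation "org.slf4j:log4j-over-slf4j:2.0.7"
-implementation "ch.qos.logback:logback-classic:1.4.6"
-implementation "ch.qos.logback:logback-core:1.4.6"
+implementation "org.slf4j:slf4j-api:2.0.16"
+implementation "org.slf4j:jcl-over-slf4j:2.0.16"
+implementation "org.slf4j:jul-to-slf4j:2.0.16"
+implementation "org.slf4j:log4j-over-slf4j:2.0.16"
+implementation "ch.qos.logback:logback-classic:1.5.12"
+implementation "ch.qos.logback:logback-core:1.5.12"
 
 // Use JUnit Jupiter for testing.
 testImplementation 'org.junit.jupiter:junit-jupiter:5.9.1'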
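Review bot: The six rewritten `implementation` lines (new lines 21–26) repeat the literal `2.0.16` four times and `1.5.12` twice, so the next security bump has to touch every line and can leave `logback-classic` and `logback-core` on different versions, which logback does not support. I would hoist each family's version into one local variable inside the `dependencies` block so the pair can only move together; the enclosing `dependencies {` block starts and ends outside this hunk. The newly added explicit `slf4j-api` pin is reasonable since the bridges and logback-classic all depend on it, and the variable makes that coupling visible too.
```groovy
// … unchanged: earlier dependencies and constraints block …
def slf4jVersion = '2.0.16'
def logbackVersion = '1.5.12'
implementation "org.slf4j:slf4j-api:${slf4jVersion}"
implementation "org.slf4j:jcl-over-slf4j:${slf4jVersion}"
implementation "org.slf4j:jul-to-slf4j:${slf4jVersion}"
implementation "org.slf4j:log4j-over-slf4j:${slf4jVersion}"
implementation "ch.qos.logback:logback-classic:${logbackVersion}"
implementation "ch.qos.logback:logback-core:${logbackVersion}"
// … unchanged: JUnit Jupiter test dependencies …
```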
