kyuubi

History

pengqli 9b93e874a0 [KYUUBI #5293 ] upgrade snakeyaml from 1.33 to 2.2 ### _Why are the changes needed?_ upgrade snakeyaml from 1.33 to 2.2 reducing direct CVE vulnerabilities, see (https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes) [CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471) SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [x] [Run test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests) locally before make a pull request ### _Was this patch authored or co-authored using generative AI tooling?_ No Closes #5293 from dev-lpq/snakeyaml_critical. Closes #5293 5b2412d8e [pengqli] upgrade snakeyaml from 1.33 to 2.2 Authored-by: pengqli <pengqli@cisco.com> Signed-off-by: Cheng Pan <chengpan@apache.org>		2023-09-15 11:32:09 +00:00
..
gen	[KYUUBI #5275 ] [DOC] Improve and fix comparation and regeneration for golden files	2023-09-13 17:41:27 +08:00
kyuubi-codecov	Bump 1.9.0-SNAPSHOT	2023-09-04 14:23:12 +08:00
kyuubi-tpcds	Bump 1.9.0-SNAPSHOT	2023-09-04 14:23:12 +08:00
checkout_pr.sh
dependencyList	[KYUUBI #5293 ] upgrade snakeyaml from 1.33 to 2.2	2023-09-15 11:32:09 +00:00
merge_kyuubi_pr.py	[KYUUBI #5152 ] Check milestone and assignees when merging pull request	2023-08-14 09:52:18 +08:00
reformat	[KYUUBI #5018 ] Make kyuubi spark extension compatible with Spark3.4	2023-07-06 18:22:23 +08:00