From 875e868d3e20c7430e2bca499cf748148309bbfe Mon Sep 17 00:00:00 2001
From: Alexander Jackson
Date: Tue, 4 Apr 2023 13:08:58 -0600
Subject: [PATCH 1/3] MONIT-34093 - Upgrade to snakeyaml 2.0 for CVE-2022-1471
- explicitly add dependency on snakeyaml since we import it directly in the code
- update test to use explict loadOptions on the YamlFactory for the objectmapper
---
 proxy/pom.xml | 5 +++++
 .../logsharvesting/LogsIngesterTest.java | 20 +++++++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/proxy/pom.xml b/proxy/pom.xml
index 73213c3c5..6ab173e9a 100644
--- a/proxy/pom.xml
+++ b/proxy/pom.xml
@@ -593,6 +593,11 @@ proto-google-common-protos 2.0.1
+
+ org.yaml
+ snakeyaml
+ 2.0
+
diff --git a/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java b/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
index 05ae35a61..7c139f697 100644
--- a/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
+++ b/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
@@ -5,12 +5,15 @@
 import static org.hamcrest.Matchers.*;
 import static org.hamcrest.Matchers.contains;
+import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
+
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactoryBuilder;
 import com.wavefront.agent.PointMatchers;
 import com.wavefront.agent.auth.TokenAuthenticatorBuilder;
 import com.wavefront.agent.channel.NoopHealthCheckManager;
@@ -41,6 +44,8 @@
 import org.junit.After;
 import org.junit.Test;
 import org.logstash.beats.Message;
+import org.yaml.snakeyaml.LoaderOptions;
+
 import wavefront.report.Histogram;
 import wavefront.report.ReportPoint;
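Review bot: The new direct `org.yaml:snakeyaml:2.0` entry in proxy/pom.xml will win over whatever version `jackson-dataformat-yaml` pulls in transitively, and nothing in the hunk shows that the Jackson version in this pom was built against SnakeYAML 2.x (if I recall correctly, 2.15 is the first release that was); please confirm with `mvn dependency:tree` and a full test run that the resolved pair actually works together, since the SnakeYAML API changes in 2.0 are the reason the direct pin is needed at all. The fix is only durable if nothing can pull the version back down, so consider placing the pin in `<dependencyManagement>` (or a version property) rather than a bare dependency, and leave a one-line comment on the entry such as `<!-- pinned for CVE-2022-1471: keep >= 2.0 regardless of jackson's transitive version -->` so the next dependency update does not silently regress it. The XML tags of this hunk appear stripped on this page, so the exact element nesting is not verifiable here.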
@@ -53,9 +58,16 @@ public class LogsIngesterTest {
 private ReportableEntityHandlerFactory mockFactory;
 private ReportableEntityHandler mockPointHandler;
 private ReportableEntityHandler mockHistogramHandler;
- private AtomicLong now = new AtomicLong((System.currentTimeMillis() / 60000) * 60000);
- private AtomicLong nanos = new AtomicLong(System.nanoTime());
- private ObjectMapper objectMapper = new ObjectMapper(new YAMLFactory());
+ private AtomicLong now;
+ private AtomicLong nanos;
+ private ObjectMapper objectMapper;
+
+ public LogsIngesterTest() {
+ this.now = new AtomicLong((System.currentTimeMillis() / 60000) * 60000);
+ this.nanos = new AtomicLong(System.nanoTime());
+ YAMLFactoryBuilder factory = new YAMLFactoryBuilder(new YAMLFactory());
+ this.objectMapper = new ObjectMapper(factory.loaderOptions(new LoaderOptions()).build());
+ }
 private LogsIngestionConfig parseConfigFile(String configPath) throws IOException {
 File configFile =
@@ -696,4 +708,4 @@ public void testWavefrontHistogramMultipleCentroids() throws Exception {
 public void testBadName() throws Exception {
 setup(parseConfigFile("badName.yml"));
 }
-}
+}
\ No newline at end of file
From da20d9c97dffb2389c5644d948eb8e91849afd37 Mon Sep 17 00:00:00 2001
From: Alexander Jackson
Date: Tue, 4 Apr 2023 13:17:57 -0600
Subject: [PATCH 2/3] MONIT-34093 - Upgrade to snakeyaml 2.0 for CVE-2022-1471
- explicitly add dependency on snakeyaml since we import it directly in the code
- update test to use explict loadOptions on the YamlFactory for the objectmapper
- code cleanup in LogsIngesterTest
---
 .../wavefront/agent/logsharvesting/LogsIngesterTest.java | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java b/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
index 7c139f697..2e9359273 100644
--- a/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
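Review bot: The `new LoaderOptions()` handed to the builder in the new constructor carries only SnakeYAML's defaults, so as far as I can tell the parser behaves exactly as `new ObjectMapper(new YAMLFactory())` did before; the CVE-2022-1471 mitigation comes from the 2.0 artifact on the classpath, not from this line, and the commit message's "explicit loadOptions" wording suggests more than the code does. If the intent is to make parsing limits explicit for the test fixtures, set them on the options object (`LoaderOptions` exposes e.g. `setCodePointLimit`, `setMaxAliasesForCollections` and `setNestingDepthLimit`) and add a short comment saying which limit matters and why; otherwise the original one-liner is simpler and equivalent. The `new YAMLFactoryBuilder(new YAMLFactory())` wrapping can also be replaced by the factory's own builder, `this.objectMapper = new ObjectMapper(YAMLFactory.builder().loaderOptions(new LoaderOptions()).build());`. The class body continues outside the hunk.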
+++ b/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
@@ -5,7 +5,6 @@
 import static org.hamcrest.Matchers.*;
 import static org.hamcrest.Matchers.contains;
-import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import com.google.common.collect.ImmutableList;
@@ -58,9 +57,9 @@ public class LogsIngesterTest {
 private ReportableEntityHandlerFactory mockFactory;
 private ReportableEntityHandler mockPointHandler;
 private ReportableEntityHandler mockHistogramHandler;
- private AtomicLong now;
- private AtomicLong nanos;
- private ObjectMapper objectMapper;
+ private final AtomicLong now;
+ private final AtomicLong nanos;
+ private final ObjectMapper objectMapper;
 public LogsIngesterTest() {
 this.now = new AtomicLong((System.currentTimeMillis() / 60000) * 60000);
From 70faa80331a4e18a17d3110feb3fb296d47f390d Mon Sep 17 00:00:00 2001
From: Alexander Jackson
Date: Tue, 4 Apr 2023 13:30:07 -0600
Subject: [PATCH 3/3] MONIT-34093 - Upgrade to snakeyaml 2.0 for CVE-2022-1471
- explicitly add dependency on snakeyaml since we import it directly in the code
- update test to use explict loadOptions on the YamlFactory for the objectmapper
- code cleanup in LogsIngesterTest
---
 .../logsharvesting/LogsIngesterTest.java | 26 ++++++++++++-------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java b/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
index 2e9359273..1f17a8bc1 100644
--- a/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
+++ b/proxy/src/test/java/com/wavefront/agent/logsharvesting/LogsIngesterTest.java
@@ -1,18 +1,27 @@
 package com.wavefront.agent.logsharvesting;
-import static org.easymock.EasyMock.*;
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.expectLastCall;
+import static org.easymock.EasyMock.replay;
+import static org.easymock.EasyMock.reset;
+import static org.easymock.EasyMock.verify;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
 import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.emptyIterable;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.lessThan;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactoryBuilder;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
-
-import com.fasterxml.jackson.dataformat.yaml.YAMLFactoryBuilder;
 import com.wavefront.agent.PointMatchers;
 import com.wavefront.agent.auth.TokenAuthenticatorBuilder;
 import com.wavefront.agent.channel.NoopHealthCheckManager;
@@ -44,12 +53,14 @@
 import org.junit.Test;
 import org.logstash.beats.Message;
 import org.yaml.snakeyaml.LoaderOptions;
-
 import wavefront.report.Histogram;
 import wavefront.report.ReportPoint;
 /** @author Mori Bellamy (mori@wavefront.com) */
 public class LogsIngesterTest {
+ private final AtomicLong now;
+ private final AtomicLong nanos;
+ private final ObjectMapper objectMapper;
 private LogsIngestionConfig logsIngestionConfig;
 private LogsIngester logsIngesterUnderTest;
 private FilebeatIngester filebeatIngesterUnderTest;
@@ -57,9 +68,6 @@ public class LogsIngesterTest {
 private ReportableEntityHandlerFactory mockFactory;
 private ReportableEntityHandler mockPointHandler;
 private ReportableEntityHandler mockHistogramHandler;
- private final AtomicLong now;
- private final AtomicLong nanos;
- private final ObjectMapper objectMapper;
 public LogsIngesterTest() {
 this.now = new AtomicLong((System.currentTimeMillis() / 60000) * 60000);
@@ -707,4 +715,4 @@ public void testWavefrontHistogramMultipleCentroids() throws Exception {
 public void testBadName() throws Exception {
 setup(parseConfigFile("badName.yml"));
 }
-}
\ No newline at end of file
+}