import prometheus-jmx-exporter-0.12.0-10.el8

c8 imports/c8/prometheus-jmx-exporter-0.12.0-10.el8
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
commit b5bb13bb27

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/parent-0.12.0.tar.gz

@ -0,0 +1 @@
61ed0c2188d91bec8dc17b515087193bf9f42044 SOURCES/parent-0.12.0.tar.gz

@ -0,0 +1,123 @@
From 8cbe3bee31e605d535783431bfb74c3e2867ee37 Mon Sep 17 00:00:00 2001
From: Severin Gehwolf <sgehwolf@redhat.com>
Date: Wed, 15 Apr 2020 17:41:17 +0200
Subject: [PATCH] Fix CVE-2017-18640 and add a test
---
collector/pom.xml | 2 +-
.../java/io/prometheus/jmx/JmxCollector.java | 12 ++++++++-
.../io/prometheus/jmx/JmxCollectorTest.java | 26 ++++++++++++++++---
collector/src/test/resources/testyaml.config | 9 +++++++
4 files changed, 44 insertions(+), 5 deletions(-)
create mode 100644 collector/src/test/resources/testyaml.config
diff --git a/collector/pom.xml b/collector/pom.xml
index 8e90d58..b58d94a 100644
--- a/collector/pom.xml
+++ b/collector/pom.xml
@@ -29,7 +29,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
- <version>1.16</version>
+ <version>1.26</version>
</dependency>
</dependencies>
diff --git a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java
index f06d3ef..a5fc96f 100644
--- a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java
+++ b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java
@@ -3,6 +3,7 @@ package io.prometheus.jmx;
import io.prometheus.client.Collector;
import io.prometheus.client.Counter;
import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.error.YAMLException;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
@@ -71,7 +72,16 @@ public class JmxCollector extends Collector implements Collector.Describable {
public JmxCollector(File in) throws IOException, MalformedObjectNameException {
configFile = in;
- config = loadConfig((Map<String, Object>)new Yaml().load(new FileReader(in)));
+ // Be defensive about loading yaml from a user. In some cases YAMLException
+ // will be thrown for bad configs
+ Map<String, Object> yamlConfig = null;
+ try {
+ yamlConfig = (Map<String, Object>)new Yaml().load(new FileReader(in));
+ } catch (YAMLException e) {
+ System.err.println("YAML configuration error: " + e.getMessage());
+ throw new IllegalArgumentException(e);
+ }
+ config = loadConfig(yamlConfig);
config.lastUpdate = configFile.lastModified();
}
diff --git a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java
index dc35734..3d4ecf0 100644
--- a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java
+++ b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java
@@ -3,15 +3,21 @@ package io.prometheus.jmx;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-import io.prometheus.client.Collector;
-import io.prometheus.client.CollectorRegistry;
+import java.io.File;
import java.lang.management.ManagementFactory;
+
import javax.management.MBeanServer;
-import org.junit.Test;
+
import org.junit.Before;
import org.junit.BeforeClass;
+import org.junit.Test;
+import org.yaml.snakeyaml.error.YAMLException;
+
+import io.prometheus.client.Collector;
+import io.prometheus.client.CollectorRegistry;
public class JmxCollectorTest {
@@ -252,4 +258,18 @@ public class JmxCollectorTest {
Thread.sleep(2000);
assertEquals(1.0, registry.getSampleValue("boolean_Test_True", new String[]{}, new String[]{}), .001);
}
+
+ @Test
+ public void testBillionLaughs() throws Exception {
+ File configFile = new File(getClass().getResource("/testyaml.config").getPath());
+ assertTrue(configFile.exists());
+ try {
+ JmxCollector jc = new JmxCollector(configFile);
+ fail("Excected yaml exception due to billion laughs");
+ } catch (IllegalArgumentException e) {
+ Throwable ex = e.getCause();
+ String prefix = YAMLException.class.getName() + ": ";
+ assertEquals(prefix + "Number of aliases for non-scalar nodes exceeds the specified max=50", e.getMessage());
+ }
+ }
}
diff --git a/collector/src/test/resources/testyaml.config b/collector/src/test/resources/testyaml.config
new file mode 100644
index 0000000..4a3ed69
--- /dev/null
+++ b/collector/src/test/resources/testyaml.config
@@ -0,0 +1,9 @@
+a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
+b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
+c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
+d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
+e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
+f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
+g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
+h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
+i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
\ No newline at end of file
--
2.21.1

@ -0,0 +1,219 @@
From fa99814967c44e654aae64802947209e2817359f Mon Sep 17 00:00:00 2001
From: Severin Gehwolf <sgehwolf@redhat.com>
Date: Tue, 6 Dec 2022 17:32:30 +0100
Subject: [PATCH] Fix CVE-2022-1471 and add a test
---
.../java/io/prometheus/jmx/JmxCollector.java | 34 +++++++++----
.../io/prometheus/jmx/JmxCollectorTest.java | 51 +++++++++++++++++++
.../test/java/io/prometheus/jmx/Person.java | 38 ++++++++++++++
.../test/resources/testyaml_javabean.config | 6 +++
4 files changed, 119 insertions(+), 10 deletions(-)
create mode 100644 collector/src/test/java/io/prometheus/jmx/Person.java
create mode 100644 collector/src/test/resources/testyaml_javabean.config
diff --git a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java
index a5fc96f..38f13ed 100644
--- a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java
+++ b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java
@@ -1,12 +1,7 @@
package io.prometheus.jmx;
-import io.prometheus.client.Collector;
-import io.prometheus.client.Counter;
-import org.yaml.snakeyaml.Yaml;
-import org.yaml.snakeyaml.error.YAMLException;
+import static java.lang.String.format;
-import javax.management.MalformedObjectNameException;
-import javax.management.ObjectName;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
@@ -25,7 +20,19 @@ import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
-import static java.lang.String.format;
+import javax.management.MalformedObjectNameException;
+import javax.management.ObjectName;
+
+import org.yaml.snakeyaml.DumperOptions;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
+import org.yaml.snakeyaml.error.YAMLException;
+import org.yaml.snakeyaml.representer.Representer;
+import org.yaml.snakeyaml.resolver.Resolver;
+
+import io.prometheus.client.Collector;
+import io.prometheus.client.Counter;
public class JmxCollector extends Collector implements Collector.Describable {
static final Counter configReloadSuccess = Counter.build()
@@ -76,7 +83,7 @@ public class JmxCollector extends Collector implements Collector.Describable {
// will be thrown for bad configs
Map<String, Object> yamlConfig = null;
try {
- yamlConfig = (Map<String, Object>)new Yaml().load(new FileReader(in));
+ yamlConfig = (Map<String, Object>)createYamlInstance().load(new FileReader(in));
} catch (YAMLException e) {
System.err.println("YAML configuration error: " + e.getMessage());
throw new IllegalArgumentException(e);
@@ -86,7 +93,14 @@ public class JmxCollector extends Collector implements Collector.Describable {
}
public JmxCollector(String yamlConfig) throws MalformedObjectNameException {
- config = loadConfig((Map<String, Object>)new Yaml().load(yamlConfig));
+ config = loadConfig((Map<String, Object>)createYamlInstance().load(yamlConfig));
+ }
+
+ private static Yaml createYamlInstance() {
+ // Equivalent to default Yaml() constructor but using SafeConstructor()
+ // over Constructor();
+ return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), new LoaderOptions(),
+ new Resolver());
}
private void reloadConfig() {
@@ -94,7 +108,7 @@ public class JmxCollector extends Collector implements Collector.Describable {
FileReader fr = new FileReader(configFile);
try {
- Map<String, Object> newYamlConfig = (Map<String, Object>)new Yaml().load(fr);
+ Map<String, Object> newYamlConfig = (Map<String, Object>)createYamlInstance().load(fr);
config = loadConfig(newYamlConfig);
config.lastUpdate = configFile.lastModified();
configReloadSuccess.inc();
diff --git a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java
index 3d4ecf0..f499fb3 100644
--- a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java
+++ b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java
@@ -8,12 +8,15 @@ import static org.junit.Assert.fail;
import java.io.File;
import java.lang.management.ManagementFactory;
+import java.nio.file.Files;
+import java.util.stream.Collectors;
import javax.management.MBeanServer;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
+import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.error.YAMLException;
import io.prometheus.client.Collector;
@@ -272,4 +275,52 @@ public class JmxCollectorTest {
assertEquals(prefix + "Number of aliases for non-scalar nodes exceeds the specified max=50", e.getMessage());
}
}
+
+ @Test
+ public void javaBeanLoadTestFile() throws Exception {
+ try {
+ File configFile = new File(getClass().getResource("/testyaml_javabean.config").getPath());
+ doJavaBeanLoadTest(configFile, false);
+ } finally {
+ Person.fixtureReset();
+ }
+ }
+
+ @Test
+ public void javaBeanLoadTestString() throws Exception {
+ try {
+ File configFile = new File(getClass().getResource("/testyaml_javabean.config").getPath());
+ doJavaBeanLoadTest(configFile, true);
+ } finally {
+ Person.fixtureReset();
+ }
+ }
+
+ private void doJavaBeanLoadTest(File configFile, boolean passAsString) throws Exception {
+ assertTrue(configFile.exists());
+ assertEquals(0, Person.loadCount.get());
+ try {
+ if (passAsString) {
+ String config = Files.readAllLines(configFile.toPath()).stream().collect(Collectors.joining("\n"));
+ new JmxCollector(config);
+ } else {
+ new JmxCollector(configFile);
+ }
+ assertEquals("Expected Person class to not be instantiated", 0, Person.loadCount.get());
+ } catch (ConstructorException e) {
+ String problem = e.getProblem();
+ assertTrue(problem.contains(Person.class.getName()));
+ assertTrue(problem.contains("could not determine a constructor"));
+ } catch (IllegalArgumentException e) {
+ Throwable cause = e.getCause();
+ if (cause instanceof ConstructorException) {
+ ConstructorException ce = (ConstructorException) cause;
+ String problem = ce.getProblem();
+ assertTrue(problem.contains(Person.class.getName()));
+ assertTrue(problem.contains("could not determine a constructor"));
+ } else {
+ fail("Expected ConstructorException as cause!");
+ }
+ }
+ }
}
diff --git a/collector/src/test/java/io/prometheus/jmx/Person.java b/collector/src/test/java/io/prometheus/jmx/Person.java
new file mode 100644
index 0000000..e3b339a
--- /dev/null
+++ b/collector/src/test/java/io/prometheus/jmx/Person.java
@@ -0,0 +1,38 @@
+package io.prometheus.jmx;
+
+import java.util.concurrent.atomic.AtomicInteger;
+
+/**
+ * Simple java bean (used by yaml load test)
+ *
+ */
+public class Person {
+
+ public static final AtomicInteger loadCount = new AtomicInteger(0);
+
+ private String firstName;
+ private String lastName;
+
+ public String getFirstName() {
+ return firstName;
+ }
+
+ public void setFirstName(String firstName) {
+ loadCount.incrementAndGet();
+ this.firstName = firstName;
+ }
+
+ public String getLastName() {
+ return lastName;
+ }
+
+ public void setLastName(String lastName) {
+ loadCount.incrementAndGet();
+ this.lastName = lastName;
+ }
+
+ public static void fixtureReset() {
+ loadCount.set(0);
+ }
+
+}
diff --git a/collector/src/test/resources/testyaml_javabean.config b/collector/src/test/resources/testyaml_javabean.config
new file mode 100644
index 0000000..6552d83
--- /dev/null
+++ b/collector/src/test/resources/testyaml_javabean.config
@@ -0,0 +1,6 @@
+lowercaseOutputName: true
+lowercaseOutputLabelNames: true
+blacklistObjectNames:
+# handled by agent's default exporter
+- "java.lang:*"
+other: !!io.prometheus.jmx.Person { firstName: Andrey, lastName: Tool }
--
2.38.1

@ -0,0 +1,28 @@
diff --git a/jmx_prometheus_javaagent/pom.xml b/jmx_prometheus_javaagent/pom.xml
index 5a14679..fb47a94 100644
--- a/jmx_prometheus_javaagent/pom.xml
+++ b/jmx_prometheus_javaagent/pom.xml
@@ -62,9 +62,11 @@
<include>javax.servlet.**</include>
<include>org.eclipse.**</include>
<include>org.yaml.**</include>
+ <include>biz.source_code.**</include>
+ <include>org.apache.**</include>
</includes>
<excludes>
- <exclude>io.prometheus.jmx.shaded.**</exclude>
+ <exclude>io.prometheus.jmx.**</exclude>
</excludes>
</relocation>
</relocations>
@@ -81,8 +83,8 @@
<transformers>
<transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
<manifestEntries>
- <Premain-Class>io.prometheus.jmx.shaded.io.prometheus.jmx.JavaAgent</Premain-Class>
- <Agent-Class>io.prometheus.jmx.shaded.io.prometheus.jmx.JavaAgent</Agent-Class>
+ <Premain-Class>io.prometheus.jmx.JavaAgent</Premain-Class>
+ <Agent-Class>io.prometheus.jmx.JavaAgent</Agent-Class>
<Implementation-Version>${project.version}</Implementation-Version>
<Implementation-Title>${project.artifactId}</Implementation-Title>
</manifestEntries>

@ -0,0 +1,155 @@
%global version_id parent
%global upstream_name jmx_exporter
%global simple_client_version 0.6.0
# Filter requires for the Java Agent as deps are shaded within.
%global jmx_or_client io\\.prometheus\\.jmx:.*|io\\.prometheus:simpleclient.*|org\\.yaml:snakeyaml.*
%global mvn_requires_filter .*mvn\\(%{jmx_or_client}\\)
%global java_headless_filter \\(?.*java-headless.*\\)?
%global __requires_exclude ^%{java_headless_filter}|%{mvn_requires_filter}$
Name: prometheus-jmx-exporter
Version: 0.12.0
Release: 10%{?dist}
Summary: Prometheus JMX Exporter
License: ASL 2.0
URL: https://github.com/prometheus/jmx_exporter/
Source0: https://github.com/prometheus/jmx_exporter/archive/%{version_id}-%{version}.tar.gz
Patch1: properly_rewrite_namespace.patch
Patch2: 0001-Fix-CVE-2017-18640-and-add-a-test.patch
Patch3: 0001-Fix-CVE-2022-1471-and-add-a-test.patch
BuildArch: noarch
Requires: %{name}-jdk-binding
Suggests: %{name}-openjdk11 = %{version}-%{release}
BuildRequires: maven-local
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-assembly-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-shade-plugin)
BuildRequires: mvn(org.yaml:snakeyaml)
BuildRequires: mvn(io.prometheus:simpleclient)
BuildRequires: mvn(io.prometheus:simpleclient_hotspot)
BuildRequires: mvn(io.prometheus:simpleclient_common)
BuildRequires: mvn(io.prometheus:simpleclient_httpserver)
Provides: bundled(io.prometheus.jmx:collector) = %{version}
Provides: bundled(io.prometheus:simpleclient) = %{simple_client_version}
Provides: bundled(org.yaml:snakeyaml) = 1.32
Provides: bundled(biz.source_code:base64coder) = 2010.12.19
Provides: bundled(commons-codec:commons-codec) = 1.11
Provides: bundled(io.prometheus:simpleclient_hotspot) = %{simple_client_version}
Provides: bundled(io.prometheus:simpleclient_httpserver) = %{simple_client_version}
Provides: bundled(io.prometheus:simpleclient_common) = %{simple_client_version}
%description
JMX to Prometheus exporter: a collector that can be configured to scrape
and expose MBeans of a JMX target. This exporter is intended to be run as
a Java Agent, exposing a HTTP server and serving metrics of the local JVM.
%package openjdk8
Summary: OpenJDK 1.8.0 binding for %{name}
Provides: %{name}-jdk-binding = %{version}-%{release}
Conflicts: %{name}-jdk-binding
Requires: %{name} = %{version}-%{release}
Requires: java-1.8.0-headless
%description openjdk8
OpenJDK 1.8.0 binding package for %{name}
%package openjdk11
Summary: OpenJDK 11 binding for %{name}
Provides: %{name}-jdk-binding = %{version}-%{release}
Conflicts: %{name}-jdk-binding
Requires: %{name} = %{version}-%{release}
Requires: java-11-headless
%description openjdk11
OpenJDK 11 binding package for %{name}
%package openjdk17
Summary: OpenJDK 17 binding for %{name}
Provides: %{name}-jdk-binding = %{version}-%{release}
Conflicts: %{name}-jdk-binding
Requires: %{name} = %{version}-%{release}
Requires: java-17-headless
%description openjdk17
OpenJDK 17 binding package for %{name}
%prep
%setup -q -n %{upstream_name}-%{version_id}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%pom_remove_plugin org.vafer:jdeb jmx_prometheus_httpserver
%pom_remove_plugin org.apache.maven.plugins:maven-failsafe-plugin jmx_prometheus_javaagent
%pom_remove_plugin org.codehaus.mojo:build-helper-maven-plugin jmx_prometheus_javaagent
# Don't install artefacts from the reactor but the java agent itself. This is because
# the agent needs deps from the reactor but shades them.
%mvn_package "io.prometheus.jmx:jmx_prometheus_httpserver" __noinstall
%mvn_package "io.prometheus.jmx:parent" __noinstall
# Don't depend on obsolete sonatype-oss-parent
# See: https://github.com/prometheus/jmx_exporter/issues/420
%pom_xpath_remove pom:project/pom:parent
%build
# ignore spurious test errors with: -Dmaven.test.failure.ignore=true
%mvn_build -j
%install
%mvn_install
%files -f .mfiles
%license LICENSE
%doc NOTICE
%files openjdk8
# empty files for the binding package
%files openjdk11
# empty files for the binding package
%files openjdk17
# empty files for the binding package
%changelog
* Wed Dec 07 2022 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-10
- Bump release.
* Wed Dec 07 2022 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-9
- Fix CVE-2022-1471 by using SafeConstructor.
* Mon Sep 26 2022 Jonathan Dowland <jdowland@redhat.com> - 0.12.0-8
- Bump snakeyaml version to 1.32 to collect fix for CVE-2022-25857
(BZ 2126789)
* Tue Aug 31 2021 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-7
- Add JDK binding sub-packages so that the package
can be used with either JDK 11 or JDK 17.
- Add requirement on base package for the JDK binding packages.
* Mon Apr 20 2020 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-6
- Fix CVE-2017-18640 by using updated snakeyaml.
* Wed Oct 09 2019 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-5
- rebuilt
* Wed Oct 09 2019 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-4
- rebuilt
* Wed Oct 09 2019 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-3
- Advertise correct bundled snakeyaml version (1.25)
* Tue Sep 03 2019 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-2
- Add patch to properly name-space included dependencies
* Mon Aug 12 2019 Severin Gehwolf <sgehwolf@redhat.com> - 0.12.0-1
- Initial package.
Loading…
Cancel
Save