From 7d81cd425aac52537200f3e848ec379f304163e9 Mon Sep 17 00:00:00 2001 From: James Greenhill Date: Thu, 23 Apr 2026 11:03:31 -0700 Subject: [PATCH] security: fix SnakeYAML deserialization vulnerability in JDBC tests Wiz identified a vulnerability where SnakeYAML was used without SafeConstructor, potentially allowing arbitrary class instantiation during YAML deserialization. This change: 1. Explicitly uses SafeConstructor with LoaderOptions in both JdbcCompatTest implementations. 2. Updates .gitignore to exclude dashboard UI build artifacts discovered during implementation. Fixes: SnakeYAML deserialization vulnerability reported by Wiz. --- .gitignore | 4 ++++ .../src/main/java/com/duckgres/compat/JdbcCompatTest.java | 4 +++- .../jdbc/src/main/java/com/posthog/compat/JdbcCompatTest.java | 4 +++- 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 405b771a..afda11e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,10 @@ certs/
 *.swp
 *.swo
 
+# Dashboard UI
+dashboard/ui/node_modules/
+dashboard/ui/.svelte-kit/
+
 # OS
 .DS_Store
 Thumbs.db
diff --git a/scripts/client-compat/clients/jdbc/src/main/java/com/duckgres/compat/JdbcCompatTest.java b/scripts/client-compat/clients/jdbc/src/main/java/com/duckgres/compat/JdbcCompatTest.java
index 893d2649..23f37295 100644
--- a/scripts/client-compat/clients/jdbc/src/main/java/com/duckgres/compat/JdbcCompatTest.java
+++ b/scripts/client-compat/clients/jdbc/src/main/java/com/duckgres/compat/JdbcCompatTest.java
@@ -15,7 +15,9 @@
 import java.sql.*;
 import java.util.*;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 public class JdbcCompatTest {
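Review bot: The three ignore entries and the added blank line are unrelated to the SnakeYAML fix that the subject and the Wiz finding describe, so they make this security change harder to cherry-pick onto release branches and harder to audit afterwards. The description already lists them as a separate item 2; I would move them into their own commit and leave this patch as a pure deserialization fix covering the two JdbcCompatTest files.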
@@ -112,7 +114,7 @@ private static void waitForDuckgres() throws Exception {
 @SuppressWarnings("unchecked")
 private static List> loadQueries(String path) throws Exception {
 String content = Files.readString(Path.of(path));
- Yaml yaml = new Yaml();
+ Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
 return yaml.load(content);
 }
diff --git a/scripts/client-compat/clients/jdbc/src/main/java/com/posthog/compat/JdbcCompatTest.java b/scripts/client-compat/clients/jdbc/src/main/java/com/posthog/compat/JdbcCompatTest.java
index 20de4c10..303b6aa8 100644
--- a/scripts/client-compat/clients/jdbc/src/main/java/com/posthog/compat/JdbcCompatTest.java
+++ b/scripts/client-compat/clients/jdbc/src/main/java/com/posthog/compat/JdbcCompatTest.java
@@ -1,6 +1,8 @@
 package com.posthog.compat;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 import java.io.IOException;
 import java.io.InputStream;
@@ -345,7 +347,7 @@ private void runRepeatedScalarQuery(String sql, String testName, int iterations)
 }
 private static List> loadQueries(String path) throws IOException {
- Yaml yaml = new Yaml();
+ Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
 try (InputStream in = Files.newInputStream(Path.of(path))) {
 Object loaded = yaml.load(in);
 if (!(loaded instanceof List list)) {
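Review bot: The duckgres `loadQueries` still hands `yaml.load(content)` straight back through the method's unchecked cast, so a fixture that parses to a mapping, a scalar or an empty document (`null`) only blows up later at the call site with a ClassCastException or NullPointerException, while the posthog hunk in this same commit validates `loaded instanceof List` before casting. SafeConstructor restricts which types a document may produce, not the document's shape, so I would mirror the posthog check here and fail with a message that names the file. The declared element type is garbled on this page (`List>`); the cast target in the sketch below assumes `List<Map<String, Object>>` and should follow the method's actual return type, and pattern matching on `instanceof` is already used by the posthog variant in the same source tree so it is available here.
```java
Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
Object loaded = yaml.load(content);
if (!(loaded instanceof List<?> list)) {
    throw new IllegalStateException("expected a YAML sequence of queries in " + path
        + " but got " + (loaded == null ? "null" : loaded.getClass().getName()));
}
return (List<Map<String, Object>>) list; // unchecked cast, covered by the method's @SuppressWarnings
```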
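Review bot: `new LoaderOptions()` is passed at its defaults both here and in the duckgres `loadQueries` hunk above, so SafeConstructor's type restriction is the only hardening applied and the parser-side limits that object carries (`setAllowDuplicateKeys`, `setMaxAliasesForCollections`, `setNestingDepthLimit`, and `setCodePointLimit` on versions that have it) stay at whatever the SnakeYAML version in use defaults to. For fixtures checked into the repository that is a reasonable choice, but it is worth saying so next to the constructor so the next reader does not assume the options were tuned, e.g. `// defaults suffice: fixture files are repo-controlled; SafeConstructor is what blocks arbitrary class instantiation`. Separately, the context line `if (!(loaded instanceof List list))` binds a raw type; `instanceof List<?> list` expresses the same test without the raw-type warning. The remainder of loadQueries, including whatever per-element handling follows this check, lies outside the hunk.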