This repository was archived by the owner on May 30, 2024. It is now read-only.

Commit 1d48c9c

Authored by LaunchDarklyReleaseBot, LaunchDarklyCI, eli-darkly, gwhelanLD, ssrm
prepare 5.10.5 release (#290)
* update CI and Gradle to test with newer JDKs (#259)
* update okhttp to 3.14.9 (fixes incompatibility with OpenJDK 8.0.252)
* prepare 4.14.2 release (#205)
* Releasing version 4.14.2
* update okhttp to 4.8.1 (fixes incompatibility with OpenJDK 8.0.252)
* gitignore
* Bump SnakeYAML from 1.19 to 1.26 to address CVE-2017-18640
* prepare 4.14.3 release (#209)
* Releasing version 4.14.3
* comments
* only log initialization message once in polling mode
* [ch89935] Correct some logging call format strings (#264) Also adds debug logs for full exception information in a couple locations.
* [ch90109] Remove outdated trackMetric comment from before service support. (#265)
* Fix compatibility with Java 7.
* Remove import that is no longer used.
* add Java 7 build (#267)
* prepare 4.14.4 release (#214)
* Releasing version 4.14.4
* add and use getSocketFactory
* alignment
* add socketFactory to builder
* test socket factory builder
* preserve dummy CI config file when pushing to gh-pages (#271)
* fix concatenation when base URI has a context path (#270)
* fix shaded jar builds to exclude Jackson classes and not modify Jackson return types (#268)
* add test httpClientCanUseCustomSocketFactory for DefaultFeatureRequestor
* add httpClientCanUseCustomSocketFactory() test for DefaultEventSenderTest
* add httpClientCanUseCustomSocketFactory() test to StreamProcessorTest
* pass URI to in customSocketFactory event test
* make test less ambiguous
* copy rules to new FlagBuilder instances (#273)
* Bump guava version (#274)
* Removed the guides link
* increment versions when loading file data, so FlagTracker will work (#275)
* increment versions when loading file data, so FlagTracker will work
* update doc comment about flag change events with file data
* add ability to ignore duplicate keys in file data (#276)
* add alias events (#278)
* add alias events and function
* update tests for new functionality
* update javadoc strings
* add validation of javadoc build to CI
* update commons-codec to 1.15 (#279)
* Add support for experiment rollouts
* add tests and use seed for allocating user to partition
* test serialization and add check for isExperiment
* fix PollingProcessorTest test race condition + other test issues (#282)
* use launchdarkly-java-sdk-common 1.1.0-alpha-expalloc.2
* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java Co-authored-by: Sam Stokes <[email protected]>
* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java Co-authored-by: Sam Stokes <[email protected]>
* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java Co-authored-by: Sam Stokes <[email protected]>
* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java Co-authored-by: Sam Stokes <[email protected]>
* changes per code review comments
* Please enter the commit message for your changes. Lines starting
* fix null pointer exception
* address code review comments
* address more comments
* missed a ! for isUntracked()
* fix default boolean for json
* make untracked FALSE by default
* refactoring of bucketing logic to remove the need for an extra result object (#283)
* add comment to enum
* various JSON fixes, update common-sdk (#284)
* simplify the logic and make it match node/.Net sdks
* Update src/main/java/com/launchdarkly/sdk/server/EventFactory.java Co-authored-by: Sam Stokes <[email protected]>
* add the same comment as the Node SDK
* Remove outdated/meaningless doc comment. (#286)
* protect against NPEs if flag/segment JSON contains a null value
* use java-sdk-common 1.2.0
* fix Jackson-related build issues (again) (#288)
* update to okhttp-eventsource patch for stream retry bug, improve tests (#289)
* update to okhttp-eventsource patch for stream retry bug, improve test
* add test for appropriate stream retry
* add public builder for FeatureFlagsState (#290)
* add public builder for FeatureFlagsState
* javadoc fixes
* clarify FileData doc comment to say you shouldn't use offline mode (#291)
* improve validation of SDK key so we won't throw an exception that contains the key (#293)
* fix javadoc link in FileData comment (#294)
* fix PollingProcessor 401 behavior and use new HTTP test helpers (#292)
* re-fix metadata to remove Jackson dependencies, also remove Class-Path from manifest (#295)
* make FeatureFlagsState.Builder.build() public (#297)
* clean up tests using java-test-helpers 1.1.0 (#296)
* use Releaser v2 config + newer CI images (#298)
* [ch123129] Fix `PollingDataSourceBuilder` example. (#299)
* Updates docs URLs
* always use US locale when parsing HTTP dates
* use Gson 2.8.9
* don't try to send more diagnostic events after an unrecoverable HTTP error
* ensure module-info file isn't copied into our jars during build
* use Gradle 7
* update build for benchmarks
* more Gradle 7 compatibility changes for benchmark job
* test with Java 17 in CI (#307)
* test with Java 17 in CI
* also test in Java 17 for Windows
* fix choco install command
* do date comparisons as absolute times, regardless of time zone (#310)
* fix suppression of nulls in JSON representations (#311)
* fix suppression of nulls in JSON representations
* distinguish between situations where we do or do not want to suppress nulls
* fix identify/track null user key check, also don't create index event for alias
* use latest java-sdk-common
* fix setting of trackEvents/trackReason in allFlagsState data when there's an experiment
* implement contract tests (#314)
* Merge Big Segments feature branch for 5.7.0 release (#316) Includes Big Segments implementation and contract test support for the new behavior.
* Fix for pom including SDK common library as a dependency. (#317)
* use new logging API
* update readme notes about logging
* set base logger name for SDK per test
* comment
* javadoc fixes
* revert accidental commit
* Upload JUnit XML to CircleCI on failure (#320) Fix a bug in the CircleCI config that was only uploading JUnit XML on _success_, not failure.
* Add application tag support (#319)
* Enforce 64 character limit on application tag values (#323)
* fix "wrong type" logic in evaluations when default value is null
* Rename master to main in .ldrelease/config.yml (#325)
* Simpler way of setting base URIs in Java (#322) Now supports the `ServiceEndpoints` config for setting custom URIs for endpoints in a single place
* update logging info in readme
* use 1.0.0 release of logging package
* misc cleanup
* remove unnecessary extra interfaces, just use default methods instead
* make BigSegmentStoreWrapper.pollingDetectsStaleStatus test less timing-sensitive
* make LDEndToEndClientTest.test____SpecialHttpConfigurations less timing-sensitive
* make data source status tests less timing-sensitive
* use streaming JSON parsing for incoming LD data
* fix tests
* rm unused
* rm unused
* use okhttp-eventsource 2.6.0
* update eventsource to 2.6.1 to fix pom/manifest problem
* increase efficiency of summary event data structures (#335)
* make reusable EvaluationDetail instances as part of flag preprocessing (#336)
* make evaluator result object immutable and reuse instances
* comment
* avoid creating List iterators during evaluations
* remove unnecessary copy
* fix allFlagsState to not generate prereq eval events
* add "...ForAll" TestData methods to replace "...ForAllUsers"
* bump okhttp & okhttp-eventsource dependencies
* update comment to clarify that level() doesn't apply to SLF4J
* update readme to mention different logging examples in hello-java
* switch to use snapshot build of java-logging, pending next release
* level setting does not apply to SLF4J and JUL
* use java-logging 1.1.0 release
* make sure META-INF files are never mistaken for classes and relocated
* update shared data store test logic to pass ClientContext with logger
* enable external javadoc links for com.launchdarkly.logging types
* use variable for dependency version
* fix flaky big segment status polling tests
* Update Windows orb, fix Windows JDK install in CI (#372)
* update snakeyaml for CVE-2022-25857
* latest snakeyaml is 1.31
* bump snakeyaml version for CVE-2022-38752
* disable Windows Java 11 build
* fix packaging of com.launchdarkly.logging classes
* rm debugging
* reconsidered - let's include the logging classes in the jars
* fix packaging test logic
* correct documentation
* use synchronous EventSource (5.x backport)
* backport YAML CVE fix from 6.x

Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: Eli Bishop <[email protected]>
Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: Gavin Whelan <[email protected]>
Co-authored-by: ssrm <[email protected]>
Co-authored-by: Harpo Roeder <[email protected]>
Co-authored-by: Ben Woskow <[email protected]>
Co-authored-by: Elliot <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Sam Stokes <[email protected]>
Co-authored-by: LaunchDarklyReleaseBot <[email protected]>
Co-authored-by: Ember Stevens <[email protected]>
Co-authored-by: ember-stevens <[email protected]>
Co-authored-by: Alex Engelberg <[email protected]>
Co-authored-by: Alex Engelberg <[email protected]>
1 parent f1f019b commit 1d48c9c


2 files changed, +30 -1 lines changed


src/main/java/com/launchdarkly/sdk/server/integrations/FileDataSourceParsing.java

+4-1
@@ -10,7 +10,9 @@
1010
import com.launchdarkly.sdk.server.interfaces.DataStoreTypes.ItemDescriptor;
1111

1212
import org.yaml.snakeyaml.Yaml;
13+
import org.yaml.snakeyaml.constructor.SafeConstructor;
1314
import org.yaml.snakeyaml.error.YAMLException;
15+
import org.yaml.snakeyaml.representer.Representer;
1416

1517
import java.io.ByteArrayInputStream;
1618
import java.io.IOException;
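Review bot: the new `Representer` import (line 15) exists only to satisfy the two-argument `Yaml(BaseConstructor, Representer)` constructor used further down; SnakeYAML 1.x also provides the single-argument `Yaml(BaseConstructor)` overload, so `new Yaml(new SafeConstructor())` would give the same safe loading with one import fewer. Worth a note for the next dependency bump as well: SnakeYAML 2.x removes the no-argument `SafeConstructor()` and `Representer()` constructors (they take `LoaderOptions` and `DumperOptions` respectively), so these two imports mark the spot where a 2.x upgrade will fail to compile.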
@@ -149,7 +151,8 @@ public FlagFileRep parseJson(JsonElement tree) throws FileDataException, IOExcep
149151
* </ul>
150152
*/
151153
static final class YamlFlagFileParser extends FlagFileParser {
152-
private static final Yaml yaml = new Yaml();
154+
private static final Yaml yaml = new Yaml(new SafeConstructor(), new Representer());
155+
// Using SafeConstructor disables instantiation of arbitrary classes - https://github.com/launchdarkly/java-server-sdk/issues/288
153156
private static final Gson gson = new Gson();
154157
private static final JsonFlagFileParser jsonFileParser = new JsonFlagFileParser();
155158
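Review bot: the explanatory comment on line 155 comes after the declaration it explains; move it above the `yaml` field and cite CVE-2022-1471 next to the issue link, since that is the identifier the accompanying test names and the one anyone triaging a dependency-scanner finding will search for. The substance of the change is right: `SafeConstructor` restricts tag resolution to the standard YAML types, so a `!!some.Class` tag in a flag file is rejected with a `YAMLException` subclass rather than instantiating the class, and the parser's existing `YAMLException` handling (the import is already present on line 14) surfaces that as invalid data. Note that `SafeConstructor` does not change anchor/alias expansion; that is governed by `LoaderOptions.maxAliasesForCollections`, which has defaulted to 50 since the 1.26 bump recorded in the commit message.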

src/test/java/com/launchdarkly/sdk/server/integrations/FileDataSourceTest.java

+26
@@ -8,6 +8,7 @@
88
import com.launchdarkly.sdk.server.interfaces.DataSource;
99
import com.launchdarkly.sdk.server.interfaces.DataSourceStatusProvider;
1010
import com.launchdarkly.sdk.server.interfaces.DataStore;
11+
import com.launchdarkly.testhelpers.TempFile;
1112

1213
import org.junit.Test;
1314

@@ -29,6 +30,7 @@
2930
import static com.launchdarkly.sdk.server.integrations.FileDataSourceTestData.resourceFilePath;
3031
import static org.hamcrest.MatcherAssert.assertThat;
3132
import static org.hamcrest.Matchers.equalTo;
33+
import static org.hamcrest.Matchers.is;
3234
import static org.junit.Assert.assertEquals;
3335

3436
@SuppressWarnings("javadoc")
@@ -142,4 +144,28 @@ private void verifyUnsuccessfulStart(DataSource fp) {
142144
DataSourceStatusProvider.Status status = requireDataSourceStatus(statuses, DataSourceStatusProvider.State.INITIALIZING);
143145
assertEquals(DataSourceStatusProvider.ErrorKind.INVALID_DATA, status.getLastError().getKind());
144146
}
147+
148+
@Test
149+
public void instantiationOfArbitraryTypeIsNotAllowed() throws Exception {
150+
// test for https://nvd.nist.gov/vuln/detail/CVE-2022-1471 - this test fails if we use the
151+
// empty Yaml() constructor in FileDataSourceParsing
152+
String className = SimulatedMaliciousType.class.getName();
153+
Class.forName(this.getClass().getName());
154+
Class.forName(className);
155+
try (TempFile f = TempFile.create()) {
156+
f.setContents("---\nbad_thing: !!" + className + " [value]\n");
157+
try (DataSource fp = makeDataSource(FileData.dataSource().filePaths(f.getPath()))) {
158+
verifyUnsuccessfulStart(fp);
159+
assertThat(SimulatedMaliciousType.wasInstantiated, is(false));
160+
}
161+
}
162+
}
163+
164+
public static class SimulatedMaliciousType {
165+
static volatile boolean wasInstantiated = false;
166+
167+
public SimulatedMaliciousType(String value) {
168+
wasInstantiated = true;
169+
}
170+
}
145171
}
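Review bot: the two `Class.forName` calls at lines 153-154 need a comment, and the first one is a no-op: `this.getClass()` is already loaded because its test method is executing. The second presumably guarantees that `SimulatedMaliciousType` is resolvable on the classpath, so a passing run cannot be explained by a `ClassNotFoundException` instead of by `SafeConstructor` rejecting the tag; say so in a comment. Also reset `SimulatedMaliciousType.wasInstantiated = false` at the start of the test rather than relying on the static initializer, so the assertion at line 159 does not depend on test ordering if another test ever touches the type. Finally, the test's positive control is `verifyUnsuccessfulStart` asserting `INVALID_DATA`; a one-line comment that this is what distinguishes "rejected by SafeConstructor" from "never reached the constructor" would make the intent clear to the next reader.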
