From 75785d28008e2cb5c433c512a0f1d25c21c839db Mon Sep 17 00:00:00 2001 From: Adam Nichols Date: Fri, 1 Oct 2021 16:02:05 -0400 Subject: [PATCH] Use best practice YAML parsing. Add security contact to README. [BW-833] (#6510) --- CHANGELOG.md | 10 ++++++++++ README.md | 4 ++++ wom/src/main/scala/wom/util/YamlUtils.scala | 4 ++-- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7b26a210ac..e6954ea74bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,15 @@ # Cromwell Change Log +## 70 Release Notes + +### CWL security fix [#6510](https://github.com/broadinstitute/cromwell/pull/6510) + +Fixed an issue that could allow submission of an untrusted CWL file to initiate remote code execution. The vector was improper deserialization of the YAML source file. + +CWL execution is enabled by default unless a `CWL` [stanza](https://github.com/broadinstitute/cromwell/blob/develop/core/src/main/resources/reference.conf#L460-L482) is present in the configuration that specifies `enabled: false`. Cromwell instances with CWL disabled were not affected. Consequently, users who wish to mitigate the vulnerability without upgrading Cromwell may do so via this config change. + +- Thank you to [Bruno P. Kinoshita](https://github.com/kinow) who first found the issue in a different CWL project ([CVE-2021-41110](https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7g7j-f5g3-fqp7)) and [Michael R. Crusoe](https://github.com/mr-c) who suggested we investigate ours. + ## 68 Release Notes ### Virtual Private Cloud diff --git a/README.md b/README.md index 936a484889b..2f053f1a821 100644 --- a/README.md +++ b/README.md 
@@ -30,6 +30,10 @@ Users with specialized needs who wish to install and maintain their own Cromwell Cromwell [supports](https://cromwell.readthedocs.io/en/stable/LanguageSupport/) the WDL and CWL workflow languages. The Cromwell team is actively developing WDL, while maintenance for CWL is primarily community-based. +### Security reports + +If you believe you have found a security issue please contact `infosec@broadinstitute.org`. + ### Issue tracking in JIRA
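Review bot: in the CHANGELOG hunk, the mitigation paragraph links to `reference.conf` on the `develop` branch with a line anchor (`#L460-L482`), which will silently point at the wrong lines as soon as that file changes; pin the link to the commit SHA of this PR, or drop the line anchor and just name the `CWL` stanza, so the `enabled: false` guidance stays correct for readers of old release notes. The note also never states which Cromwell versions are affected, and it describes the vector ("improper deserialization of the YAML source file") without saying how the loading behaviour in `wom/src/main/scala/wom/util/YamlUtils.scala` changed; one sentence naming the new parsing behaviour would let operators verify the fix rather than take it on trust. Finally, the single-item `- Thank you to ...` bullet reads better as a plain paragraph, matching the surrounding release notes.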
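Review bot: in the README hunk, "If you believe you have found a security issue please contact" needs a comma after "issue", and the address is wrapped in backticks, so it is rendered as a code span and not turned into a link; `[infosec@broadinstitute.org](mailto:infosec@broadinstitute.org)` would be clickable. Since this PR establishes the reporting channel, also consider adding a top-level `SECURITY.md` carrying the same contact so GitHub surfaces it in the repository's Security tab, rather than relying on reporters finding a subsection of the README.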