use SafeConstructor in snakeyaml to fix CVE

frantuma · frantuma · commit 67e1bc467e93 · 2019-06-04T08:58:53.000+02:00
diff --git a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/DeserializationUtils.java b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/DeserializationUtils.java
@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import io.swagger.v3.core.util.Yaml;
 import io.swagger.v3.core.util.Json;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.io.IOException;
 
@@ -57,12 +58,12 @@ private static boolean isJson(String contents) {
     }
 
     public static JsonNode readYamlTree(String contents) {
-        org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml();
+        org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml(new SafeConstructor());
         return Json.mapper().convertValue(yaml.load(contents), JsonNode.class);
     }
 
     public static <T> T readYamlValue(String contents, Class<T> expectedType) {
-        org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml();
+        org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml(new SafeConstructor());
         return Json.mapper().convertValue(yaml.load(contents), expectedType);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`import com.fasterxml.jackson.databind.JsonNode;`
`4`	`4`	`import io.swagger.v3.core.util.Yaml;`
`5`	`5`	`import io.swagger.v3.core.util.Json;`
	`6`	`+import org.yaml.snakeyaml.constructor.SafeConstructor;`
`6`	`7`
`7`	`8`	`import java.io.IOException;`
`8`	`9`
`@@ -57,12 +58,12 @@ private static boolean isJson(String contents) {`
`57`	`58`	`}`
`58`	`59`
`59`	`60`	`public static JsonNode readYamlTree(String contents) {`
`60`		`- org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml();`
	`61`	`+ org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml(new SafeConstructor());`
`61`	`62`	`return Json.mapper().convertValue(yaml.load(contents), JsonNode.class);`
`62`	`63`	`}`
`63`	`64`
`64`	`65`	`public static <T> T readYamlValue(String contents, Class<T> expectedType) {`
`65`		`- org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml();`
	`66`	`+ org.yaml.snakeyaml.Yaml yaml = new org.yaml.snakeyaml.Yaml(new SafeConstructor());`
`66`	`67`	`return Json.mapper().convertValue(yaml.load(contents), expectedType);`
`67`	`68`	`}`
`68`	`69`	`}`