From bc44c80efa3e74994712d12d83d2f97933ac23d3 Mon Sep 17 00:00:00 2001
From: Michael Barry
Date: Sun, 5 Feb 2023 14:22:57 -0500
Subject: [PATCH] Use snakeyaml safe constructor (#68)

---
 src/main/java/org/openmaptiles/Generate.java | 11 ++++++++---
 submodule.pom.xml | 1 +
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/openmaptiles/Generate.java b/src/main/java/org/openmaptiles/Generate.java
index 82258c3..c8af4db 100644
--- a/src/main/java/org/openmaptiles/Generate.java
+++ b/src/main/java/org/openmaptiles/Generate.java
@@ -34,8 +34,11 @@ import org.commonmark.parser.Parser;
 import org.commonmark.renderer.html.HtmlRenderer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
+import org.yaml.snakeyaml.representer.Representer;
 
 /**
 * Generates code in the {@code generated} package from the OpenMapTiles schema crawled from a tag or branch in the
@@ -98,10 +101,12 @@ public class Generate {
 private static final HtmlRenderer renderer = HtmlRenderer.builder().build();
 
 static {
+var loadOptions = new LoaderOptions();
 // bump the default limit of 50
-var options = new LoaderOptions();
-options.setMaxAliasesForCollections(1_000);
-yaml = new Yaml(options);
+loadOptions.setMaxAliasesForCollections(1_000);
+var dumpOptions = new DumperOptions();
+// SafeConstructor restricts types which can be instantiated during deserialization (CVE-2022-1471)
+yaml = new Yaml(new SafeConstructor(loadOptions), new Representer(dumpOptions), dumpOptions, loadOptions);
 }
 
 private static T loadAndParseYaml(String url, PlanetilerConfig config, Class clazz) throws IOException {
diff --git a/submodule.pom.xml b/submodule.pom.xml
index 54b3e90..0141f98 100644
--- a/submodule.pom.xml
+++ b/submodule.pom.xml
@@ -23,6 +23,7 @@ org.yaml snakeyaml + 1.33 org.commonmark
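Review bot: The `// bump the default limit of 50` comment above `loadOptions.setMaxAliasesForCollections(1_000)` says what but not why; this `Yaml` instance parses documents fetched from a URL (see the `loadAndParseYaml(String url, …)` context line), so a reader should know the alias-expansion guard is widened 20x on purpose and stays a hard bound — suggest `// schema YAML reuses many anchors (presumably — confirm); raise SnakeYAML's alias guard from 50 to 1_000, still bounded for remote input`. Separately, as far as I know `SafeConstructor` constructs only the standard YAML types, so if `loadAndParseYaml` builds `clazz` via `yaml.loadAs(…, clazz)` rather than loading into a `Map`/`Object` and converting afterwards, this change would fail for any bean class; that method's body is outside the hunk, so it is worth a quick check. The static initializer itself is fully inside the hunk.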