Upgrade to SnakeYAML 2.0

asomov · bclozel · commit 097758baf32b · 2023-05-22T14:31:27.000+02:00
This commit raises the SnakeYAML baseline version to 2.0. While most Spring applications are not affected by CVE-2022-1471, upgrading this version should prevent automated tools from raising this as a security issue. Such tools usually do not understand that YAML parsing in Spring is about reading configuration, not parsing untrusted content. Closes gh-30048
diff --git a/framework-platform/framework-platform.gradle b/framework-platform/framework-platform.gradle
@@ -144,6 +144,6 @@ dependencies {
 		api("org.webjars:webjars-locator-core:0.52")
 		api("org.xmlunit:xmlunit-assertj:2.9.1")
 		api("org.xmlunit:xmlunit-matchers:2.9.1")
-		api("org.yaml:snakeyaml:1.33")
+		api("org.yaml:snakeyaml:2.0")
 	}
 }
diff --git a/spring-beans/src/main/java/org/springframework/beans/factory/config/YamlProcessor.java b/spring-beans/src/main/java/org/springframework/beans/factory/config/YamlProcessor.java
@@ -34,6 +34,8 @@
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.Constructor;
+import org.yaml.snakeyaml.inspector.TagInspector;
+import org.yaml.snakeyaml.nodes.Tag;
 import org.yaml.snakeyaml.reader.UnicodeReader;
 import org.yaml.snakeyaml.representer.Representer;
 
@@ -184,8 +186,9 @@ protected void process(MatchCallback callback) {
 	protected Yaml createYaml() {
 		LoaderOptions loaderOptions = new LoaderOptions();
 		loaderOptions.setAllowDuplicateKeys(false);
+		loaderOptions.setTagInspector(new SupportedTagInspector());
 		DumperOptions dumperOptions = new DumperOptions();
-		return new Yaml(new FilteringConstructor(loaderOptions), new Representer(dumperOptions),
+		return new Yaml(new Constructor(loaderOptions), new Representer(dumperOptions),
 				dumperOptions, loaderOptions);
 	}
 
@@ -425,23 +428,11 @@ public enum ResolutionMethod {
 		FIRST_FOUND
 	}
 
-
-	/**
-	 * {@link Constructor} that supports filtering of unsupported types.
-	 * <p>If an unsupported type is encountered in a YAML document, an
-	 * {@link IllegalStateException} will be thrown from {@link #getClassForName}.
-	 */
-	private class FilteringConstructor extends Constructor {
-
-		FilteringConstructor(LoaderOptions loaderOptions) {
-			super(loaderOptions);
-		}
+	private class SupportedTagInspector implements TagInspector {
 
 		@Override
-		protected Class<?> getClassForName(String name) throws ClassNotFoundException {
-			Assert.state(YamlProcessor.this.supportedTypes.contains(name),
-					() -> "Unsupported type encountered in YAML document: " + name);
-			return super.getClassForName(name);
+		public boolean isGlobalTagAllowed(Tag tag) {
+			return supportedTypes.contains(tag.getClassName());
 		}
 	}
 
diff --git a/spring-beans/src/test/java/org/springframework/beans/factory/config/YamlProcessorTests.java b/spring-beans/src/test/java/org/springframework/beans/factory/config/YamlProcessorTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@
 import java.util.Set;
 
 import org.junit.jupiter.api.Test;
-import org.yaml.snakeyaml.constructor.ConstructorException;
+import org.yaml.snakeyaml.composer.ComposerException;
 import org.yaml.snakeyaml.parser.ParserException;
 import org.yaml.snakeyaml.scanner.ScannerException;
 
@@ -156,9 +156,9 @@ void standardTypesSupportedByDefault() throws Exception {
 	void customTypeNotSupportedByDefault() throws Exception {
 		URL url = new URL("https://localhost:9000/");
 		setYaml("value: !!java.net.URL [\"" + url + "\"]");
-		assertThatExceptionOfType(ConstructorException.class)
+		assertThatExceptionOfType(ComposerException.class)
 				.isThrownBy(() -> this.processor.process((properties, map) -> {}))
-				.withMessageContaining("Unsupported type encountered in YAML document: java.net.URL");
+				.withMessageContaining("Global tag is not allowed: tag:yaml.org,2002:java.net.URL");
 	}
 
 	@Test
@@ -180,9 +180,9 @@ void customTypeNotSupportedDueToExplicitConfiguration() {
 
 		setYaml("value: !!java.net.URL [\"https://localhost:9000/\"]");
 
-		assertThatExceptionOfType(ConstructorException.class)
+		assertThatExceptionOfType(ComposerException.class)
 				.isThrownBy(() -> this.processor.process((properties, map) -> {}))
-				.withMessageContaining("Unsupported type encountered in YAML document: java.net.URL");
+				.withMessageContaining("Global tag is not allowed: tag:yaml.org,2002:java.net.URL");
 	}
 
 	private void setYaml(String yaml) {

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,6 @@ dependencies {`
`144`	`144`	`api("org.webjars:webjars-locator-core:0.52")`
`145`	`145`	`api("org.xmlunit:xmlunit-assertj:2.9.1")`
`146`	`146`	`api("org.xmlunit:xmlunit-matchers:2.9.1")`
`147`		`- api("org.yaml:snakeyaml:1.33")`
	`147`	`+ api("org.yaml:snakeyaml:2.0")`
`148`	`148`	`}`
`149`	`149`	`}`