SnakeYaml allows for custom types to be loaded when they are specified inside the YAML. Whilst we only parse YAML from trusted sources, it would be prudent to restrict the types that can be constructed.
Comment From: sbrannen
Although this issue has already been closed, I'd like to make a suggestion regarding the following.
https://github.com/spring-projects/spring-boot/blob/685b2796f0e709d8b1bd5b9bd10a309496180024/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/YamlJsonParser.java#L64-L67
If an unsupported type is encountered, the current exception would look something like the following.
```
Can't construct a java object for tag:yaml.org,2002:java.net.URL; exception=null
 in 'reader', line 1, column 8:
    value: !!java.net.URL [!!java.lang.Stri ...
           ^
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:336)
    ...
Caused by: java.lang.NullPointerException
    at org.yaml.snakeyaml.nodes.Node.setType(Node.java:104)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.getConstructor(Constructor.java:323)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:331)
```
For Spring Framework, I took a different approach inspired by the example from the SnakeYaml test suite and came up with the following.
https://github.com/spring-projects/spring-framework/blob/5f9e9513efb75e8626c522053235bbd2920dd9fd/spring-beans/src/main/java/org/springframework/beans/factory/config/YamlProcessor.java#L445-L450
Throwing an explicit exception instead of returning `null` for unsupported types results in an exception message and stack trace that may better help the user to diagnose the core issue. For example, the following is produced in Spring Framework.
```
Can't construct a java object for tag:yaml.org,2002:java.net.URL; exception=Unsupported type encountered in YAML document: java.net.URL
 in 'reader', line 1, column 8:
    value: !!java.net.URL [!!java.lang.Stri ...
           ^
    ...
Caused by: java.lang.IllegalStateException: Unsupported type encountered in YAML document: java.net.URL
    at org.springframework.util.Assert.state(Assert.java:94)
    at org.springframework.beans.factory.config.YamlProcessor$FilteringConstructor.getClassForName(YamlProcessor.java:443)
    at org.yaml.snakeyaml.constructor.Constructor.getClassForNode(Constructor.java:662)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.getConstructor(Constructor.java:322)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:331)
    ... 79 more
```
The presence of `exception=Unsupported type encountered in YAML document: java.net.URL` in the `ConstructorException` provides immediate feedback to the user. In addition, the cause also points out exactly where the type was rejected, i.e., `YamlProcessor$FilteringConstructor` in Spring Framework.
Perhaps you'd like to reopen this issue to apply a similar change to Spring Boot.
Or if you'd prefer that I open a new issue for this, just let me know.
Cheers
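The pattern the comment above describes, as an added, self-contained example (not code from Spring Boot or Spring Framework): a SnakeYaml `Constructor` subclass that only resolves class names on an explicit allowlist and throws an explicit exception for anything else, so the rejected type shows up in the `ConstructorException` message and the rejection point shows up in the stack trace. It assumes a SnakeYaml version whose `Constructor` takes a `LoaderOptions` argument; the class and method names `FilteringYamlExample`, `FilteringConstructor` and `loadWithAllowlist` are illustrative, and the YAML documents are constructed for the example.

```java
import java.util.Map;
import java.util.Set;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;

public class FilteringYamlExample {

    /**
     * Constructor that resolves only explicitly allowed class names.
     * Any other `!!fully.qualified.Name` tag is rejected with an explicit
     * exception instead of returning null (hypothetical helper, not Spring's class).
     */
    static class FilteringConstructor extends Constructor {

        private final Set<String> supportedTypes;

        FilteringConstructor(LoaderOptions options, Set<String> supportedTypes) {
            super(options);
            this.supportedTypes = supportedTypes;
        }

        @Override
        protected Class<?> getClassForName(String name) throws ClassNotFoundException {
            // Called by SnakeYaml when a node carries a custom (non-standard) type tag.
            if (!this.supportedTypes.contains(name)) {
                throw new IllegalStateException(
                        "Unsupported type encountered in YAML document: " + name);
            }
            return super.getClassForName(name);
        }
    }

    /** Parses a document with an empty allowlist: plain YAML only, no custom types. */
    static Map<String, Object> loadWithAllowlist(String document, Set<String> allowed) {
        Yaml yaml = new Yaml(new FilteringConstructor(new LoaderOptions(), allowed));
        return yaml.load(document);
    }

    public static void main(String[] args) {
        // Constructed input: ordinary scalars and collections are unaffected by the filter.
        Map<String, Object> ok = loadWithAllowlist("value: hello\nlist: [1, 2]", Set.of());
        System.out.println("loaded: " + ok);

        // Constructed input: a tag asking for an arbitrary JVM class is rejected.
        // SnakeYaml wraps our IllegalStateException in a ConstructorException, so the
        // message carries "exception=Unsupported type encountered ..." and the cause's
        // stack trace points at FilteringConstructor.getClassForName.
        try {
            loadWithAllowlist("value: !!java.net.URL [\"http://example.invalid\"]", Set.of());
        }
        catch (YAMLException ex) {
            System.out.println("rejected: " + ex.getMessage());
            Throwable cause = ex.getCause();
            System.out.println("cause: " + (cause != null ? cause : "none"));
        }
    }
}
```

Passing a non-empty allowlist (for example `Set.of("java.net.URL")`) restores construction for just those classes; standard YAML tags such as `!!str` and `!!int` are pre-registered by SnakeYaml and never reach `getClassForName`, so they keep working with an empty allowlist.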
Comment From: philwebb
Thanks for the suggestion @sbrannen