jobukkit

Reputation: 2670

What can happen when loading a YAML file from an untrusted source with SnakeYAML?

The SnakeYAML documentation says:

Warning: It is not safe to call Yaml.load() with any data received from an untrusted source!

Is this a security issue? What can a malicious YAML file do?

Upvotes: 4

Views: 2987

Answers (2)

Jim Pivarski

Reputation: 5974

I was wondering about this, too, and found the following in the documentation:

Note if you want to limit objects to standard Java objects like List or Long you need to use SafeConstructor.

Yaml yaml = new Yaml(new SafeConstructor());

The link quoted above goes to a test case in which a YAML document contains a reference to a Java object. Without SafeConstructor, yaml.load would call the object's no-argument constructor and this might be a bad thing for some classes in your classpath. With SafeConstructor, only the SafeConstructor nested classes (Java code) would ever be called.

Upvotes: 3
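The two loaders side by side, as an added example that is not code from the question, either answer or the SnakeYAML project. It assumes SnakeYAML 1.x, where `new SafeConstructor()` has a no-argument form (on 2.x it takes a `LoaderOptions`); the class name, constants and the sample documents are constructed for this illustration.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

// Added example: contrasts Yaml.load() with the default constructor against
// Yaml.load() restricted by SafeConstructor. Assumes SnakeYAML 1.x; on 2.x
// write new SafeConstructor(new LoaderOptions()) instead.
public class SafeYamlLoading {

    // Constructed sample: a plain mapping made only of standard scalar/collection types.
    static final String PLAIN_DOC = "name: demo\nreplicas: 3\nports: [80, 443]\n";

    // Constructed sample: a document whose tag names a JVM class to instantiate.
    // java.util.Date is a harmless placeholder; the point is that the class is chosen
    // by whoever wrote the document, not by the application.
    static final String TAGGED_DOC = "!!java.util.Date {}\n";

    /** Hardened loader: yields only Map, List, String, Number, Boolean, Date and null. */
    static Object loadSafely(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    /** Default loader, shown only to make the difference visible. */
    static Object loadUnrestricted(String doc) {
        return new Yaml().load(doc);
    }

    public static void main(String[] args) {
        // Plain data loads identically under both loaders.
        Map<?, ?> plain = (Map<?, ?>) loadSafely(PLAIN_DOC);
        System.out.println("safe loader, plain document: " + plain);

        // The default loader honours the class tag and runs that class's no-arg constructor.
        Object obj = loadUnrestricted(TAGGED_DOC);
        System.out.println("default loader, tagged document: " + obj.getClass().getName());

        // SafeConstructor registers no constructor for a Java class tag and rejects the document.
        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: tagged document accepted by safe loader");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected tagged document: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as a `ConstructorException` (a `YAMLException` subclass), which is the signal to log and drop the input rather than fall back to the default loader.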

Andrey

Reputation: 3001

SnakeYAML allows using any class loader. When the instance of a class is created, it calls the constructor. It will run any code there. If you load classes yourself, no worries.

Upvotes: 0
