Prevent object creation when loading YAML files.

oheger · oheger · commit add7375cf37f · 2020-03-04T21:33:22.000+01:00
When creating a new Yaml instance from SnakeYaml to read in a
configuration file the instance is now configured that no objects are
created automatically.
diff --git a/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java b/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
@@ -18,11 +18,14 @@
 package org.apache.commons.configuration2;
 
 import org.apache.commons.configuration2.ex.ConfigurationException;
+import org.apache.commons.configuration2.ex.ConfigurationRuntimeException;
 import org.apache.commons.configuration2.io.InputStreamSupport;
 import org.apache.commons.configuration2.tree.ImmutableNode;
 import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.Constructor;
+import org.yaml.snakeyaml.representer.Representer;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -65,7 +68,7 @@ public void read(final Reader in) throws ConfigurationException
     {
         try
         {
-            final Yaml yaml = new Yaml();
+            final Yaml yaml = createYamlForReading(new LoaderOptions());
             final Map<String, Object> map = (Map) yaml.load(in);
             load(map);
         }
@@ -80,7 +83,7 @@ public void read(final Reader in, final LoaderOptions options)
     {
         try
         {
-            final Yaml yaml = new Yaml(options);
+            final Yaml yaml = createYamlForReading(options);
             final Map<String, Object> map = (Map) yaml.load(in);
             load(map);
         }
@@ -117,7 +120,7 @@ public void read(final InputStream in) throws ConfigurationException
     {
         try
         {
-            final Yaml yaml = new Yaml();
+            final Yaml yaml = createYamlForReading(new LoaderOptions());
             final Map<String, Object> map = (Map) yaml.load(in);
             load(map);
         }
@@ -132,7 +135,7 @@ public void read(final InputStream in, final LoaderOptions options)
     {
         try
         {
-            final Yaml yaml = new Yaml(options);
+            final Yaml yaml = createYamlForReading(options);
             final Map<String, Object> map = (Map) yaml.load(in);
             load(map);
         }
@@ -142,4 +145,34 @@ public void read(final InputStream in, final LoaderOptions options)
         }
     }
 
+    /**
+     * Creates a {@code Yaml} object for reading a Yaml file. The object is
+     * configured with some default settings.
+     *
+     * @param options options for loading the file
+     * @return the {@code Yaml} instance for loading a file
+     */
+    private static Yaml createYamlForReading(LoaderOptions options)
+    {
+        return new Yaml(createClassLoadingDisablingConstructor(), new Representer(), new DumperOptions(), options);
+    }
+
+    /**
+     * Returns a {@code Constructor} object for the YAML parser that prevents
+     * all classes from being loaded. This effectively disables the dynamic
+     * creation of Java objects that are declared in YAML files to be loaded.
+     *
+     * @return the {@code Constructor} preventing object creation
+     */
+    private static Constructor createClassLoadingDisablingConstructor()
+    {
+        return new Constructor()
+        {
+            @Override
+            protected Class<?> getClassForName(String name)
+            {
+                throw new ConfigurationRuntimeException("Class loading is disabled.");
+            }
+        };
+    }
 }
diff --git a/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java b/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
@@ -17,26 +17,37 @@
 
 package org.apache.commons.configuration2;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
+import java.io.ByteArrayInputStream;
+import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import java.io.StringReader;
 import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
 import org.apache.commons.configuration2.ex.ConfigurationException;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
 import org.yaml.snakeyaml.Yaml;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 /**
  * Unit test for {@link YAMLConfiguration}
  */
 public class TestYAMLConfiguration
 {
+    @Rule
+    public TemporaryFolder temporaryFolder = new TemporaryFolder();
+
     /** The files that we test with. */
     private final String testYaml =
             ConfigurationAssert.getTestFile("test.yaml").getAbsolutePath();
@@ -134,4 +145,40 @@ public void testCopyConstructor()
         yamlConfiguration = new YAMLConfiguration(c);
         assertEquals("bar", yamlConfiguration.getString("foo"));
     }
+
+    @Test
+    public void testObjectCreationFromReader()
+    {
+        final File createdFile = new File(temporaryFolder.getRoot(), "data.txt");
+        final String yaml = "!!java.io.FileOutputStream [" + createdFile.getAbsolutePath() + "]";
+
+        try
+        {
+            yamlConfiguration.read(new StringReader(yaml));
+            fail("Loading configuration did not cause an exception!");
+        }
+        catch (ConfigurationException e)
+        {
+            //expected
+        }
+        assertFalse("Java object was created", createdFile.exists());
+    }
+
+    @Test
+    public void testObjectCreationFromStream()
+    {
+        final File createdFile = new File(temporaryFolder.getRoot(), "data.txt");
+        final String yaml = "!!java.io.FileOutputStream [" + createdFile.getAbsolutePath() + "]";
+
+        try
+        {
+            yamlConfiguration.read(new ByteArrayInputStream(yaml.getBytes(StandardCharsets.UTF_8)));
+            fail("Loading configuration did not cause an exception!");
+        }
+        catch (ConfigurationException e)
+        {
+            //expected
+        }
+        assertFalse("Java object was created", createdFile.exists());
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -18,11 +18,14 @@`
`18`	`18`	`package org.apache.commons.configuration2;`
`19`	`19`
`20`	`20`	`import org.apache.commons.configuration2.ex.ConfigurationException;`
	`21`	`+import org.apache.commons.configuration2.ex.ConfigurationRuntimeException;`
`21`	`22`	`import org.apache.commons.configuration2.io.InputStreamSupport;`
`22`	`23`	`import org.apache.commons.configuration2.tree.ImmutableNode;`
`23`	`24`	`import org.yaml.snakeyaml.DumperOptions;`
`24`	`25`	`import org.yaml.snakeyaml.LoaderOptions;`
`25`	`26`	`import org.yaml.snakeyaml.Yaml;`
	`27`	`+import org.yaml.snakeyaml.constructor.Constructor;`
	`28`	`+import org.yaml.snakeyaml.representer.Representer;`
`26`	`29`
`27`	`30`	`import java.io.IOException;`
`28`	`31`	`import java.io.InputStream;`
`@@ -65,7 +68,7 @@ public void read(final Reader in) throws ConfigurationException`
`65`	`68`	`{`
`66`	`69`	`try`
`67`	`70`	`{`
`68`		`- final Yaml yaml = new Yaml();`
	`71`	`+ final Yaml yaml = createYamlForReading(new LoaderOptions());`
`69`	`72`	`final Map<String, Object> map = (Map) yaml.load(in);`
`70`	`73`	`load(map);`
`71`	`74`	`}`
`@@ -80,7 +83,7 @@ public void read(final Reader in, final LoaderOptions options)`
`80`	`83`	`{`
`81`	`84`	`try`
`82`	`85`	`{`
`83`		`- final Yaml yaml = new Yaml(options);`
	`86`	`+ final Yaml yaml = createYamlForReading(options);`
`84`	`87`	`final Map<String, Object> map = (Map) yaml.load(in);`
`85`	`88`	`load(map);`
`86`	`89`	`}`
`@@ -117,7 +120,7 @@ public void read(final InputStream in) throws ConfigurationException`
`117`	`120`	`{`
`118`	`121`	`try`
`119`	`122`	`{`
`120`		`- final Yaml yaml = new Yaml();`
	`123`	`+ final Yaml yaml = createYamlForReading(new LoaderOptions());`
`121`	`124`	`final Map<String, Object> map = (Map) yaml.load(in);`
`122`	`125`	`load(map);`
`123`	`126`	`}`
`@@ -132,7 +135,7 @@ public void read(final InputStream in, final LoaderOptions options)`
`132`	`135`	`{`
`133`	`136`	`try`
`134`	`137`	`{`
`135`		`- final Yaml yaml = new Yaml(options);`
	`138`	`+ final Yaml yaml = createYamlForReading(options);`
`136`	`139`	`final Map<String, Object> map = (Map) yaml.load(in);`
`137`	`140`	`load(map);`
`138`	`141`	`}`
`@@ -142,4 +145,34 @@ public void read(final InputStream in, final LoaderOptions options)`
`142`	`145`	`}`
`143`	`146`	`}`
`144`	`147`
	`148`	`+ /**`
	`149`	`+ * Creates a {@code Yaml} object for reading a Yaml file. The object is`
	`150`	`+ * configured with some default settings.`
	`151`	`+ *`
	`152`	`+ * @param options options for loading the file`
	`153`	`+ * @return the {@code Yaml} instance for loading a file`
	`154`	`+ */`
	`155`	`+ private static Yaml createYamlForReading(LoaderOptions options)`
	`156`	`+ {`
	`157`	`+ return new Yaml(createClassLoadingDisablingConstructor(), new Representer(), new DumperOptions(), options);`
	`158`	`+ }`
	`159`	`+`
	`160`	`+ /**`
	`161`	`+ * Returns a {@code Constructor} object for the YAML parser that prevents`
	`162`	`+ * all classes from being loaded. This effectively disables the dynamic`
	`163`	`+ * creation of Java objects that are declared in YAML files to be loaded.`
	`164`	`+ *`
	`165`	`+ * @return the {@code Constructor} preventing object creation`
	`166`	`+ */`
	`167`	`+ private static Constructor createClassLoadingDisablingConstructor()`
	`168`	`+ {`
	`169`	`+ return new Constructor()`
	`170`	`+ {`
	`171`	`+ @Override`
	`172`	`+ protected Class<?> getClassForName(String name)`
	`173`	`+ {`
	`174`	`+ throw new ConfigurationRuntimeException("Class loading is disabled.");`
	`175`	`+ }`
	`176`	`+ };`
	`177`	`+ }`
`145`	`178`	`}`