Initial move to SnakeYAML Engine

See jruby/jruby#7570 for some of the justification for this move. We only
require the parser from SnakeYAML, but in the original form it is
encumbered with Java object serialization code that keeps getting
flagged as a CVE risk. We disagree with the assessment, at least
as it pertains to JRuby (we do not use the code in question) but
our inclusion of the library continues to get flagged by auditing
tools.

This commit starts the process of moving to the successor library,
SnakeYAML Engine. The parser API is largely unchanged, except as
seen in this commit. No Java exceptions are thrown, but a number
of Psych tests fail (possibly due to Engine being YAML 1.2 only).

Author: headius

Mavenfile

@@ -1,6 +1,6 @@
 #-*- mode: ruby -*-
 
-jar 'org.yaml:snakeyaml:${snakeyaml.version}'
+jar 'org.snakeyaml:snakeyaml-engine:${snakeyaml.version}'
 
 plugin :dependency, '2.8', :outputFile => 'pkg/classpath'
 

ext/java/org/jruby/ext/psych/PsychEmitter.java

@@ -27,10 +27,6 @@
  ***** END LICENSE BLOCK *****/
 package org.jruby.ext.psych;
 
-import java.io.InputStream;
-import java.io.IOException;
-import java.util.Properties;
-
 import org.jcodings.Encoding;
 import org.jcodings.specific.UTF16BEEncoding;
 import org.jcodings.specific.UTF16LEEncoding;
@@ -44,7 +40,10 @@
 import org.jruby.runtime.Visibility;
 import org.jruby.runtime.builtin.IRubyObject;
 import org.jruby.runtime.load.Library;
-import org.yaml.snakeyaml.error.Mark;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
 
 public class PsychLibrary implements Library {
     private static final String DUMMY_VERSION = "0.0";
@@ -54,7 +53,7 @@ public void load(final Ruby runtime, boolean wrap) {
 
         // load version from properties packed with the jar
         Properties props = new Properties();
-        try( InputStream is = runtime.getJRubyClassLoader().getResourceAsStream("META-INF/maven/org.yaml/snakeyaml/pom.properties") ) {
+        try( InputStream is = runtime.getJRubyClassLoader().getResourceAsStream("META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.properties") ) {
             props.load(is);
         }
         catch( IOException e ) {
@@ -66,27 +65,6 @@ public void load(final Ruby runtime, boolean wrap) {
             snakeyamlVersion = snakeyamlVersion.substring(0, snakeyamlVersion.length() - "-SNAPSHOT".length());
         }
 
-        // Try to determine if we have a new enough SnakeYAML.
-        // Versions before 1.21 removed a Mark constructor that JRuby uses.
-        // See https://github.com/bundler/bundler/issues/6878
-        if (snakeyamlVersion.equals(DUMMY_VERSION)) {
-            try {
-                // Use reflection to try to confirm we have a new enough version
-                Mark.class.getConstructor(String.class, int.class, int.class, int.class, int[].class, int.class);
-            } catch (NoSuchMethodException nsme) {
-                throw runtime.newLoadError("bad SnakeYAML version, required 1.21 or higher; check your CLASSPATH for a conflicting jar");
-            }
-        } else {
-            // Parse version string to check for 1.21+
-            String[] majorMinor = snakeyamlVersion.split("\\.");
-
-            if (majorMinor.length < 2 || Integer.parseInt(majorMinor[0]) < 1 || Integer.parseInt(majorMinor[1]) < 21) {
-                throw runtime.newLoadError(
-                        "bad SnakeYAML version " + snakeyamlVersion +
-                                ", required 1.21 or higher; check your CLASSPATH for a conflicting jar");
-            }
-        }
-
         RubyString version = runtime.newString(snakeyamlVersion + ".0");
         version.setFrozen(true);
         psych.setConstant("SNAKEYAML_VERSION", version);

ext/java/org/jruby/ext/psych/PsychLibrary.java

@@ -29,14 +29,15 @@
 
 import org.jruby.Ruby;
 import org.jruby.RubyClass;
+import org.jruby.RubyException;
 import org.jruby.RubyModule;
 import org.jruby.RubyObject;
-import org.jruby.RubyException;
 import org.jruby.anno.JRubyMethod;
 import org.jruby.exceptions.RaiseException;
 import org.jruby.runtime.ThreadContext;
 import org.jruby.runtime.builtin.IRubyObject;
-import static org.jruby.runtime.Visibility.*;
+
+import static org.jruby.runtime.Visibility.PRIVATE;
 
 public class PsychToRuby {
     public static void initPsychToRuby(Ruby runtime, RubyModule psych) {

ext/java/org/jruby/ext/psych/PsychParser.java

@@ -5,6 +5,6 @@ module Psych
   VERSION = '5.0.1'
 
   if RUBY_ENGINE == 'jruby'
-    DEFAULT_SNAKEYAML_VERSION = '1.33'.freeze
+    DEFAULT_SNAKEYAML_VERSION = '2.5'.freeze
   end
 end

ext/java/org/jruby/ext/psych/PsychToRuby.java

@@ -2,4 +2,4 @@
 require 'psych.jar'
 
 require 'jar-dependencies'
-require_jar('org.yaml', 'snakeyaml', Psych::DEFAULT_SNAKEYAML_VERSION)
+require_jar('org.snakeyaml', 'snakeyaml-engine', Psych::DEFAULT_SNAKEYAML_VERSION)

lib/psych/versions.rb

@@ -52,11 +52,10 @@ DESCRIPTION
       "ext/java/org/jruby/ext/psych/PsychLibrary.java",
       "ext/java/org/jruby/ext/psych/PsychParser.java",
       "ext/java/org/jruby/ext/psych/PsychToRuby.java",
-      "ext/java/org/jruby/ext/psych/PsychYamlTree.java",
       "lib/psych_jars.rb",
       "lib/psych.jar"
     ]
-    s.requirements = "jar org.yaml:snakeyaml, #{version_module::Psych::DEFAULT_SNAKEYAML_VERSION}"
+    s.requirements = "jar org.snakeyaml:snakeyaml-engine, #{version_module::Psych::DEFAULT_SNAKEYAML_VERSION}"
     s.add_dependency 'jar-dependencies', '>= 0.1.7'
   else
     s.extensions = ["ext/psych/extconf.rb"]