Allow list of classes for SafeConstructor


Connor Tumbleson

Feb 13, 2022, 10:06:30 AM2/13/22
to SnakeYAML

Hi,

I'm struggling to patch a program that loads untrusted input using the non-safe constructor. I was under the impression that I could simply instruct SnakeYAML which classes are allowed to resolve after swapping to SafeConstructor.

So that I could allow my classes (MetaInfo, etc.), but disallow any rogue attempt to load something like `!!javax.script.ScriptEngineManager`.

As I dug into it more, I ended up copying lots of code from the base constructor for resolving nodes into class(es). Am I missing something that makes this easier? I've peeked at the tests and can't quite tell, but I was hoping I could do something like:

```java
this.yamlClassAllowableEntities.put(MetaInfo.class);
```

Do you have an example that I can follow for allowing specific classes to resolve while working in the SafeConstructor?

maslovalex

Feb 14, 2022, 8:05:22 AM2/14/22
to SnakeYAML
Maybe you can override
```java
protected Object newInstance(Class<?> ancestor, Node node, boolean tryDefault)
```
and make required checks there.

-Alex
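Worked example of the approach Alex suggests, added here and not code from the thread or from the SnakeYAML project. It assumes SnakeYAML 1.x (the `Constructor(LoaderOptions)` constructor, the protected `newInstance(Class<?>, Node, boolean)` hook quoted above, and the protected `getClassForName(String)` hook that `Constructor` uses to turn a `!!` tag into a class) and Java 9+ for `Set.of`. `SafeConstructor` has no hook for letting a class tag through, since it rejects every unknown tag outright, so the example extends `Constructor`, which does resolve class tags, and gates it at both places a tag name becomes an object: refusing to resolve (and therefore load) a class that is not on the allow list, and refusing to instantiate any node whose type is not on it. The allow list must contain every application class the document may instantiate, including the types of nested bean properties. `MetaInfo` and the YAML documents are constructed for the demonstration.

```java
import java.util.Set;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.nodes.Node;

/** Constructed sample bean (not from the thread); a public no-arg constructor is required. */
class MetaInfo {
    public String name;
    public int version;
}

/** Constructor that only resolves and instantiates classes from an explicit allow list. */
public final class AllowListConstructor extends Constructor {

    private final Set<Class<?>> allowed;

    public AllowListConstructor(Set<Class<?>> allowed) {
        super(new LoaderOptions());   // assumes the SnakeYAML 1.x LoaderOptions constructor
        this.allowed = Set.copyOf(allowed);
    }

    /**
     * First gate: a "!!some.Class" tag is resolved through this hook. Refusing here means a
     * class that is not on the list is never loaded at all, so no static initialiser runs.
     */
    @Override
    protected Class<?> getClassForName(String name) throws ClassNotFoundException {
        for (Class<?> c : allowed) {
            if (c.getName().equals(name)) {
                return c;
            }
        }
        throw new ClassNotFoundException("class not on the YAML allow list: " + name);
    }

    /**
     * Second gate: every object SnakeYAML creates for a node passes through newInstance,
     * including bean property types, so check the node's resolved type against the list too.
     */
    @Override
    protected Object newInstance(Class<?> ancestor, Node node, boolean tryDefault)
            throws InstantiationException {
        Class<?> type = node.getType();
        if (!allowed.contains(type)) {
            throw new InstantiationException("refusing to instantiate " + type.getName()
                    + " for tag " + node.getTag());
        }
        return super.newInstance(ancestor, node, tryDefault);
    }

    public static void main(String[] args) {
        Yaml yaml = new Yaml(new AllowListConstructor(Set.of(MetaInfo.class)));

        // Allowed: the tag names a class on the list, so it is resolved and populated.
        MetaInfo info = yaml.load("!!MetaInfo {name: demo, version: 2}");
        System.out.println("loaded " + info.name + " v" + info.version);

        // Rejected: the same gadget tag the thread mentions never gets past getClassForName.
        try {
            yaml.load("!!javax.script.ScriptEngineManager {}");
            System.out.println("unexpected: rogue tag was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two overrides are deliberately redundant: `getClassForName` stops the class name in the tag from ever being loaded, while `newInstance` catches any path that arrives at a type without going through a tag (for example a property whose declared type is not on the list). Keeping the list as `Class` objects rather than strings avoids accepting a name that merely looks like an allowed one.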

Connor Tumbleson

Feb 19, 2022, 12:24:43 PM2/19/22
to SnakeYAML
Hi,

Thank you - that worked great.

Connor