Merge pull request #2543 from brendandburns/r0.15

[Cherry-pick] Add a rule to block empty YAML constructors.
kubernetes-client · Jan 30, 2023 · 8e53bda · 8e53bda
2 parents bd7ea09 + d4fe343
commit 8e53bda
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -468,6 +468,17 @@
                 <replacement>INVALID IMPORTS (GUAVA)</replacement>
               </replaceRegex>
             </format>
+            <!-- prevents empty SnakeYaml constructor -->
+            <format>
+              <includes>
+                <include>src/**/*.java</include>
+              </includes>
+              <replaceRegex>
+                <name>Forbids new Yaml()</name>
+                <searchRegex>^.*new Yaml\(\).*$</searchRegex>
+                <replacement>INVALID CONSTRUCTOR (SNAKEYAML)</replacement>
+              </replaceRegex>
+            </format>
           </formats>
           <java>
             <removeUnusedImports /> <!-- self-explanatory -->

diff --git a/util/src/main/java/io/kubernetes/client/util/FilePersister.java b/util/src/main/java/io/kubernetes/client/util/FilePersister.java
@@ -18,6 +18,7 @@
 import java.util.ArrayList;
 import java.util.HashMap;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 public class FilePersister implements ConfigPersister {
   File configFile;
@@ -50,7 +51,7 @@ public void save(
     // Note this is imperfect, should protect against other processes writing this file too...
     synchronized (configFile) {
       try (FileWriter fw = new FileWriter(configFile)) {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         yaml.dump(config, fw);
         fw.flush();
       }

diff --git a/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java b/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
@@ -17,11 +17,12 @@
 import io.kubernetes.client.openapi.JSON;
 import java.util.Map;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 public class Dynamics {
 
   static final JSON internalJSONCodec = new JSON();
-  static final Yaml internalYamlCodec = new Yaml();
+  static final Yaml internalYamlCodec = new Yaml(new SafeConstructor());
 
   public static DynamicKubernetesObject newFromJson(String jsonContent) {
     return newFromJson(internalJSONCodec.getGson(), jsonContent);