diff --git a/pom.xml b/pom.xml
index e335ad4bc0..a8225e5e10 100644
--- a/pom.xml
+++ b/pom.xml
@@ -468,6 +468,17 @@
INVALID IMPORTS (GUAVA)
+
+
+
+ src/**/*.java
+
+
+ Forbids new Yaml()
+ ^.*new Yaml\(\).*$
+ INVALID CONSTRUCTOR (SNAKEYAML)
+
+
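Review bot: The pattern `^.*new Yaml\(\).*$` matches only the literal text `new Yaml()`, so the rule is a narrow guard rather than a guarantee that every SnakeYAML instance in the tree is safe. A fully qualified `new org.yaml.snakeyaml.Yaml()` or a `Yaml` built with the general-purpose `Constructor` passes unflagged, while a comment or string containing the text is flagged. Something like `^.*new\s+(org\.yaml\.snakeyaml\.)?Yaml\(\s*\).*$` closes the first gap. The rule's description could also state the intent: "construct Yaml with SafeConstructor (or a typed constructor reviewed for untrusted input), never the default constructor". The XML element names are not visible in this rendering, so where the rule sits in the plugin configuration is inferred from the neighbouring Guava rule.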
diff --git a/util/src/main/java/io/kubernetes/client/util/FilePersister.java b/util/src/main/java/io/kubernetes/client/util/FilePersister.java
index 16163927b5..f4c800268d 100644
--- a/util/src/main/java/io/kubernetes/client/util/FilePersister.java
+++ b/util/src/main/java/io/kubernetes/client/util/FilePersister.java
@@ -18,6 +18,7 @@
import java.util.ArrayList;
import java.util.HashMap;
import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
public class FilePersister implements ConfigPersister {
File configFile;
@@ -50,7 +51,7 @@ public void save(
// Note this is imperfect, should protect against other processes writing this file too...
synchronized (configFile) {
try (FileWriter fw = new FileWriter(configFile)) {
- Yaml yaml = new Yaml();
+ Yaml yaml = new Yaml(new SafeConstructor());
yaml.dump(config, fw);
fw.flush();
}
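Review bot: `SafeConstructor` only limits what `load()` may instantiate, and the only use of this instance visible here is `yaml.dump(config, fw)`, so the change satisfies the new lint rule without hardening the write path. A short comment would stop a reader assuming otherwise: `// SafeConstructor only affects load(); used so every Yaml in the tree is built the same way`. The no-arg `new SafeConstructor()` was removed in SnakeYAML 2.0 in favour of `new SafeConstructor(new LoaderOptions())`. This line and the identical one in Dynamics.java will need that form when the dependency is upgraded. `save` begins and ends outside the hunk, so any read path in this class is not reviewed here.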
diff --git a/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java b/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
index 47e263beae..f93e05b34f 100644
--- a/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
+++ b/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
@@ -17,11 +17,12 @@
import io.kubernetes.client.openapi.JSON;
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
public class Dynamics {
static final JSON internalJSONCodec = new JSON();
- static final Yaml internalYamlCodec = new Yaml();
+ static final Yaml internalYamlCodec = new Yaml(new SafeConstructor());
public static DynamicKubernetesObject newFromJson(String jsonContent) {
return newFromJson(internalJSONCodec.getGson(), jsonContent);
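Review bot: `internalYamlCodec` remains a single `static final Yaml` shared by all callers, and SnakeYAML documents `Yaml` instances as not thread-safe, so concurrent YAML parsing through this class can interfere even with the safe constructor in place. Creating the instance per call avoids this, for example `private static Yaml newYaml() { return new Yaml(new SafeConstructor()); }` used in place of the field. The methods that read the field are outside this hunk, so confirm that none of them hand it to a typed `loadAs` that would need more than the standard tags. A field comment such as `// SafeConstructor: manifests may be untrusted, restrict load() to standard YAML types` would record why the argument is there.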