java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor


Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.


Definition

# Semgrep rule: flags SnakeYAML's no-argument Yaml() constructor when the
# resulting parser is later used to load() a document.
rules:
  - id: use-snakeyaml-constructor
    languages:
      - java
    metadata:
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      references:
        - https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability
      category: security
      technology:
        - snakeyaml
      cwe2022-top25: true
      cwe2021-top25: true
      # "audit" subcategory: findings are meant for review, not as hard fails.
      subcategory:
        - audit
      # LOW likelihood / LOW confidence presumably because the pattern does not
      # trace where the loaded text comes from (trusted config vs. user input)
      # — confirm with the rule author.
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      # NOTE(review): the quoted value below carries a trailing space; looks
      # unintended and may not match the class name used by other rules.
      vulnerability_class:
        - "Insecure Deserialization "
    message: Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments,
      which is vulnerable to deserialization attacks. Use the one-argument
      Yaml(...) constructor instead, with SafeConstructor or a custom
      Constructor as the argument.
    # Matches only when a no-argument Yaml is assigned to a variable and load()
    # is later called on that same variable within one function body. As
    # written this does not appear to cover an inline `new Yaml().load(x)`, a
    # Yaml kept in a field and used from another method, or loadAll/loadAs
    # calls — verify against Semgrep's matching semantics before treating a
    # clean scan as complete coverage.
    patterns:
      - pattern: |
          $Y = new org.yaml.snakeyaml.Yaml();
          ...
          $Y.load(...);
    severity: WARNING

Examples

use-snakeyaml-constructor.java

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;

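/**
 * Semgrep test fixture for the {@code use-snakeyaml-constructor} rule.
 *
 * <p>Each method pairs a {@code Yaml} construction with a {@code load} call. The
 * {@code // ruleid:} and {@code // ok:} comments are Semgrep test annotations and must stay on
 * the line directly above the statement they annotate.
 */
public class SnakeYamlTestCase {

    /**
     * Flagged case: the no-argument {@code Yaml()} constructor, followed by {@code load} on
     * caller-supplied text.
     *
     * @param toLoad YAML document text to parse
     */
    public void unsafeLoad(String toLoad) {
        // ruleid:use-snakeyaml-constructor
        Yaml yaml = new Yaml();
        yaml.load(toLoad);
    }

    /**
     * Accepted case: {@code Yaml} built with a {@link SafeConstructor}.
     *
     * @param toLoad YAML document text to parse
     */
    public void safeConstructorLoad(String toLoad) {
        // ok:use-snakeyaml-constructor
        Yaml yaml = new Yaml(new SafeConstructor());
        yaml.load(toLoad);
    }

    /**
     * Accepted case: {@code Yaml} built with a {@link Constructor} bound to an explicit class.
     *
     * <p>The rule's pattern only distinguishes the no-argument constructor from any
     * one-argument form; how far a {@code Constructor(Class)} actually restricts what a
     * document may instantiate depends on the SnakeYAML version in use — confirm before
     * relying on it.
     *
     * @param toLoad YAML document text to parse
     * @param goodClass class the constructor is bound to; declared as {@code Class<?>} rather
     *     than the raw {@code Class} so callers get no unchecked warning
     */
    public void customConstructorLoad(String toLoad, Class<?> goodClass) {
        // ok:use-snakeyaml-constructor
        Yaml yaml = new Yaml(new Constructor(goodClass));
        yaml.load(toLoad);
    }
}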