Restrict use of custom YAML types

[philwebb]

SnakeYaml allows for custom types to be loaded when they are specified inside the YAML. Whilst we only parse YAML from trusted sources, it would be prudent to restrict the types that can be constructed.

[sbrannen]

Although this issue has already been closed, I'd like to make a suggestion regarding the following.

spring-boot/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/json/YamlJsonParser.java

Lines 64 to 67 in 685b279

	@Override
	protected Class<?> getClassForName(String name) throws ClassNotFoundException {
	return (SUPPORTED_TYPES.contains(name)) ? super.getClassForName(name) : null;
	}

If an unsupported type is encountered, the current exception would look something like the following.

Can't construct a java object for tag:yaml.org,2002:java.net.URL; exception=null
 in 'reader', line 1, column 8:
    value: !!java.net.URL [!!java.lang.Stri ... 
           ^
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:336)

...

Caused by: java.lang.NullPointerException
    at org.yaml.snakeyaml.nodes.Node.setType(Node.java:104)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.getConstructor(Constructor.java:323)
    at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:331)

For Spring Framework, I took a different approach inspired by the example from the SnakeYaml test suite and came up with the following.

https://github.com/spring-projects/spring-framework/blob/5f9e9513efb75e8626c522053235bbd2920dd9fd/spring-beans/src/main/java/org/springframework/beans/factory/config/YamlProcessor.java#L445-L450

Throwing an explicit exception instead of returning null for unsupported types results in an exception message and stack trace that may better help the user to diagnose the core issue. For example, the following is produced in Spring Framework.

Can't construct a java object for tag:yaml.org,2002:java.net.URL; exception=Unsupported type encountered in YAML document: java.net.URL
 in 'reader', line 1, column 8:
  value: !!java.net.URL [!!java.lang.Stri ... 
      ^

...

Caused by: java.lang.IllegalStateException: Unsupported type encountered in YAML document: java.net.URL
	at org.springframework.util.Assert.state(Assert.java:94)
	at org.springframework.beans.factory.config.YamlProcessor$FilteringConstructor.getClassForName(YamlProcessor.java:443)
	at org.yaml.snakeyaml.constructor.Constructor.getClassForNode(Constructor.java:662)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.getConstructor(Constructor.java:322)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:331)
	... 79 more

The presence of exception=Unsupported type encountered in YAML document: java.net.URL in the ConstructorException provides immediate feedback to the user. In addition, the cause also points out exactly where the type was rejected, i.e., YamlProcessor$FilteringConstructor in Spring Framework.

Perhaps you'd like to reopen this issue to apply a similar change to Spring Boot.

Or if you'd prefer that I open a new issue for this, just let me know.

Cheers

[philwebb]

Thanks for the suggestion @sbrannen