[SECURITY-1826] Use conservative constructors

Update YAML usage to be more conservative in how it parses YAML into Java Objects. Restricts it to basic objects like HashMap or LinkedList. See also: - [SECURITY-1826][SECURITY-1826] [SECURITY-1826]: https://issues.jenkins-ci.org/browse/SECURITY-1826
jenkinsci · Apr 19, 2020 · a36e8bd · a36e8bd
1 parent d4d1158
commit a36e8bd
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/build.gradle b/build.gradle
@@ -95,8 +95,8 @@ jenkinsPlugin {
 
 dependencies {
     implementation "org.codehaus.groovy:groovy-all:${groovyVersion}"
-    implementation 'net.gleske:jervis:1.5'
-    implementation 'org.yaml:snakeyaml:1.25'
+    implementation 'net.gleske:jervis:1.7'
+    implementation 'org.yaml:snakeyaml:1.26'
 
     jenkinsPlugins 'org.jenkins-ci.plugins:credentials:2.1.18'
     jenkinsPlugins 'org.jenkins-ci.plugins:scm-api:2.2.2'

diff --git a/src/main/groovy/net/gleske/scmfilter/impl/trait/JervisFilterTrait.groovy b/src/main/groovy/net/gleske/scmfilter/impl/trait/JervisFilterTrait.groovy
@@ -49,6 +49,7 @@ import java.util.logging.Level
 import java.util.logging.Logger
 import java.util.regex.Pattern
 import org.yaml.snakeyaml.Yaml
+import org.yaml.snakeyaml.constructor.SafeConstructor
 
 
 public class JervisFilterTrait extends SCMSourceTrait {
@@ -191,7 +192,7 @@ public class JervisFilterTrait extends SCMSourceTrait {
                     LOGGER.fine("On target ref ${target_ref}, found ${yamlFile}:\n${['='*80, yamlText, '='*80].join('\n')}\nEND YAML FILE")
 
                     // parse the YAML for filtering
-                    Map jervis_yaml = (new Yaml()).load(yamlText)
+                    Map jervis_yaml = (new Yaml(new SafeConstructor())).load(yamlText)
                     if(head in TagSCMHead) {
                         // tag
                         if(!('tags' in jervis_yaml)) {