feat(YamlParser): add SafeConstructor to enforce security
xael-fry committed Feb 28, 2024
1 parent 55ca839 commit 224ea57
Showing 1 changed file with 17 additions and 18 deletions.
35 changes: 17 additions & 18 deletions framework/src/play/deps/YamlParser.java
Expand Up @@ -35,6 +35,7 @@
import org.apache.ivy.plugins.repository.Resource;
import org.apache.ivy.plugins.repository.url.URLResource;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import play.Logger;
import play.Play;
Expand All @@ -53,15 +54,13 @@ public boolean accept(Resource rsrc) {
return rsrc.exists() && rsrc.getName().endsWith(".yml");
}



@Override
public ModuleDescriptor parseDescriptor(ParserSettings ps, URL url, Resource rsrc, boolean bln) throws ParseException, IOException {
try {
InputStream srcStream = rsrc.openStream();
long lastModified = (rsrc != null?rsrc.getLastModified():0L);
Yaml yaml = new Yaml();

Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
Object o = null;

// Try to parse the yaml
Expand Down Expand Up @@ -112,7 +111,7 @@ public ModuleDescriptorParser getParser() {
descriptor.setLastModified(lastModified);

boolean transitiveDependencies = get(data, "transitiveDependencies", boolean.class, true);

List<String> confs = new ArrayList<>();
if (data.containsKey("configurations")) {
if (data.get("configurations") instanceof List) {
Expand All @@ -121,7 +120,7 @@ public ModuleDescriptorParser getParser() {
for (Object conf : configurations) {
String confName;
Map options;

if (conf instanceof String) {
confName = ((String) conf).trim();
options = new HashMap();
Expand All @@ -135,7 +134,7 @@ public ModuleDescriptorParser getParser() {
allExcludes &= exclude;
confs.add((exclude ? "!" : "") + confName);
}

if (allExcludes) {
confs.add(0, "*");
}
Expand All @@ -145,7 +144,7 @@ public ModuleDescriptorParser getParser() {
} else {
confs.add("*");
}

if (data.containsKey("require")) {
if (data.get("require") instanceof List) {

Expand Down Expand Up @@ -304,7 +303,7 @@ public static Set<String> getOrderedModuleList(File file) throws ParseException,
System.setProperty("application.path", Play.applicationPath.getAbsolutePath());
return getOrderedModuleList(modules, file);
}

private static Set<String> getOrderedModuleList(Set<String> modules, File file) throws ParseException, IOException {
if (file == null || !file.exists()) {
throw new FileNotFoundException("There was a problem to find the file");
Expand All @@ -317,28 +316,28 @@ private static Set<String> getOrderedModuleList(Set<String> modules, File file)
DependencyDescriptor[] rules = md.getDependencies();
File localModules = Play.getFile("modules");
for (DependencyDescriptor dep : rules) {
ModuleRevisionId rev = dep.getDependencyRevisionId();
ModuleRevisionId rev = dep.getDependencyRevisionId();
String moduleName = filterModuleName(rev);

// Check if the module was already load to avoid circular parsing
if (moduleName != null && !modules.contains(moduleName)) {
// Add the given module
modules.add(moduleName);
// Need to load module dependencies of this given module

// Need to load module dependencies of this given module
File module = new File(localModules, moduleName);
if(module != null && module.isDirectory()) {
if(module != null && module.isDirectory()) {
File ivyModule = new File(module, "conf/dependencies.yml");
if(ivyModule != null && ivyModule.exists()) {
getOrderedModuleList(modules, ivyModule);
}
}
} else {
File modulePath = new File(IO.readContentAsString(module).trim());
if (modulePath.exists() && modulePath.isDirectory()) {
File ivyModule = new File(modulePath, "conf/dependencies.yml");
if(ivyModule != null && ivyModule.exists()) {
getOrderedModuleList(modules, ivyModule);
}
}
}
}
} else if(moduleName == null && rev.getRevision().equals("->")){
Expand All @@ -347,8 +346,8 @@ private static Set<String> getOrderedModuleList(Set<String> modules, File file)
}
return modules;
}


private static String filterModuleName(ModuleRevisionId rev) {
if (rev != null && !"play".equals(rev.getName())) {
File moduleDir = new File(Play.applicationPath, "modules");
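Review bot: The new `Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));` in parseDescriptor uses `LoaderOptions`, but the import hunk at the top only adds `org.yaml.snakeyaml.constructor.SafeConstructor`; unless `org.yaml.snakeyaml.LoaderOptions` is already imported in the collapsed part of the import block, this will not compile. The line should also carry a comment recording why the default constructor is avoided, since a dependencies.yml is parsed from module/repository content and the default `Yaml()` permits `!!`-tagged construction of arbitrary classes on the classpath: `// SafeConstructor: only standard YAML types are built, custom !!-tagged Java classes are rejected`. It would be worth setting explicit limits on the `LoaderOptions` passed in (for example a maximum alias count) rather than relying on defaults, so an alias-heavy or oversized descriptor is bounded as well. parseDescriptor continues past this hunk, and the remaining hunks in this file are whitespace-only.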
