How to prevent a potential remote code execution via SnakeYAML deserialization

02210

A popular java library for YAML parsing, SnakeYAML, has a well know vulnerability if used incorrectly to parse user generated YAMLs.

You can read about the vulnerability itself here:

图片[1]-How to prevent a potential remote code execution via SnakeYAML deserialization - 拾光赋-拾光赋

SnakeYaml Deserilization exploited | by Swapneil Kumar Dash | Medium

Swapneil Kumar Dash ・ Sep 9, 2019 ・ swapneildash.Medium

The solutions for this problem that I have found on the net are either incorrect or unusable in real life. So I want to share here the solution that I have come up with.

It is quite simple: 

  public static <T> T parseYamlSafe(String yaml, Constructor constructor) {
    Yaml yamlParser = new Yaml(new SafeConstructor());
    // the following line throws an exception
    // if constructors for non standard java types exist in yaml
    yamlParser.load(yaml);

    //if we got here, the YAML is safe to parse.
    yamlParser = new Yaml(constructor); 
    return yamlParser.load(yaml);
  }

Enter fullscreen mode Exit fullscreen mode

原文链接:How to prevent a potential remote code execution via SnakeYAML deserialization

© 版权声明
文章版权声明 1、本网站名称:拾光赋
2、本站永久网址:https://www.blogs.ink
3、本网站的文章部分内容可能来源于网络,仅供大家学习与参考,如有侵权,请联系站长QQ:805375623进行删除处理。
4、本站一切资源不代表本站立场,并不代表本站赞同其观点和对其真实性负责。
5、本站一律禁止以任何方式发布或转载任何违法的相关信息,访客发现请向站长举报
6、本站资源大多存储在云盘,如发现链接失效,请联系我们我们会第一时间更新。

THE END
Java(EN)
# java# security# yaml# rce
喜欢就支持一下吧
点赞10 分享
kity的头像-拾光赋
SpringBoot Web Service – Part 1 – Create Repository-拾光赋
SpringBoot Web Service – Part 1 – Create Repository
SpringBoot Web Service – Part 1 – Create Repository
3天前 55
BCP Calltree – Twilio SMS Api-拾光赋
BCP Calltree – Twilio SMS Api
BCP Calltree – Twilio SMS Api
5年前 54
Wednesday Links – Edition 2025-01-08-拾光赋
Wednesday Links – Edition 2025-01-08
Wednesday Links – Edition 2025-01-08
3天前 53
why java does not support multiple inheritance?-拾光赋
why java does not support multiple inheritance?
why java does not support multiple inheritance?
22天前 53
Why Struggle with Software Challenges When Tanzu Can Do the Heavy Lifting?-拾光赋
Why Struggle with Software Challenges When Tanzu Can Do the Heavy Lifting?
Why Struggle with Software Challenges When Tanzu Can Do the Heav...
15天前 53
what is java ?-拾光赋
what is java ?
what is java ?
24天前 53
相关推荐
Java基础总结篇(上)-拾光赋
Java基础总结篇(上)
Java基础总结篇(上)
5年前 733
引用JS文件错误导致无法读取代码-拾光赋
引用JS文件错误导致无法读取代码
引用JS文件错误导致无法读取代码
4年前 552
ideaIU-2019.3.1 破解汉化教程-拾光赋
ideaIU-2019.3.1 破解汉化教程
ideaIU-2019.3.1 破解汉化教程
5年前 528
A依赖B,B依赖A Spring如何处理。-拾光赋
A依赖B,B依赖A Spring如何处理。
A依赖B,B依赖A Spring如何处理。
4年前 471
Java中&&和&的区别-拾光赋
Java中&&和&的区别
Java中&&和&的区别
4年前 403
Win10下安装JDK及Java环境变量配置-拾光赋
Win10下安装JDK及Java环境变量配置
Win10下安装JDK及Java环境变量配置
5年前 378
评论 抢沙发

请登录后发表评论

    暂无评论内容

旧时代博客
kity的头像-拾光赋
Top 30 Must-Read Productivity Articles for January 9, 2025-拾光赋
Top 30 Must-Read Productivity Articles for January 9, 2025
Top 30 Must-Read Productivity Articles for January 9, 2025
前天 21
My First RAG Chatbot: What I Built and How-拾光赋
My First RAG Chatbot: What I Built and How
My First RAG Chatbot: What I Built and How
2天前 37
Modernizing HyperGraph’s CLI: A Journey Towards Better Architecture-拾光赋
Modernizing HyperGraph’s CLI: A Journey Towards Better Architecture
Modernizing HyperGraph’s CLI: A Journey Towards Better Arc...
3天前 24
Guide to Download Public Instagram Reels with Python-拾光赋
Guide to Download Public Instagram Reels with Python
Guide to Download Public Instagram Reels with Python
3天前 50
Java OOP: Week 2 – The OOP Adventure Continues-拾光赋
Java OOP: Week 2 – The OOP Adventure Continues
Java OOP: Week 2 – The OOP Adventure Continues
3天前 33
JAVA PARA INICIANTES – 1. Introdução, Fundamentos e Prática 11/01/25 #Cap1-拾光赋
JAVA PARA INICIANTES – 1. Introdução, Fundamentos e Prática 11/01/25 #Cap1
JAVA PARA INICIANTES – 1. Introdução, Fundamentos e Prá...
3天前 23
今日剩余 100%
本周剩余 100%
本月剩余 100%
本年剩余 100%
最近评论
Vito的头像-拾光赋

Vito3个月前2

你就是我心中的那首忐忑,总是让我惊心动魄
Jason.Meng的头像-拾光赋钻石会员

Jason.Meng徽章-人气大使-拾光赋3个月前2

总是会在人生的不同阶段反复爱上大佬的文章~
每日一言