From e65ec54fd7d48e5daf3f9d252971a79839d0a1fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beatrice=20Dellac=C3=A0?=
Date: Sat, 24 Dec 2022 14:42:01 +0100
Subject: [PATCH] Mitigate potential RCE from SnakeYaml (CVE-2022-1471)
This vulnerability is very unlikely to ever happen, since the only way to modify the YAML file is to edit it yourself, and it would be useless for a bot owner to RCE their own bot. No other person can edit the configuration file remotely (eg. with bot commands), so realistically, this could not happen.
---
 pom.xml | 5 -----
 .../beatrice/hidekobot/datasources/ConfigurationSource.java | 3 ++-
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/pom.xml b/pom.xml
index bc2331d..51893db 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,11 +50,6 @@
 commons-text
 1.10.0
-
- com.vdurmont
- emoji-java
- 5.1.1
-
diff --git a/src/main/java/wtf/beatrice/hidekobot/datasources/ConfigurationSource.java b/src/main/java/wtf/beatrice/hidekobot/datasources/ConfigurationSource.java
index b00c6f9..ab3ff71 100644
--- a/src/main/java/wtf/beatrice/hidekobot/datasources/ConfigurationSource.java
+++ b/src/main/java/wtf/beatrice/hidekobot/datasources/ConfigurationSource.java
@@ -2,6 +2,7 @@ package wtf.beatrice.hidekobot.datasources;
 import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 import wtf.beatrice.hidekobot.HidekoBot;
 import wtf.beatrice.hidekobot.util.Logger;
@@ -57,7 +58,7 @@ public class ConfigurationSource
 } }
 // load the YAML file from the filesystem
- Yaml fsConfigYaml = new Yaml();
+ Yaml fsConfigYaml = new Yaml(new SafeConstructor());
 LinkedHashMap fsConfigContents = null; // map holding all file entries
 try (InputStream fsConfigStream = new FileInputStream(fsConfigFile)) { fsConfigContents = fsConfigYaml.load(fsConfigStream); }
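Review bot: The new `Yaml fsConfigYaml = new Yaml(new SafeConstructor());` line closes the arbitrary-class instantiation path, but it relies on the no-argument `SafeConstructor`, which as far as I recall SnakeYAML 2.x dropped in favour of `SafeConstructor(LoaderOptions)`; that overload is also available on recent 1.x releases and additionally lets the loader bound the document (alias expansion, nesting depth), which `SafeConstructor` alone does not. Consider `LoaderOptions loaderOptions = new LoaderOptions(); loaderOptions.setMaxAliasesForCollections(50); Yaml fsConfigYaml = new Yaml(new SafeConstructor(loaderOptions));` (the alias limit is a constructed example), with `import org.yaml.snakeyaml.LoaderOptions;` added next to the import introduced in the first hunk. A short comment such as `// SafeConstructor only builds standard YAML types, so document tags cannot instantiate arbitrary classes (CVE-2022-1471)` would keep the reasoning from the commit message in the file itself. The pom.xml hunk only removes the emoji-java dependency and does not touch the SnakeYAML version, so the mitigation rests entirely on this constructor choice. The enclosing method begins before and ends after this hunk.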