Mitigate potential RCE from SnakeYaml (CVE-2022-1471)

This vulnerability is very unlikely to ever happen, since the only way to modify the YAML file is to edit it yourself, and it would be useless for a bot owner to RCE their own bot. No other person can edit the configuration file remotely (eg. with bot commands), so realistically, this could not happen.

pom.xml

@@ -50,11 +50,6 @@
             <artifactId>commons-text</artifactId>
             <version>1.10.0</version>
         </dependency>
-        <dependency>
-            <groupId>com.vdurmont</groupId>
-            <artifactId>emoji-java</artifactId>
-            <version>5.1.1</version>
-        </dependency>
     </dependencies>
 
 

src/main/java/wtf/beatrice/hidekobot/datasources/ConfigurationSource.java

@@ -2,6 +2,7 @@ package wtf.beatrice.hidekobot.datasources;
 
 import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 import wtf.beatrice.hidekobot.HidekoBot;
 import wtf.beatrice.hidekobot.util.Logger;
 
@@ -57,7 +58,7 @@ public class ConfigurationSource
             }
         }
         // load the YAML file from the filesystem
-        Yaml fsConfigYaml = new Yaml();
+        Yaml fsConfigYaml = new Yaml(new SafeConstructor());
         LinkedHashMap<String, Object> fsConfigContents = null; // map holding all file entries
         try (InputStream fsConfigStream = new FileInputStream(fsConfigFile))
         { fsConfigContents = fsConfigYaml.load(fsConfigStream); }