Mitigate potential RCE from SnakeYaml (CVE-2022-1471)

This vulnerability is very unlikely to ever be exploited, since the only way to modify the YAML file is to edit it yourself, and it would be pointless for a bot owner to run arbitrary code on their own bot. No other person can edit the configuration file remotely (e.g. with bot commands), so realistically this could not happen.
Bea 2022-12-24 14:42:01 +01:00
parent 50196bb8f9
commit f5a8c2af48
2 changed files with 2 additions and 6 deletions


@ -50,11 +50,6 @@
<artifactId>commons-text</artifactId>
<version>1.10.0</version>
</dependency>
<dependency>
<groupId>com.vdurmont</groupId>
<artifactId>emoji-java</artifactId>
<version>5.1.1</version>
</dependency>
</dependencies>


@ -2,6 +2,7 @@ package wtf.beatrice.hidekobot.datasources;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import wtf.beatrice.hidekobot.HidekoBot;
import wtf.beatrice.hidekobot.util.Logger;
@ -57,7 +58,7 @@ public class ConfigurationSource
}
}
// load the YAML file from the filesystem
Yaml fsConfigYaml = new Yaml();
Yaml fsConfigYaml = new Yaml(new SafeConstructor());
LinkedHashMap<String, Object> fsConfigContents = null; // map holding all file entries
try (InputStream fsConfigStream = new FileInputStream(fsConfigFile))
{ fsConfigContents = fsConfigYaml.load(fsConfigStream); }
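Review bot: The new `new Yaml(new SafeConstructor())` line has no comment saying why the constructor is passed, and a reader who does not know the CVE is likely to "simplify" it back to `new Yaml()`; add `// SafeConstructor only builds standard YAML types; the default constructor can instantiate arbitrary classes from tagged nodes (CVE-2022-1471)` above it. In recent SnakeYAML 1.x releases the no-arg SafeConstructor is, as far as I recall, deprecated in favour of `new SafeConstructor(new LoaderOptions())` (org.yaml.snakeyaml.LoaderOptions), so it is worth checking which version the build resolves — the pom hunk shown does not include a direct snakeyaml dependency. Separately, `fsConfigYaml.load(fsConfigStream)` on the last line is an unchecked assignment to LinkedHashMap, so a YAML root that is a list, a scalar or an empty document surfaces as a ClassCastException or a null map instead of a clear configuration error; loading into `Object` and checking `instanceof Map` before assigning would make that explicit. The enclosing method starts outside the hunk.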