Recipe Name:
Injection: Avoid Code Injection: Use SafeConstructor: 1st argument of type Constructor
Description:
Could lead to Remote Code Execution
Level:
error
Language:
- java
Tags:
- security
- basic protection set
- injection
- YAML
- OWASP Top 10
Documentation
Secure coding practices prescribe that a safe constructor should be used when creating an org.yaml.snakeyaml.Yaml object. When creating an object of type org.yaml.snakeyaml.Yaml, it is advised to use a safe constructor. By default the Yaml class will use the Constructor class, which extends the SafeConstructor class. However, if a custom constructor is created and used, it should extend either SafeConstructor or Constructor. Extending the abstract BaseConstructor directly results in an unsafe constructor, which potentially makes the Yaml processor vulnerable to injection attacks and remote code execution.
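As an added example (not part of this recipe and not SnakeYAML project code), the following class builds a Yaml instance with SafeConstructor, as the fix prescribes, loads a constructed plain configuration document, and shows that a constructed document carrying a global tag naming an arbitrary class (com.example.Anything is a placeholder name, not a real class) is rejected with a ConstructorException rather than being instantiated. It assumes a SnakeYAML 1.x artifact on the classpath, matching the recipe's maxVersion of 1.27, where the no-argument SafeConstructor() still exists.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoader {

    // Constructed sample input: ordinary scalars and a mapping, no type tags.
    static final String PLAIN_CONFIG = "name: demo\nreplicas: 3\n";

    // Constructed sample input: a global tag naming a class. The class name is a
    // placeholder; SafeConstructor rejects any such tag regardless of the name.
    static final String TAGGED_DOC = "!!com.example.Anything {}\n";

    // Build the parser the way the recipe's fix rewrites it: SafeConstructor only
    // knows the standard YAML tags (maps, sequences, strings, numbers, booleans).
    static Yaml safeYaml() {
        return new Yaml(new SafeConstructor());
    }

    // Load untrusted YAML into plain Java collections. Any attempt to name a
    // class via a tag surfaces here as a ConstructorException.
    static Map<String, Object> loadConfig(String document) {
        return safeYaml().load(document);
    }

    // Returns true when the document is refused by the safe constructor.
    static boolean isRejected(String document) {
        try {
            loadConfig(document);
            return false;
        } catch (ConstructorException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadConfig(PLAIN_CONFIG);
        System.out.println("loaded: " + cfg);
        System.out.println("tagged document rejected: " + isRejected(TAGGED_DOC));
    }
}
```

The plain document loads into a Map with the values "demo" and 3, while the tagged document never reaches the point of instantiating a class: SafeConstructor has no constructor registered for the tag and throws before any object is built.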
Before:
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.BaseConstructor;

Yaml yaml = new Yaml(new BaseConstructor(){});

After:
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

Yaml yaml = new Yaml(new SafeConstructor());

References
Recipe
id: scw:snakeyaml:safeconstructor-constructor-arg
version: 10
metadata:
  name: 'Injection: Avoid Code Injection: Use SafeConstructor: 1st argument of type Constructor'
  shortDescription: Could lead to Remote Code Execution
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:code
  enabled: true
  descriptionFile: descriptions/java_snakeyaml.html
  tags: security;basic protection set;injection;YAML;OWASP Top 10
search:
  instanceCreation:
    args:
      1:
        type: org.yaml.snakeyaml.constructor.Constructor
    type: org.yaml.snakeyaml.Yaml
    scopes:
      library:
        name:
          contains: org.yaml:snakeyaml
        maxVersion: "1.27"
availableFixes:
  - name: Change Constructor to SafeConstructor
    actions:
      - modifyArguments:
          rewrite:
            1: new org.yaml.snakeyaml.constructor.SafeConstructor()