Recipe Name:
Injection: Avoid Code Injection: Use SafeConstructor: no arguments
Description:
Could lead to Remote Code Execution
Level:
error
Language:
  • java
Tags:
  • security
  • basic protection set
  • injection
  • YAML
  • OWASP Top 10
Documentation

Secure coding practices prescribe that a safe constructor should be used when creating an instance of an org.yaml.snakeyaml.Yaml object.

When creating an object of type org.yaml.snakeyaml.Yaml, it is advised to use a safe constructor. By default, the Yaml class uses the Constructor class, which extends the SafeConstructor class. However, if a custom constructor is created and used, it should extend either SafeConstructor or Constructor. Extending the abstract BaseConstructor directly results in an unsafe constructor, which potentially makes the Yaml processor vulnerable to injection attacks and remote code execution.

Before
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.BaseConstructor;

Yaml yaml = new Yaml(new BaseConstructor(){});
After
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

Yaml yaml = new Yaml(new SafeConstructor());
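An added example, not part of this recipe or of the SnakeYAML project, showing what the fix buys at runtime: the same loader accepts ordinary key/value data but refuses a document carrying a global `!!` class tag, which the default Constructor would have resolved to a Java class. The class name SafeYamlLoad and both input documents are constructed for this illustration.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeYamlLoad {

    // Constructed sample input: ordinary key/value data, the only kind SafeConstructor builds.
    static final String PLAIN_CONFIG = "host: example.invalid\nport: 8443\n";

    // Constructed sample input: a document that asks the parser to instantiate a Java class
    // through a global tag. SafeConstructor only knows the standard YAML types and rejects it;
    // the default Constructor would resolve the tag to java.util.Date and instantiate it.
    static final String TAGGED_CONFIG = "created: !!java.util.Date 2020-01-01T00:00:00Z\n";

    /** Parses untrusted YAML into plain Maps, Lists and scalars; never instantiates application classes. */
    public static Map<String, Object> loadUntrusted(String document) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object root = yaml.load(document);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        Map<String, Object> config = loadUntrusted(PLAIN_CONFIG);
        System.out.println("port = " + config.get("port")); // plain scalar, parsed as an Integer

        try {
            loadUntrusted(TAGGED_CONFIG);
            System.out.println("unexpected: tagged input was accepted");
        } catch (ConstructorException e) {
            // SafeConstructor reports an unknown tag instead of constructing a class.
            System.out.println("rejected tagged input: " + e.getMessage());
        }
    }
}
```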
References
Recipe
id: scw:snakeyaml:safeconstructor-no-args
version: 10
metadata:
  name: 'Injection: Avoid Code Injection: Use SafeConstructor: no arguments'
  shortDescription: Could lead to Remote Code Execution
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:code
  enabled: true
  descriptionFile: descriptions/java_snakeyaml.html
  tags: security;basic protection set;injection;YAML;OWASP Top 10
search:
  instanceCreation:
    argCount: 0
    type: org.yaml.snakeyaml.Yaml
scopes:
  library:
    name:
      contains: org.yaml:snakeyaml
    maxVersion: "1.27"
availableFixes:
- name: Add SafeConstructor
  actions:
  - modifyArguments:
      insert:
        1: new org.yaml.snakeyaml.constructor.SafeConstructor()