Recipe Name:
Injection: Avoid Code Injection: Use SafeConstructor: arguments, but no Constructor argument
Description:
Could lead to Remote Code Execution
Level:
error
Language:
- java
Tags:
- security
- basic protection set
- injection
- YAML
- OWASP Top 10
Documentation
Secure coding practice prescribes that a safe constructor be used when creating an org.yaml.snakeyaml.Yaml object. By default the Yaml class uses the Constructor class, which extends SafeConstructor. If a custom constructor is written and passed to Yaml, it should extend either SafeConstructor or Constructor. Extending the abstract BaseConstructor directly yields a constructor that carries none of the tag restrictions SafeConstructor adds, which can leave the YAML processor open to injection attacks and remote code execution.
SafeConstructor constructs only the standard YAML types (mappings, sequences, strings, numbers, booleans, timestamps and the like) and rejects any global tag such as !!com.example.SomeClass. Constructor, by contrast, resolves such a tag to a class on the classpath; SnakeYAML 2.0 added a tag inspector that rejects global tags unless they are explicitly allowed, but passing a SafeConstructor remains the explicit, version-independent choice whenever the document comes from an untrusted source.
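The behaviour difference between the three constructor classes, as an added Java example that is not code from this recipe page or from the SnakeYAML project. It targets SnakeYAML 1.x (in 2.x, Constructor and SafeConstructor take a LoaderOptions argument); the class name SafeYamlDemo, the PointConstructor subclass, the !point tag and the two YAML documents are constructed for illustration. It also goes a step beyond the page's Before/After snippets by showing how an application-specific tag can be registered on top of SafeConstructor instead of starting from BaseConstructor.

```java
import java.util.List;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.AbstractConstruct;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.SequenceNode;
import org.yaml.snakeyaml.nodes.Tag;

public class SafeYamlDemo {

    // Constructed input (not from the page): a global tag that asks the loader
    // to instantiate an arbitrary JVM class from a one-element sequence.
    static final String CLASS_TAG_DOC = "!!java.net.URL [\"http://example.invalid/\"]";

    // Constructed input using an application-defined local tag (assumed here).
    static final String LOCAL_TAG_DOC = "!point [3, 4]";

    // Default loader: Constructor resolves !!<class> tags to classpath classes.
    static Object loadWithConstructor(String doc) {
        return new Yaml(new Constructor()).load(doc);
    }

    // Hardened loader: SafeConstructor knows only the standard YAML tags and
    // throws a ConstructorException (a YAMLException) for anything else.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    // An application that needs its own tag extends SafeConstructor (not
    // BaseConstructor), so every other tag keeps the safe default handling.
    static class PointConstructor extends SafeConstructor {
        PointConstructor() {
            this.yamlConstructors.put(new Tag("!point"), new ConstructPoint());
        }

        private class ConstructPoint extends AbstractConstruct {
            @Override
            public Object construct(Node node) {
                // constructSequence is inherited from BaseConstructor and builds
                // the elements with the (safe) constructors registered above.
                List<?> values = constructSequence((SequenceNode) node);
                if (values.size() != 2) {
                    throw new YAMLException("!point expects [x, y], got " + values);
                }
                return new int[] { ((Number) values.get(0)).intValue(),
                                   ((Number) values.get(1)).intValue() };
            }
        }
    }

    static Object loadWithPointConstructor(String doc) {
        return new Yaml(new PointConstructor()).load(doc);
    }

    public static void main(String[] args) {
        // 1. Constructor honours the class tag and builds a java.net.URL.
        Object url = loadWithConstructor(CLASS_TAG_DOC);
        System.out.println("Constructor      -> " + url.getClass().getName());

        // 2. SafeConstructor rejects the same document.
        try {
            loadWithSafeConstructor(CLASS_TAG_DOC);
            System.out.println("SafeConstructor  -> unexpectedly accepted");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor  -> rejected: " + e.getMessage());
        }

        // 3. The SafeConstructor subclass accepts its own local tag but still
        //    rejects class tags, because only !point was added.
        int[] p = (int[]) loadWithPointConstructor(LOCAL_TAG_DOC);
        System.out.println("PointConstructor -> (" + p[0] + ", " + p[1] + ")");
        try {
            loadWithPointConstructor(CLASS_TAG_DOC);
            System.out.println("PointConstructor -> unexpectedly accepted");
        } catch (YAMLException e) {
            System.out.println("PointConstructor -> rejected: " + e.getMessage());
        }
    }
}
```

Run it with snakeyaml 1.x on the classpath (for example javac/java with -cp snakeyaml-1.33.jar). The point of the third case is the one the recipe is about: a custom constructor built on SafeConstructor inherits the rejection of unknown tags, while a custom constructor built on BaseConstructor has to supply all of that handling itself and gets no safeguards for free.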
Before
    import org.yaml.snakeyaml.Yaml;
    import org.yaml.snakeyaml.constructor.BaseConstructor;

    // Anonymous subclass of the abstract BaseConstructor: none of the
    // SafeConstructor safeguards apply, so the rule flags this instance creation.
    Yaml yaml = new Yaml(new BaseConstructor(){});
After
    import org.yaml.snakeyaml.Yaml;
    import org.yaml.snakeyaml.constructor.SafeConstructor;

    // SafeConstructor constructs only the standard YAML types and rejects global tags.
    Yaml yaml = new Yaml(new SafeConstructor());
References
Recipe
id: scw:snakeyaml:safeconstructor-no-constructor-arg
version: 10
metadata:
  name: 'Injection: Avoid Code Injection: Use SafeConstructor: arguments, but no Constructor argument'
  shortDescription: Could lead to Remote Code Execution
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:code
  enabled: true
  descriptionFile: descriptions/java_snakeyaml.html
  tags: security;basic protection set;injection;YAML;OWASP Top 10
search:
  instanceCreation:
    with:
      args:
        1:
          type: org.yaml.snakeyaml.constructor.BaseConstructor
      argCount:
        greaterThan: 0
    type: org.yaml.snakeyaml.Yaml
    without:
      args:
        1:
          type: org.yaml.snakeyaml.constructor.SafeConstructor
availableFixes:
  - name: Add SafeConstructor
    actions:
      - modifyArguments:
          insert:
            1: new org.yaml.snakeyaml.constructor.SafeConstructor()