Recipe Name:
Injection: Avoid Code Injection: Use SafeConstructor: arguments, but no Constructor argument
Description:
Could lead to Remote Code Execution
Level:
error
Language:
  • java
Tags:
  • security
  • basic protection set
  • injection
  • YAML
  • OWASP Top 10
Documentation

Secure coding practices prescribe that a safe constructor be used when creating an instance of org.yaml.snakeyaml.Yaml.

When creating an object of type org.yaml.snakeyaml.Yaml, use a safe constructor. By default the Yaml class uses the Constructor class, which extends SafeConstructor. If a custom constructor is created and passed to Yaml, it should extend either SafeConstructor or Constructor. Extending the abstract BaseConstructor directly results in an unsafe constructor, which can leave the YAML processor vulnerable to injection attacks and remote code execution.

Before
import org.yaml.snakeyaml.constructor.BaseConstructor;

Yaml yaml = new Yaml(new BaseConstructor(){});
After
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

Yaml yaml = new Yaml(new SafeConstructor());
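The following is an added example, not part of this recipe or of SnakeYAML's own documentation. It shows what the After form buys you in practice: a Yaml built with SafeConstructor materialises only the standard YAML types (maps, lists, scalars) and refuses a document whose global tag names a Java class, which is exactly the construction path an unsafe constructor would follow reflectively. It assumes SnakeYAML 1.x, where the no-argument SafeConstructor inserted by the recipe exists (2.x requires a LoaderOptions argument); the class SafeYamlLoad, the helper loadSafely and both YAML strings are constructed for this example.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

// Added example (not part of the recipe): loads two constructed YAML documents
// through a Yaml instance built with SafeConstructor. Standard YAML types are
// constructed normally; a document that names a Java class via a global tag
// is rejected instead of being instantiated.
public class SafeYamlLoad {

    // Constructed sample input 1: ordinary configuration, no tags.
    static final String PLAIN_CONFIG =
            "name: demo\nreplicas: 3\nhosts:\n  - a\n  - b\n";

    // Constructed sample input 2: a global tag asking for a Java class to be
    // instantiated. java.lang.Object is used as a harmless stand-in.
    static final String CLASS_TAGGED = "!!java.lang.Object {}\n";

    // One Yaml instance per load: Yaml objects are not thread-safe.
    static Object loadSafely(String document) {
        Yaml yaml = new Yaml(new SafeConstructor()); // SnakeYAML 1.x no-arg form
        return yaml.load(document);
    }

    public static void main(String[] args) {
        Map<?, ?> config = (Map<?, ?>) loadSafely(PLAIN_CONFIG);
        System.out.println("replicas = " + config.get("replicas")); // Integer 3
        System.out.println("hosts = " + config.get("hosts"));       // [a, b]

        try {
            loadSafely(CLASS_TAGGED);
            System.out.println("unexpected: class-tagged document was accepted");
        } catch (ConstructorException e) {
            // SafeConstructor has no constructor registered for the tag
            // tag:yaml.org,2002:java.lang.Object, so it fails here rather than
            // resolving the tag to a class and instantiating it.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A useful check when reviewing a codebase is that every Yaml that touches untrusted input (request bodies, uploaded files, third-party configuration) is constructed as in loadSafely; the recipe's search block above flags the instantiations whose first argument is not a SafeConstructor so they can be reviewed individually.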
References
Recipe
id: scw:snakeyaml:safeconstructor-no-constructor-arg
version: 10
metadata:
  name: 'Injection: Avoid Code Injection: Use SafeConstructor: arguments, but no Constructor argument'
  shortDescription: Could lead to Remote Code Execution
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:code
  enabled: true
  descriptionFile: descriptions/java_snakeyaml.html
  tags: security;basic protection set;injection;YAML;OWASP Top 10
search:
  instanceCreation:
    with:
      args:
        1:
          type: org.yaml.snakeyaml.constructor.BaseConstructor
    argCount:
      greaterThan: 0
    type: org.yaml.snakeyaml.Yaml
    without:
      args:
        1:
          type: org.yaml.snakeyaml.constructor.SafeConstructor
availableFixes:
- name: Add SafeConstructor
  actions:
  - modifyArguments:
      insert:
        1: new org.yaml.snakeyaml.constructor.SafeConstructor()