Remove and ignore object references from Yaml files

Yaml 2.0 fixes CVE-2022–1471 to error on object references. This commit adapts our use of Yaml to not output object references anymore and on loading explicitly allow object references to expected types. Fixes #498
eclipse-cdt · Aug 10, 2023 · de012f4 · de012f4
1 parent e725b88
commit de012f4
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/...make.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java b/...make.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java
@@ -22,9 +22,13 @@
 import org.eclipse.cdt.cmake.core.internal.properties.CMakePropertiesBean;
 import org.eclipse.cdt.cmake.core.properties.CMakeGenerator;
 import org.junit.Test;
+import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor;
+import org.yaml.snakeyaml.inspector.TagInspector;
+import org.yaml.snakeyaml.nodes.Tag;
+import org.yaml.snakeyaml.representer.Representer;
 
 /**
  * @author Martin Weber
@@ -57,7 +61,14 @@ public void testSaveLoadEvolution_1() throws IOException {
 		extraArgs.add("arg2");
 		props.setExtraArguments(extraArgs);
 
-		Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), new LoaderOptions()));
+		var loaderoptions = new LoaderOptions();
+		TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName());
+		loaderoptions.setTagInspector(taginspector);
+		Representer customRepresenter = new Representer(new DumperOptions());
+		customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP);
+
+		Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), loaderoptions),
+				customRepresenter);
 		String output = yaml.dump(props);
 
 		// try to load as evolved properties..

diff --git a/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF b/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF
@@ -22,4 +22,7 @@ Automatic-Module-Name: org.eclipse.cdt.cmake.core
 Bundle-Localization: plugin
 Import-Package: org.eclipse.core.variables,
  org.yaml.snakeyaml;version="[2.0.0,3.0.0)",
- org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)"
+ org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)",
+ org.yaml.snakeyaml.inspector;version="[2.0.0,3.0.0)",
+ org.yaml.snakeyaml.nodes;version="[2.0.0,3.0.0)",
+ org.yaml.snakeyaml.representer;version="[2.0.0,3.0.0)"
diff --git a/...pse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java b/...pse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java
@@ -27,9 +27,14 @@
 import org.eclipse.cdt.cmake.core.properties.CMakeGenerator;
 import org.eclipse.cdt.cmake.core.properties.ICMakeProperties;
 import org.eclipse.cdt.cmake.core.properties.ICMakePropertiesController;
+import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor;
+import org.yaml.snakeyaml.inspector.TagInspector;
+import org.yaml.snakeyaml.nodes.Tag;
+import org.yaml.snakeyaml.representer.Representer;
 
 /**
  * A {@code ICMakePropertiesController} that monitors modifications to the project properties that force
@@ -68,7 +73,13 @@ public ICMakeProperties load() throws IOException {
 		if (Files.exists(storageFile)) {
 			try (InputStream is = Files.newInputStream(storageFile)) {
 				var classLoader = this.getClass().getClassLoader();
-				var clConstructor = new CustomClassLoaderConstructor(classLoader, new LoaderOptions());
+
+				var loaderoptions = new LoaderOptions();
+				TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName());
+				loaderoptions.setTagInspector(taginspector);
+
+				var clConstructor = new CustomClassLoaderConstructor(classLoader, loaderoptions);
+
 				props = new Yaml(clConstructor).loadAs(is, CMakePropertiesBean.class);
 				// props is null here if if no document was available in the file
 			}
@@ -95,7 +106,10 @@ public void save(ICMakeProperties properties) throws IOException {
 			}
 		}
 		try (Writer wr = new OutputStreamWriter(Files.newOutputStream(storageFile))) {
-			new Yaml().dump(properties, wr);
+			Representer customRepresenter = new Representer(new DumperOptions());
+			customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP);
+			new Yaml(new Constructor(CMakePropertiesBean.class, new LoaderOptions()), customRepresenter)
+					.dump(properties, wr);
 		}
 
 		setupModifyDetection(properties);