Merge pull request #17 from jenkinsci/SECURITY-1825

Resolved remote code execution vulnerability
jenkinsci · Apr 6, 2020 · 3468028 · 3468028
2 parents 2e1f0b2 + 356a7ba
commit 3468028
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/build.gradle b/build.gradle
@@ -47,7 +47,7 @@ repositories {
 dependencies {
     // NOTE: groovy version included in Jenkins is 1.8.9
     runtime 'org.codehaus.groovy:groovy-all:1.8.9'
-    compile 'org.yaml:snakeyaml:1.16'
+    compile 'org.yaml:snakeyaml:1.26'
 
     testCompile 'org.spockframework:spock-core:0.7-groovy-1.8'
 

diff --git a/src/main/groovy/org/jenkinsci/plugins/yamlaxis/YamlFileLoader.groovy b/src/main/groovy/org/jenkinsci/plugins/yamlaxis/YamlFileLoader.groovy
@@ -3,6 +3,7 @@ import groovy.transform.TupleConstructor
 import hudson.FilePath
 import hudson.Util
 import org.yaml.snakeyaml.Yaml
+import org.yaml.snakeyaml.constructor.SafeConstructor
 
 @TupleConstructor
 class YamlFileLoader extends YamlLoader {
@@ -17,7 +18,7 @@ class YamlFileLoader extends YamlLoader {
             return null
         }
 
-        Yaml yaml = new Yaml()
+        Yaml yaml = new Yaml(new SafeConstructor())
         InputStream input = createFilePath().read()
 
         try{

diff --git a/src/main/groovy/org/jenkinsci/plugins/yamlaxis/YamlTextLoader.groovy b/src/main/groovy/org/jenkinsci/plugins/yamlaxis/YamlTextLoader.groovy
@@ -1,6 +1,7 @@
 package org.jenkinsci.plugins.yamlaxis
 import groovy.transform.TupleConstructor
 import org.yaml.snakeyaml.Yaml
+import org.yaml.snakeyaml.constructor.SafeConstructor
 
 @TupleConstructor
 class YamlTextLoader extends YamlLoader {
@@ -10,7 +11,7 @@ class YamlTextLoader extends YamlLoader {
 
     @Override
     Map getContent() {
-        Yaml yaml = new Yaml()
+        Yaml yaml = new Yaml(new SafeConstructor())
         yaml.load(yamlText)
     }
 }