What can happen when downloading a YAML file from an untrusted source using SnakeYAML?

The SnakeYAML documentation says:

Warning: It is not safe to call Yaml.load() with any data received from an untrusted source!

Are these security issues? What can a malicious YAML file do?

+4
2 answers

I was also interested in this and found the following in the documentation:

Note that if you want to restrict objects to standard Java objects such as List or Long, you need to use SafeConstructor.

 Yaml yaml = new Yaml(new SafeConstructor()); 

The link above refers to a test case in which a YAML document contains a reference to a Java object. Without SafeConstructor, yaml.load will invoke that class's no-argument constructor, and this may be bad for some classes on your classpath. With SafeConstructor, only the construct classes nested inside SafeConstructor are used (Java code).

+3
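The difference the answer above describes, as an added example that is not part of the original answer: a constructed YAML document names a Java class with a global tag, the default Yaml() instantiates it (so its constructor runs), while Yaml(new SafeConstructor()) rejects the tag. It assumes SnakeYAML 1.x, where SafeConstructor has the no-argument constructor shown in the answer; in SnakeYAML 2.x the call becomes new SafeConstructor(new LoaderOptions()) and the default Yaml() already refuses global tags.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlSafeLoadDemo {

    // Harmless stand-in for "some class on your classpath": its no-argument
    // constructor only records that it ran. The point is that it ran at all,
    // chosen by the YAML author, not by the application.
    public static class Probe {
        static boolean constructorRan = false;
        public Probe() { constructorRan = true; }
    }

    // Constructed sample input: a document whose tag names a Java class.
    static final String UNTRUSTED_YAML = "!!" + Probe.class.getName() + " {}";

    // Unsafe: the default constructor resolves the tag to a class and instantiates it.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened: SafeConstructor only knows the standard YAML types (maps, lists,
    // strings, numbers, ...), so a tag naming an arbitrary class is rejected.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object o = loadUnsafe(UNTRUSTED_YAML);
        System.out.println("unsafe load returned " + o.getClass().getName()
                + ", Probe constructor ran: " + Probe.constructorRan);

        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("safe load unexpectedly succeeded");
        } catch (YAMLException e) {
            // SafeConstructor throws a ConstructorException (a YAMLException)
            // because it has no constructor registered for this tag.
            System.out.println("safe load rejected the document: " + e.getMessage());
        }
    }
}
```

Parsing untrusted input with the SafeConstructor-backed Yaml is the fix; restricting which tags are honoured is what removes the caller's ability to pick a class.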

SnakeYAML allows you to use any class loader. When an instance of the class is created, its constructor is called, and any code can run there. If you load the classes yourself, don't worry.

0

Source: https://habr.com/ru/post/1501334/
