fix vulnerabiity in yaml constructor

Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
opensearch-project · Dec 14, 2022 · c75e1be · c75e1be
1 parent 9579e51
commit c75e1be
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java
@@ -32,6 +32,7 @@
 import org.opensearch.securityanalytics.rules.utils.Either;
 import org.apache.commons.lang3.tuple.Pair;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -70,7 +71,7 @@ public QueryBackend(String ruleCategory, boolean convertAndAsIn, boolean enableF
             assert is != null;
             String content = new String(is.readAllBytes(), Charset.defaultCharset());
 
-            Yaml yaml = new Yaml();
+            Yaml yaml = new Yaml(new SafeConstructor());
             Map<String, Object> fieldMappingsObj = yaml.load(content);
             this.fieldMappings = (Map<String, String>) fieldMappingsObj.get("fieldmappings");
 

diff --git a/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaRule.java b/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaRule.java
@@ -12,6 +12,7 @@
 import org.opensearch.securityanalytics.rules.exceptions.SigmaLogsourceError;
 import org.opensearch.securityanalytics.rules.exceptions.SigmaStatusError;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
@@ -167,7 +168,7 @@ protected static SigmaRule fromDict(Map<String, Object> rule, boolean collectErr
     }
 
     public static SigmaRule fromYaml(String rule, boolean collectErrors) throws SigmaError {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> ruleMap = yaml.load(rule);
         return fromDict(ruleMap, collectErrors);
     }

diff --git a/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java b/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java
@@ -21,6 +21,7 @@
 import org.opensearch.securityanalytics.rules.utils.Either;
 import org.opensearch.test.OpenSearchTestCase;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.util.Collections;
 import java.util.List;
@@ -29,7 +30,7 @@
 public class SigmaDetectionsTests extends OpenSearchTestCase {
 
     public void testSigmaDetectionsFromDict() throws SigmaError{
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        EventID: 16\n" +
@@ -61,7 +62,7 @@ public void testSigmaDetectionsFromDict() throws SigmaError{
     }
 
     public void testSigmaDetectionsFromDictNoDetections() {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    condition: selection");
         Exception exception = assertThrows(SigmaDetectionError.class, () -> {
@@ -75,7 +76,7 @@ public void testSigmaDetectionsFromDictNoDetections() {
     }
 
     public void testSigmaDetectionsFromDictNoCondition() {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        EventID: 16\n" +
@@ -93,7 +94,7 @@ public void testSigmaDetectionsFromDictNoCondition() {
     }
 
     public void testDetectionItemAllModifiedKeyPlainValuesPostProcess() throws SigmaError{
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        field|all: [\"val1\", \"val2\", 123]\n" +
@@ -111,7 +112,7 @@ public void testDetectionItemAllModifiedKeyPlainValuesPostProcess() throws Sigma
     }
 
     public void testDetectionItemAllModifiedUnboundPlainValuesPostProcess() throws SigmaError {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        \"|all\": [\"val1\", \"val2\", 123]\n" +
@@ -129,7 +130,7 @@ public void testDetectionItemAllModifiedUnboundPlainValuesPostProcess() throws S
     }
 
     public void testDetectionItemAllModifiedKeySpecialValuesPostProcess() throws SigmaError {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                         "        field|all: [\"val1*\", \"val2\", 123]\n" +