Revert "CVE-2022-38752"
This reverts commit 94b1d7f.
amita-seal committed Sep 19, 2024
1 parent b337e87 commit b028e7d
Showing 6 changed files with 17 additions and 37 deletions.
Expand Up @@ -221,17 +221,21 @@ protected Object constructObject(Node node) {
}

protected Object constructObjectNoCheck(Node node) {
if (recursiveObjects.contains(node)) {
throw new ConstructorException(null, null, "found unconstructable recursive node",
node.getStartMark());
}
recursiveObjects.add(node);
Construct constructor = getConstructor(node);
Object data = (constructedObjects.containsKey(node)) ? constructedObjects.get(node)
: constructor.construct(node);

finalizeConstruction(node, data);
constructedObjects.put(node, data);
recursiveObjects.remove(node);
if (node.isTwoStepsConstruction()) {
constructor.construct2ndStep(node, data);
}
recursiveObjects.remove(node);
return data;
}

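--- a/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java
+++ b/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java
@@ -90,19 +90,12 @@ protected void processDuplicateKeys(MappingNode node) {
 if (!keyNode.getTag().equals(Tag.MERGE)) {
 Object key = constructObject(keyNode);
 if (key != null) {
-if (keyNode.isTwoStepsConstruction()) {
-if(!loadingConfig.getAllowRecursiveKeys()) {
-throw new YAMLException(
-"Recursive key is detected but it is not configured to be allowed.");
-} else {
-try {
-key.hashCode();// check circular dependencies
-} catch (Exception e) {
-throw new ConstructorException("while constructing a mapping",
-node.getStartMark(), "found unacceptable key " + key,
-tuple.getKeyNode().getStartMark(), e);
-}
-}
+try {
+key.hashCode();// check circular dependencies
+} catch (Exception e) {
+throw new ConstructorException("while constructing a mapping",
+node.getStartMark(), "found unacceptable key " + key,
+tuple.getKeyNode().getStartMark(), e);
 }
 }
 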
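Review bot: After this change every non-null key reaches `key.hashCode()` with only `catch (Exception e)` around it, and a `StackOverflowError` raised by hashing a self-referencing key is an `Error`, so it escapes the handler instead of becoming a `ConstructorException`. The removed `keyNode.isTwoStepsConstruction()` / `loadingConfig.getAllowRecursiveKeys()` check was the only thing in this hunk that stopped recursive keys before hashing, so loading untrusted YAML can again exhaust the stack of the calling thread, which appears to be the condition the reverted commit is named for. If the revert is needed for compatibility, keep the opt-in check and change its default rather than dropping it, or at least widen the handler to `catch (Exception | StackOverflowError e)`. The test sections on this page now load recursive documents through a default `new Yaml()`, so nothing visible here exercises a rejection path. `processDuplicateKeys` starts and ends outside the hunk.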
Expand Up @@ -21,7 +21,6 @@

import junit.framework.TestCase;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Util;
import org.yaml.snakeyaml.Yaml;

Expand Down Expand Up @@ -59,9 +58,7 @@ public void testLoadException() {
public void testLoadRecursiveTest() {
String doc = Util.getLocalResource("issues/issue73-recursive5.txt");
// System.out.println(doc);
LoaderOptions options = new LoaderOptions();
options.setAllowRecursiveKeys(true);
Yaml yaml = new Yaml(options);
Yaml yaml = new Yaml();
Bean1 obj = (Bean1) yaml.load(doc);
Set<Object> set = obj.getSet();
// System.out.println(set);
Expand Up @@ -21,7 +21,6 @@

import junit.framework.TestCase;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Util;
import org.yaml.snakeyaml.Yaml;

Expand Down Expand Up @@ -58,9 +57,7 @@ public void testLoadException() {
public void testLoadRecursiveTest() {
String doc = Util.getLocalResource("issues/issue73-recursive9.txt");
// System.out.println(doc);
LoaderOptions options = new LoaderOptions();
options.setAllowRecursiveKeys(true);
Yaml yaml = new Yaml(options);
Yaml yaml = new Yaml();
Bean11 beanWithSet = (Bean11) yaml.load(doc);
Set<Object> set = beanWithSet.getSet();
assertEquals(TreeSet.class, set.getClass());
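--- a/src/test/java/org/yaml/snakeyaml/recursive/HumanTest.java
+++ b/src/test/java/org/yaml/snakeyaml/recursive/HumanTest.java
@@ -137,10 +137,7 @@ public void testChildren() {
 assertEquals(etalon, output);
 TypeDescription humanDescription = new TypeDescription(Human.class);
 humanDescription.putMapPropertyType("children", Human.class, Object.class);
-LoaderOptions loaderOptions = new LoaderOptions();
-loaderOptions.setAllowRecursiveKeys(true);
-Yaml beanLoader = new Yaml(new Constructor(humanDescription, loaderOptions));
-
+Yaml beanLoader = new Yaml(new Constructor(humanDescription));
 //
 Human son2 = beanLoader.loadAs(output, Human.class);
 assertNotNull(son2);
@@ -213,10 +210,7 @@ public void testChildrenPretty() {
 assertEquals(etalon, output);
 TypeDescription humanDescription = new TypeDescription(Human.class);
 humanDescription.putMapPropertyType("children", Human.class, Object.class);
-LoaderOptions loaderOptions = new LoaderOptions();
-loaderOptions.setAllowRecursiveKeys(true);
-Yaml beanLoader = new Yaml(new Constructor(humanDescription, loaderOptions));
-
+Yaml beanLoader = new Yaml(new Constructor(humanDescription));
 //
 Human son2 = beanLoader.loadAs(output, Human.class);
 assertNotNull(son2);
@@ -640,10 +634,7 @@ public void testChildrenWithoutRootTag() {
 assertEquals(etalon, output);
 TypeDescription humanDescription = new TypeDescription(Human.class);
 humanDescription.putMapPropertyType("children", Human.class, Object.class);
-LoaderOptions loaderOptions = new LoaderOptions();
-loaderOptions.setAllowRecursiveKeys(true);
-Yaml beanLoader = new Yaml(new Constructor(humanDescription, loaderOptions));
-
+Yaml beanLoader = new Yaml(new Constructor(humanDescription));
 //
 Human son2 = beanLoader.loadAs(output, Human.class);
 assertNotNull(son2);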
Expand Up @@ -145,9 +145,7 @@ public void testChildren() throws IOException, IntrospectionException {
mother.setChildren(children);
//

LoaderOptions options = new LoaderOptions();
options.setAllowRecursiveKeys(true);
Constructor constructor = new Constructor(options);
Constructor constructor = new Constructor();
TypeDescription humanDescription = new TypeDescription(HumanGen.class);
humanDescription.putMapPropertyType("children", HumanGen.class, Object.class);
constructor.addTypeDescription(humanDescription);