From f78518ceba1b9481df46656832e7277c0cf8b286 Mon Sep 17 00:00:00 2001
From: Amit Agam
Date: Thu, 19 Sep 2024 17:24:45 +0300
Subject: [PATCH] CVE-2022-1471
---
 .../org/yaml/snakeyaml/LoaderOptions.java | 121 ++++++++++++++++++
 .../snakeyaml/constructor/Constructor.java | 19 +++
 2 files changed, 140 insertions(+)
diff --git a/src/main/java/org/yaml/snakeyaml/LoaderOptions.java b/src/main/java/org/yaml/snakeyaml/LoaderOptions.java
index 47d09e8c0..74028e887 100644
--- a/src/main/java/org/yaml/snakeyaml/LoaderOptions.java
+++ b/src/main/java/org/yaml/snakeyaml/LoaderOptions.java
@@ -15,6 +15,9 @@
  */
 package org.yaml.snakeyaml;

+import java.util.ArrayList;
+import java.util.List;
+
 public class LoaderOptions {

 private boolean allowDuplicateKeys = true;
@@ -25,6 +28,106 @@ public class LoaderOptions {
 private boolean enumCaseSensitive = true;
 private int nestingDepthLimit = 50;
 private int codePointLimit = 100 * 1024;
+ private List denyList = new ArrayList();
+
+ public LoaderOptions() {
+ denyList.add("javax.script.ScriptEngineManager");
+ denyList.add("URLClassLoader");
+ denyList.add("bsh.XThis");
+ denyList.add("bsh.Interpreter");
+ denyList.add("com.mchange.v2.c3p0.PoolBackedDataSource");
+ denyList.add("com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase");
+ denyList.add("clojure.lang.PersistentArrayMap");
+ denyList.add("clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a");
+ denyList.add("org.apache.commons.beanutils.BeanComparator");
+ denyList.add("org.apache.commons.collections.Transformer");
+ denyList.add("org.apache.commons.collections.functors.ChainedTransformer");
+ denyList.add("org.apache.commons.collections.functors.ConstantTransformer");
+ denyList.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ denyList.add("org.apache.commons.collections.map.LazyMap");
+ denyList.add("org.apache.commons.collections.functors.InvokerTransformer");
+ denyList.add("org.apache.commons.collections.keyvalue.TiedMapEntry");
+ denyList.add("org.apache.commons.collections4.comparators.TransformingComparator");
+ denyList.add("org.apache.commons.collections4.functors.InvokerTransformer");
+ denyList.add("org.apache.commons.collections4.functors.ChainedTransformer");
+ denyList.add("org.apache.commons.collections4.functors.ConstantTransformer");
+ denyList.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ denyList.add("org.apache.commons.fileupload.disk.DiskFileItem");
+ denyList.add("org.apache.commons.io.output.DeferredFileOutputStream");
+ denyList.add("org.apache.commons.io.output.ThresholdingOutputStream");
+ denyList.add("org.apache.wicket.util.upload.DiskFileItem");
+ denyList.add("org.apache.wicket.util.io.DeferredFileOutputStream");
+ denyList.add("org.apache.wicket.util.io.ThresholdingOutputStream");
+ denyList.add("org.codehaus.groovy.runtime.ConvertedClosure");
+ denyList.add("org.codehaus.groovy.runtime.MethodClosure");
+ denyList.add("org.hibernate.engine.spi.TypedValue");
+ denyList.add("org.hibernate.tuple.component.AbstractComponentTuplizer");
+ denyList.add("org.hibernate.tuple.component.PojoComponentTuplizer");
+ denyList.add("org.hibernate.type.AbstractType");
+ denyList.add("org.hibernate.type.ComponentType");
+ denyList.add("org.hibernate.type.Type");
+ denyList.add("org.hibernate.EntityMode");
+ denyList.add("com.sun.rowset.JdbcRowSetImpl");
+ denyList.add("org.jboss.interceptor.builder.InterceptionModelBuilder");
+ denyList.add("org.jboss.interceptor.builder.MethodReference");
+ denyList.add("org.jboss.interceptor.proxy.DefaultInvocationContextFactory");
+ denyList.add("org.jboss.interceptor.proxy.InterceptorMethodHandler");
+ denyList.add("org.jboss.interceptor.reader.ClassMetadataInterceptorReference");
+ denyList.add("org.jboss.interceptor.reader.DefaultMethodMetadata");
+ denyList.add("org.jboss.interceptor.reader.ReflectiveClassMetadata");
+ denyList.add("org.jboss.interceptor.reader.SimpleInterceptorMetadata");
+ denyList.add("org.jboss.interceptor.spi.instance.InterceptorInstantiator");
+ denyList.add("org.jboss.interceptor.spi.metadata.InterceptorReference");
+ denyList.add("org.jboss.interceptor.spi.metadata.MethodMetadata");
+ denyList.add("org.jboss.interceptor.spi.model.InterceptionType");
+ denyList.add("org.jboss.interceptor.spi.model.InterceptionModel");
+ denyList.add("sun.rmi.server.UnicastRef");
+ denyList.add("sun.rmi.transport.LiveRef");
+ denyList.add("sun.rmi.transport.tcp.TCPEndpoint");
+ denyList.add("java.rmi.server.RemoteObject");
+ denyList.add("java.rmi.server.RemoteRef");
+ denyList.add("java.rmi.server.UnicastRemoteObject");
+ denyList.add("sun.rmi.server.ActivationGroupImpl");
+ denyList.add("sun.rmi.server.UnicastServerRef");
+ denyList.add("org.springframework.aop.framework.AdvisedSupport");
+ denyList.add("net.sf.json.JSONObject");
+ denyList.add("org.jboss.weld.interceptor.builder.InterceptionModelBuilder");
+ denyList.add("org.jboss.weld.interceptor.builder.MethodReference");
+ denyList.add("org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory");
+ denyList.add("org.jboss.weld.interceptor.proxy.InterceptorMethodHandler");
+ denyList.add("org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference");
+ denyList.add("org.jboss.weld.interceptor.reader.DefaultMethodMetadata");
+ denyList.add("org.jboss.weld.interceptor.reader.ReflectiveClassMetadata");
+ denyList.add("org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata");
+ denyList.add("org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator");
+ denyList.add("org.jboss.weld.interceptor.spi.metadata.InterceptorReference");
+ denyList.add("org.jboss.weld.interceptor.spi.metadata.MethodMetadata");
+ denyList.add("org.jboss.weld.interceptor.spi.model.InterceptionModel");
+ denyList.add("org.jboss.weld.interceptor.spi.model.InterceptionType");
+ denyList.add("org.python.core.PyObject");
+ denyList.add("org.python.core.PyBytecode");
+ denyList.add("org.python.core.PyFunction");
+ denyList.add("org.mozilla.javascript");
+ denyList.add("org.apache.myfaces.context.servlet.FacesContextImpl");
+ denyList.add("org.apache.myfaces.context.servlet.FacesContextImplBase");
+ denyList.add("org.apache.myfaces.el.CompositeELResolver");
+ denyList.add("org.apache.myfaces.el.unified.FacesELContext");
+ denyList.add("org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression");
+ denyList.add("com.sun.syndication.feed.impl.ObjectBean");
+ denyList.add("org.springframework.beans.factory.ObjectFactory");
+ denyList.add("org.springframework.aop.framework.AdvisedSupport");
+ denyList.add("org.springframework.aop.target.SingletonTargetSource");
+ denyList.add("com.vaadin.data.util.NestedMethodProperty");
+ denyList.add("com.vaadin.data.util.PropertysetItem");
+ denyList.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ denyList.add("org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor");
+ denyList.add("javax.management.BadAttributeValueExpException");
+ denyList.add("org.apache.commons.configuration.ConfigurationMap");
+ denyList.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+ denyList.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ denyList.add("com.sun.rowset.JdbcRowSetImpl");
+ denyList.add("org.eclipse.jetty.plus.jndi.Resource");
+ }

 public boolean isAllowDuplicateKeys() {
 return allowDuplicateKeys;
@@ -142,4 +245,22 @@ public int getCodePointLimit() {
 public void setCodePointLimit(int codePointLimit) {
 this.codePointLimit = codePointLimit;
 }
+
+ /**
+ * Get the part of the class name which cannot be instantiated.
+ *
+ * @return the strings which may not be a part of a class to be created
+ */
+ public List getDenyList() {
+ return denyList;
+ }
+ /**
+ * Set the parts of the class name which may not be created to avoid unintended code execution.
+ *
+ * @param denyList - the parts of the class name to prohibit
+ */
+ public void setDenyList(List denyList) {
+ this.denyList = denyList;
+ }
+
 }
diff --git a/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java b/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java
index eaac83888..55e534eeb 100644
--- a/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java
+++ b/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java
@@ -662,6 +662,11 @@ protected Class getClassForNode(Node node) {
 Class classForTag = typeTags.get(node.getTag());
 if (classForTag == null) {
 String name = node.getTag().getClassName();
+ if (isNameDenied(name)) {
+ throw new ConstructorException(null, null,
+ "Class is denied. (Remove from the deny list to continue) " + name,
+ node.getStartMark());
+ }
 Class cl;
 try {
 cl = getClassForName(name);
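Review bot: The new field, the getter in the following hunk and the setter all appear as raw `List` / `new ArrayList()`; if that is the real source and not a `<String>` type argument lost in rendering, then `for (String black : loadingConfig.getDenyList())` in the Constructor.java hunk iterates Object elements and will not compile, so declare `private List<String> denyList = new ArrayList<String>();` and type the accessors `List<String>` to match. The constructor body also adds `org.springframework.aop.framework.AdvisedSupport` and `com.sun.rowset.JdbcRowSetImpl` twice, which is harmless at runtime but suggests the list was merged from several sources without de-duplication. More broadly, a substring deny list of known gadget classes only mitigates the chains it names and leaves anyone feeding untrusted documents to the default Constructor exposed to classes not on it; the Javadoc on this field should say plainly that SafeConstructor (or an explicit tag allowlist) remains the configuration for untrusted input, which to my understanding is what upstream's own fix for this CVE made the default.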
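Review bot: getDenyList() hands out the live internal list and setDenyList() stores the caller's reference without a null check, so any holder of the options can change the deny list after it has been handed to a Constructor, and `setDenyList(null)` turns every subsequent construction into a NullPointerException inside isNameDenied(). Because this list is the security control itself, copy on both sides: `return Collections.unmodifiableList(denyList);` and `this.denyList = new ArrayList<String>(Objects.requireNonNull(denyList, "denyList"));` (adding the matching java.util imports). If callers are meant to extend the built-in list in place, document that contract instead; the summary `Get the part of the class name which cannot be instantiated.` also reads better as `Returns the class-name fragments whose presence denies construction of a class; see Constructor#isNameDenied for the matching rule.`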
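Review bot: The message `"Class is denied. (Remove from the deny list to continue) " + name` steers an operator toward weakening the control as the first remedy, and because the match is by substring the deny-list entry that fired is usually not the full name shown, so the hint is also misleading; a neutral message such as `"Class is denied by LoaderOptions.getDenyList(): " + name` reports the fact and lets the documentation explain the options. The check is placed on the tag-derived path only, before getClassForName(name) is reached; if getClassForName() is also reachable from other constructors or helpers in this class, those paths remain unguarded and are worth confirming. getClassForNode() starts and ends outside the hunk.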
@@ -675,6 +680,20 @@ protected Class getClassForNode(Node node) {
 }
 }

+ /**
+ * Check if the name of the class to be created contains a denied pattern
+ *
+ * @param name - class name to create
+ * @return true when the class should not be created
+ */
+ protected boolean isNameDenied(String name) {
+ for (String black : loadingConfig.getDenyList()) {
+ if (name.contains(black))
+ return true;
+ }
+ return false;
+ }
+
 protected Class getClassForName(String name) throws ClassNotFoundException {
 try {
 return Class.forName(name, true, Thread.currentThread().getContextClassLoader());
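Review bot: The Javadoc says "contains a denied pattern" but does not spell out the rule operators will reason about when editing the list; add a sentence such as `An entry denies every class whose fully qualified name contains it as a substring, so "org.mozilla.javascript" denies that whole package and "URLClassLoader" denies any class whose name contains that token.` Style: the one-line `if (name.contains(black))` should be braced like the surrounding code, and `black` is clearer as `deniedFragment`. The loop dereferences `loadingConfig.getDenyList()` directly, which only matters if setDenyList(null) is permitted; if it is, treat null as an empty list here rather than throwing NullPointerException from inside construction.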