Config uses SnakeYAML with SafeConstructor already.
Our OpenAPI code extends Constructor and cannot change to extend or use SafeConstructor because we need to use SnakeYAML’s ability to deserialize from the document into the various MP OpenAPI types.
That said, the only time we parse YAML in OpenAPI is when the developer has provided a static OpenAPI document as part of the application, and we only read it from the file system (not an arbitrary URI which could pull in arbitrary and untrusted content over the network).
We read from the default location /META-INF/openapi.yaml unless the developer specifies some other path. Either way, the developer is explicitly putting the OpenAPI document into the app and therefore controls the content.
As a result, our use of SnakeYAML never parses content from an untrusted source.
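The Constructor vs SafeConstructor distinction drawn above, shown as an added illustration rather than the project's own code. It assumes SnakeYAML 2.x (the LoaderOptions tag-inspector API), a hypothetical OpenApiDoc class standing in for the MP OpenAPI model types, and a constructed sample document in place of /META-INF/openapi.yaml.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class YamlLoading {

    // Hypothetical target type standing in for the MP OpenAPI model types.
    public static class OpenApiDoc {
        public String openapi;
        public Map<String, Object> info;
    }

    // Config-style loading: SafeConstructor only builds the standard YAML
    // types (maps, lists, scalars), so no application class is instantiated.
    public static Object loadConfig(String yaml) {
        Yaml safe = new Yaml(new SafeConstructor(new LoaderOptions()));
        return safe.load(yaml);
    }

    // OpenAPI-style loading: Constructor is needed to populate typed objects,
    // but the root type is fixed by the code and every explicit global tag in
    // the document is refused, so the file cannot name a class of its own.
    public static OpenApiDoc loadOpenApi(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setTagInspector(tag -> false); // reject all "!!some.Class" tags
        Yaml typed = new Yaml(new Constructor(OpenApiDoc.class, opts));
        return typed.load(yaml);
    }

    public static void main(String[] args) {
        // Constructed sample document standing in for /META-INF/openapi.yaml.
        String doc = "openapi: 3.0.3\ninfo:\n  title: Demo\n  version: '1'\n";

        OpenApiDoc parsed = loadOpenApi(doc);
        System.out.println(parsed.openapi + " / " + parsed.info.get("title"));

        // The same document through the config path yields only plain maps.
        System.out.println(loadConfig(doc).getClass().getSimpleName());
    }
}
```

With the tag inspector in place, a document carrying an explicit class tag fails with a ConstructorException before any object is built, which is the check to keep when a Constructor subclass must remain in use.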
Environment Details
Problem Description
We use some SnakeYAML classes as superclasses. Make sure we are using the right ones.