Check SnakeYAML subclassing #5823

Closed
tjquinno opened this issue Jan 10, 2023 · 1 comment
Labels
3.x Issues for 3.x version branch investigation open-api
Comments

@tjquinno (Member)

Environment Details

  • Helidon Version: 3.x
  • Helidon SE or Helidon MP
  • JDK version:
  • OS:
  • Docker version (if applicable):

Problem Description

We use some SnakeYAML classes as superclasses. Make sure we are using the right ones.

@tjquinno tjquinno added open-api 3.x Issues for 3.x version branch investigation labels Jan 10, 2023
@tjquinno tjquinno added this to the 3.1.1 milestone Jan 10, 2023
@tjquinno tjquinno self-assigned this Jan 10, 2023
@tjquinno tjquinno reopened this Jan 10, 2023
@tjquinno (Member Author)

TL;DR - We seem to be OK.

Helidon uses SnakeYAML in config and OpenAPI.

Config uses SnakeYAML with SafeConstructor already.

Our OpenAPI code extends Constructor and cannot change to extend or use SafeConstructor because we need to use SnakeYAML’s ability to deserialize from the document into the various MP OpenAPI types.

That said, the only time we parse YAML in OpenAPI is when the developer has provided a static OpenAPI document as part of the application, and we only read it from the file system (not an arbitrary URI which could pull in arbitrary and untrusted content over the network).

We read from the default location /META-INF/openapi.yaml unless the developer specifies some other path. Either way, the developer is explicitly putting the OpenAPI document into the app and therefore controls the content.

As a result, our use of SnakeYAML never parses content from an untrusted source.
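The distinction the comment above draws (SafeConstructor for plain data, a Constructor subclass only for the trusted, developer-supplied OpenAPI document) is easy to see in a small stand-alone program. The following is an added illustration, not Helidon's code or SnakeYAML's own test code. It assumes the SnakeYAML 2.x constructor signatures SafeConstructor(LoaderOptions) and Constructor(Class, LoaderOptions); on 1.x the no-argument SafeConstructor() and single-argument Constructor(Class) forms play the same role. The OpenApiInfo bean and both YAML strings are constructed for the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;

public class SnakeYamlConstructors {

    /** Hypothetical bean standing in for an OpenAPI model type (constructed for this example). */
    public static class OpenApiInfo {
        private String title;
        private String version;
        public String getTitle() { return title; }
        public void setTitle(String title) { this.title = title; }
        public String getVersion() { return version; }
        public void setVersion(String version) { this.version = version; }
    }

    /** Constructed sample: plain scalar/mapping data, the shape config parsing sees. */
    static final String PLAIN_YAML = "server:\n  port: 8080\n  host: localhost\n";

    /** Constructed sample: an untagged document that a typed Constructor maps onto OpenApiInfo. */
    static final String INFO_YAML = "title: Demo API\nversion: \"1.0\"\n";

    /** Constructed sample: the same data carrying a global !! tag that names a Java class. */
    static final String TAGGED_YAML = "!!" + OpenApiInfo.class.getName() + "\n" + INFO_YAML;

    /**
     * Parser for input whose origin is not controlled: SafeConstructor only builds the
     * standard YAML types (maps, lists, strings, numbers, ...) and rejects global tags
     * that ask for arbitrary Java classes.
     */
    static Object loadSafe(String yaml) {
        Yaml parser = new Yaml(new SafeConstructor(new LoaderOptions()));
        return parser.load(yaml);
    }

    /**
     * Parser for the trusted, developer-packaged document: Constructor is told the root
     * type up front, so mapping keys become bean properties of OpenApiInfo.
     */
    static OpenApiInfo loadTyped(String yaml) {
        Yaml parser = new Yaml(new Constructor(OpenApiInfo.class, new LoaderOptions()));
        return parser.load(yaml);
    }

    /** Reads the document from a local file path only, mirroring the "file system, not URI" point. */
    static OpenApiInfo loadTypedFromFile(Path file) throws IOException {
        return loadTyped(Files.readString(file));
    }

    public static void main(String[] args) {
        // 1. Plain data through SafeConstructor: comes back as a Map.
        Map<?, ?> cfg = (Map<?, ?>) loadSafe(PLAIN_YAML);
        System.out.println("safe/plain -> " + cfg);

        // 2. A global tag through SafeConstructor: refused with a ConstructorException
        //    ("could not determine a constructor for the tag ..."), a YAMLException subtype.
        try {
            loadSafe(TAGGED_YAML);
            System.out.println("safe/tagged -> unexpectedly accepted");
        } catch (YAMLException e) {
            System.out.println("safe/tagged -> rejected: " + e.getMessage().split("\n")[0]);
        }

        // 3. The untagged document through the typed Constructor: an OpenApiInfo instance.
        OpenApiInfo info = loadTyped(INFO_YAML);
        System.out.println("typed/untagged -> " + info.getTitle() + " " + info.getVersion());
    }
}
```

The point for a reviewer is in cases 2 and 3: the typed Constructor gets its class from the Java code that constructed it, not from the document, so it is appropriate for a file the application author ships; SafeConstructor is the right choice wherever the document could come from anywhere else.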
