How to prevent a potential remote code execution via SnakeYAML deserialization

#yaml #security #rce #java

A popular java library for YAML parsing, SnakeYAML, has a well know vulnerability if used incorrectly to parse user generated YAMLs.

You can read about the vulnerability itself here:

SnakeYaml Deserilization exploited | by Swapneil Kumar Dash | Medium

Swapneil Kumar Dash ・ Sep 9, 2019 ・
swapneildash.Medium

The solutions for this problem that I have found on the net are either incorrect or unusable in real life. So I want to share here the solution that I have come up with.

It is quite simple:

  public static <T> T parseYamlSafe(String yaml, Constructor constructor) {
    Yaml yamlParser = new Yaml(new SafeConstructor());
    // the following line throws an exception
    // if constructors for non standard java types exist in yaml
    yamlParser.load(yaml);

    //if we got here, the YAML is safe to parse.
    yamlParser = new Yaml(constructor); 
    return yamlParser.load(yaml);
  }

DEV Community

How to prevent a potential remote code execution via SnakeYAML deserialization

SnakeYaml Deserilization exploited | by Swapneil Kumar Dash | Medium

Swapneil Kumar Dash ・ Sep 9, 2019 ・
swapneildash.Medium

Top comments (0)

Read next

Running a Database Server on EC2: Best Practices and Considerations

Building a Rotated Sorted Array Search in Java: Understanding Pivot and Binary Search

Exploring the New Features of Java 23

How I Made $6,200 in a Single Bug Bounty

SnakeYaml Deserilization exploited | by Swapneil Kumar Dash | Medium

Swapneil Kumar Dash ・ Sep 9, 2019 ・ swapneildash.Medium

Read next

Running a Database Server on EC2: Best Practices and Considerations

Building a Rotated Sorted Array Search in Java: Understanding Pivot and Binary Search

Exploring the New Features of Java 23

How I Made $6,200 in a Single Bug Bounty

Swapneil Kumar Dash ・ Sep 9, 2019 ・
swapneildash.Medium