fix vulnerabiity in yaml constructor (#198)

sbcd90 · web-flow · commit d73be6d89c6f · 2022-12-16T15:53:23.000-08:00
Signed-off-by: Subhobrata Dey &lt;sbcd90@gmail.com&gt;
diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java
@@ -32,6 +32,7 @@
 import org.opensearch.securityanalytics.rules.utils.Either;
 import org.apache.commons.lang3.tuple.Pair;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -70,7 +71,7 @@ public QueryBackend(String ruleCategory, boolean convertAndAsIn, boolean enableF
             assert is != null;
             String content = new String(is.readAllBytes(), Charset.defaultCharset());
 
-            Yaml yaml = new Yaml();
+            Yaml yaml = new Yaml(new SafeConstructor());
             Map<String, Object> fieldMappingsObj = yaml.load(content);
             this.fieldMappings = (Map<String, String>) fieldMappingsObj.get("fieldmappings");
 
diff --git a/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaRule.java b/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaRule.java
@@ -12,6 +12,7 @@
 import org.opensearch.securityanalytics.rules.exceptions.SigmaLogsourceError;
 import org.opensearch.securityanalytics.rules.exceptions.SigmaStatusError;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
@@ -167,7 +168,7 @@ protected static SigmaRule fromDict(Map<String, Object> rule, boolean collectErr
     }
 
     public static SigmaRule fromYaml(String rule, boolean collectErrors) throws SigmaError {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> ruleMap = yaml.load(rule);
         return fromDict(ruleMap, collectErrors);
     }
diff --git a/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java b/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java
@@ -21,6 +21,7 @@
 import org.opensearch.securityanalytics.rules.utils.Either;
 import org.opensearch.test.OpenSearchTestCase;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.util.Collections;
 import java.util.List;
@@ -29,7 +30,7 @@
 public class SigmaDetectionsTests extends OpenSearchTestCase {
 
     public void testSigmaDetectionsFromDict() throws SigmaError{
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        EventID: 16\n" +
@@ -61,7 +62,7 @@ public void testSigmaDetectionsFromDict() throws SigmaError{
     }
 
     public void testSigmaDetectionsFromDictNoDetections() {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    condition: selection");
         Exception exception = assertThrows(SigmaDetectionError.class, () -> {
@@ -75,7 +76,7 @@ public void testSigmaDetectionsFromDictNoDetections() {
     }
 
     public void testSigmaDetectionsFromDictNoCondition() {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        EventID: 16\n" +
@@ -93,7 +94,7 @@ public void testSigmaDetectionsFromDictNoCondition() {
     }
 
     public void testDetectionItemAllModifiedKeyPlainValuesPostProcess() throws SigmaError{
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        field|all: [\"val1\", \"val2\", 123]\n" +
@@ -111,7 +112,7 @@ public void testDetectionItemAllModifiedKeyPlainValuesPostProcess() throws Sigma
     }
 
     public void testDetectionItemAllModifiedUnboundPlainValuesPostProcess() throws SigmaError {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                 "        \"|all\": [\"val1\", \"val2\", 123]\n" +
@@ -129,7 +130,7 @@ public void testDetectionItemAllModifiedUnboundPlainValuesPostProcess() throws S
     }
 
     public void testDetectionItemAllModifiedKeySpecialValuesPostProcess() throws SigmaError {
-        Yaml yaml = new Yaml();
+        Yaml yaml = new Yaml(new SafeConstructor());
         Map<String, Object> detectionsMap = yaml.load(
                 "    selection:\n" +
                         "        field|all: [\"val1*\", \"val2\", 123]\n" +

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`import org.opensearch.securityanalytics.rules.exceptions.SigmaLogsourceError;`
`13`	`13`	`import org.opensearch.securityanalytics.rules.exceptions.SigmaStatusError;`
`14`	`14`	`import org.yaml.snakeyaml.Yaml;`
	`15`	`+import org.yaml.snakeyaml.constructor.SafeConstructor;`
`15`	`16`
`16`	`17`	`import java.text.SimpleDateFormat;`
`17`	`18`	`import java.util.ArrayList;`
`@@ -167,7 +168,7 @@ protected static SigmaRule fromDict(Map<String, Object> rule, boolean collectErr`
`167`	`168`	`}`
`168`	`169`
`169`	`170`	`public static SigmaRule fromYaml(String rule, boolean collectErrors) throws SigmaError {`
`170`		`- Yaml yaml = new Yaml();`
	`171`	`+ Yaml yaml = new Yaml(new SafeConstructor());`
`171`	`172`	`Map<String, Object> ruleMap = yaml.load(rule);`
`172`	`173`	`return fromDict(ruleMap, collectErrors);`
`173`	`174`	`}`