Remove and ignore object references from Yaml files

Yaml 2.0 fixes CVE-2022–1471 to error on object references. This commit adapts our use of Yaml to not output object references anymore and on loading explicitly allow object references to expected types. Fixes #498
2025-04-29 19:45:01 +02:00 · 2023-08-09 15:40:43 -04:00 · 2023-08-09 15:40:43 -04:00 · de012f42a6
commit de012f42a6
parent e725b88951
3 changed files with 32 additions and 4 deletions
--- a/cmake/org.eclipse.cdt.cmake.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java
+++ b/cmake/org.eclipse.cdt.cmake.core.tests/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesEvolutionTest.java
@ -22,9 +22,13 @@ import java.util.List;
 import org.eclipse.cdt.cmake.core.internal.properties.CMakePropertiesBean;
 import org.eclipse.cdt.cmake.core.properties.CMakeGenerator;
 import org.junit.Test;
+import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor;
+import org.yaml.snakeyaml.inspector.TagInspector;
+import org.yaml.snakeyaml.nodes.Tag;
+import org.yaml.snakeyaml.representer.Representer;

 /**
 * @author Martin Weber
@ -57,7 +61,14 @@ public class CMakePropertiesEvolutionTest {
 		extraArgs.add("arg2");
 		props.setExtraArguments(extraArgs);

-		Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), new LoaderOptions()));
+		var loaderoptions = new LoaderOptions();
+		TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName());
+		loaderoptions.setTagInspector(taginspector);
+		Representer customRepresenter = new Representer(new DumperOptions());
+		customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP);
+
+		Yaml yaml = new Yaml(new CustomClassLoaderConstructor(this.getClass().getClassLoader(), loaderoptions),
+				customRepresenter);
 		String output = yaml.dump(props);

 		// try to load as evolved properties..
--- a/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF
+++ b/cmake/org.eclipse.cdt.cmake.core/META-INF/MANIFEST.MF
@ -22,4 +22,7 @@ Automatic-Module-Name: org.eclipse.cdt.cmake.core
 Bundle-Localization: plugin
 Import-Package: org.eclipse.core.variables,
 org.yaml.snakeyaml;version="[2.0.0,3.0.0)",
- org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)"
+ org.yaml.snakeyaml.constructor;version="[2.0.0,3.0.0)",
+ org.yaml.snakeyaml.inspector;version="[2.0.0,3.0.0)",
+ org.yaml.snakeyaml.nodes;version="[2.0.0,3.0.0)",
+ org.yaml.snakeyaml.representer;version="[2.0.0,3.0.0)"
--- a/cmake/org.eclipse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java
+++ b/cmake/org.eclipse.cdt.cmake.core/src/org/eclipse/cdt/cmake/core/internal/CMakePropertiesController.java
@ -27,9 +27,14 @@ import org.eclipse.cdt.cmake.core.internal.properties.CMakePropertiesBean;
 import org.eclipse.cdt.cmake.core.properties.CMakeGenerator;
 import org.eclipse.cdt.cmake.core.properties.ICMakeProperties;
 import org.eclipse.cdt.cmake.core.properties.ICMakePropertiesController;
+import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor;
+import org.yaml.snakeyaml.inspector.TagInspector;
+import org.yaml.snakeyaml.nodes.Tag;
+import org.yaml.snakeyaml.representer.Representer;

 /**
 * A {@code ICMakePropertiesController} that monitors modifications to the project properties that force
@ -68,7 +73,13 @@ class CMakePropertiesController implements ICMakePropertiesController {
 		if (Files.exists(storageFile)) {
 			try (InputStream is = Files.newInputStream(storageFile)) {
 				var classLoader = this.getClass().getClassLoader();
-				var clConstructor = new CustomClassLoaderConstructor(classLoader, new LoaderOptions());
+
+				var loaderoptions = new LoaderOptions();
+				TagInspector taginspector = tag -> tag.getClassName().equals(CMakePropertiesBean.class.getName());
+				loaderoptions.setTagInspector(taginspector);
+
+				var clConstructor = new CustomClassLoaderConstructor(classLoader, loaderoptions);
+
 				props = new Yaml(clConstructor).loadAs(is, CMakePropertiesBean.class);
 				// props is null here if if no document was available in the file
 			}
@ -95,7 +106,10 @@ class CMakePropertiesController implements ICMakePropertiesController {
 			}
 		}
 		try (Writer wr = new OutputStreamWriter(Files.newOutputStream(storageFile))) {
-			new Yaml().dump(properties, wr);
+			Representer customRepresenter = new Representer(new DumperOptions());
+			customRepresenter.addClassTag(CMakePropertiesBean.class, Tag.MAP);
+			new Yaml(new Constructor(CMakePropertiesBean.class, new LoaderOptions()), customRepresenter)
+					.dump(properties, wr);
 		}

 		setupModifyDetection(properties);