Use SafeConstuctor with SnakeYaml (#1056)

Fixes #1055

Author: onobc

spring-cloud-skipper-server-core/src/main/java/org/springframework/cloud/skipper/server/service/ReleaseReportService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,12 +13,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.springframework.cloud.skipper.server.service;
 
 import java.util.Map;
 
 import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.cloud.skipper.SkipperException;
 import org.springframework.cloud.skipper.domain.ConfigValues;
@@ -44,6 +46,7 @@
 
 /**
  * @author Mark Pollack
+ * @author Chris Bono
  */
 public class ReleaseReportService {
 
@@ -136,7 +139,7 @@ private Release updateReplacingReleaseConfigValues(Release targetRelease, Releas
 	}
 
 	private Map<String, Object> getConfigValuesAsMap(ConfigValues configValues) {
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		if (StringUtils.hasText(configValues.getRaw())) {
 			Object data = yaml.load(configValues.getRaw());
 			if (data instanceof Map) {

spring-cloud-skipper-server-core/src/main/java/org/springframework/cloud/skipper/server/util/ConfigValueUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import java.util.TreeMap;
 
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.cloud.skipper.SkipperException;
 import org.springframework.cloud.skipper.domain.ConfigValues;
@@ -29,7 +30,9 @@
 
 /**
  * Utility methods for merging of configuration values.
+ *
  * @author Mark Pollack
+ * @author Chris Bono
  */
 @SuppressWarnings("unchecked")
 public class ConfigValueUtils {
@@ -50,7 +53,7 @@ public class ConfigValueUtils {
 	 */
 	public static Map<String, Object> mergeConfigValues(Package pkg, ConfigValues overrideValues) {
 		// parse ConfigValues to a map.
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Map<String, Object> mergedValues;
 		// merge top level override values on top level package values
 		if (StringUtils.hasText(overrideValues.getRaw())) {
@@ -86,7 +89,7 @@ public static Map<String, Object> mergeOverrideMap(Package pkg, Map<String, Obje
 			return overrideMap;
 		}
 		// load the package values
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Object object = yaml.load(pkg.getConfigValues().getRaw());
 		if (object == null) {
 			// Config Values could have been file with comments only, no data.
@@ -160,7 +163,7 @@ private static Map<String, Object> mergePackagesIncludingDependencies(Package pk
 	}
 
 	private static Map<String, Object> convertConfigValuesToMap(Package pkg) {
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Map<String, Object> currentPackageValueMap = new TreeMap<>();
 		if (pkg.getConfigValues() != null && StringUtils.hasText(pkg.getConfigValues().getRaw())) {
 			currentPackageValueMap = (Map<String, Object>) yaml.load(pkg.getConfigValues().getRaw());

spring-cloud-skipper-server-core/src/main/java/org/springframework/cloud/skipper/server/util/ManifestUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@
 import com.samskivert.mustache.Mustache;
 import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 import org.yaml.snakeyaml.nodes.Node;
 import org.yaml.snakeyaml.nodes.Tag;
 import org.yaml.snakeyaml.representer.Representer;
@@ -38,6 +39,7 @@
  * Utility functions for manifest file processing.
  * @author Mark Pollack
  * @author Christian Tzolov
+ * @author Chris Bono
  */
 public class ManifestUtils {
 
@@ -60,7 +62,7 @@ public static String resolveKind(String manifest) {
 		if (!StringUtils.hasText(manifest)) {
 			return null;
 		}
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Iterable<Object> object = yaml.loadAll(manifest);
 		for (Object o : object) {
 			if (o != null && o instanceof Map) {

spring-cloud-skipper-server-core/src/test/java/org/springframework/cloud/skipper/server/service/PackageServiceTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.springframework.cloud.skipper.server.service;
 
 import java.io.IOException;
@@ -24,6 +25,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.cloud.skipper.SkipperException;
@@ -53,6 +55,7 @@
  * managed test method transaction
  * @author Mark Pollack
  * @author Ilayaperumal Gopinathan
+ * @author Chris Bono
  */
 @ActiveProfiles("repo-test")
 @Transactional
@@ -272,7 +275,7 @@ private void assertPackageContent(Package pkgContent) {
 	protected void assertConfigValues(Package pkg) {
 		// Note same config values for both time and log
 		ConfigValues configValues = pkg.getConfigValues();
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Map<String, Object> logConfigValueMap = (Map<String, Object>) yaml.load(configValues.getRaw());
 		assertThat(logConfigValueMap).containsKeys("version", "spec");
 		if (pkg.getMetadata().getName().equals("log")) {

spring-cloud-skipper-server-core/src/test/java/org/springframework/cloud/skipper/server/templates/PackageTemplateTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.springframework.cloud.skipper.server.templates;
 
 import java.io.IOException;
@@ -26,6 +27,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
@@ -49,6 +51,7 @@
 
 /**
  * @author Mark Pollack
+ * @author Chris Bono
  */
 @RunWith(SpringRunner.class)
 @SpringBootTest(classes = TestConfig.class, properties = "spring.main.allow-bean-definition-overriding=true")
@@ -65,7 +68,7 @@ public class PackageTemplateTests {
 	@Test
 	@SuppressWarnings("unchecked")
 	public void testMustasche() throws IOException {
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Map model = (Map) yaml.load(valuesResource.getInputStream());
 		String templateAsString = StreamUtils.copyToString(nestedMapResource.getInputStream(),
 				Charset.defaultCharset());

spring-cloud-skipper-shell-commands/src/main/java/org/springframework/cloud/skipper/shell/command/support/YmlUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,13 +13,15 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.springframework.cloud.skipper.shell.command.support;
 
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.cloud.skipper.SkipperException;
 import org.springframework.cloud.skipper.support.DeploymentPropertiesUtils;
@@ -33,13 +35,14 @@
  *
  * @author Ilayaperumal Gopinathan
  * @author Mark Pollack
+ * @author Chris Bono
  */
 public abstract class YmlUtils {
 
 	public static String getYamlConfigValues(File yamlFile, String properties) {
 		String configValuesYML = null;
 		if (yamlFile != null) {
-			Yaml yaml = new Yaml();
+			Yaml yaml = new Yaml(new SafeConstructor());
 			// Validate it is yaml formatted.
 			try {
 				configValuesYML = yaml.dump(yaml.load(new FileInputStream(yamlFile)));

spring-cloud-skipper/src/main/java/org/springframework/cloud/skipper/domain/CloudFoundryApplicationManifestReader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.cloud.skipper.SkipperException;
 
@@ -41,6 +42,7 @@
  * will not throw an exception in the deserialization process.
  *
  * @author Ilayaperumal Gopinathan
+ * @author Chris Bono
  */
 public class CloudFoundryApplicationManifestReader implements SkipperManifestReader {
 
@@ -78,7 +80,7 @@ public List<CloudFoundryApplicationSkipperManifest> read(String manifest) {
 	}
 
 	public boolean canSupport(String manifest) {
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Iterable<Object> object = yaml.loadAll(manifest);
 		for (Object o : object) {
 			boolean supportKind = assertSupportedKind(o);

spring-cloud-skipper/src/main/java/org/springframework/cloud/skipper/domain/SpringCloudDeployerApplicationManifestReader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.cloud.skipper.SkipperException;
 
@@ -41,6 +42,7 @@
  *
  * @author Mark Pollack
  * @author Ilayaperumal Gopinathan
+ * @author Chris Bono
  */
 public class SpringCloudDeployerApplicationManifestReader implements SkipperManifestReader {
 
@@ -79,7 +81,7 @@ public List<SpringCloudDeployerApplicationManifest> read(String manifest) {
 	}
 
 	public boolean canSupport(String manifest) {
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Iterable<Object> object = yaml.loadAll(manifest);
 		for (Object o : object) {
 			boolean supportKind = assertSupportedKind(o);

spring-cloud-skipper/src/test/java/org/springframework/cloud/skipper/io/PackageReaderTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 the original author or authors.
+ * Copyright 2017-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.springframework.cloud.skipper.io;
 
 import java.io.IOException;
@@ -22,6 +23,7 @@
 
 import org.junit.Test;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import org.springframework.cloud.skipper.domain.Package;
 import org.springframework.cloud.skipper.domain.PackageMetadata;
@@ -33,6 +35,7 @@
 
 /**
  * @author Mark Pollack
+ * @author Chris Bono
  */
 public class PackageReaderTests {
 
@@ -60,7 +63,7 @@ private void assertTickTockPackage(Package pkg) {
 		assertThat(metadata.getMaintainer()).isEqualTo("https://github.com/markpollack");
 		assertThat(metadata.getDescription()).isEqualTo("The ticktock stream sends a time stamp and logs the value.");
 		String rawYamlString = pkg.getConfigValues().getRaw();
-		Yaml yaml = new Yaml();
+		Yaml yaml = new Yaml(new SafeConstructor());
 		Map<String, String> valuesAsMap = (Map<String, String>) yaml.load(rawYamlString);
 		assertThat(valuesAsMap).hasSize(2).containsEntry("foo", "bar").containsEntry("biz", "baz");