



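/*
 * Copyright 2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.openrewrite.java.security.marshalling;

import org.openrewrite.ExecutionContext;
import org.openrewrite.Recipe;
import org.openrewrite.java.JavaParser;
import org.openrewrite.java.JavaTemplate;
import org.openrewrite.java.JavaVisitor;
import org.openrewrite.java.MethodMatcher;
import org.openrewrite.java.tree.J;
import org.openrewrite.java.tree.JavaType;

import java.time.Duration;

/**
 * Rewrites {@code new Yaml()} to {@code new Yaml(new SafeConstructor())}.
 *
 * <p>SnakeYAML's default {@code Constructor} resolves {@code !!fully.qualified.ClassName}
 * tags to arbitrary classes on the classpath, so loading an untrusted document with a
 * default-constructed {@code Yaml} is a deserialization risk (the marshalsec paper linked
 * from {@link #getDescription()} describes the consequences). {@code SafeConstructor}
 * limits construction to the standard YAML types, which is the mitigation this recipe
 * applies.
 *
 * <p>Scope: only the no-argument {@code Yaml} constructor is matched. {@code Yaml}
 * instances built with an explicit {@code Constructor}, {@code LoaderOptions} or other
 * arguments are left unchanged and still need manual review.
 */
public class SecureSnakeYamlConstructor extends Recipe {

    @Override
    public String getDisplayName() {
        return "Secure the use of SnakeYAML's constructor";
    }

    @Override
    public String getDescription() {
        return "See the [paper](https://github.com/mbechler/marshalsec) on this subject.";
    }

    /** Rough manual-equivalent effort per rewritten constructor call. */
    @Override
    public Duration getEstimatedEffortPerOccurrence() {
        return Duration.ofMinutes(5);
    }

    /**
     * Builds the visitor that performs the rewrite.
     *
     * @return a visitor that replaces every matched {@code new Yaml()} with
     *         {@code new Yaml(new SafeConstructor())} and adds the required import
     */
    @Override
    protected JavaVisitor<ExecutionContext> getVisitor() {
        // "<constructor>" is MethodMatcher's method name for constructors; the trailing "()"
        // restricts the match to the no-argument overload. The boolean is MethodMatcher's
        // matchOverrides flag, so subclasses of Yaml are matched as well.
        MethodMatcher snakeYamlConstructor =
                new MethodMatcher("org.yaml.snakeyaml.Yaml <constructor>()", true);

        return new JavaVisitor<ExecutionContext>() {
            @Override
            public J visitNewClass(J.NewClass newClass, ExecutionContext ctx) {
                if (snakeYamlConstructor.matches(newClass)) {
                    // The matcher only fires on an attributed constructor type; the assert
                    // makes that precondition explicit (NOTE(review): a null here most likely
                    // means snakeyaml was missing from the parser classpath — confirm).
                    JavaType.Method ctorType = newClass.getConstructorType();
                    assert ctorType != null;

                    maybeAddImport("org.yaml.snakeyaml.constructor.SafeConstructor");

                    // NOTE(review): the template uses the no-argument SafeConstructor. SnakeYAML
                    // 2.x replaced it with SafeConstructor(LoaderOptions); confirm the snakeyaml
                    // version on the target classpath before relying on this rewrite.
                    return newClass.withTemplate(
                            JavaTemplate
                                    .builder(this::getCursor, "new Yaml(new SafeConstructor())")
                                    .imports("org.yaml.snakeyaml.Yaml")
                                    .imports("org.yaml.snakeyaml.constructor.SafeConstructor")
                                    .javaParser(() -> JavaParser.fromJavaVersion()
                                            .classpath("snakeyaml")
                                            .build())
                                    .build(),
                            newClass.getCoordinates().replace()
                    );
                }
                return super.visitNewClass(newClass, ctx);
            }
        };
    }
}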




