
Commit 8e53bda

authored
Merge pull request #2543 from brendandburns/r0.15
[Cherry-pick] Add a rule to block empty YAML constructors.
2 parents bd7ea09 + d4fe343 commit 8e53bda


3 files changed

+15
-2
lines changed


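--- a/pom.xml
+++ b/pom.xml
@@ -468,6 +468,17 @@
 <replacement>INVALID IMPORTS (GUAVA)</replacement>
 </replaceRegex>
 </format>
+<!-- prevents empty SnakeYaml constructor -->
+<format>
+<includes>
+<include>src/**/*.java</include>
+</includes>
+<replaceRegex>
+<name>Forbids new Yaml()</name>
+<searchRegex>^.*new Yaml\(\).*$</searchRegex>
+<replacement>INVALID CONSTRUCTOR (SNAKEYAML)</replacement>
+</replaceRegex>
+</format>
 </formats>
 <java>
 <removeUnusedImports /> <!-- self-explanatory -->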
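Review bot: The `searchRegex` `^.*new Yaml\(\).*$` matches only the exact text `new Yaml()`, so the rule misses a call written with whitespace inside the parentheses, a fully qualified `new org.yaml.snakeyaml.Yaml()`, and a `Yaml` built with a non-safe `Constructor` argument. In SnakeYAML 1.x each of those still permits arbitrary type instantiation when loading. Widening the pattern to `^.*new\s+(org\.yaml\.snakeyaml\.)?Yaml\(\s*\).*$` covers the first two; the third probably needs a separate rule or a static-analysis check rather than a line regex. The XML comment would also be more useful if it stated the reason, e.g. `<!-- forbids the no-arg SnakeYAML constructor, which allows arbitrary type instantiation on load -->`.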

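--- a/util/src/main/java/io/kubernetes/client/util/FilePersister.java
+++ b/util/src/main/java/io/kubernetes/client/util/FilePersister.java
@@ -18,6 +18,7 @@
 import java.util.ArrayList;
 import java.util.HashMap;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 public class FilePersister implements ConfigPersister {
 File configFile;
@@ -50,7 +51,7 @@ public void save(
 // Note this is imperfect, should protect against other processes writing this file too...
 synchronized (configFile) {
 try (FileWriter fw = new FileWriter(configFile)) {
-Yaml yaml = new Yaml();
+Yaml yaml = new Yaml(new SafeConstructor());
 yaml.dump(config, fw);
 fw.flush();
 }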
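Review bot: In `save` the new `SafeConstructor` has no effect on the `yaml.dump(config, fw)` call that follows, because a constructor is consulted only when parsing. The change satisfies the new lint rule, but the protection that matters sits in whatever code reads this file back, which is not in the hunk. A short comment would stop a later reader from assuming the write path was hardened, e.g. `// SafeConstructor only affects load(); passed here to comply with the new Yaml() ban`. Separately, the no-arg `new SafeConstructor()` is not available in SnakeYAML 2.x, so an upgrade would need `new SafeConstructor(new LoaderOptions())` here and at the other site this commit touches in Dynamics.java. The body of `save` starts and ends outside the hunk.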

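--- a/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
+++ b/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
@@ -17,11 +17,12 @@
 import io.kubernetes.client.openapi.JSON;
 import java.util.Map;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 public class Dynamics {
 
 static final JSON internalJSONCodec = new JSON();
-static final Yaml internalYamlCodec = new Yaml();
+static final Yaml internalYamlCodec = new Yaml(new SafeConstructor());
 
 public static DynamicKubernetesObject newFromJson(String jsonContent) {
 return newFromJson(internalJSONCodec.getGson(), jsonContent);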
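Review bot: `internalYamlCodec` remains a single static `Yaml` shared by every caller, and SnakeYAML documents `Yaml` instances as not thread-safe, so concurrent use can corrupt parsing state whichever constructor is passed. If the methods that use it (outside this hunk) can run on several threads, a per-thread instance is safer: `static final ThreadLocal<Yaml> internalYamlCodec = ThreadLocal.withInitial(() -> new Yaml(new SafeConstructor()));`, with call sites switched to `internalYamlCodec.get()`. `SafeConstructor` restricts which types are built but does not by itself bound input size or alias expansion. If this YAML can come from an untrusted source, explicit `LoaderOptions` limits are worth setting as well.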
