fix: Replace the unsafe Yaml instantiation in ReferenceVisitor.getYaml() with SafeConstructor (#2344)

ewaostrowska · web-flow · commit 119fa73b5b53 · 2026-06-11T11:24:09.000+02:00
diff --git a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java
@@ -19,8 +19,11 @@
 import io.swagger.v3.parser.util.RemoteUrl;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.LoggerFactory;
+import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
+import org.yaml.snakeyaml.representer.Representer;
 
 import java.util.HashMap;
 import java.util.HashSet;
@@ -319,15 +322,13 @@ public JsonNode deserializeIntoTree(String content) throws Exception {
     }
 
     private Yaml getYaml() {
-        Yaml yaml;
         String yamlCodePoints = System.getProperty("maxYamlCodePoints");
         if (yamlCodePoints != null && !yamlCodePoints.isEmpty() && StringUtils.isNumeric(yamlCodePoints)) {
-            loaderOptions.setCodePointLimit(Integer.parseInt(yamlCodePoints));
-            yaml = new Yaml(loaderOptions);
-        } else {
-            yaml = new Yaml();
+            LoaderOptions opts = new LoaderOptions();
+            opts.setCodePointLimit(Integer.parseInt(yamlCodePoints));
+            return new Yaml(new SafeConstructor(opts), new Representer(new DumperOptions()), new DumperOptions(), opts);
         }
-        return yaml;
+        return new Yaml(new SafeConstructor(new LoaderOptions()));
     }
 
     public JsonNode parse(String absoluteUri, List<AuthorizationValue> auths) throws Exception {
diff --git a/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/reference/ReferenceVisitorTest.java b/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/reference/ReferenceVisitorTest.java
@@ -28,6 +28,12 @@ public void largeFileShouldBeParsedByJacksonLibraryWhenCodeLimitIsSet() throws E
         System.clearProperty("maxYamlCodePoints");
     }
 
+    @Test(expectedExceptions = YAMLException.class)
+    public void unsafeYamlTagShouldBeRejected() throws Exception {
+        ReferenceVisitor visitor = new ReferenceVisitor(null, null, null, null);
+        visitor.deserializeIntoTree("!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[]]]");
+    }
+
     @Test
     public void largeFileShouldNotBeParsedByJacksonLibraryWhenCodeLimitIsNotSet() throws Exception {
         ReferenceVisitor visitor = new ReferenceVisitor(null, null, null, null);
