pom: bump org.yaml:snakeyaml to 2.4

dupondje · dupondje · commit 6f65f34b2de9 · 2025-02-19T08:58:27.000+01:00
This fixes CVE-2022-1471. Signed-off-by: Jean-Louis Dupond <jean-louis@dupond.be>
diff --git a/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/rsdl/RsdlManager.java b/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/rsdl/RsdlManager.java
@@ -20,9 +20,11 @@
 import org.ovirt.engine.api.model.ObjectFactory;
 import org.ovirt.engine.api.model.Rsdl;
 import org.ovirt.engine.api.utils.ApiRootLinksCreator;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor;
+import org.yaml.snakeyaml.inspector.TagInspector;
 
 public class RsdlManager {
 
@@ -112,7 +114,10 @@ private static MetaData loadMetaData() throws IOException {
     }
 
     private static MetaData loadMetaData(InputStream in) throws IOException {
-        Constructor constructor = new CustomClassLoaderConstructor(Thread.currentThread().getContextClassLoader());
+        LoaderOptions loaderOptions = new LoaderOptions();
+        TagInspector tagInspector = tag -> tag.getClassName().equals(MetaData.class.getName());
+        loaderOptions.setTagInspector(tagInspector);
+        Constructor constructor = new CustomClassLoaderConstructor(Thread.currentThread().getContextClassLoader(), loaderOptions);
         MetaData metaData = (MetaData) new Yaml(constructor).load(in);
         if (metaData == null) {
             throw new IOException("Can't load metadata from input stream");
diff --git a/i18n/pom.xml b/i18n/pom.xml
@@ -14,7 +14,7 @@
     <maven.compiler.target>11</maven.compiler.target>
     <maven-resources-plugin.version>2.5</maven-resources-plugin.version>
     <slf4j.version>1.7.22</slf4j.version>
-    <snakeyaml.version>1.33</snakeyaml.version>
+    <snakeyaml.version>2.4</snakeyaml.version>
 
     <working-zanata-directory>target/zanata</working-zanata-directory>
   </properties>
diff --git a/pom.xml b/pom.xml
@@ -108,7 +108,7 @@
     <reflections.version>0.9.9</reflections.version>
     <resteasy.version>3.9.3.Final</resteasy.version>
     <slf4j.version>1.7.22</slf4j.version>
-    <snakeyaml.version>1.33</snakeyaml.version>
+    <snakeyaml.version>2.4</snakeyaml.version>
     <spring.version>5.3.39</spring.version>
     <sshd-core.version>2.14.0</sshd-core.version>
     <validation-api.version>2.0.1.Final</validation-api.version>
