Repository: brooklyn-server Updated Branches: refs/heads/0.10.0 635068a69 -> ad34129fd
Use SnakeYAML SafeConstructor by default Overridable by setting a system property. Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/ad34129f Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/ad34129f Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/ad34129f Branch: refs/heads/0.10.0 Commit: ad34129fd19b4b4c6d65a6e906c6f04e4185ef31 Parents: 635068a Author: Richard Downer <[email protected]> Authored: Thu Dec 8 16:43:40 2016 +0000 Committer: Svetoslav Neykov <[email protected]> Committed: Sun Dec 11 09:17:14 2016 +0000 ---------------------------------------------------------------------- .../util/internal/BrooklynSystemProperties.java | 2 ++ .../org/apache/brooklyn/util/yaml/Yamls.java | 20 +++++++++++++----- .../apache/brooklyn/util/yaml/YamlsTest.java | 22 ++++++++++++++++++-- 3 files changed, 37 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/ad34129f/utils/common/src/main/java/org/apache/brooklyn/util/internal/BrooklynSystemProperties.java ---------------------------------------------------------------------- diff --git a/utils/common/src/main/java/org/apache/brooklyn/util/internal/BrooklynSystemProperties.java b/utils/common/src/main/java/org/apache/brooklyn/util/internal/BrooklynSystemProperties.java index 3d0048b..58c27d9 100644 --- a/utils/common/src/main/java/org/apache/brooklyn/util/internal/BrooklynSystemProperties.java +++ b/utils/common/src/main/java/org/apache/brooklyn/util/internal/BrooklynSystemProperties.java @@ -37,4 +37,6 @@ public class BrooklynSystemProperties { public static StringSystemProperty HOST_GEO_LOOKUP_IMPL_LEGACY = new StringSystemProperty("brooklyn.location.geo.HostGeoLookup"); public static StringSystemProperty HOST_GEO_LOOKUP_IMPL = new StringSystemProperty("org.apache.brooklyn.core.location.geo.HostGeoLookup"); + /** Allows the use of YAML tags to create arbitrary types known to Java. */ + public static BooleanSystemProperty YAML_TYPE_INSTANTIATION = new BooleanSystemProperty("org.apache.brooklyn.unsafe.YamlTypeInstantiation"); } http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/ad34129f/utils/common/src/main/java/org/apache/brooklyn/util/yaml/Yamls.java ---------------------------------------------------------------------- diff --git a/utils/common/src/main/java/org/apache/brooklyn/util/yaml/Yamls.java b/utils/common/src/main/java/org/apache/brooklyn/util/yaml/Yamls.java index 1697097..8230676 100644 --- a/utils/common/src/main/java/org/apache/brooklyn/util/yaml/Yamls.java +++ b/utils/common/src/main/java/org/apache/brooklyn/util/yaml/Yamls.java @@ -34,11 +34,13 @@ import org.apache.brooklyn.util.collections.Jsonya; import org.apache.brooklyn.util.collections.MutableList; import org.apache.brooklyn.util.exceptions.Exceptions; import org.apache.brooklyn.util.exceptions.UserFacingException; +import org.apache.brooklyn.util.internal.BrooklynSystemProperties; import org.apache.brooklyn.util.text.Strings; -import org.apache.brooklyn.util.yaml.Yamls; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.yaml.snakeyaml.Yaml; +import org.yaml.snakeyaml.constructor.Constructor; +import org.yaml.snakeyaml.constructor.SafeConstructor; import org.yaml.snakeyaml.error.Mark; import org.yaml.snakeyaml.nodes.MappingNode; import org.yaml.snakeyaml.nodes.Node; @@ -54,6 +56,14 @@ public class Yamls { private static final Logger log = LoggerFactory.getLogger(Yamls.class); + private static Yaml newYaml() { + return new Yaml( + BrooklynSystemProperties.YAML_TYPE_INSTANTIATION.isEnabled() + ? new Constructor() // allows instantiation of arbitrary Java types + : new SafeConstructor() // allows instantiation of limited set of types only + ); + } + /** returns the given (yaml-parsed) object as the given yaml type. * <p> * if the object is an iterable or iterator this method will fully expand it as a list. @@ -93,7 +103,7 @@ public class Yamls { */ @Beta public static Object getAt(String yaml, List<String> path) { - Iterable<Object> result = new org.yaml.snakeyaml.Yaml().loadAll(yaml); + Iterable<Object> result = newYaml().loadAll(yaml); Object current = result.iterator().next(); return getAtPreParsed(current, path); } @@ -152,14 +162,14 @@ public class Yamls { /** simplifies new Yaml().loadAll, and converts to list to prevent single-use iterable bug in yaml */ @SuppressWarnings("unchecked") public static Iterable<Object> parseAll(String yaml) { - Iterable<Object> result = new org.yaml.snakeyaml.Yaml().loadAll(yaml); + Iterable<Object> result = newYaml().loadAll(yaml); return (List<Object>) getAs(result, List.class); } /** as {@link #parseAll(String)} */ @SuppressWarnings("unchecked") public static Iterable<Object> parseAll(Reader yaml) { - Iterable<Object> result = new org.yaml.snakeyaml.Yaml().loadAll(yaml); + Iterable<Object> result = newYaml().loadAll(yaml); return (List<Object>) getAs(result, List.class); } @@ -536,7 +546,7 @@ b: 1 try { int pathIndex = 0; result.yaml = yaml; - result.focus = new Yaml().compose(new StringReader(yaml)); + result.focus = newYaml().compose(new StringReader(yaml)); findTextOfYamlAtPath(result, pathIndex, path); return result; http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/ad34129f/utils/common/src/test/java/org/apache/brooklyn/util/yaml/YamlsTest.java ---------------------------------------------------------------------- diff --git a/utils/common/src/test/java/org/apache/brooklyn/util/yaml/YamlsTest.java b/utils/common/src/test/java/org/apache/brooklyn/util/yaml/YamlsTest.java index bd701d5..50e499e 100644 --- a/utils/common/src/test/java/org/apache/brooklyn/util/yaml/YamlsTest.java +++ b/utils/common/src/test/java/org/apache/brooklyn/util/yaml/YamlsTest.java @@ -19,18 +19,20 @@ package org.apache.brooklyn.util.yaml; import static org.testng.Assert.assertEquals; +import static org.testng.Assert.assertFalse; import java.util.Iterator; import java.util.List; +import org.apache.brooklyn.test.Asserts; import org.apache.brooklyn.util.collections.MutableList; import org.apache.brooklyn.util.exceptions.UserFacingException; -import org.apache.brooklyn.util.yaml.Yamls; -import org.apache.brooklyn.util.yaml.YamlsTest; +import org.apache.brooklyn.util.internal.BrooklynSystemProperties; import org.apache.brooklyn.util.yaml.Yamls.YamlExtract; import org.testng.Assert; import org.testng.TestNG; import org.testng.annotations.Test; +import org.yaml.snakeyaml.constructor.ConstructorException; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; @@ -183,6 +185,22 @@ public class YamlsTest { } } + @Test + public void testSafeYaml() throws Exception { + assertFalse(BrooklynSystemProperties.YAML_TYPE_INSTANTIATION.isEnabled(), + "Set property to false (or do not set at all): " + BrooklynSystemProperties.YAML_TYPE_INSTANTIATION.getPropertyName()); + + try { + Yamls.parseAll("!!java.util.Date\n" + + "date: 25\n" + + "month: 12\n" + + "year: 2016"); + Asserts.shouldHaveFailedPreviously("Expected exception: " + ConstructorException.class.getCanonicalName()); + } catch(ConstructorException e) { + Asserts.expectedFailureContains(e, "could not determine a constructor"); + } + } + // convenience, since running with older TestNG IDE plugin will fail (older snakeyaml dependency); // if you run as a java app it doesn't bring in the IDE TestNG jar version, and it works public static void main(String[] args) {
