What can happen when loading a YAML file from an untrusted source with SnakeYAML?

2.8k Views Asked by jobukkit At 03 April 2025 at 07:01

The SnakeYAML documentation says:

Warning: It is not safe to call Yaml.load() with any data received from an untrusted source!

Is it security issues? What can a malicious YAML file do?

There are 2 best solutions below

Andrey On 11 September 2013 at 20:52

SnakeYAML allows to use any class loader. When the instance of a class is created, it calls the constructor. It will run any code there. If you load classes yourself - no worries.

Jim Pivarski On 22 January 2014 at 16:52

I was wondering about this, too, and found the following in the documentation:

Note if you want to limit objects to standard Java objects like List or Long you need to use SafeConstructor.
Yaml yaml = new Yaml(new SafeConstructor());

The link quoted above goes to a test case in which a YAML document contains a reference to a Java object. Without SafeConstructor, yaml.load would call the object's no-argument constructor and this might be a bad thing for some classes in your classpath. With SafeConstructor, only the SafeConstructor nested classes (Java code) would ever be called.

What can happen when loading a YAML file from an untrusted source with SnakeYAML?

There are 2 best solutions below

Related Questions in JAVA

Related Questions in YAML

Related Questions in SNAKEYAML

Trending Questions

Popular # Hahtags

Popular Questions