
CodeQL Docs: SnakeYaml is now secure by default

Open JLLeitschuh opened this issue 5 months ago • 3 comments

https://codeql.github.com/codeql-query-help/java/java-unsafe-deserialization/

This query currently documents that SnakeYaml is currently insecure by default. As of 2.0, this is no longer the case. It's now secure by default. This should be updated in the documentation, and the query, if relevant, should also be updated.

JLLeitschuh avatar Jun 03 '25 23:06 JLLeitschuh

Thanks for reporting. @github/codeql-java this is one for you.

hvitved avatar Jun 17 '25 11:06 hvitved

If you want the full story of how this vulnerability got resolved, here's the link: https://medium.com/bugbountywriteup/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

JLLeitschuh avatar Jun 17 '25 20:06 JLLeitschuh

That seems to be correct. We will try to get around to it, though fixing FPs is not a priority at the moment. Or perhaps you could submit a PR to fix it yourself, @JLLeitschuh ?

owen-mc avatar Jun 20 '25 13:06 owen-mc

Looking at this in more detail, it says here that in SnakeYaml 2.0 all constructors now extend SafeConstructor. Looking through the SnakeYaml documentation online, this seems to be correct. In this case, java/unsafe-deserialization should correctly not alert for any constructors for 2.0 onwards. I've made https://github.com/github/codeql/pull/20018 to update the query help.

owen-mc avatar Jul 10 '25 15:07 owen-mc
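As an added example (not code from this issue, from SnakeYaml or from the CodeQL project), the following Java program shows the 2.0 default the thread describes: with no explicit constructor, a document carrying a global (class) tag is rejected, and a specific tag has to be allow-listed through LoaderOptions. It assumes SnakeYaml 2.x on the classpath; the class name, constants and sample documents are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

// Assumes SnakeYaml 2.x (e.g. org.yaml:snakeyaml:2.2) on the classpath.
public class SnakeYamlDefaults {

    // Constructed sample documents: a plain map, and a scalar carrying a
    // global tag that names a JVM class.
    static final String PLAIN = "name: demo\nretries: 3\n";
    static final String TAGGED = "!!java.util.Date 2020-01-01T00:00:00Z";

    /** True if the document loads with a bare `new Yaml()` (no explicit constructor). */
    static boolean loadsWithDefaults(String doc) {
        try {
            new Yaml().load(doc);
            return true;
        } catch (YAMLException e) {
            // Since 2.0 the default tag inspector rejects every global tag,
            // so the tagged document ends up here; plain data does not.
            return false;
        }
    }

    /** Opt in to exactly one class tag; every other global tag stays rejected. */
    static Object loadWithAllowList(String doc, String allowedClass) {
        LoaderOptions opts = new LoaderOptions();
        // TagInspector is consulted for each global tag before construction.
        opts.setTagInspector(tag -> allowedClass.equals(tag.getClassName()));
        return new Yaml(opts).load(doc);
    }

    public static void main(String[] args) {
        System.out.println("plain map loads with defaults: " + loadsWithDefaults(PLAIN));
        System.out.println("class-tagged doc loads with defaults: " + loadsWithDefaults(TAGGED));
        Object d = loadWithAllowList(TAGGED, "java.util.Date");
        System.out.println("allow-listed tag constructs: " + d.getClass().getName());
    }
}
```

On a 1.x classpath the second call returns true instead, which is exactly the version split the query help needs to reflect.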