zio/zio-json

zio-json-yaml uses SnakeYaml 1.33 which has a 9.8 CVE

fanf opened this issue · 5 comments

fanf commented

SnakeYaml 1.33 has a critical CVE that allows remote code execution (a good one, with a "run anything you want if your yaml file is parsed" level - see: https://www.veracode.com/blog/research/resolving-cve-2022-1471-snakeyaml-20-release-0)

zio-json-yaml uses the faulty new Yaml() constructor.

The correction is either to update to snake-yaml 2.0 or to only use the safe constructors.

fanf commented

A user can't just force snake-yaml 2.0; it leads to the expected missing-method exception.

The exception is the following:

Exception in thread "zio-fiber-44010" java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found
    at zio.json.yaml.internal.YamlValueConstruction.<init>(YamlValueConstruction.scala:8)

That's here: https://github.com/zio/zio-json/blob/series/2.x/zio-json-yaml/src/main/scala/zio/json/yaml/internal/YamlValueConstruction.scala#L8

snakeyaml removed the deprecated constructor of SafeConstructor in 2.0

See 1.33: https://bitbucket.org/snakeyaml/snakeyaml/src/62d2e44a0cd298b48cc14a733735073a8f7f8dc1/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java?at=master#lines-51

2.0 diff: https://bitbucket.org/snakeyaml/snakeyaml/diff/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java?at=master&diff2=3e755d254aeaa902675053047fd53368a175565a

Replacing YamlValueConstruction with this line should fix the issue:

private[yaml] final class YamlValueConstruction extends SafeConstructor(new LoaderOptions()) {

Any help here is appreciated; realistically, I can't tackle this until Sunday.

I made a pull request here: #974
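As an added example (not zio-json's code, and not part of the pull request above), the snippet below shows what the SafeConstructor(new LoaderOptions()) construction from the comment above buys you, using SnakeYAML directly rather than through zio-json-yaml. It assumes org.yaml:snakeyaml 2.x on the classpath (the same calls also compile against 1.33, since SafeConstructor(LoaderOptions) exists there too); the object name SafeYamlCheck, the helper names and both sample documents are constructed for the example.

```scala
// Added example, not zio-json-yaml's own code. Assumes org.yaml:snakeyaml 2.x.
import org.yaml.snakeyaml.{LoaderOptions, Yaml}
import org.yaml.snakeyaml.constructor.SafeConstructor
import org.yaml.snakeyaml.error.YAMLException

import scala.util.{Failure, Success, Try}

object SafeYamlCheck {

  // Constructed sample documents. The second one carries a global tag that asks the
  // loader to instantiate a JVM class; java.util.Date is chosen because it is harmless.
  val plainDoc: String =
    """name: zio-json-yaml
      |versions: [0.5.0, 0.6.0]
      |""".stripMargin

  val taggedDoc: String =
    "when: !!java.util.Date 2023-01-01T00:00:00Z\n"

  // Same construction as the fix in the issue (there used as the superclass of
  // YamlValueConstruction). SafeConstructor only builds the standard YAML types
  // (maps, sequences, scalars); every global tag is refused, so no class named in
  // the document is ever looked up or instantiated.
  def safeYaml(): Yaml = new Yaml(new SafeConstructor(new LoaderOptions()))

  // Parses with the safe loader. Returns the loaded object, or the simple name of the
  // SnakeYAML exception that blocked the document: on 2.x the default LoaderOptions
  // tag inspector rejects the global tag while composing (ComposerException); on 1.33
  // SafeConstructor has no construct registered for the tag (ConstructorException).
  def loadSafely(doc: String): Either[String, Any] =
    Try(safeYaml().load[Any](doc)) match {
      case Success(value)            => Right(value)
      case Failure(e: YAMLException) => Left(e.getClass.getSimpleName)
      case Failure(other)            => throw other
    }

  def main(args: Array[String]): Unit = {
    println(s"plain:  ${loadSafely(plainDoc)}")
    println(s"tagged: ${loadSafely(taggedDoc)}")
  }
}
```

The first document loads as an ordinary java.util.Map; the second is rejected with a Left. Under SnakeYAML 1.33 the same tagged document passed to a plain new Yaml() (the constructor the issue points at) would have been resolved to the named class and instantiated, which is the CVE-2022-1471 behaviour. Upgrading to 2.x on its own already closes that hole, because new Yaml() there refuses global tags unless a TagInspector explicitly allows them; keeping the SafeConstructor on top of the upgrade, as the fix does, means the loader never builds application classes regardless of how the options are configured.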

fanf commented

Since the PR is merged and v0.6.0 was released with the correction, that ticket can be closed in success.