Change to use SafeConstructor

ngrinder-controller/src/main/java/org/ngrinder/script/service/GitHubFileEntryService.java

@@ -27,6 +27,7 @@
 import org.tmatesoft.svn.core.auth.BasicAuthenticationManager;
 import org.tmatesoft.svn.core.wc.*;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -281,14 +282,14 @@ public Set<GitHubConfig> getAllGitHubConfig(User user) throws FileNotFoundExcept
 	private Set<GitHubConfig> getAllGithubConfig(FileEntry gitConfigYaml) {
 		Set<GitHubConfig> gitHubConfig = new HashSet<>();
 		// Yaml is not thread safe. so create it every time.
-		Yaml yaml = new Yaml();
-		Iterable<Map<String, Object>> gitConfigs = cast(yaml.loadAll(gitConfigYaml.getContent()));
-		for (Map<String, Object> configMap : gitConfigs) {
+		Yaml yaml = new Yaml(new SafeConstructor());
+		Iterable<Map<String, String>> gitConfigs = cast(yaml.loadAll(gitConfigYaml.getContent()));
+		for (Map<String, String> configMap : gitConfigs) {
 			if (configMap == null) {
 				continue;
 			}
-			configMap.put("revision", gitConfigYaml.getRevision());
 			GitHubConfig config = objectMapper.convertValue(configMap, GitHubConfig.class);
+			config.setRevision(String.valueOf(gitConfigYaml.getRevision()));
 
 			if (gitHubConfig.contains(config)) {
 				throw new InvalidGitHubConfigurationException("GitHub configuration '"

ngrinder-controller/src/test/java/org/ngrinder/script/service/GitHubFileEntryServiceTest.java

@@ -0,0 +1,69 @@
+package org.ngrinder.script.service;
+
+import org.junit.Test;
+import org.ngrinder.AbstractNGrinderTransactionalTest;
+import org.ngrinder.common.exception.NGrinderRuntimeException;
+import org.ngrinder.script.model.FileEntry;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.yaml.snakeyaml.constructor.ConstructorException;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class GitHubFileEntryServiceTest extends AbstractNGrinderTransactionalTest {
+	@Autowired
+	private GitHubFileEntryService gitHubFileEntryService;
+
+	@Test
+	public void testValidateInvalidConfigNameLength() {
+		FileEntry fileEntry = new FileEntry();
+		fileEntry.setContent(
+				"name: My Long Long Long Long Long Long Github Config Name\n" +
+						"owner: naver\n" +
+						"repo: ngrinder\n" +
+						"access-token: e1a47e652762b60a...3ddc0713b07g13k\n"
+		);
+		fileEntry.setRevision(-1L);
+
+		try {
+			gitHubFileEntryService.validate(fileEntry);
+		} catch (Exception e) {
+			assertTrue(e instanceof NGrinderRuntimeException);
+			assertTrue(e.getMessage().contains("Configuration name must be shorter than"));
+		}
+	}
+
+	@Test
+	public void testValidateInvalidYamlValue() {
+		FileEntry fileEntry = new FileEntry();
+		fileEntry.setContent(
+				"!!com.sun.rowset.JdbcRowSetImpl\n " +
+						"dataSourceName: rmi://127.0.0.1:13243/jmxrmi\n " +
+						"autoCommit: true"
+		);
+		fileEntry.setRevision(-1L);
+
+		try {
+			gitHubFileEntryService.validate(fileEntry);
+		} catch (Exception e) {
+			assertTrue(e instanceof ConstructorException);
+			assertTrue(e.getMessage().contains("could not determine a constructor for the tag"));
+		}
+	}
+
+	@Test
+	public void testValidateInvalidYamlValue2() {
+		FileEntry fileEntry = new FileEntry();
+		fileEntry.setContent(
+				"some_var: !!javax.script.ScriptEngineManager " +
+						"[!!java.net.URLClassLoader [[!!java.net.URL [\"http://localhost:8080\"]]]]"
+		);
+		fileEntry.setRevision(-1L);
+
+		try {
+			gitHubFileEntryService.validate(fileEntry);
+		} catch (Exception e) {
+			assertTrue(e instanceof ConstructorException);
+			assertTrue(e.getMessage().contains("could not determine a constructor for the tag"));
+		}
+	}
+}