From 6df6b325590a215a0ca7b6bb663a118c320f68d7 Mon Sep 17 00:00:00 2001
From: imb
Date: Wed, 15 May 2024 03:03:16 +0900
Subject: [PATCH] Change to use SafeConstructor
---
 .../service/GitHubFileEntryService.java | 9 +--
 .../service/GitHubFileEntryServiceTest.java | 69 +++++++++++++++++++
 2 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 ngrinder-controller/src/test/java/org/ngrinder/script/service/GitHubFileEntryServiceTest.java
diff --git a/ngrinder-controller/src/main/java/org/ngrinder/script/service/GitHubFileEntryService.java b/ngrinder-controller/src/main/java/org/ngrinder/script/service/GitHubFileEntryService.java
index f9529cd7fb..18966fd81a 100644
--- a/ngrinder-controller/src/main/java/org/ngrinder/script/service/GitHubFileEntryService.java
+++ b/ngrinder-controller/src/main/java/org/ngrinder/script/service/GitHubFileEntryService.java
@@ -27,6 +27,7 @@
 import org.tmatesoft.svn.core.auth.BasicAuthenticationManager;
 import org.tmatesoft.svn.core.wc.*;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -281,14 +282,14 @@ public Set getAllGitHubConfig(User user) throws FileNotFoundExcept
 private Set getAllGithubConfig(FileEntry gitConfigYaml) {
 Set gitHubConfig = new HashSet<>();
 // Yaml is not thread safe. so create it every time.
- Yaml yaml = new Yaml();
- Iterable> gitConfigs = cast(yaml.loadAll(gitConfigYaml.getContent()));
- for (Map configMap : gitConfigs) {
+ Yaml yaml = new Yaml(new SafeConstructor());
+ Iterable> gitConfigs = cast(yaml.loadAll(gitConfigYaml.getContent()));
+ for (Map configMap : gitConfigs) {
 if (configMap == null) {
 continue;
 }
- configMap.put("revision", gitConfigYaml.getRevision());
 GitHubConfig config = objectMapper.convertValue(configMap, GitHubConfig.class);
+ config.setRevision(String.valueOf(gitConfigYaml.getRevision()));
 
 if (gitHubConfig.contains(config)) {
 throw new InvalidGitHubConfigurationException("GitHub configuration '"
diff --git a/ngrinder-controller/src/test/java/org/ngrinder/script/service/GitHubFileEntryServiceTest.java b/ngrinder-controller/src/test/java/org/ngrinder/script/service/GitHubFileEntryServiceTest.java
new file mode 100644
index 0000000000..17f3579dd1
--- /dev/null
+++ b/ngrinder-controller/src/test/java/org/ngrinder/script/service/GitHubFileEntryServiceTest.java
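Review bot: The loop in getAllGithubConfig still treats every document returned by `yaml.loadAll(...)` as a `Map` through the unchecked `cast(...)`, so a top-level scalar or sequence in the user-supplied file would presumably surface as a ClassCastException at the `for` line rather than as a configuration error. Iterating as `Object` and checking the type before `objectMapper.convertValue` keeps malformed input on the validation path, e.g. `if (!(doc instanceof Map)) { throw new InvalidGitHubConfigurationException("GitHub configuration must be a YAML mapping"); }`. SafeConstructor only restricts which types a tag may instantiate; it does not bound document size or nesting, so if the bundled SnakeYAML version provides `LoaderOptions`, explicit limits are worth setting for this untrusted content. The method body continues past the end of the hunk, and any other `new Yaml()` in this class outside the hunk would need the same constructor.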
@@ -0,0 +1,69 @@ +package org.ngrinder.script.service; + +import org.junit.Test; +import org.ngrinder.AbstractNGrinderTransactionalTest; +import org.ngrinder.common.exception.NGrinderRuntimeException; +import org.ngrinder.script.model.FileEntry; +import org.springframework.beans.factory.annotation.Autowired; +import org.yaml.snakeyaml.constructor.ConstructorException; + +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class GitHubFileEntryServiceTest extends AbstractNGrinderTransactionalTest { + @Autowired + private GitHubFileEntryService gitHubFileEntryService; + + @Test + public void testValidateInvalidConfigNameLength() { + FileEntry fileEntry = new FileEntry(); + fileEntry.setContent( + "name: My Long Long Long Long Long Long Github Config Name\n" + + "owner: naver\n" + + "repo: ngrinder\n" + + "access-token: e1a47e652762b60a...3ddc0713b07g13k\n" + ); + fileEntry.setRevision(-1L); + + try { + gitHubFileEntryService.validate(fileEntry); + } catch (Exception e) { + assertTrue(e instanceof NGrinderRuntimeException); + assertTrue(e.getMessage().contains("Configuration name must be shorter than")); + } + } + + @Test + public void testValidateInvalidYamlValue() { + FileEntry fileEntry = new FileEntry(); + fileEntry.setContent( + "!!com.sun.rowset.JdbcRowSetImpl\n " + + "dataSourceName: rmi://127.0.0.1:13243/jmxrmi\n " + + "autoCommit: true" + ); + fileEntry.setRevision(-1L); + + try { + gitHubFileEntryService.validate(fileEntry); + } catch (Exception e) { + assertTrue(e instanceof ConstructorException); + assertTrue(e.getMessage().contains("could not determine a constructor for the tag")); + } + } + + @Test + public void testValidateInvalidYamlValue2() { + FileEntry fileEntry = new FileEntry(); + fileEntry.setContent( + "some_var: !!javax.script.ScriptEngineManager " + + "[!!java.net.URLClassLoader [[!!java.net.URL [\"http://localhost:8080\"]]]]" + ); + fileEntry.setRevision(-1L); + + try { + gitHubFileEntryService.validate(fileEntry); + } catch 
(Exception e) { + assertTrue(e instanceof ConstructorException); + assertTrue(e.getMessage().contains("could not determine a constructor for the tag")); + } + } +}
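Review bot: All three tests place their assertions inside `catch (Exception e)`, so each one passes when `validate` throws nothing at all; in testValidateInvalidYamlValue and testValidateInvalidYamlValue2 a document that is parsed without any exception would go unnoticed. Asserting the throw directly closes that gap, e.g. `ConstructorException e = assertThrows(ConstructorException.class, () -> gitHubFileEntryService.validate(fileEntry));` followed by the existing message check, or a `fail(...)` call right after `validate(fileEntry)`. The file also combines `org.junit.Test` with `org.junit.jupiter.api.Assertions`; staying with one JUnit generation would make it clear which runner and assertion semantics apply.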