From 281f0f90c357015a4e5e7bcdc7257edd85e172e5 Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Tue, 24 Jan 2023 22:54:00 +0000
Subject: [PATCH 1/2] Switch to SafeConstructor for YAML everywhere.
---
 .../src/main/java/io/kubernetes/client/util/FilePersister.java | 3 ++-
 .../io/kubernetes/client/util/generic/dynamic/Dynamics.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/util/src/main/java/io/kubernetes/client/util/FilePersister.java b/util/src/main/java/io/kubernetes/client/util/FilePersister.java
index 16163927b5..f4c800268d 100644
--- a/util/src/main/java/io/kubernetes/client/util/FilePersister.java
+++ b/util/src/main/java/io/kubernetes/client/util/FilePersister.java
@@ -18,6 +18,7 @@
 import java.util.ArrayList;
 import java.util.HashMap;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 public class FilePersister implements ConfigPersister {
 File configFile;
@@ -50,7 +51,7 @@ public void save(
 // Note this is imperfect, should protect against other processes writing this file too...
 synchronized (configFile) {
 try (FileWriter fw = new FileWriter(configFile)) {
- Yaml yaml = new Yaml();
+ Yaml yaml = new Yaml(new SafeConstructor());
 yaml.dump(config, fw);
 fw.flush();
 }
diff --git a/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java b/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
index 47e263beae..f93e05b34f 100644
--- a/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
+++ b/util/src/main/java/io/kubernetes/client/util/generic/dynamic/Dynamics.java
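Review bot: Switching this line to `new Yaml(new SafeConstructor())` does not change what `save` does, because the constructor only governs `load`/`loadAs` and the visible code only calls `yaml.dump(config, fw)`, which goes through the default `Representer` that this hunk leaves untouched. The change is harmless and keeps the class in line with the pom rule that bans the no-argument form, but it should not be read as hardening this file's parsing; whatever reads the dumped config back is outside this hunk and needs the safe constructor on its own `Yaml`. If `config` ever holds anything other than the `HashMap`/`ArrayList` values the imports suggest, the default `Representer` would emit `!!` class tags that a `SafeConstructor` loader then rejects, so a short comment is worth adding: `// SafeConstructor only affects load(); dump() is unchanged. Kept so the file matches the project-wide ban on new Yaml().`. The enclosing `save` method continues past the end of the hunk.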
@@ -17,11 +17,12 @@
 import io.kubernetes.client.openapi.JSON;
 import java.util.Map;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 public class Dynamics {
 static final JSON internalJSONCodec = new JSON();
- static final Yaml internalYamlCodec = new Yaml();
+ static final Yaml internalYamlCodec = new Yaml(new SafeConstructor());
 public static DynamicKubernetesObject newFromJson(String jsonContent) {
 return newFromJson(internalJSONCodec.getGson(), jsonContent);
From c63574f7275c00e4681eb183017905cf304421ea Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Tue, 24 Jan 2023 23:02:37 +0000
Subject: [PATCH 2/2] Add a rule to block empty YAML constructors.
---
 pom.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/pom.xml b/pom.xml
index 8f08b02deb..cc7e4c06c8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -470,6 +470,17 @@ INVALID IMPORTS (GUAVA) + + + + src/**/*.java + + + Forbids new Yaml() + ^.*new Yaml\(\).*$ + INVALID CONSTRUCTOR (SNAKEYAML) + +
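Review bot: `internalYamlCodec` remains a single `static final` instance shared by every caller, and SnakeYAML documents `Yaml` objects as not thread-safe, so the `SafeConstructor` fixes which classes a document may instantiate but not the hazard of parsing on this shared object from several threads at once; the `newFromYaml` callers are outside the hunk, so how it is used cannot be confirmed here. A cheap fix is to create the codec per call (`new Yaml(new SafeConstructor())` inside the loading method) or hold it in a `ThreadLocal<Yaml>`, since construction is typically cheap relative to a parse. Separately, if the project's SnakeYAML is recent enough, `new SafeConstructor(new LoaderOptions())` also lets you cap aliases and document size for untrusted manifests; the version is not on this page, so treat that as a follow-up to check. A one-line comment on the field would record the intent: `// SafeConstructor: only standard YAML tags are honoured, so a manifest cannot instantiate arbitrary classes.`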
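Review bot: The pattern `^.*new Yaml\(\).*$` only matches the literal no-argument constructor, so the overloads that take a `LoaderOptions`, `DumperOptions` or `Representer` — all of which fall back to the unrestricted `Constructor` in SnakeYAML 1.x — pass the check, and so does an explicit `new Yaml(new Constructor(...))`. If the intent is the commit's "SafeConstructor everywhere", invert the rule to flag any `new Yaml(` whose first argument is not a `SafeConstructor`, for example `^.*new Yaml\((?!\s*new SafeConstructor\b).*$`, accepting that a call site passing a pre-built constructor variable would then need an explicit exclusion. The surrounding XML elements were stripped from this page, so the enforcer rule type and whether its regex engine supports lookahead cannot be confirmed; the `src/**/*.java` include does cover test sources, which is the right default.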