Re: [PR] [Improvement] Use safe constructor with snake yaml [dolphinscheduler]

Sun, 24 Mar 2024 20:11:51 -0700 


EricGao888 commented on code in PR #15758:
URL: 
https://github.com/apache/dolphinscheduler/pull/15758#discussion_r1537009519


##########
dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/loop/template/http/parser/HttpTaskDefinitionParser.java:
##########
@@ -60,9 +60,9 @@ public class HttpTaskDefinitionParser implements 
TaskDefinitionParser<HttpLoopTa
     }
 
     protected @NonNull LoopTaskYamlDefinition parseYamlConfigFile(@NonNull 
String yamlConfigFile) throws IOException {
-        Yaml yaml = new Yaml(new Constructor(LoopTaskYamlDefinition.class));
         try (FileReader fileReader = new FileReader(yamlConfigFile)) {
-            return yaml.load(fileReader);
+            return new Yaml(new ClassFilterConstructor(new 
Class[]{LoopTaskYamlDefinition.class}))

Review Comment:
   @kezhenxu94 In `ClassFilterConstructor`, it overrides the method 
`getClassForName` from its super class `Constructor` which is called in the 
method `getClassForNode`.  The strange thing is that if you put a check point 
at `cl = this.getClassForName(name);`, run 
`HttpTaskDefinitionParserTest.parseYamlConfigFile` and you will find that `cl = 
this.getClassForName(name);` only gets called once, which means the fields and 
the fields of the fields in `LoopTaskYamlDefinition` such as 
`LoopTaskServiceYamlDefinition`, `LoopTaskQueryStateYamlDefinition`, etc. are 
not checked iteratively. I think whether to add these nested types or not does 
not make any difference and the nested types still bypass the check in this 
solution.
   
   ``` java
       protected Class<?> getClassForNode(Node node) {
           Class<? extends Object> classForTag = 
(Class)this.typeTags.get(node.getTag());
           if (classForTag == null) {
               String name = node.getTag().getClassName();
   
               Class cl;
               try {
                   cl = this.getClassForName(name);
               } catch (ClassNotFoundException var6) {
                   throw new YAMLException("Class not found: " + name);
               }
   
               this.typeTags.put(node.getTag(), cl);
               return cl;
           } else {
               return classForTag;
           }
       }
   ```
   
   
   
![image](https://github.com/apache/dolphinscheduler/assets/34905992/e684ff4e-57a9-423c-bb8b-cbeb84b2952d)
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to