Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add settings for alias limits, recursion, and duplicate keys #649

Open
headius opened this issue Sep 19, 2023 · 8 comments
Open

Add settings for alias limits, recursion, and duplicate keys #649

headius opened this issue Sep 19, 2023 · 8 comments
Labels

Comments

@headius
Copy link
Contributor

headius commented Sep 19, 2023

In #613 and #647 I exposed settings in SnakeYAML Engine for limiting code points, aliases, recursive keys, and duplicate keys.

I was able to add one test that worked, for the code point limit setting. I could not get the others to error, and I think I've figured out why: they are not done at the parser level.

The maximum alias detection, for example, which is used to prevent the "billion laughs" attack, is done above the parser in SnakeYAML Engine as part of composing YAML nodes for the rest of the library. JRuby's Psych backend bypasses the composer/node API and uses the parser directly, with the node-wrangling logic living in the rest of Psych.

https://bitbucket.org/snakeyaml/snakeyaml-engine/src/8fc70e5d943a24ed9eb94eb333a4da7ca79e62c1/src/main/java/org/snakeyaml/engine/v2/composer/Composer.java#Composer.java-187:194

I suspect this is the same situation for the duplicate and recursive keys, but hopefully @asomov can tell us if this is the case.

If so, then three out of the four settings I added are not really being used by SnakeYAML Engine, and they should be changed into Psych-level settings. However I am not sure how the C version of Psych detects and prevents these situations. Need clarification from @tenderlove or @hsbt.

Alternatively, it may make sense for the SnakeYAML Engine parser itself to honor these settings, but that would be up to @asomov.

@headius
Copy link
Contributor Author

headius commented Sep 19, 2023

@oliverbarnes Ping! I believe this is why I could not get the other settings to work properly. I'm glad the one you needed is hooked up, though!

@headius
Copy link
Contributor Author

headius commented Oct 5, 2023

@tenderlove @hsbt I would like your input here. In #647 I added the ability to set the SnakeYAML defaults for four settings, but it appears only one of those four is actually checked in the parser (maximum code points). The others appear to be done as part of SnakeYAML's node graph building, such as the alias limit I mention in this issue's description.

In order for these settings to be useful, one of two things would need to happen:

  • SnakeYAML Engine would need to check them during parse, rather than during tree building or other higher-level parts of the API as it does now; OR
  • Psych would need to add equivalent checks within its own tree-building etc logic. (Probably the more logical place since it would bring these limits to all Psych users).

Either of these would require work beyond my expertise, so I don't expect them to happen soon. And that leaves us with three JRuby-specific settings that don't really do anything (they do, but they don't affect execution of the parts of SnakeYAML Engine that Psych uses).

I'm thinking it would just be best to remove the other settings until such time as they make sense to add again. Then we could get a release out with the code point setting available. We keep getting bug reports about it, so I'd like a Psych update we can ship in 9.4.4.0 by the end of this month.

@tenderlove @hsbt Thoughts?

headius added a commit to headius/psych that referenced this issue Oct 5, 2023
These settings are not enforced at the parser level in SnakeYAML
Engine, instead being enforced during the construction of the YAML
node graph. Because the JRuby Psych wrapper around SnakeYAML only
uses the parser directly, the settings have no effect. This commit
removes the ineffective settings until we can decide what to do
about them.

See ruby#613, ruby#647, and ruby#649.
@headius
Copy link
Contributor Author

headius commented Oct 5, 2023

I've pushed #653 which removes the ineffective settings.

@hsbt
Copy link
Member

hsbt commented Oct 5, 2023

I'm +1 to remove them.

@tenderlove
Copy link
Member

@headius yes we should remove them. The default API (YAML.load) doesn't allow aliases or recursive data structures by default, the user has to specifically opt-in. We could theoretically add alias / depth limiting to the AST -> Ruby pass, but I'm not sure if it's necessary.

@oliverbarnes
Copy link

@oliverbarnes Ping! I believe this is why I could not get the other settings to work properly. I'm glad the one you needed is hooked up, though!

thanks for the heads up @headius! I'm glad there'll be a resolution for these settings for 9.4.4.0, good to know

@asomov
Copy link

asomov commented Oct 5, 2023

Unfortunately, I do not know know how to change SnakeYAML Engine - some checks can only be done when the Node tree is created.

@headius
Copy link
Contributor Author

headius commented Oct 7, 2023

@tenderlove Sounds good. Perhaps the code point limit could be added as an additional DoS measure, but I'll go with what I have to remove the inoperable settings and hopefully we can release that soon.

@hsbt hsbt added the JRuby label Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

5 participants