Add settings for alias limits, recursion, and duplicate keys #649
Comments
@oliverbarnes Ping! I believe this is why I could not get the other settings to work properly. I'm glad the one you needed is hooked up, though!
@tenderlove @hsbt I would like your input here. In #647 I added the ability to set the SnakeYAML defaults for four settings, but it appears only one of those four is actually checked in the parser (maximum code points). The others appear to be done as part of SnakeYAML's node graph building, such as the alias limit I mention in this issue's description. In order for these settings to be useful, one of two things would need to happen:
Either of these would require work beyond my expertise, so I don't expect them to happen soon. And that leaves us with three JRuby-specific settings that don't really do anything (they do, but they don't affect execution of the parts of SnakeYAML Engine that Psych uses). I'm thinking it would just be best to remove the other settings until such time as they make sense to add again. Then we could get a release out with the code point setting available. We keep getting bug reports about it, so I'd like a Psych update we can ship in 9.4.4.0 by the end of this month. @tenderlove @hsbt Thoughts?
These settings are not enforced at the parser level in SnakeYAML Engine, instead being enforced during the construction of the YAML node graph. Because the JRuby Psych wrapper around SnakeYAML only uses the parser directly, the settings have no effect. This commit removes the ineffective settings until we can decide what to do about them. See ruby#613, ruby#647, and ruby#649.
I've pushed #653 which removes the ineffective settings.
I'm +1 to remove them.
@headius yes we should remove them. The default API ( |
thanks for the heads up @headius! I'm glad there'll be a resolution for these settings for 9.4.4.0, good to know
Unfortunately, I do not know how to change SnakeYAML Engine - some checks can only be done when the Node tree is created.
@tenderlove Sounds good. Perhaps the code point limit could be added as an additional DoS measure, but I'll go with what I have to remove the inoperable settings and hopefully we can release that soon. |
In #613 and #647 I exposed settings in SnakeYAML Engine for limiting code points, aliases, recursive keys, and duplicate keys.
I was able to add one test that worked, for the code point limit setting. I could not get the others to error, and I think I've figured out why: they are not done at the parser level.
The maximum alias detection, for example, which is used to prevent the "billion laughs" attack, is done above the parser in SnakeYAML Engine as part of composing YAML nodes for the rest of the library. JRuby's Psych backend bypasses the composer/node API and uses the parser directly, with the node-wrangling logic living in the rest of Psych.
https://bitbucket.org/snakeyaml/snakeyaml-engine/src/8fc70e5d943a24ed9eb94eb333a4da7ca79e62c1/src/main/java/org/snakeyaml/engine/v2/composer/Composer.java#Composer.java-187:194
I suspect this is the same situation for the duplicate and recursive keys, but hopefully @asomov can tell us if this is the case.
If so, then three out of the four settings I added are not really being used by SnakeYAML Engine, and they should be changed into Psych-level settings. However I am not sure how the C version of Psych detects and prevents these situations. Need clarification from @tenderlove or @hsbt.
Alternatively, it may make sense for the SnakeYAML Engine parser itself to honor these settings, but that would be up to @asomov.
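To make the parser-versus-composer distinction from the description concrete, here is an added Ruby example (not Psych's, JRuby's or SnakeYAML Engine's own code) that enforces an alias limit at the parser-event level, which is the level a Psych-side setting would have to live at if the backend bypasses the SnakeYAML Engine composer. The `AliasLimitHandler` class, the `check_alias_limit` and `billion_laughs_sample` helpers and the generated document are all constructed for this illustration; the only Psych API it relies on is `Psych::Parser` driving a `Psych::Handler` subclass, plus `Psych.safe_load`, which on MRI refuses aliases unless `aliases: true` is passed.

```ruby
require "psych"

# Hypothetical handler (added example): counts alias events as the parser
# emits them and aborts once a configured limit is exceeded. Nothing here
# depends on the node graph, so it works with a parser-only backend.
class AliasLimitHandler < Psych::Handler
  class TooManyAliases < StandardError; end

  attr_reader :alias_count, :anchor_count

  def initialize(max_aliases)
    @max_aliases  = max_aliases
    @alias_count  = 0
    @anchor_count = 0
  end

  # Called once per `*anchor` reference in the event stream.
  def alias(anchor)
    @alias_count += 1
    if @alias_count > @max_aliases
      raise TooManyAliases, "alias *#{anchor}: more than #{@max_aliases} aliases in document"
    end
  end

  # Anchors (`&name`) arrive on scalar / sequence / mapping start events.
  def scalar(_value, anchor, _tag, _plain, _quoted, _style)
    @anchor_count += 1 if anchor
  end

  def start_sequence(anchor, _tag, _implicit, _style)
    @anchor_count += 1 if anchor
  end

  def start_mapping(anchor, _tag, _implicit, _style)
    @anchor_count += 1 if anchor
  end
end

# Runs the parser with the limit applied. Returns [:ok, aliases_seen] when the
# document stays under the limit and [:rejected, aliases_seen] when the handler
# stopped the parse; aliases_seen is then limit + 1, the event that tripped it.
def check_alias_limit(yaml, max_aliases)
  handler = AliasLimitHandler.new(max_aliases)
  Psych::Parser.new(handler).parse(yaml)
  [:ok, handler.alias_count]
rescue AliasLimitHandler::TooManyAliases
  [:rejected, handler.alias_count]
end

# Constructed "billion laughs" style document: each level holds three aliases
# to the previous one, so depth n yields n + 1 anchors and 3 * n aliases while
# the expanded graph grows as 3**n.
def billion_laughs_sample(depth)
  lines = ['l0: &l0 ["lol", "lol", "lol"]']
  (1..depth).each do |i|
    lines << "l#{i}: &l#{i} [*l#{i - 1}, *l#{i - 1}, *l#{i - 1}]"
  end
  lines.join("\n") + "\n"
end

# For comparison: MRI Psych's safe_load rejects any alias by default
# (Psych::BadAlias, or its subclass Psych::AliasesNotEnabled on Psych 4).
def safe_load_rejects_aliases?(yaml)
  Psych.safe_load(yaml)
  false
rescue Psych::BadAlias
  true
end

if __FILE__ == $0
  doc = billion_laughs_sample(4)
  p check_alias_limit(doc, 100)       # [:ok, 12]
  p check_alias_limit(doc, 10)        # [:rejected, 11]
  p safe_load_rejects_aliases?(doc)   # true
end
```

The point of counting at the event level is that the check fires before anything is built: the handler never materialises the aliased subtrees, so a document designed to blow up on expansion costs only the parser's work up to the limit.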