Add a decoder option to limit the number of unmarshalled values #375
Conversation
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
decode_test.go
Outdated
d = yaml.NewDecoder(bytes.NewBuffer([]byte(ordinalCase)), yaml.WithLimitDecodedValuesCount(3)) | ||
// decoded values are [Hello, World, [Hello:World pair]] | ||
err = d.Decode(&v) | ||
c.Assert(err, Equals, nil) |
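Review bot: the new assertion only exercises the exact-limit case (WithLimitDecodedValuesCount(3) against a document that decodes to exactly three values), so the test never shows the limit rejecting anything; add the complementary case that decodes the same ordinalCase with WithLimitDecodedValuesCount(2) and asserts that Decode returns a non-nil error, so the boundary is pinned from both sides.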
c.Assert(err, IsNil)
yaml.go
Outdated
@@ -89,26 +89,45 @@ func UnmarshalStrict(in []byte, out interface{}) (err error) { | |||
return unmarshal(in, out, true) | |||
} | |||
|
|||
// DecoderOption is an option to apply to modyfy a decoder's behavior |
typo: s/modyfy/modify
@silvin-lubecki fixed, thanks :)
The issue has been addressed in v3 without additional API changes. The proper fix for v2 would be to backport that over. Closing this one on that basis.
@niemeyer do you know which PR fixed it in v3? Happy to open a backport/cherry-pick (if possible)
@thaJeztah Thanks! That was addressed with caeefd8
It's been backported to v2 with bb4e33b.
You literally copied his contribution without attribution. While it would have been best if the commit had been cherry-picked, at the least @simonferquel should get credited for this fix.
His proposal: https://github.com/go-yaml/yaml/pull/375/files What was committed: Enjoy your day.
Don't fight over me and this PR please, I don't care if I am mentioned in anything. This commit just allowed me to work around the issue for a project I had, and I made a PR in case it could help others.
@omeid the implementation that was merged is different; this PR suggested a configurable limit, whereas the code merged has a hard-coded limit. The test case looks similar, because both are based on the same YAML exploit (the example can be found on WikiPedia: https://en.m.wikipedia.org/wiki/Billion_laughs_attack). That said, it would've been nice if this PR had gotten attention earlier.
@simonferquel You are right, and your help was appreciated. Even if we got something else in, you gave a place for people to organize around the issue and think about it. Thank you.
@thaJeztah Yeah, it's internally handled, but it's not quite hardcoded. We consider the percentage of aliases in the overall document. And we also look at the depth since that's where the issue happens. You are also right that this should have been looked into before.
This PR gives user code the opportunity to limit the number of values unmarshalled while decoding a YAML payload.
This is very useful to protect programs from malicious external YAML documents such as these:
This is a valid document, but parsing it will crash the program with an out-of-memory panic at some point.
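The PR proposes capping the number of values a decode may produce, and the maintainer's comment above describes the merged v3 approach of weighing the share of aliases in the document and the nesting depth. As an added illustration, not code from this PR or from go-yaml, the Go program below models alias expansion on a constructed in-memory document (anchors and aliases only, no YAML parsing): it shows how a handful of aliases expands into an exponential number of values, reports the alias share of the source, and applies a decoded-value cap that aborts the expansion early. All names (`billionLaughs`, `expandCount`, `sourceStats`, `errTooManyValues`) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// node is a constructed stand-in for a YAML node: either a scalar, or a
// sequence whose entries are aliases to earlier anchors.
type node struct {
	scalar bool
	refs   []string // anchors this node aliases
}

// doc maps anchor name to node; it is the "source document" of the model.
type doc map[string]node

// billionLaughs builds the classic shape: a0 is a scalar, and each later
// level aliases the previous level `fanout` times.
func billionLaughs(levels, fanout int) doc {
	d := doc{"a0": {scalar: true}}
	for i := 1; i < levels; i++ {
		prev := fmt.Sprintf("a%d", i-1)
		refs := make([]string, fanout)
		for j := range refs {
			refs[j] = prev
		}
		d[fmt.Sprintf("a%d", i)] = node{refs: refs}
	}
	return d
}

// sourceStats returns how many anchors the source defines and how many
// alias references it contains; the ratio is the heuristic the maintainer
// mentions (a tiny source made mostly of aliases is the warning sign).
func sourceStats(d doc) (anchors, aliases int) {
	for _, n := range d {
		anchors++
		aliases += len(n.refs)
	}
	return anchors, aliases
}

var errTooManyValues = errors.New("decoded value limit exceeded")

// expandCount counts the values a naive decoder would materialise when
// expanding root, aborting as soon as the running total exceeds limit
// (limit <= 0 disables the cap). Without a cap the walk is exponential in
// the number of levels, which is exactly the out-of-memory scenario.
func expandCount(d doc, root string, limit int) (int, error) {
	total := 0
	var walk func(name string) error
	walk = func(name string) error {
		n, ok := d[name]
		if !ok {
			return fmt.Errorf("unknown anchor %q", name)
		}
		total++
		if limit > 0 && total > limit {
			return errTooManyValues
		}
		for _, r := range n.refs {
			if err := walk(r); err != nil {
				return err
			}
		}
		return nil
	}
	err := walk(root)
	return total, err
}

func main() {
	d := billionLaughs(10, 10) // 10 levels, fanout 10: ~1.1e9 values if expanded
	anchors, aliases := sourceStats(d)
	fmt.Printf("source: %d anchors, %d aliases (%.0f%% aliases)\n",
		anchors, aliases, 100*float64(aliases)/float64(anchors+aliases))

	// A capped expansion stops after limit+1 values instead of running out of memory.
	n, err := expandCount(d, "a9", 1000)
	fmt.Printf("capped expansion stopped at %d values: %v\n", n, err)
}
```

The source here has only 10 anchors and 90 alias references, yet expanding `a9` would materialise over a billion values; with a cap of 1000 the walk stops at value 1001 and returns `errTooManyValues`, which is the behaviour a decoder limit gives the caller.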