Issue #377 invalid

Allow configuration for preventing billion laughs attack

Anonymous created an issue

What steps will reproduce the problem?

Currently the parser will always evaluate aliases present in YAML documents. A malicious payload such as [1] could be used to perform a DoS attack against applications that are internally using SnakeYaml (this payload will result in a heap overflow).

[1] https://en.wikipedia.org/wiki/Billion_laughs#Variations

What is the expected output? What do you see instead?

It is expected that there would be a configuration option, usable to turn off alias support altogether, or to define the maximum depth to which the parser should resolve dependencies before throwing an exception.

What version of SnakeYAML are you using? What is the Java version?

v1.18

Test logic usable to reproduce the behaviour

import java.util.Map;
import org.yaml.snakeyaml.Yaml;

public class BillionLaughsTest {
    public static void main(String[] args) {
        // Each level is an anchored sequence holding nine aliases to the previous level.
        String data = "a: &a [\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\"]\n" +
                "b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n" +
                "c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n" +
                "d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n" +
                "e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n" +
                "f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n" +
                "g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n" +
                "h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n" +
                "i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]";
        Yaml yaml = new Yaml();
        Map<?, ?> map = (Map<?, ?>) yaml.load(data); // aliases are resolved with no limit
    }
}

How XML parsers address the same issue

Check [2]: dbf.setExpandEntityReferences(false);

[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J

Thank you!
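One way an application could enforce the limit the report asks for, as an added example that is not part of SnakeYAML or of this issue: compose the node graph first (aliases stay shared nodes, so nothing is expanded), compute with memoisation how large the document would become if every alias were copied, and refuse to construct objects above a budget. `AliasExpansionGuard` and `MAX_EXPANDED_NODES` are hypothetical names; the budget value is an assumption.

```java
import java.io.StringReader;
import java.util.IdentityHashMap;
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.nodes.MappingNode;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.NodeTuple;
import org.yaml.snakeyaml.nodes.SequenceNode;

/** Hypothetical guard (not part of SnakeYAML): rejects documents whose alias expansion is too large. */
public final class AliasExpansionGuard {
    private static final long MAX_EXPANDED_NODES = 100_000; // assumed budget, tune per application
    private static final long CAP = MAX_EXPANDED_NODES + 1; // counts saturate here, so no overflow
    private final Map<Node, Long> memo = new IdentityHashMap<>();
    private final Map<Node, Boolean> inProgress = new IdentityHashMap<>();

    /** Composes the node graph (aliases shared, nothing copied), checks its expanded size, then loads. */
    public static Object loadGuarded(String yamlText) {
        Yaml yaml = new Yaml();
        Node root = yaml.compose(new StringReader(yamlText));
        long expanded = new AliasExpansionGuard().expandedSize(root);
        if (expanded > MAX_EXPANDED_NODES) {
            throw new IllegalArgumentException("YAML alias expansion exceeds budget: " + expanded);
        }
        return yaml.load(yamlText); // parsed a second time; acceptable once the size is bounded
    }

    /** Number of nodes the document would contain if every alias were expanded in place. */
    long expandedSize(Node node) {
        Long cached = memo.get(node);
        if (cached != null) return cached;
        if (inProgress.containsKey(node)) { // e.g. "a: &a [*a]" composes to a cyclic graph
            throw new IllegalArgumentException("recursive alias detected");
        }
        inProgress.put(node, Boolean.TRUE);
        long total = 1;
        if (node instanceof SequenceNode) {
            for (Node child : ((SequenceNode) node).getValue()) total = add(total, expandedSize(child));
        } else if (node instanceof MappingNode) {
            for (NodeTuple t : ((MappingNode) node).getValue()) {
                total = add(total, expandedSize(t.getKeyNode()));
                total = add(total, expandedSize(t.getValueNode()));
            }
        }
        inProgress.remove(node);
        memo.put(node, total);
        return total;
    }

    private static long add(long a, long b) {
        return (a >= CAP || b >= CAP || a + b >= CAP) ? CAP : a + b;
    }
}
```

For the nine-level payload above the count saturates at the cap after a few levels, so the check itself runs in time proportional to the document text, not to its expansion.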

Comments (3)
