Billion laughs attack
From time to time we receive reports about a potential problem when parsing YAML: too many anchors and aliases may blow up memory consumption.
The (only) use case provided is similar to this picture:
The problem is: if you stand with your mouth open and your eyes closed, someone may throw trash in and you get sick.
SnakeYAML Engine has a way to restrict the number of aliases for collections, so that parsing fails early without allocating too many resources.
Solution
- If the YAML is not coming from an untrusted source (it is merely a configuration file) then it is a false positive. Just ignore it. The quality of the NVD database is very low and it contains tons of issues which appear to be false positives.
- Read the YAML and check its quality before giving the document to SnakeYAML (count `*` and `&`, for instance).
- Migrate to SnakeYAML Engine. It has a configuration option to restrict aliases for collections (aliases for scalars cannot grow, so they are not restricted).
- SnakeYAML now also has the possibility to fail early.
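As an added example (not code from the snakeyaml project), here is how the cheap pre-check and the Engine's alias limit fit together. The class and method names `AliasLimitDemo`, `looksSuspicious`, `loadWithLimit` and `sampleDocument` are assumed for the example, and the sample document is constructed for it:

```java
import org.snakeyaml.engine.v2.api.Load;
import org.snakeyaml.engine.v2.api.LoadSettings;
import org.snakeyaml.engine.v2.exceptions.YamlEngineException;

public class AliasLimitDemo {

    // Crude pre-check as suggested above: count anchor ('&') and alias ('*')
    // markers before parsing. It also counts these characters inside quoted
    // strings, so treat it as a cheap early rejection, not an exact parse.
    static boolean looksSuspicious(String yaml, int maxMarkers) {
        int markers = 0;
        for (char c : yaml.toCharArray()) {
            if (c == '&' || c == '*') {
                markers++;
            }
        }
        return markers > maxMarkers;
    }

    // Load with the Engine's limit: parsing stops with a YamlEngineException
    // once more than maxAliases aliases point at collections (sequence or
    // mapping nodes); aliases to scalars are not counted.
    static Object loadWithLimit(String yaml, int maxAliases) {
        LoadSettings settings = LoadSettings.builder()
                .setMaxAliasesForCollections(maxAliases)
                .build();
        return new Load(settings).loadFromString(yaml);
    }

    // Constructed sample: one anchored sequence and aliasCount aliases to it.
    static String sampleDocument(int aliasCount) {
        StringBuilder sb = new StringBuilder("base: &base [1, 2, 3]\nrefs:\n");
        for (int i = 0; i < aliasCount; i++) {
            sb.append("  - *base\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String small = sampleDocument(5);
        String large = sampleDocument(200);
        System.out.println("pre-check small: " + looksSuspicious(small, 50));
        System.out.println("pre-check large: " + looksSuspicious(large, 50));
        System.out.println("small loads: " + loadWithLimit(small, 50));
        try {
            loadWithLimit(large, 50);
        } catch (YamlEngineException e) {
            // Rejected before the whole document is materialised
            System.out.println("large rejected: " + e.getMessage());
        }
    }
}
```

The same limit exists in SnakeYAML itself via `LoaderOptions.setMaxAliasesForCollections(int)` passed to `new Yaml(LoaderOptions)`, for code that has not migrated to the Engine.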
Enjoy.