Allow overriding of file size limit for YAMLParser by exposing SnakeYAML LoaderOptions

[pjfanning]

Relates to #335 (comment)

snakeyaml 1.32 brings in a default limit of 3Mb when parsing yaml files.

Need to allow users to specify another value if they need to.

https://bitbucket.org/snakeyaml/snakeyaml/src/72dfa9f1074abe2b8a6c8776bee4476b0aed02e3/src/main/java/org/yaml/snakeyaml/LoaderOptions.java

[cowtowncoder]

See my notes on #335: there will be need, likely, to carefully apply any new configurations so as to avoid having a hard limit on very recent SnakeYAML versions, assuming configurability will be added post-1.32 (which seems likely).

[pjfanning]

@cowtowncoder probably best to revert the v2.13 branch to stick with snakeyaml 1.31 - with v2.14, I see YAMLParser has feature support but this is boolean - is there a preferred to set int properties?

[cowtowncoder]

@pjfanning That might make sense (2.13).

As to int value configuration, right, I think it has to go via YAMLFactory.Builder and no there isn't anything out of the box. I guess there's no point in doing on/off setting here, it being a security feature and realistically I think it makes sense to always have some upper limit, even it was Integer.MAX_VALUE.

On Builder, further, it may get bit trickier with 2.x vs 3.0 since 2.x has no immutability requirement but 3.0 has.

[cowtowncoder]

Added notes to the PR: my position now is that I kind of like exposing LoaderOptions, to make users configure aspects they want to. This reduces some of compatibility problems, and increases configurability significantly.

It will also be a problem for 2.x/3.0 migration, likely; may need to see how snakeyaml-engine deals with this. Seems likely there is a counterpart to this configuration object, and if so, it may be relatively easy to offer similar extension point.

Put another way, I am ok with tighter bundling of SnakeYAML at least for Jackson 2.x.
There are no alternatives that I know of, and really my only wish would be performance improvements. But functionality is solid and author has been very quick with fixes, releases.

[pjfanning]

@cowtowncoder LoaderOptions seems to have been added to snakeyaml in v1.18 - methods have been added over time

[cowtowncoder]

Ok, 1.18 sounds fine: jackson-dataformat-yaml 2.10.0 required version 1.24 already.
So that's good, no need to (IMO) add dynamic loading there.

Addition of methods sort of works well for us, as long as caller passes instance(s).

[pjfanning]

@cowtowncoder I'm closing this because the changes were released with jackson v2.14.0. Feel free to reopen.

[cowtowncoder]

Thank you @pjfanning -- yes, I had forgotten to close it.