Support max Read/Write nesting depth limits (StreamReadConstraints/StreamWriteConstraints) for YAML #456

Closed
cowtowncoder opened this issue Jan 25, 2024 · 1 comment
Labels
2.17 Fix or feature targeted at 2.17 release yaml Issue related to YAML format backend

@cowtowncoder
Member

(note: related to / part of #430)

Currently YAML backend does not enforce any of the constraints. As the first step, let's see if we could easily add support for constraining maximum nesting depth, as this is an easily DoS-able problem.

(note: it is possible that underlying SnakeYAML still has issues with deeper nesting but we'll see)

@cowtowncoder cowtowncoder added yaml Issue related to YAML format backend 2.17 Fix or feature targeted at 2.17 release labels Jan 25, 2024
@cowtowncoder cowtowncoder changed the title Support StreamReadConstraints.getMaxNestingDepth() with YAML Support max Read/Write nesting depth limits (StreamReadConstraints/StreamWriteConstraints) for YAML Jan 25, 2024
@cowtowncoder
Member Author

Looks like writer (generator) -side limits were already enforced, but reader-side not: YAMLParser was not calling method that does validation -- but now does, for 2.17.0.

@cowtowncoder cowtowncoder added this to the 2.17.0 milestone Jan 25, 2024
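
A check that the reader-side limit discussed in this issue is actually enforced, as an added example that is not part of the original thread or the project's own code. It assumes jackson-dataformat-yaml 2.17.0 or later on the classpath; the class name, helper names, the limit of 10 and the sample documents are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;

import java.io.IOException;

public class YamlNestingLimitCheck {
    // Constructed value for this example, deliberately low so the check is cheap.
    static final int MAX_DEPTH = 10;

    // Factory whose parsers validate nesting depth against MAX_DEPTH.
    static YAMLFactory limitedFactory() {
        return YAMLFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(MAX_DEPTH)
                        .build())
                .build();
    }

    // Constructed input: a YAML flow sequence nested `depth` levels deep.
    static String nestedYaml(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    // True if the whole document was tokenized, false if the
    // nesting-depth constraint rejected it part-way through.
    static boolean accepts(YAMLFactory factory, String yaml) throws IOException {
        try (JsonParser p = factory.createParser(yaml)) {
            while (p.nextToken() != null) {
                // Drain tokens; depth is validated as each array/object opens.
            }
            return true;
        } catch (StreamConstraintsException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        YAMLFactory factory = limitedFactory();
        System.out.println("depth 5 accepted:  " + accepts(factory, nestedYaml(5)));
        System.out.println("depth 20 accepted: " + accepts(factory, nestedYaml(20)));
    }
}
```

Per the comment above, a version before 2.17.0 would not reject the deeper document through this constraint, so the same check doubles as a regression test after a dependency change.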