Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using complex arrays as map keys may hang the process #475

Closed
rlidwka opened this issue Mar 20, 2019 · 0 comments
Closed

Using complex arrays as map keys may hang the process #475

rlidwka opened this issue Mar 20, 2019 · 0 comments
Labels
bug

Comments

@rlidwka
Copy link
Member

rlidwka commented Mar 20, 2019

Arrays can be yaml keys. Arrays can be arbitrarily nested data structures that can reference each other. Yaml keys are serialized into strings.

As a result, we have a possibility of user creating yaml that will cause map key to grow exponentially from linearly growing input.

? - &c
    - &a 1
    - &b 2
  - &d
    - *a
    - *b
: key

expands into { "1,2,1,2": "key" }

?
  - &e
    - &c
      - &a 1
      - &b 2
    - &d
      - *a
      - *b
  - &f
    - *c
    - *d
: key

expands into { "1,2,1,2,1,2,1,2": "key" }

?
  - &g
    - &e
      - &c
        - &a 1
        - &b 2
      - &d
        - *a
        - *b
    - &f
      - *c
      - *d
  - &h
    - *e
    - *f
: key

expands into { "1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2": "key" }

Which is doubling the output, with only linearly growing input... and so on. Give it 30 levels of nesting, you'll get 1GB worth of data out of 10kB input file.

relevant issue here: #169
@puzrin puzrin added the bug label Mar 20, 2019
@eemeli eemeli mentioned this issue Mar 30, 2019
Merged
@waitingsong waitingsong mentioned this issue Jun 6, 2019
Merged
@johncowen johncowen mentioned this issue Jun 6, 2019
Merged
cappadona added a commit to cul-it/mann-wagon that referenced this issue Jun 6, 2019
@cappadona
Bump to sass-lint@1.13.1
d9013fc 
Along with all dependencies which in turn bumps to js-yaml@3.13.1 to
address the multiple severity vulnerabilities [1, 2] as reported by
GitHub's dependency graph.

[1] nodeca/js-yaml#475
[2] nodeca/js-yaml#480
@cappadona cappadona mentioned this issue Jun 6, 2019
Merged
cappadona added a commit to cul-it/mann-wagon that referenced this issue Jun 6, 2019
@cappadona
Bump to sass-lint@1.13.1 (#993)
107f348 
Along with all dependencies which in turn bumps to js-yaml@3.13.1 to
address the multiple severity vulnerabilities [1, 2] as reported by
GitHub's dependency graph.

[1] nodeca/js-yaml#475
[2] nodeca/js-yaml#480
@kassens kassens mentioned this issue Jun 6, 2019
Closed
facebook-github-bot pushed a commit to facebook/relay that referenced this issue Jun 7, 2019
@kassens @facebook-github-bot
yarn upgrade --deep (#2758)
966fbdc 
Summary:
Addressing CVE WS-2019-0032:

Affected versions: < 3.13.0
Fixed in version: 3.13.0
Reference: nodeca/js-yaml#475
Pull Request resolved: #2758

Reviewed By: alunyov

Differential Revision: D15702131

Pulled By: kassens

fbshipit-source-id: a81c27bc1f22a8caf788c70db3bc3856b6c4241f
poveden added a commit to axa-group/oauth2-mock-server that referenced this issue Jun 7, 2019
@poveden
Update npm dependencies
6d970bf 
Fixes:
- WS-2019-0032 (nodeca/js-yaml#475)
- WS-2019-0063 (nodeca/js-yaml#480)
- WS-2019-0064 (handlebars-lang/handlebars.js@v4.1.1...v4.1.2)
@poveden poveden mentioned this issue Jun 7, 2019
Merged
3 tasks
@s2terminal s2terminal mentioned this issue Jun 8, 2019
Merged
@opdavies opdavies mentioned this issue Jun 9, 2019
Merged
@zgreen zgreen mentioned this issue Jun 10, 2019
Merged
@losbeekos losbeekos mentioned this issue Jun 13, 2019
Merged
billchurch added a commit to billchurch/nodejs-read-config that referenced this issue Jun 13, 2019
@billchurch
update js-yaml to 3.13.1 for secuirty issue
6e79091 
see nodeca/js-yaml#475
@billchurch billchurch mentioned this issue Jun 13, 2019
Open
billchurch added a commit to billchurch/webssh2 that referenced this issue Jun 13, 2019
@billchurch
Missing require('fs') in server/app.js See issue [#135](../../issue…
56086b0 
…s/135)

- Missing require('fs') in `server/app.js` See issue [#135](../../issues/135)
- Patched read-config to mitigate vulnerability in js-yaml
  - issue not exploitable on webssh2 implementation
  - patched anyway
  - sending my patch upstream to read-config, webssh2 package.json points to patched version in my repository https://github.com/billchurch/nodejs-read-config
  - See nodeca/js-yaml#475 for more detail
@maxpou maxpou mentioned this issue Jun 14, 2019
Merged
maxpou added a commit to maxpou/gatsby-starter-morning-dew that referenced this issue Jun 14, 2019
@maxpou
chore(package.json): bump dependencies (#59)
89c13c5 
Trying to fix: js-yaml (nodeca/js-yaml#475 / nodeca/js-yaml#480)
@rushtong rushtong mentioned this issue Jun 17, 2019
Merged
cacilhas pushed a commit to cacilhas/cacilhas.github.io that referenced this issue Jun 20, 2019
@chicoamorim
fix js-yaml
b00edb1 
WS-2019-0032
nodeca/js-yaml#475

WS-2019-0063
nodeca/js-yaml#480
This was referenced Jun 21, 2019
Merged
Merged
@cdmo cdmo mentioned this issue Jul 2, 2019
Closed
@markmandel markmandel mentioned this issue Jul 3, 2019
Closed
simonwiles added a commit to sul-cidr/noh that referenced this issue Jul 3, 2019
@simonwiles
Upgrade js-yaml to ^3.13.1
e270f4b 
see: nodeca/js-yaml#475
see: nodeca/js-yaml#480
jessp01 pushed a commit to kaltura/developer-platform that referenced this issue Jul 8, 2019
Upgrade js-yaml - nodeca/js-yaml#475
8f8b64c
@github-actions github-actions bot mentioned this issue May 11, 2022
Closed
This was referenced May 16, 2022
Open
Open
hktalent pushed a commit to hktalent/webssh2 that referenced this issue Jun 3, 2022
@billchurch
Missing require('fs') in server/app.js See issue [billchurch#135](.…
8caff42 
…./..billchurch/issues/135)

- Missing require('fs') in `server/app.js` See issue [billchurch#135](../..billchurch/issues/135)
- Patched read-config to mitigate vulnerability in js-yaml
  - issue not exploitable on webssh2 implementation
  - patched anyway
  - sending my patch upstream to read-config, webssh2 package.json points to patched version in my repository https://github.com/billchurch/nodejs-read-config
  - See nodeca/js-yaml#475 for more detail
hktalent pushed a commit to hktalent/webssh2 that referenced this issue Jun 3, 2022
@billchurch
Missing require('fs') in server/app.js See issue [billchurch#135](.…
a8c8b7e 
…./..billchurch/issues/135)

- Missing require('fs') in `server/app.js` See issue [billchurch#135](../..billchurch/issues/135)
- Patched read-config to mitigate vulnerability in js-yaml
  - issue not exploitable on webssh2 implementation
  - patched anyway
  - sending my patch upstream to read-config, webssh2 package.json points to patched version in my repository https://github.com/billchurch/nodejs-read-config
  - See nodeca/js-yaml#475 for more detail
This was referenced May 6, 2022
Open
Open
Open
Open
This was referenced Jun 16, 2022
Open
Open
@github-actions github-actions bot mentioned this issue Aug 1, 2022
Open
This was referenced Aug 10, 2022
Open
Open
This was referenced Feb 7, 2023
Open
Open
This was referenced Feb 7, 2023
Open
Open
This was referenced Feb 27, 2023
Open
Open
This was referenced Mar 7, 2023
Open
Open
Open
This was referenced Jun 27, 2023
Open
Open
Open
This was referenced Aug 17, 2023
Closed
Closed
This was referenced Jun 23, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@puzrin @rlidwka