
Warning about DoS attacks at parsing CUE

Open cueckoo opened this issue 3 years ago • 4 comments

Originally opened by @tredoe in https://github.com/cuelang/cue/issues/158

Could CUE be vulnerable to a DoS attack like the "Billion Laughs" one discovered recently in go-yaml?

https://github.com/kubernetes/kubernetes/issues/83253

cueckoo avatar Jul 03 '21 10:07 cueckoo

Original reply by @rogpeppe in https://github.com/cuelang/cue/issues/158#issuecomment-542594775

Yes, it's definitely vulnerable to that kind of expansion attack.

cueckoo avatar Jul 03 '21 10:07 cueckoo

Original reply by @rogpeppe in https://github.com/cuelang/cue/issues/158#issuecomment-542595433

Note that this isn't an issue when parsing CUE, only when exporting values from it.

cueckoo avatar Jul 03 '21 10:07 cueckoo

Original reply by @myitcv in https://github.com/cuelang/cue/issues/158#issuecomment-772290958

Per cue help filetypes there is a solution here:

The following tags can be used in qualifiers to further
influence input or output. For input these act as
restrictions, validating the input. For output these act
as filters, showing only the requested data and picking
defaults as requested.

    Tag         Description
    data        Require concrete input and output that does
                not require any evaluation.
    graph       Like data, but allow references.
    schema      Export data and definitions.

e.g.

# Data is always allowed
exec cue eval cue+data: data.cue
exec cue eval cue+graph: data.cue
exec cue eval cue+schema: data.cue

# References are not allowed in data mode
! exec cue eval cue+data: reference.cue
stderr 'references not allowed in data mode'
exec cue eval cue+graph: reference.cue
exec cue eval cue+schema: reference.cue

# Expressions are not allowed in data or graph modes
! exec cue eval cue+data: expression.cue
stderr 'expressions not allowed in data mode'
! exec cue eval cue+graph: expression.cue
stderr 'expressions not allowed in graph mode'
exec cue eval cue+schema: expression.cue

# Definitions are not allowed in data or graph modes
! exec cue eval cue+data: definitions.cue
stderr 'definitions not allowed in data mode'
! exec cue eval cue+graph: definitions.cue
stderr 'definitions not allowed in graph mode'
exec cue eval cue+schema: definitions.cue


-- data.cue --
l: [1, 2, 3, 4, 5]
-- expression.cue --
for _, v in [1, 2, 3, 4, 5] {
	"\(v)": v
}
-- definitions.cue --
#Def: {
	name: string
}
-- reference.cue --
l: [1, 2, 3, 4, 5]
l2: l

That said, I think these docs could be better surfaced because I missed this until it was pointed out by @mpvl!

cueckoo avatar Jul 03 '21 10:07 cueckoo

For reference (linking to a previous answer by @mpvl) please see the section "Structure Sharing" on how this type of attack can be handled by CUE: https://github.com/cue-lang/cue/issues/804

myitcv avatar May 19 '22 05:05 myitcv
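Added illustration of the two points made above; this is not code from the original thread or from the CUE project, and the `Value` type is not CUE's internal representation. It is a small Go model of an evaluated configuration graph in the shape of the YAML billion-laughs: `l0` is a list of ten scalars and every level above it is a list of ten references to the level below. With structure sharing the evaluator holds about a hundred nodes, but a full export would emit 10^10 scalars. `checkExport` applies the two defences the thread points to: refuse any reference at all (the `data` filetype rule, which fails before anything is expanded) or, when references must be allowed, bound the expanded size before materialising it. All type and function names here are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"math/big"
)

// Value is a deliberately small model of an evaluated configuration graph
// (an illustration for this thread, not CUE's internals). A list holds
// pointers to its elements; a field defined by reference, as in
// `l1: [l0, l0]`, is a Ref node pointing at the shared target, so the
// evaluator never copies the referenced value.
type Value struct {
	Label  string   // field name, used in messages
	Scalar bool     // a leaf such as 1 or "a"
	Elems  []*Value // list elements (nil for scalars and refs)
	Ref    *Value   // non-nil when this node is a reference to another field
}

// billionLaughs builds l0: [1, ..., fanout], then l1: [l0, l0, ...] and so
// on for `levels` levels, returning the top one. Evaluated it is
// O(levels*fanout) nodes; exported it is fanout^levels scalars.
func billionLaughs(levels, fanout int) *Value {
	top := &Value{Label: "l0"}
	for i := 0; i < fanout; i++ {
		top.Elems = append(top.Elems, &Value{Scalar: true})
	}
	for lvl := 1; lvl < levels; lvl++ {
		cur := &Value{Label: fmt.Sprintf("l%d", lvl)}
		for i := 0; i < fanout; i++ {
			cur.Elems = append(cur.Elems, &Value{Ref: top})
		}
		top = cur
	}
	return top
}

// distinctNodes counts what the evaluator actually holds (structure sharing).
func distinctNodes(v *Value) int {
	seen := map[*Value]bool{}
	var walk func(*Value)
	walk = func(n *Value) {
		if n == nil || seen[n] {
			return
		}
		seen[n] = true
		walk(n.Ref)
		for _, e := range n.Elems {
			walk(e)
		}
	}
	walk(v)
	return len(seen)
}

// hasReferences is the "data" filetype rule: any reference is rejected up
// front, before anything has been expanded.
func hasReferences(v *Value) bool {
	seen := map[*Value]bool{}
	var walk func(*Value) bool
	walk = func(n *Value) bool {
		if n == nil || seen[n] {
			return false
		}
		seen[n] = true
		if n.Ref != nil {
			return true
		}
		for _, e := range n.Elems {
			if walk(e) {
				return true
			}
		}
		return false
	}
	return walk(v)
}

// expandedSize counts the scalars a full export would emit, memoised per
// node so the count is linear in the shared graph (assumes no cycles).
func expandedSize(v *Value) *big.Int {
	memo := map[*Value]*big.Int{}
	var size func(*Value) *big.Int
	size = func(n *Value) *big.Int {
		if s, ok := memo[n]; ok {
			return s
		}
		total := new(big.Int)
		switch {
		case n.Scalar:
			total.SetInt64(1)
		case n.Ref != nil:
			total.Set(size(n.Ref))
		default:
			for _, e := range n.Elems {
				total.Add(total, size(e))
			}
		}
		memo[n] = total
		return total
	}
	return size(v)
}

// checkExport is the guard to run on untrusted input before exporting it:
// either insist on reference-free data, or budget the expanded size.
func checkExport(v *Value, dataMode bool, maxScalars int64) error {
	if dataMode && hasReferences(v) {
		return fmt.Errorf("%s: references not allowed in data mode", v.Label)
	}
	if n := expandedSize(v); n.Cmp(big.NewInt(maxScalars)) > 0 {
		return fmt.Errorf("%s: export would emit %s scalars, limit is %d", v.Label, n, maxScalars)
	}
	return nil
}

func main() {
	bomb := billionLaughs(10, 10)
	fmt.Println("evaluated nodes:", distinctNodes(bomb)) // 110
	fmt.Println("exported scalars:", expandedSize(bomb)) // 10000000000
	fmt.Println("data mode:", checkExport(bomb, true, 1_000_000))
	fmt.Println("graph mode, budgeted:", checkExport(bomb, false, 1_000_000))
}
```

The size check is cheap for the same reason evaluation is cheap: it walks the shared graph once and only does arithmetic on the counts, so it can be applied to untrusted input before any output buffer is allocated.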