
JRuby: Provide some sort of ability to configure SnakeYAML LoaderOptions

Open chadlwilson opened this issue 3 years ago • 0 comments

Currently, it appears the JRuby Psych extension does not configure the SnakeYaml LoaderOptions or allow the user to override them somehow.

The parser seems to be constructed at https://github.com/ruby/psych/blob/a565e1fcec3dad4de7e753b9c3e113c7ed1a22a4/ext/java/org/jruby/ext/psych/PsychParser.java#L195-L201

There is an optional second arg to allow specifying options.

There is some discussion related to this because of CVEs being raised by OSS Fuzz about the risks of using SnakeYaml (or most YAML parsers really) with fully untrusted content. I am unclear if folks might be using JRuby and thus Psych to do this, e.g. a YAML-based API or config approach. Having said this, the default LoaderOptions do seem to be relatively "secure by default" so this doesn't seem to be a security issue.

Possible things folks might want to do with LoaderOptions:

  1. Increase/decrease maxAliasesForCollections or nestingDepthLimit, which are DoS/billion laughs mitigations
  2. Disallow duplicate keys (allowDuplicateKeys)
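As an added illustration of what those three LoaderOptions do (this is not code from psych or the JRuby extension), the following plain SnakeYAML program loads a constructed alias-bomb document and a duplicate-key document with default options and with hardened options; the class name, the limit values and the sample documents are assumptions for the example, and it assumes a SnakeYAML release that has all three setters.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class LoaderOptionsDemo {

    // The options the issue asks to expose. The limit values here are
    // illustrative assumptions, tighter than SnakeYAML's defaults.
    static LoaderOptions hardenedOptions() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(10); // billion-laughs mitigation
        opts.setNestingDepthLimit(20);        // deep-nesting DoS mitigation
        opts.setAllowDuplicateKeys(false);    // reject duplicate mapping keys
        return opts;
    }

    // Constructed alias bomb: 30 aliases to non-scalar nodes in one document,
    // under the default limit but over the hardened one.
    static final String ALIAS_BOMB =
          "a: &a [x, x, x, x, x, x, x, x, x, x]\n"
        + "b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a, *a]\n"
        + "c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b, *b]\n"
        + "d: [*c, *c, *c, *c, *c, *c, *c, *c, *c, *c]\n";

    // Constructed document with a repeated mapping key.
    static final String DUPLICATE_KEYS = "port: 80\nport: 8080\n";

    // Returns true if SnakeYAML accepted the document, false if it rejected it.
    static boolean tryLoad(Yaml yaml, String label, String doc) {
        try {
            Object result = yaml.load(doc);
            System.out.println(label + ": loaded " + result.getClass().getSimpleName());
            return true;
        } catch (YAMLException e) {
            // Alias, nesting and duplicate-key violations all surface as YAMLException.
            System.out.println(label + ": rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml defaults = new Yaml();
        Yaml hardened = new Yaml(hardenedOptions());
        tryLoad(defaults, "alias bomb / defaults", ALIAS_BOMB);
        tryLoad(hardened, "alias bomb / hardened", ALIAS_BOMB);
        tryLoad(defaults, "duplicate keys / defaults", DUPLICATE_KEYS);
        tryLoad(hardened, "duplicate keys / hardened", DUPLICATE_KEYS);
    }
}
```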

Related discussion

  • https://github.com/jruby/jruby/issues/7342#issuecomment-1242888995
  • https://github.com/ruby/psych/pull/426#issuecomment-625597776
  • https://github.com/ruby/psych/pull/574

chadlwilson, Sep 11 '22 05:09