
Why does the npm YAML library have a max alias number?

I am using the npm package yaml to store densely inter-referential Javascript objects to a text format that I can later restore in Javascript, and also to do deep copying in-memory (by serializing and then unserializing a deeply nested object.)

I've recently run into an error message regarding a max object size:

Excessive alias count indicates a resource exhaustion attack

Is there a legitimate danger in serializing inter-referential objects if all YAML does is make an alias reference? (There's no danger of cycles in traversing the graph, right?) – Is there any way of disabling this max, or an alternative for storing inter-referential objects to text / deep-copying them?

Thanks!


Edit: I accepted flyx's answer to the question because it better explained the context of why there is a max alias count, but rexfordkelly better explains how to disable the check in the npm yaml library.

You can turn off this check by setting maxAliasCount=-1 in yaml parse options.

YAML is attempting to protect against essentially a form of denial of service attack. If your YAML contains no user controlled content, and is sound, it should be fine to disable these checks.

But, yeah, there would be a danger of running out of resources, while processing the YAML.

I would test and profile it.

Some YAML implementations are prone to the billion laughs attack. The example given there is

a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]

You can test this in the online demo of js-yaml which cannot process it (I don't know much about the JS ecosystem – the YAML implementation you use seems to be a different or modified one (?) and I can't find an online demo of it). Theoretically, this should not be a problem since YAML defines anchors & aliases to generate references, not copies. However, for whatever reason, some implementations copy the lists instead (PyYAML is also guilty of this, and quite a few implementations are rewrites of PyYAML in different languages).
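The following is an added example, not code from the question or from either answer, and not the internals of the npm yaml package. It takes the billion laughs document quoted above, counts how few anchors and aliases it actually contains, builds the same structure as a small anchor/alias node tree, and resolves it two ways: with reference semantics (every alias resolves to the same shared object, which is what the question's deep-copy use case relies on) under a cumulative alias budget like the one behind the "Excessive alias count" error, and with a memoised count of how many leaves a copying implementation would have to materialise. The node shape, the resolver and the exact budget rule (each alias costs 1 plus the cost of every alias reachable through its target; -1 disables the check) are this example's own assumptions.

```javascript
// Added example (not from the page). Models YAML anchors/aliases as a node tree
// and shows why a resolver may cap alias expansion even though it never copies.

// The document from the answer above, constructed here verbatim as source text
// so the anchor and alias references can be counted.
const BILLION_LAUGHS = `
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
`;

// Count anchor definitions (&name) and alias references (*name) in the text.
// The whole attack fits in 9 anchors and 72 aliases.
function countAnchorsAndAliases(text) {
  const anchors = (text.match(/&[A-Za-z0-9_-]+/g) || []).length;
  const aliases = (text.match(/\*[A-Za-z0-9_-]+/g) || []).length;
  return { anchors, aliases };
}

// Build the same document as a node tree (assumed shape for this example):
// level 0 is an anchored sequence of scalars, every later level is an anchored
// sequence of aliases pointing at the previous level.
function buildDoc(levels = 9, fanout = 9) {
  const names = 'abcdefghi'.split('');
  const doc = [];
  for (let i = 0; i < levels; i++) {
    const items = i === 0
      ? Array.from({ length: fanout }, () => ({ scalar: 'lol' }))
      : Array.from({ length: fanout }, () => ({ alias: names[i - 1] }));
    doc.push({ key: names[i], value: { anchor: names[i], items } });
  }
  return doc;
}

// Resolve the tree to plain JS values with reference semantics: each anchored
// node is built once and every alias to it returns that same object, so memory
// stays proportional to the number of nodes in the source. `maxAliasCount` is a
// budget on cumulative alias expansion: an alias costs 1 plus the cost of all
// aliases reachable through its target, so nested fan-out grows the running
// total multiplicatively. A value of -1 disables the budget.
function resolve(doc, { maxAliasCount = 100 } = {}) {
  const resolved = new Map(); // anchor name -> { value, cost }
  let total = 0;

  function visit(node) {
    if ('scalar' in node) return { value: node.scalar, cost: 0 };
    if ('alias' in node) {
      const target = resolved.get(node.alias);
      if (!target) throw new ReferenceError(`Unresolved alias: ${node.alias}`);
      const cost = 1 + target.cost;
      total += cost;
      if (maxAliasCount >= 0 && total > maxAliasCount) {
        throw new ReferenceError('Excessive alias count indicates a resource exhaustion attack');
      }
      return { value: target.value, cost }; // shared object, no copy
    }
    const value = [];
    let cost = 0;
    for (const item of node.items) {
      const r = visit(item);
      value.push(r.value);
      cost += r.cost;
    }
    if (node.anchor) resolved.set(node.anchor, { value, cost });
    return { value, cost };
  }

  const out = {};
  for (const { key, value } of doc) out[key] = visit(value).value;
  return out;
}

// What a copying implementation would have to materialise: leaves per anchor,
// computed by memoisation rather than by actually expanding 9^9 strings.
function countLeavesIfCopied(doc) {
  const leaves = new Map(); // anchor name -> number of scalar leaves in a full copy
  function count(node) {
    if ('scalar' in node) return 1;
    if ('alias' in node) return leaves.get(node.alias);
    let n = 0;
    for (const item of node.items) n += count(item);
    if (node.anchor) leaves.set(node.anchor, n);
    return n;
  }
  for (const { value } of doc) count(value);
  return leaves;
}

module.exports = { BILLION_LAUGHS, countAnchorsAndAliases, buildDoc, resolve, countLeavesIfCopied };
```

With the default budget of 100 the resolver rejects the document while resolving the `d` sequence (the running total is 9 after `b`, 99 after `c`, and the first alias in `d` alone costs 91), whereas with `maxAliasCount: -1` it resolves to a graph of nine small arrays in which `out.i[0] === out.h`, which is the shared-reference behaviour the question relies on for deep copying. A copying implementation would instead produce 9^9 = 387,420,489 `"lol"` strings for `i` alone. In the npm yaml package the corresponding switch is the parse option the answer above names, passed as `parse(text, { maxAliasCount: -1 })`; that is only safe when the document cannot contain user-controlled content.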
