From: Felix K. <ya...@fl...> - 2019-10-17 19:23:59
I'll reiterate my point made on the related StackOverflow answer [1]: The YAML spec describes anchors & aliases as a way to (de-)serialize graph structures in which a node is referenced by multiple other nodes (also enabling cycles in the graph to be properly handled). The billion laughs attack that triggers the problematic behavior in gopkg.in/yaml.v2 is caused by the implementation expanding aliases (i.e. making copies of a node for each alias referencing it) instead of linking to the node from multiple places as the specification suggests. The specification does not explicitly forbid this behavior. Rightfully so (in my opinion), because not all programming languages support multiple references to a node; for example, a Python str is immutable and therefore helper structures would be needed to represent a modifiable !!str scalar node that is linked from multiple places in a native Python structure. I assume this is the reason why PyYAML suffers from the same behavior as described in the CVE.

My conclusion is that on one hand, the issue emerges because of an implementation choice that is in no way endorsed by the spec, so it does not concern the spec. On the other hand, we see that there is at least one other implementation (PyYAML) that suffers from this problem and chances are that others do too since most YAML implementations are rewrites of PyYAML. An implementation suggestion in the spec about this problem might be a good idea.

Regards,
Felix Krause

[1]: https://stackoverflow.com/a/58131348/347964
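The two construction strategies contrasted in the message above (expanding each alias into a copy versus linking every alias to one shared node), as an added example that is not part of the original thread and not code from gopkg.in/yaml.v2, PyYAML or any other YAML library. To stay self-contained it models the parsed document as an in-memory node graph of anchored sequences (`Seq`) and alias references (`Alias`) rather than calling a YAML parser; the billion-laughs document, its `depth`/`fanout` parameters and the node `budget` cap are constructed here for illustration:

```python
"""Expanding vs. linking construction of YAML anchors/aliases.

Added example, not code from the original thread or any YAML library.
The document is modelled as the node graph a parser would emit, so no YAML
library is needed. The billion-laughs graph, the 'lol' scalars and the
depth/fanout/budget values are constructed for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Seq:
    """An anchored !!seq node; items are scalars (str) or Alias references."""
    items: list = field(default_factory=list)


@dataclass(frozen=True)
class Alias:
    """A *name alias pointing at an anchored node."""
    anchor: str


def billion_laughs_graph(depth: int, fanout: int) -> dict[str, Seq]:
    """Constructed stand-in for the classic billion-laughs document:
    lol0: &lol0 ["lol", "lol", ...]     (fanout scalars)
    lol1: &lol1 [*lol0, *lol0, ...]     (fanout aliases), up to lol<depth>.
    """
    anchors = {"lol0": Seq(["lol"] * fanout)}
    for i in range(1, depth + 1):
        anchors[f"lol{i}"] = Seq([Alias(f"lol{i - 1}")] * fanout)
    return anchors


def load_expanding(anchors, root, budget=None):
    """Expanding loader: every alias is rebuilt as a fresh copy of its target.
    Returns (native value, number of nodes constructed). The node count is
    exponential in depth, so `budget` caps it, which is the kind of guard a
    loader that keeps this strategy has to add."""
    count = 0

    def build(node):
        nonlocal count
        if isinstance(node, Alias):
            node = anchors[node.anchor]      # expansion: re-enter the target
        count += 1
        if budget is not None and count > budget:
            raise ValueError(f"alias expansion exceeds {budget} nodes")
        if isinstance(node, Seq):
            return [build(child) for child in node.items]
        return node                          # scalar

    return build(anchors[root]), count


def load_linking(anchors, root):
    """Linking loader: each anchored node is constructed once and every alias
    resolves to that same object, as the spec's graph model suggests.
    Cost is linear in document size, and a cycle such as &a [*a] terminates
    because the container is registered before its children are built."""
    built: dict[str, list] = {}
    count = 0

    def build(name):
        nonlocal count
        if name in built:
            return built[name]               # link, don't copy
        node = anchors[name]
        count += 1
        out: list = []
        built[name] = out                    # register first so cycles terminate
        for child in node.items:
            if isinstance(child, Alias):
                out.append(build(child.anchor))
            else:
                count += 1
                out.append(child)
        return out

    return build(root), count


def exceeds_budget(anchors, root, budget) -> bool:
    """True if expanding `root` would construct more than `budget` nodes."""
    try:
        load_expanding(anchors, root, budget=budget)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    g = billion_laughs_graph(depth=2, fanout=9)
    print("expanding:", load_expanding(g, "lol2")[1], "nodes")   # 820
    print("linking:  ", load_linking(g, "lol2")[1], "nodes")     # 12
    big = billion_laughs_graph(depth=9, fanout=9)
    print("lol9 over 100k budget:", exceeds_budget(big, "lol9", 100_000))
```

With depth 2 and fanout 9 the expanding loader already builds 820 nodes where the linking loader builds 12, and at depth 9 the expanding loader trips a 100,000-node budget almost immediately; the linking loader's output also shares objects (`tree[0] is tree[1]`), which is exactly the aliasing semantics a language with immutable scalars cannot express natively.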