Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Billion laughs attack
See original GitHub issueIs there a way to disable anchors and aliases or cap the number of characters that can be created through expansions?
Right now PyYAML seems to be susceptible to billion laughs attacks.
@guyskk created a new version in #37 that prevents that but it also uses OrderedDict and SafeLoader, so it might be a good idea to implement just this functionality like the ignore_aliases=True flag in #104 for yaml.load/yaml.safe_load.
Issue Analytics
- State:
- Created 5 years ago
- Comments:10 (5 by maintainers)
Top Results From Across the Web
Billion laughs attack - Wikipedia
In computer security, a billion laughs attack is a type of denial-of-service (DoS) attack which is aimed at parsers of XML documents.
Read more >XEE attack (billion laughs attack) - PVS-Studio
An XEE attack is a type of an application attack. It's also called a billion laughs attack or an XML bombs attack.
Read more >Kill 'em With Laughter: “The Billion Laughs” Attack Through ...
This is my first ever blog post about a very interesting vulnerability class for me, and it is a bit complex so I...
Read more >XML External Entity (XXE) and Billion Laughs attack
Another common vulnerability associated with XML parsing is called A Billion Laughs Attack. It uses an entity to resolve itself cyclically ...
Read more >How does the billion laughs XML DoS attack work?
The Billion Laughs attack is a denial-of-service attack that targets XML parsers. The Billion Laughs attack is also known as an XML bomb, ......
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Off the top of my head, customizing a
Composerto completely disable anchor support and propagation would probably be pretty straightforward even in the current code. Any other kind of memory limiting behavior would be better accomplished by the runtime environment (eg, OS memory quotas, cgroups), as the details can vary significantly between Python versions, implementations (eg CPython vs PyPy), and even build parameters. Attempting to track and limit memory usage within a library with so many variables in play doesn’t seem like a recipe for success.If it is indeed as easy as I think it might be to disable anchor support at the Composer level, that might be a customization we could include in the box with some of the new work that’s going on… I’ve added this to the 6.0 project as something to consider and play with (but no promises).
EDIT: and TBC, what I’m thinking of here would not address the ask in #37- anchors and refs would still be syntactically significant to the parser, they’d just be errors when actually composing the final representation of the doc.
For what is worth, this attack is harmless (and perhaps a valid use case) if one were to do lazy anchor resolution. That is, one would never resolve references, merely follow them until the resulting end node.
Admittedly this is perhaps a hard thing to do in many languages.
Doing it that way, makes YAML suitable for representing any arbitrary hierarchy of objects, including ones with cyclic references.
For future versions of the spec I would argue that this is the default behavior.