diff options
Diffstat (limited to 'src/test/java/org/yaml/snakeyaml/issues/issue377/BillionLaughsAttackTest.java')
-rw-r--r-- | src/test/java/org/yaml/snakeyaml/issues/issue377/BillionLaughsAttackTest.java | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/src/test/java/org/yaml/snakeyaml/issues/issue377/BillionLaughsAttackTest.java b/src/test/java/org/yaml/snakeyaml/issues/issue377/BillionLaughsAttackTest.java new file mode 100644 index 00000000..ea2e3ce8 --- /dev/null +++ b/src/test/java/org/yaml/snakeyaml/issues/issue377/BillionLaughsAttackTest.java @@ -0,0 +1,89 @@ +/** + * Copyright (c) 2008, SnakeYAML + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.yaml.snakeyaml.issues.issue377; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.util.Map; +import org.junit.Test; +import org.yaml.snakeyaml.LoaderOptions; +import org.yaml.snakeyaml.Yaml; +import org.yaml.snakeyaml.error.YAMLException; + +/** + * https://en.wikipedia.org/wiki/Billion_laughs_attack#Variations + */ +public class BillionLaughsAttackTest { + + public static final String data = + "a: &a [\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\"]\n" + + "b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n" + "c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n" + + "d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n" + "e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n" + + "f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n" + "g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n" + + "h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n" + "i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]"; + + public static final String scalarAliasesData = + "a: &a foo\n" + "b: *a\n" + "c: *a\n" + "d: *a\n" + "e: *a\n" + "f: *a\n" + "g: *a\n"; + + @Test + public void billionLaughsAttackLoaded() { + LoaderOptions settings = new LoaderOptions(); + settings.setMaxAliasesForCollections(72); + Yaml yaml = new Yaml(settings); + Map map = yaml.load(data); + assertNotNull(map); + } + + @Test + public void billionLaughsAttackExpanded() { + LoaderOptions settings = new LoaderOptions(); + settings.setMaxAliasesForCollections(100); + Yaml yaml = new Yaml(settings); + Map map = yaml.load(data); + assertNotNull(map); + try { + map.toString(); + fail("Expected overflow"); + } catch (Throwable e) { + assertTrue("Catched exception " + e + " is not an instance of OutOfMemoryError", + e instanceof OutOfMemoryError); + } + } + + @Test + public void billionLaughsAttackWithRestrictedAliases() { + LoaderOptions settings = new LoaderOptions(); + Yaml yaml = new Yaml(settings); + try { + yaml.load(data); + fail(); + } catch (YAMLException e) { + assertEquals("Number of aliases for non-scalar nodes exceeds the specified max=50", + e.getMessage()); + } + } + + @Test + public void doNotRestrictScalarAliases() { + LoaderOptions settings = new LoaderOptions(); + settings.setMaxAliasesForCollections(5); // smaller than number of aliases for scalars + Yaml yaml = new Yaml(settings); + Map map = yaml.load(scalarAliasesData); + assertNotNull(map); + } + +} |