CVE-2022-41854

src/main/java/org/yaml/snakeyaml/LoaderOptions.java

@@ -24,6 +24,7 @@ public class LoaderOptions {
     private boolean processComments = false;
     private boolean enumCaseSensitive = true;
     private int nestingDepthLimit = 50;
+    private int codePointLimit = 100 * 1024;
 
     public boolean isAllowDuplicateKeys() {
         return allowDuplicateKeys;
@@ -129,4 +130,16 @@ public int getNestingDepthLimit() {
     public void setNestingDepthLimit(int nestingDepthLimit) {
         this.nestingDepthLimit = nestingDepthLimit;
     }
+    public int getCodePointLimit() {
+        return codePointLimit;
+    }
+
+    /**
+     * The max amount of code points in the input YAML document. Please be aware that byte limit
+    * depends on the encoding.
+    * @param codePointLimit - the max allowed size of the YAML data
+    */
+    public void setCodePointLimit(int codePointLimit) {
+        this.codePointLimit = codePointLimit;
+    }
 }

src/main/java/org/yaml/snakeyaml/parser/ParserImpl.java

@@ -21,6 +21,7 @@
 
 import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.DumperOptions.Version;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.comments.CommentType;
 import org.yaml.snakeyaml.error.Mark;
 import org.yaml.snakeyaml.error.YAMLException;
@@ -139,6 +140,10 @@ public ParserImpl(StreamReader reader, boolean emitComments) {
         this(new ScannerImpl(reader).setEmitComments(emitComments));
     }
 
+    public ParserImpl(StreamReader reader, LoaderOptions options) {
+        this(new ScannerImpl(reader, options));
+    }
+
     public ParserImpl(Scanner scanner) {
         this.scanner = scanner;
         currentEvent = null;

src/main/java/org/yaml/snakeyaml/scanner/ScannerImpl.java

@@ -26,6 +26,7 @@
 import java.util.regex.Pattern;
 
 import org.yaml.snakeyaml.DumperOptions;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.comments.CommentType;
 import org.yaml.snakeyaml.error.Mark;
 import org.yaml.snakeyaml.error.YAMLException;
@@ -180,6 +181,7 @@ public final class ScannerImpl implements Scanner {
 
     // A flag that indicates if comments should be emitted
     private boolean emitComments;
+    private final LoaderOptions loaderOptions;
 
     // Variables related to simple keys treatment. See PyYAML.
 
@@ -217,12 +219,17 @@ public final class ScannerImpl implements Scanner {
     private Map<Integer, SimpleKey> possibleSimpleKeys;
 
     public ScannerImpl(StreamReader reader) {
+        this(reader, new LoaderOptions());
+    }
+
+    public ScannerImpl(StreamReader reader,  LoaderOptions options) {
         this.emitComments = false;
         this.reader = reader;
         this.tokens = new ArrayList<Token>(100);
         this.indents = new ArrayStack<Integer>(10);
         // The order in possibleSimpleKeys is kept for nextPossibleSimpleKey()
         this.possibleSimpleKeys = new LinkedHashMap<Integer, SimpleKey>();
+        this.loaderOptions = options;
         fetchStreamStart();// Add the STREAM-START token.
     }
 
@@ -304,6 +311,10 @@ private boolean needMoreTokens() {
      * Fetch one or more tokens from the StreamReader.
      */
     private void fetchMoreTokens() {
+        if (reader.getIndex() > loaderOptions.getCodePointLimit()) {
+            throw new YAMLException("The incoming YAML document exceeds the limit: " + loaderOptions.getCodePointLimit());
+        }
+
         // Eat whitespaces and process comments until we reach the next token.
         scanToNextToken();
         // Remove obsolete possible simple keys.

src/test/java/org/yaml/snakeyaml/issues/issue102/BigDataLoadTest.java

@@ -15,27 +15,34 @@
  */
 package org.yaml.snakeyaml.issues.issue102;
 
+import static org.junit.Assert.assertEquals;
+
 import java.io.StringReader;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 import junit.framework.TestCase;
+import org.yaml.snakeyaml.LoaderOptions;
 
 import org.yaml.snakeyaml.Yaml;
 
 public class BigDataLoadTest extends TestCase {
     private static final int SIZE = 5000;
 
     public void testBigStringData() {
-        Yaml yaml = new Yaml();
+        LoaderOptions options = new LoaderOptions();
+        options.setCodePointLimit(10000000);
+        Yaml yaml = new Yaml(options);
         List<?> loaded = (List<?>) yaml.load(getLongYamlDocument(SIZE));
         assertEquals(SIZE, loaded.size());
     }
 
     public void testBigStreamData() {
-        Yaml yaml = new Yaml();
+        LoaderOptions options = new LoaderOptions();
+        options.setCodePointLimit(10000000);
+        Yaml yaml = new Yaml(options);
         StringReader buffer = new StringReader(getLongYamlDocument(SIZE));
         List<?> loaded = (List<?>) yaml.load(buffer);
         assertEquals(SIZE, loaded.size());

src/test/java/org/yaml/snakeyaml/issues/issue547/ByteLimitTest.java

@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) 2008, SnakeYAML
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.yaml.snakeyaml.issues.issue547;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.junit.Test;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.Yaml;
+
+public class ByteLimitTest {
+
+    @Test
+    public void testUnicode() {
+        LoaderOptions options = new LoaderOptions();
+        options.setCodePointLimit(15);
+        Yaml yaml = new Yaml(options);
+        try {
+            yaml.load("12345678901234567890");
+            fail("Long input should not be accepted");
+        } catch (Exception e) {
+            assertEquals("The incoming YAML document exceeds the limit: 15", e.getMessage());
+        }
+    }
+}