-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trivial Untrusted DoS vuln #18
Comments
Confirmed on master as well. |
I've manually reduced the pattern-space, and have some eunit tests. It seems wise to consider QuickCheck/Mini, PropEr or other property/type fuzzing because YAML is complex and difficult to get right (400+ hits on CVEMITRE). |
Hi! Thank you for doing this analysis. You can reach me at one of the uids of my PGP key. |
Will do daytime. Looked at QuickCheck Mini* for property testing. Fuzzing utf8/16/32, lexical, syntactic and document levels seems to make sense. * EULA is short isn't too awful (not BSD) and the reducer is superior compared to triq and PropEr. |
Email sent. |
Here's an expanded EUnit test for this issue (deep-link to a private repo) |
LGTM (tested, couldn't break it) 🍻 Thanks for releasing too. |
Version 0.4.0. This means affecting hex packages and other packages like yaml_elixir.
Impact Launching observer, it shows consuming all CPU by running in infinite loop and growing memory without bound.
Vuln For responsible disclosure practices, an email address with an associated GPG public key (maybe one of these) is needed to transfer specifics. If no reply is made, it will be publicly disclosed 2 months from today.
The text was updated successfully, but these errors were encountered: