fix(abg): protect against billion laughs attack (#1662)

Vampire · krzema12 · web-flow · commit 221a14296da8 · 2024-09-27T16:08:17.000Z
Co-authored-by: Piotr Krzemiński &lt;3110813+krzema12@users.noreply.github.com&gt;
diff --git a/action-binding-generator/build.gradle.kts b/action-binding-generator/build.gradle.kts
@@ -13,6 +13,7 @@ version = rootProject.version
 
 dependencies {
     implementation("com.squareup:kotlinpoet:1.18.1")
+    implementation("it.krzeminski:snakeyaml-engine-kmp:3.0.2")
     implementation("com.charleskorn.kaml:kaml:0.61.0")
     implementation(projects.sharedInternal)
 
diff --git a/action-binding-generator/src/main/kotlin/io/github/typesafegithub/workflows/actionbindinggenerator/typing/TypesProviding.kt b/action-binding-generator/src/main/kotlin/io/github/typesafegithub/workflows/actionbindinggenerator/typing/TypesProviding.kt
@@ -12,6 +12,7 @@ import io.github.typesafegithub.workflows.actionbindinggenerator.domain.repoName
 import io.github.typesafegithub.workflows.actionbindinggenerator.domain.subName
 import io.github.typesafegithub.workflows.actionbindinggenerator.metadata.fetchUri
 import io.github.typesafegithub.workflows.actionbindinggenerator.utils.toPascalCase
+import it.krzeminski.snakeyaml.engine.kmp.api.Load
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.decodeFromString
 import java.io.IOException
@@ -79,7 +80,7 @@ private fun ActionCoords.fetchTypingsForOlderVersionFromCatalog(fetchUri: (URI)
         } catch (e: IOException) {
             return null
         }
-    val metadata = yaml.decodeFromString<CatalogMetadata>(metadataYml)
+    val metadata = yaml.protectedDecodeFromString<CatalogMetadata>(metadataYml)
     val requestedVersionAsInt = this.version.versionToIntOrNull() ?: return null
     val fallbackVersion =
         metadata.versionsWithTypings
@@ -147,11 +148,18 @@ private inline fun <reified T> Yaml.decodeFromStringOrDefaultIfEmpty(
     default: T,
 ): T =
     if (text.isNotBlank()) {
-        decodeFromString(text)
+        protectedDecodeFromString(text)
     } else {
         default
     }
 
+private inline fun <reified T> Yaml.protectedDecodeFromString(text: String): T {
+    // protect against billion laughs attack until
+    // https://github.com/charleskorn/kaml/pull/620 is available
+    Load().loadOne(text)
+    return decodeFromString(text)
+}
+
 private fun String.versionToInt() = this.versionToIntOrNull() ?: error("Version '$this' cannot be treated as numeric!")
 
 private fun String.versionToIntOrNull() = lowercase().removePrefix("v").toIntOrNull()
diff --git a/action-binding-generator/src/test/kotlin/io/github/typesafegithub/workflows/actionbindinggenerator/typing/TypesProvidingTest.kt b/action-binding-generator/src/test/kotlin/io/github/typesafegithub/workflows/actionbindinggenerator/typing/TypesProvidingTest.kt
@@ -3,8 +3,10 @@ package io.github.typesafegithub.workflows.actionbindinggenerator.typing
 import io.github.typesafegithub.workflows.actionbindinggenerator.domain.ActionCoords
 import io.github.typesafegithub.workflows.actionbindinggenerator.domain.CommitHash
 import io.github.typesafegithub.workflows.actionbindinggenerator.domain.TypingActualSource
+import io.kotest.assertions.throwables.shouldThrow
 import io.kotest.core.spec.style.FunSpec
 import io.kotest.matchers.shouldBe
+import it.krzeminski.snakeyaml.engine.kmp.exceptions.YamlEngineException
 import java.io.IOException
 import java.net.URI
 
@@ -508,6 +510,36 @@ class TypesProvidingTest :
                         TypingActualSource.TYPING_CATALOG,
                     )
             }
+
+            test("billion laughs attack is prevented") {
+                // Given
+                val billionLaughsAttack =
+                    """
+                    a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
+                    b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
+                    c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
+                    d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
+                    e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
+                    f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
+                    g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
+                    h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
+                    i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
+                    """.trimIndent()
+                val fetchUri: (URI) -> String = {
+                    when (it) {
+                        URI("https://raw.githubusercontent.com/some-owner/some-name/some-hash/action-types.yml") -> billionLaughsAttack
+                        else -> throw IOException()
+                    }
+                }
+                val actionCoord = ActionCoords("some-owner", "some-name", "v3")
+
+                // Expect
+                val exception =
+                    shouldThrow<YamlEngineException> {
+                        actionCoord.provideTypes(metadataRevision = CommitHash("some-hash"), fetchUri = fetchUri)
+                    }
+                exception.message shouldBe "Number of aliases for non-scalar nodes exceeds the specified max=50"
+            }
         }
 
         test("non-numeric version is provided and metadata in typing catalog exists") {
