
Commit a567ef3

committed
Restrict data types for object keys
fix #475
1 parent 59b6e76 commit a567ef3


4 files changed

+268
-0
lines changed


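--- a/lib/js-yaml/loader.js
+++ b/lib/js-yaml/loader.js
@@ -285,6 +285,18 @@ function mergeMappings(state, destination, source, overridableKeys) {
 function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode, startLine, startPos) {
 var index, quantity;
 
+// The output is a plain object here, so keys can only be strings.
+// We need to convert keyNode to a string, but doing so can hang the process
+// (deeply nested arrays that explode exponentially using aliases) or execute
+// code via toString.
+if (Array.isArray(keyNode)) {
+for (index = 0, quantity = keyNode.length; index < quantity; index += 1) {
+if (Array.isArray(keyNode[index])) {
+throwError(state, 'nested arrays are not supported inside keys');
+}
+}
+}
+
 keyNode = String(keyNode);
 
 if (_result === null) {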
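Review bot: The comment added at new lines 288–291 names two risks of `String(keyNode)`, a hang and code execution via toString, but the guard that follows only rejects nested arrays. A key that is a mapping, or an array element that is a mapping, still reaches `keyNode = String(keyNode);`, which calls that object's own `toString` if the document supplied one; whether a callable value can get there depends on the schema in use, which this hunk does not show. Plain objects could be replaced with the fixed string '[object Object]' (what `String()` yields for them anyway) before the conversion, working on a copy of the array so a node shared through anchors is not modified. storeMappingPair continues past the end of the hunk.

```javascript
if (Array.isArray(keyNode)) {
  // Copy first: the node may be shared through anchors, and the placeholder below must not leak into it.
  keyNode = Array.prototype.slice.call(keyNode);

  for (index = 0, quantity = keyNode.length; index < quantity; index += 1) {
    // … unchanged: nested-array check …

    // Never call a document-supplied toString on a mapping element.
    if (Object.prototype.toString.call(keyNode[index]) === '[object Object]') {
      keyNode[index] = '[object Object]';
    }
  }
}

// Same rule when the key itself is a mapping.
if (Object.prototype.toString.call(keyNode) === '[object Object]') {
  keyNode = '[object Object]';
}

keyNode = String(keyNode);
```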

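--- a/test/issues/0475-case1.yml
+++ b/test/issues/0475-case1.yml
@@ -0,0 +1,117 @@
+? - - &id057
+- &id055
+- &id053
+- &id051
+- &id049
+- &id047
+- &id045
+- &id043
+- &id041
+- &id039
+- &id037
+- &id035
+- &id033
+- &id031
+- &id029
+- &id027
+- &id025
+- &id023
+- &id021
+- &id019
+- &id017
+- &id015
+- &id013
+- &id011
+- &id009
+- &id007
+- &id005
+- &id003
+- &id001 [lol]
+- &id002 [lol]
+- &id004
+- *id001
+- *id002
+- &id006
+- *id003
+- *id004
+- &id008
+- *id005
+- *id006
+- &id010
+- *id007
+- *id008
+- &id012
+- *id009
+- *id010
+- &id014
+- *id011
+- *id012
+- &id016
+- *id013
+- *id014
+- &id018
+- *id015
+- *id016
+- &id020
+- *id017
+- *id018
+- &id022
+- *id019
+- *id020
+- &id024
+- *id021
+- *id022
+- &id026
+- *id023
+- *id024
+- &id028
+- *id025
+- *id026
+- &id030
+- *id027
+- *id028
+- &id032
+- *id029
+- *id030
+- &id034
+- *id031
+- *id032
+- &id036
+- *id033
+- *id034
+- &id038
+- *id035
+- *id036
+- &id040
+- *id037
+- *id038
+- &id042
+- *id039
+- *id040
+- &id044
+- *id041
+- *id042
+- &id046
+- *id043
+- *id044
+- &id048
+- *id045
+- *id046
+- &id050
+- *id047
+- *id048
+- &id052
+- *id049
+- *id050
+- &id054
+- *id051
+- *id052
+- &id056
+- *id053
+- *id054
+- &id058
+- *id055
+- *id056
+- - *id057
+- *id058
+: key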
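Review bot: Neither this fixture nor 0475-case2.yml says what it is, and both are deliberately hostile inputs: the anchors from &id004 upward each appear to alias two earlier ones (the page has lost the indentation, so the exact nesting is inferred), which is the exponential growth the loader comment describes. A leading comment such as `# Regression fixture for #475: alias-expanding sequence used as a mapping key; the loader must reject it.` would stop the file being reused as ordinary sample data or handed to a parser that lacks the guard.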

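--- a/test/issues/0475-case2.yml
+++ b/test/issues/0475-case2.yml
@@ -0,0 +1,112 @@
+- &id057
+- &id055
+- &id053
+- &id051
+- &id049
+- &id047
+- &id045
+- &id043
+- &id041
+- &id039
+- &id037
+- &id035
+- &id033
+- &id031
+- &id029
+- &id027
+- &id025
+- &id023
+- &id021
+- &id019
+- &id017
+- &id015
+- &id013
+- &id011
+- &id009
+- &id007
+- &id005
+- &id003
+- &id001 [lol]
+- &id002 [lol]
+- &id004
+- *id001
+- *id002
+- &id006
+- *id003
+- *id004
+- &id008
+- *id005
+- *id006
+- &id010
+- *id007
+- *id008
+- &id012
+- *id009
+- *id010
+- &id014
+- *id011
+- *id012
+- &id016
+- *id013
+- *id014
+- &id018
+- *id015
+- *id016
+- &id020
+- *id017
+- *id018
+- &id022
+- *id019
+- *id020
+- &id024
+- *id021
+- *id022
+- &id026
+- *id023
+- *id024
+- &id028
+- *id025
+- *id026
+- &id030
+- *id027
+- *id028
+- &id032
+- *id029
+- *id030
+- &id034
+- *id031
+- *id032
+- &id036
+- *id033
+- *id034
+- &id038
+- *id035
+- *id036
+- &id040
+- *id037
+- *id038
+- &id042
+- *id039
+- *id040
+- &id044
+- *id041
+- *id042
+- &id046
+- *id043
+- *id044
+- &id048
+- *id045
+- *id046
+- &id050
+- *id047
+- *id048
+- &id052
+- *id049
+- *id050
+- &id054
+- *id051
+- *id052
+- &id056
+- *id053
+- *id054
+- *id057 : 1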

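--- a/test/issues/0475.js
+++ b/test/issues/0475.js
@@ -0,0 +1,27 @@
+'use strict';
+
+
+var assert = require('assert');
+var yaml = require('../../');
+var readFileSync = require('fs').readFileSync;
+
+
+test('Should not allow nested arrays in map keys (explicit syntax)', function () {
+try {
+yaml.safeLoad(readFileSync(require('path').join(__dirname, '/0475-case1.yml'), 'utf8'));
+} catch (err) {
+assert(err.stack.startsWith('YAMLException: nested arrays are not supported inside keys'));
+return;
+}
+assert.fail(null, null, 'Expected an error to be thrown');
+});
+
+test('Should not allow nested arrays in map keys (implicit syntax)', function () {
+try {
+yaml.safeLoad(readFileSync(require('path').join(__dirname, '/0475-case2.yml'), 'utf8'));
+} catch (err) {
+assert(err.stack.startsWith('YAMLException: nested arrays are not supported inside keys'));
+return;
+}
+assert.fail(null, null, 'Expected an error to be thrown');
+});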
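Review bot: Both tests assert on `err.stack.startsWith('YAMLException: …')`, which ties them to how the engine formats stack strings rather than to the error itself; `assert.throws(function () { yaml.safeLoad(src); }, /nested arrays are not supported inside keys/);` (with `src` being the fixture text) checks the message and replaces the try/catch plus `assert.fail` scaffolding. There is no positive case showing that a flat sequence key still loads, and none for the toString risk that the loader comment mentions. Because the fixtures are built to hang an unguarded loader synchronously, a regression would probably stall the run instead of reporting a failure, which deserves a comment at the top of the file.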
