Closed archer-321 closed 2 years ago
I'd add `CVE-2017-18640` to related `// KigPaper (start)` comments, looks good otherwise.
Thanks!
@RoccoDev Thank you for the review! I've updated the comments and added some missing comments in PaperSpigot-Server
:+1:
This pull request updates `snake-yaml` to the latest version. Version 1.30 contains a loading configuration option that can limit the maximum number of aliases for collections to prevent DoS attacks when parsing untrusted YAML files early. With this change, plugin descriptions, YamlConfigurations, and the permission specification can only load a maximum of 32 aliases for collections. This should prevent attacks with malicious configuration files, but it does not prevent attacks on plugin-created `org.yaml.snakeyaml.Yaml` instances if they don't use LoaderOptions to limit aliases themselves. Nevertheless, with the updated snake-yaml dependency, it's now possible for users to easily prevent this attack by using the new API to fail early when a YAML file contains too many aliases.

Related-CVE: CVE-2017-18640
Related: https://en.wikipedia.org/wiki/Billion_laughs_attack#Variations
PS, I knew writing good commit messages would pay off. I could almost reuse everything for this PR :smile:
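For plugin authors who create their own `Yaml` instances, here is an added example (not code from this PR or from Paper) of the `LoaderOptions` cap the description refers to; the class name, the 32-alias limit and the YAML input are constructed for illustration, and the input mirrors the Billion-laughs shape with a single anchored list referenced repeatedly.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class AliasLimitDemo {
    // Same cap the PR description chooses for plugin descriptions and configurations.
    static final int MAX_ALIASES = 32;

    /** A loader that rejects documents with more than MAX_ALIASES aliases to collections. */
    static Yaml limitedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(MAX_ALIASES);
        // SafeConstructor restricts loading to standard YAML types (no arbitrary Java classes).
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    /** Constructed input: one anchored list referenced by `aliasCount` aliases. */
    static String documentWithAliases(int aliasCount) {
        StringBuilder sb = new StringBuilder("base: &b [1, 2, 3]\nrefs: [");
        for (int i = 0; i < aliasCount; i++) {
            sb.append(i == 0 ? "" : ", ").append("*b");
        }
        return sb.append("]\n").toString();
    }

    /** Returns true if the document loads, false if the alias limit rejects it. */
    static boolean loads(Yaml yaml, String document) {
        try {
            yaml.load(document);
            return true;
        } catch (YAMLException e) {
            // SnakeYAML fails in the composer, before the aliased collections are expanded.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = limitedLoader();
        // Exactly MAX_ALIASES aliases is still accepted; one more is rejected early.
        System.out.println("32 aliases loads: " + loads(yaml, documentWithAliases(MAX_ALIASES)));
        System.out.println("33 aliases loads: " + loads(yaml, documentWithAliases(MAX_ALIASES + 1)));
    }
}
```

The check only counts aliases to non-scalar nodes, so a document with many aliases to plain scalars still loads; the cap targets the collection expansion that makes the attack expensive.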