dpc
commented
6 years ago @dtolnay Maybe it should be mentioned on https://github.com/dtolnay/serde-yaml and in the docs, especially if it's a remote code execution.
Closed dpc closed 6 years ago
dpc
commented
6 years ago @dtolnay Maybe it should be mentioned on https://github.com/dtolnay/serde-yaml and in the docs, especially if it's a remote code execution.
dtolnay
commented
6 years ago This crate is 100% safe code outside of its dependency on linked-hash-map so I'm going to go with no remote code execution, or rather this would be more of a question for the linked-hash-map folks.
You're right serde_yaml should have propagated the same disclaimer -- fixed in https://github.com/dtolnay/serde-yaml/commit/3ab6fd433fff6987540a4f23b171e5c7a6a3ca2d.
hoodie
commented
6 years ago I think if this hasn't happened yet this lib should be subject to some fuzzing. I found an infinite loop in here once
chyh1990
commented
6 years ago Thanks to Rust's memory safe property, and this lib is written in pure Rust, it should be impossible to have memory problems like leaks and remote code executions.
It seems that no one have reported bugs panicking or blocking their program since last year, so I think this library can be marked as stable and production ready.
hoodie
commented
6 years ago for completeness sake I'd like to add that leaks are not prevented by Rust, just data races, dangling pointers or things like use after free.
Is this still the case, that this library is not ready for accepting untrusted output?
If so, how much am I risking here? Remote code execution, or a panic? If a panic, that in my application, I could probably live with it, at least temporarily.