eemeli
commented
1 year ago I do agree with each of the mitigations prescribed for the aforementioned exploits, but it does seem counterintuitive to me to validate all the documents in the stream before processing. Does this defeat the purpose of streaming?
The term "YAML stream" designates one or more serialized YAML documents, independently on how they are processed (e.g. a stored file is a YAML stream). While you are correct that the suggestions are counter-intuitive when processing YAML streams on the fly, we are not implying that "YAML streams" should be streamed. Instead, we are just using the YAML terminology.
Looking at this section now, I think the language in the recommendation could be clarified a bit. While it is indeed based in the YAML terminology of referring to a sequence of documents as a stream, validating a document does require at least some processing of it. Maybe something like this?
Incremental parsing and processing of a YAML stream can produce partial results and later indicate failure to parse the remainder of the stream. To prevent partial processing, implementers might prefer validating and processing all the documents in a stream at the same time.
Secdir review
The term "YAML stream" designates one or more serialized YAML documents, independently on how they are processed (e.g. a stored file is a YAML stream). While you are correct that the suggestions are counter-intuitive when processing YAML streams on the fly, we are not implying that "YAML streams" should be streamed. Instead, we are just using the YAML terminology.
CC: @eemeli could you please check if this reply is correct?
This should be: "Same as application/yaml".
This should be: "Same as application/yaml".