Allow user to override the Code Point Limit required by SnakeYaml #1872
With this patch, a user may set the system property 'maxYamlCodePoints' in order to override the default 3MiB limit configured in the org.yaml.snakeyaml package by default. This limit was implemented to prevent certain Denial-of-Service (DOS) attacks, but users should be given the opportunity to override this value for valid configurations which exceed the limit, such as the Redfish OpenAPI specification (developed by DMTF), which weighs in at 4.9MiB. This patch was tested to work with openapi-generator-cli v6.3.0. Signed-off-by: Ethan D. Twardy <ethan.twardy@gmail.com>
I believe this PR also fixes #1857. |
Thanks! |
Doesn't work for me though! Updated the dependency and tried the command below: Can you guide me where I may be wrong? |
Hmm...which tool are you using, and can you provide the command line that generates the exception? I was using |
I am using Git bash to run my builds .... I think it's not taking the "maxYamlCodePoints" |
I'm sorry, I meant which tool is responsible for the error? Are you using |
I am using "swagger-parser-cli". Below is the command: `mvn clean install -DmaxYamlCodePoints="99"` |
Ah, I see. This system property is meant to be interpreted at runtime, not at build time. So, if you're running
|
Tried the command below: I searched but I could not find swagger-parser-cli-.jar in my local m2 repo. Only thing I could find was Below is the dependency I am using in my pom.xml: Also, is there any way to use it during build (mvn install)? |
Any suggestions? |
@AmateurECE, I'm running into difficulty with a command of the form: error: any ideas what's wrong? |
I believe openapi-generator is still using version 2.1.6 of swagger-parser. This PR was only merged as recently as 2.1.11. So I expect that when they upgrade the version in their Maven configuration, this issue will be resolved. You can build it from source and manually change the version of swagger-parser as a workaround. |
@ShubhamShekhar1996 The system property just needs to be set whenever swagger-parser is run, so as long as you can set the system property while you're running the swagger maven plugin, it should work for you. I expect your command above did not work because you don't have the library available in your local maven repository. You will have to run |
@samarth Gupta, the example you provided appears to be setting the
`maxYamlCodePoints` value as an *environment variable*, but this mechanism
is triggered by a *JVM system property*. Environment variables cannot be
used to change this value. See https://stackoverflow.com/a/7055010
…On Tue, Jul 25, 2023 at 6:35 AM Samarth Gupta ***@***.***> wrote:
I am still getting limit exceed error even when I set the required env variable. Below is sample

```java
ParseOptions options = new ParseOptions();
options.setResolve(true);
options.setResolveFully(true);
System.out.println(System.getenv("maxYamlCodePoints"));
String openApiSpec = FileUtils.readFileToString(new File("openapi.yaml"));
OpenAPI openAPI = new OpenAPIParser().readContents(openApiSpec, emptyList(), options).getOpenAPI();
```

error

```
Caused by: org.yaml.snakeyaml.error.YAMLException: The incoming YAML document exceeds the limit: 3145728 code points.
```

have set maxYamlCodePoints to 9999999999
|
Java system properties can be set using `export _JAVA_OPTIONS=-DmaxYamlCodePoints=99999999` |
This PR closes #1871
Signed-off-by: Ethan D. Twardy ethan.twardy@gmail.com
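The thread above turns on two points: the override is a JVM system property read at runtime (not an environment variable or a build-time Maven flag), and raising it weakens a denial-of-service guard. The following is an added example, not code from swagger-parser or from this PR, showing one way to read such a property and apply it to SnakeYAML while keeping an upper bound. It assumes a SnakeYAML release that provides `LoaderOptions.setCodePointLimit` is on the classpath; the class name `YamlLimitDemo` and the `CEILING` value are hypothetical.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLimitDemo {
    // 3145728 code points: the limit quoted in the error message in the thread
    static final int DEFAULT_LIMIT = 3 * 1024 * 1024;
    // Assumed site policy for this example, not a SnakeYAML or swagger-parser value
    static final int CEILING = 16 * 1024 * 1024;

    /** Resolve the limit from the JVM system property; the environment is never consulted. */
    static int resolveLimit() {
        String raw = System.getProperty("maxYamlCodePoints");
        if (raw == null || raw.trim().isEmpty()) return DEFAULT_LIMIT;
        long requested;
        try {
            // Parse as long so a value such as 9999999999 is rejected cleanly
            // instead of failing or wrapping as an int.
            requested = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("maxYamlCodePoints is not a number: " + raw, e);
        }
        if (requested <= 0 || requested > CEILING)
            throw new IllegalArgumentException("maxYamlCodePoints outside 1.." + CEILING + ": " + raw);
        return (int) requested;
    }

    /** Parse with SafeConstructor so the raised limit is the only guard that changes. */
    static Object load(String yaml) {
        LoaderOptions options = new LoaderOptions();
        options.setCodePointLimit(resolveLimit());
        return new Yaml(new SafeConstructor(options)).load(yaml);
    }

    public static void main(String[] args) {
        // Constructed input: a flat list padded to just over 4 MiB
        StringBuilder sb = new StringBuilder("items:\n");
        while (sb.length() < 4 * 1024 * 1024) sb.append("  - padding-padding-padding\n");
        // An exported shell variable shows up under getenv, not getProperty
        System.out.println("env  = " + System.getenv("maxYamlCodePoints"));
        System.out.println("prop = " + System.getProperty("maxYamlCodePoints"));
        try {
            load(sb.toString());
            System.out.println("parsed with limit " + resolveLimit());
        } catch (YAMLException | IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run without `-DmaxYamlCodePoints`, the constructed document is rejected at the default limit; run with `java -DmaxYamlCodePoints=8388608` it parses, and with `9999999999` it is refused by the range check before any YAML is read.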