
Allow user to override the Code Point Limit required by SnakeYaml #1872

Merged: 1 commit, Jan 16, 2023

Conversation

AmateurECE (Contributor)

With this patch, a user may set the system property 'maxYamlCodePoints' in order to override the default 3MiB limit configured in the org.yaml.snakeyaml package. This limit was implemented to prevent certain Denial-of-Service (DoS) attacks, but users should be given the opportunity to override this value for valid configurations which exceed the limit, such as the Redfish OpenAPI specification (developed by DMTF), which weighs in at 4.9MiB.

This patch was tested to work with openapi-generator-cli v6.3.0.

This PR closes #1871

Signed-off-by: Ethan D. Twardy <ethan.twardy@gmail.com>

With this patch, a user may set the system property
'maxYamlCodePoints' in order to override the default 3MiB limit
configured in the org.yaml.snakeyaml package by default. This limit
was implemented to prevent certain Denial-of-Service (DOS) attacks,
but users should be given the opportunity to override this value for
valid configurations which exceed the limit, such as the Redfish
OpenAPI specification (developed by DMTF), which weighs in at 4.9MiB.

This patch was tested to work with openapi-generator-cli v6.3.0.

Signed-off-by: Ethan D. Twardy <ethan.twardy@gmail.com>
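The mechanism the PR describes, as an added example that is not the PR's or swagger-parser's own code: SnakeYAML's code point limit lives in LoaderOptions, and a process-wide system property (here the PR's name, maxYamlCodePoints) can be consulted at runtime to raise it. The example assumes SnakeYAML 1.32 or later on the classpath (the version that introduced LoaderOptions.setCodePointLimit); the class name, the helper methods and the generated oversized document are this example's own. It first tightens the limit below a constructed document's size to show the guard firing, then raises it the way an operator would with -DmaxYamlCodePoints=... at JVM start.

```java
// Added example, not code from the swagger-parser PR. Assumes SnakeYAML 1.32+.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class YamlCodePointLimitDemo {

    // SnakeYAML's built-in default: 3 MiB of code points, i.e. the 3145728
    // that appears in the error message quoted in this thread.
    static final int SNAKEYAML_DEFAULT_LIMIT = 3 * 1024 * 1024;

    // Property name used by the PR. Everything else in this class is illustrative.
    static final String PROPERTY = "maxYamlCodePoints";

    /** LoaderOptions whose code point limit comes from -DmaxYamlCodePoints when set. */
    static LoaderOptions loaderOptionsFromSystemProperty() {
        // Integer.getInteger yields the fallback when the property is absent or not an int.
        int limit = Integer.getInteger(PROPERTY, SNAKEYAML_DEFAULT_LIMIT);
        if (limit <= 0) {
            throw new IllegalArgumentException(PROPERTY + " must be a positive integer, got " + limit);
        }
        LoaderOptions options = new LoaderOptions();
        options.setCodePointLimit(limit);   // the knob the PR exposes
        return options;
    }

    /** Parse one YAML document using the limit taken from the system property. */
    static Object load(String document) {
        Yaml yaml = new Yaml(loaderOptionsFromSystemProperty());
        return yaml.load(document);
    }

    /** Constructed input: a flat mapping just large enough to exceed targetCodePoints. */
    static String bigDocument(int targetCodePoints) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        while (sb.length() <= targetCodePoints) {
            sb.append("key").append(i++).append(": value\n");
        }
        return sb.toString();   // ASCII only, so chars == code points
    }

    public static void main(String[] args) {
        String doc = bigDocument(10_000);

        // 1. Limit below the document size: the reader rejects the input while
        //    streaming it, which is the DoS protection the limit exists for.
        System.setProperty(PROPERTY, "4096");
        try {
            load(doc);
            System.out.println("unexpected: document accepted");
        } catch (YAMLException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // 2. Limit raised just above the document size, as an operator would do
        //    for a known-good oversized spec. Keep it close to the real need:
        //    every code point above it is extra memory an untrusted document may claim.
        System.setProperty(PROPERTY, String.valueOf(doc.length() + 1));
        Map<?, ?> parsed = (Map<?, ?>) load(doc);
        System.out.println("accepted, " + parsed.size() + " keys");
    }
}
```

Two practical notes. A -D flag only reaches the JVM whose command line carries it: -DmaxYamlCodePoints on a java invocation applies to that process, and on mvn it applies to the Maven JVM but not to any JVM a plugin forks. For a JVM you do not start directly, JAVA_TOOL_OPTIONS is the environment variable every compliant JVM reads at startup; _JAVA_OPTIONS is HotSpot-specific. And because the limit bounds how much input an untrusted document can make the parser hold, raise it only as far as the largest legitimate document requires rather than to an effectively unlimited value.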
@AmateurECE (Contributor, Author)

I believe this PR also fixes #1857.

@frantuma frantuma merged commit 93d1f49 into swagger-api:master Jan 16, 2023
@frantuma (Member)

Thanks!

@ShubhamShekhar1996

Doesn't work for me, though! Updated the dependency and tried the command below:
mvn clean install -DmaxYamlCodePoints="999999999"
Still getting the same error:
Caused by: org.yaml.snakeyaml.error.YAMLException: The incoming YAML document exceeds the limit: 3145728 code points

Can you guide me where I may be wrong?

@AmateurECE (Contributor, Author)

Hmm...which tool are you using, and can you provide the command line that generates the exception? I was using openapi-generator-cli. It's possible there's another code path that results in construction of a ScannerImpl without checking the system properties.

@ShubhamShekhar1996

ShubhamShekhar1996 commented Jan 17, 2023

I am using Git Bash to run my builds. I think it's not taking the "maxYamlCodePoints".

@AmateurECE (Contributor, Author)

I'm sorry, I meant which tool is responsible for the error? Are you using swagger-parser-cli to do validation, or are you using openapi-generator-cli to generate client/server code for an API? Can you provide the command that you are running in Git Bash?

@ShubhamShekhar1996

I'm sorry, I meant which tool is responsible for the error? Are you using swagger-parser-cli to do validation, or are you using openapi-generator-cli to generate client/server code for an API? Can you provide the command that you are running in Git Bash?

I am using "swagger-parser-cli". Below is the command:

mvn clean install -DmaxYamlCodePoints="99"

@AmateurECE (Contributor, Author)

Ah, I see. This system property is meant to be interpreted at runtime, not at build time. So, if you're running swagger-parser-cli, I suggest setting the system property in that invocation, like so:

$ java -DmaxYamlCodePoints=999999 -jar ~/.m2/repository/[...]/swagger-parser-cli-<version>.jar <other arguments>

@ShubhamShekhar1996

ShubhamShekhar1996 commented Jan 18, 2023

Tried the command below:
java -DmaxYamlCodePoints=999999 -jar swagger-parser-v3-2.1.10.jar
But it gives the error below:
no main manifest attribute, in swagger-parser-v3-2.1.10.jar

I searched but I could not find swagger-parser-cli-.jar in my local m2 repo. The only thing I could find was
.....m2\repository\io\swagger\parser\v3\swagger-parser-v3\2.1.10\swagger-parser-v3-2.1.10.jar

Below is the dependency I am using in my pom.xml:

<dependency>
    <groupId>io.swagger.parser.v3</groupId>
    <artifactId>swagger-parser</artifactId>
    <version>2.1.11</version>
</dependency>

Also is there any way to use it during build (mvn install)?

@ShubhamShekhar1996

Any suggestions?

@elmehi

elmehi commented Mar 13, 2023

@AmateurECE , i'm running into difficulty with a command of the form:
java -DmaxYamlCodePoints=999999 -jar ./generator/openapi-generator-cli-6.4.0.jar <other arguments>

error: Caused by: org.yaml.snakeyaml.error.YAMLException: The incoming YAML document exceeds the limit: 3145728 code points.

any ideas what's wrong?

@AmateurECE (Contributor, Author)

I believe openapi-generator is still using version 2.1.6 of swagger-parser. This PR was only merged as recently as 2.1.11. So I expect that when they upgrade the version in their Maven configuration, this issue will be resolved. You can build it from source and manually change the version of swagger-parser as a workaround.

@AmateurECE (Contributor, Author)

Any suggestions?

@ShubhamShekhar1996 The system property just needs to be set whenever swagger-parser is run, so as long as you can set the system property while you're running the swagger maven plugin, it should work for you. I expect your command above did not work because you don't have the library available in your local maven repository. You will have to run mvn install.

@AmateurECE (Contributor, Author)

AmateurECE commented Jul 25, 2023 via email

@svghadi

svghadi commented Feb 29, 2024

Java system properties can be set using _JAVA_OPTIONS env var. Below worked for me

export _JAVA_OPTIONS=-DmaxYamlCodePoints=99999999

Successfully merging this pull request may close these issues.

No mechanism to override codePointLimit in org.yaml.SnakeYaml.LoaderOptions