<enebo[m]>
Looks like yaml guy rejected this out of hand
<headius>
It looks like this issue was raised a few weeks back and only recently filed as a CVE
<headius>
Yeah, looking at the stack trace is triggering a stack overflow somewhere
<headius>
I'm not sure if a stack overflow should be considered a DOS
<headius>
I suppose you can feed bad ammo to a server endlessly causing it to keep raising stack overflow errors but is that really different than feeding it bad yaml over and over again?
<headius>
Bad yaml
<enebo[m]>
his link to the explanation is more or less: don't feed trash yaml from the internet to your app
<headius>
Yeah I am dubious about the DOS potential here
<enebo[m]>
yeah I mean I don't know how this library handles nesting but I would not be surprised if it is recursive
<enebo[m]>
which if you let any yaml into your app then you can blow stack
<headius>
It arguably should be imposing some recursion limit but at worst this will fill up the stack of one thread and then raise an error
<enebo[m]>
yeah it should definitely be a property
<enebo[m]>
I think libraries can make reasonable efforts to prevent malicious untrusted data but if you even think of what yaml is ... it allows reification of objects and has cycles in it
<headius>
It almost looks like it's inserting an array list into itself and so it can't calculate the hash code but wouldn't that be more of a JDK bug?
<headius>
There's nothing illegal about a recursive list
<enebo[m]>
yeah
<headius>
There's no snakeyaml lines in the recursing part of that stack trace
<enebo[m]>
well I suppose we can see on Monday if someone re-raises this or not
<enebo[m]>
atm he is not doing anything here and it looks like it may not even be in his hands
<enebo[m]>
circling back though. I don't think we do 9.2.x unless we get enough pushback to reconsider
<enebo[m]>
I have to say it is amusing how many parsers demonstrate how hard it is to not have bugs
<enebo[m]>
I don't think it is anything specifically wrong with parsers but I think because the boundaries of language are precise it is easier for people to figure out problems
<headius>
He has largely walked away from this library so I imagine he's reluctant to put a lot of work in
<enebo[m]>
which in my head means all software probably has way more bugs than we see CVEs for parsers 😀
<headius>
He's been working on a completely new library that doesn't mimic libyaml and supports newer standards
<enebo[m]>
interesting...can we use it?
<enebo[m]>
or is the fact that it is not emulating libyaml an issue
<headius>
It would be worth attempting to plug it into psych, and I have chatted with tenderlove about this, but I have not made the attempt
<headius>
The core of psych is pretty small but might be tricky to adapt to a very different API
<headius>
The whole yaml landscape seems to be perpetually in flux
<enebo[m]>
heh
<headius>
Andrey says recursive lists as keys must be supported by the specification but I am arguing maybe this is an area where strict conformance should not be the default
<headius>
I still don't see this as a vulnerability though
<enebo[m]>
yum sinus pressure from this front
<enebo[m]>
not horrible but present. I could tell people if it was going to rain without windows at this point in life
<headius>
I've been hoping for rain. We had a kid birthday party at my place and a huge section of my back patio is 100% covered by sidewalk chalk
<enebo[m]>
yeah I saw the photos...that is a lot of chalk :)
<enebo[m]>
you could also use a hose
<headius>
I have been avoiding walking on it because it tracks everywhere
<headius>
I should probably suck it up and go buy a hose to spray it down
<headius>
We'll see how the rain goes
<enebo[m]>
you will need a hose eventually anyways
<enebo[m]>
I have been wondering if there is a fancy hose with silicon olocks like brewing
<enebo[m]>
standard hoses always feel a bit shitty
<headius>
Yeah what's the state of the art in hose technology
<headius>
Can I get a smart hose that hooks up to Alexa or Google home
<enebo[m]>
at my house the same state of the art from 40 years ago
<headius>
Hey Google, spray mode on
<enebo[m]>
you still need those ends if you want to put a sprayer on the end or a sprinkler (we have in-ground so only sprayer)
<headius>
Yeah I have in ground as well so just a sprayer needed
<enebo[m]>
we replaced our control module for the in-ground and it is about 100x easier to program but not that simple
<enebo[m]>
I like that we can turn them on at 5am and not worry about it
<enebo[m]>
I think Valerie had it on every other day this year too
<headius>
The new house came with a smart sprinkler controller so I can run it all from my phone and the default every other day smart mode seems to do the trick without any configuration
<enebo[m]>
they can save a lot of water but I suppose it is a luxury to get them installed
<enebo[m]>
MN is not smarting on water as much as the rest of the country but we will
<headius>
It automatically reduced watering for autumn and skips it whenever the weather report says there'll be rain
<enebo[m]>
hah
<enebo[m]>
that's fancy
<enebo[m]>
0.03" for today so you may not quite get that chalk off unless it comes in one blast
<headius>
Phooey
<enebo[m]>
I guess I will look at a 9.3 bug in the parser giving a bogus warning
<enebo[m]>
It is very minor but someone is seeing it because they like if a = foo ... as a pattern
<enebo[m]>
I used LiteralNode but that is not the same as LITERAL in MRI so we warn more
<enebo[m]>
err NODE_LIT
<enebo[m]>
headius: should we make an effort to triage what we marked for 9.3.8 or only do the security update?
<headius>
We could do a 9.3.7.1 I guess
<enebo[m]>
The unbound method and visibility stuff I think may be ready but we both should review that
<enebo[m]>
I am ok doing it either way
<headius>
It would reduce the potential for introducing new bugs along with the security fix but there are some other good fixes in 9.3.8 as well
<headius>
Yeah
<enebo[m]>
yeah one less release with delivery fixes faster
<enebo[m]>
I think the Time.at fix which made it to master was wrong as I more or less reverted it so that one is still broken too
<headius>
Ah ok
<enebo[m]>
started raining and it seems significant
<headius>
Well I will review and triage today then
<enebo[m]>
ok I will also look over those two PRs and try and fix our overzealous warnings
<enebo[m]>
Seems like that new arch issue may just need something in jnr world landed
<enebo[m]>
but that is not important (at least to me :) )
razetime has joined #jruby
sagax has joined #jruby
<headius>
You know this CVE may be a good justification for us to make it possible to put gem files in classpath and have them picked up as installed gems
<headius>
Or something similar that would allow a sort of overlay gem set when using the complete jar
<headius>
I wonder what it would take to add support to RubyGems for either loading directly from the gem or for a new zip-based file format
<enebo[m]>
yeah I also wondered if we have a better mechanism for including jars
<enebo[m]>
the jars themselves as deps could make this potentially very simple except for due-diligence that a point release will not break the ruby part of the gem
<byteit101[m]>
what does the maven-rubygems stuff do? does it repack the complete jar?
razetime has quit [Remote host closed the connection]