fix: Disable alias resolution with maxAliasCount:0 (#677)

Author: eemeli

src/nodes/Alias.ts

@@ -42,6 +42,9 @@ export class Alias extends NodeBase {
     doc: Document,
     ctx?: ToJSContext
   ): Scalar | YAMLMap | YAMLSeq | undefined {
+    if (ctx?.maxAliasCount === 0)
+      throw new ReferenceError('Alias resolution is disabled')
+
     let nodes: Node[]
     if (ctx?.aliasResolveCache) {
       nodes = ctx.aliasResolveCache

src/schema/yaml-1.1/merge.ts

@@ -43,19 +43,19 @@ export function addMergeToJSMap(
   map: MapLike,
   value: unknown
 ) {
-  value = ctx && isAlias(value) ? value.resolve(ctx.doc) : value
-  if (isSeq(value)) for (const it of value.items) mergeValue(ctx, map, it)
-  else if (Array.isArray(value))
-    for (const it of value) mergeValue(ctx, map, it)
-  else mergeValue(ctx, map, value)
+  const source = resolveAliasValue(ctx, value)
+  if (isSeq(source)) for (const it of source.items) mergeValue(ctx, map, it)
+  else if (Array.isArray(source))
+    for (const it of source) mergeValue(ctx, map, it)
+  else mergeValue(ctx, map, source)
 }
 
 function mergeValue(
   ctx: ToJSContext | undefined,
   map: MapLike,
   value: unknown
 ) {
-  const source = ctx && isAlias(value) ? value.resolve(ctx.doc) : value
+  const source = resolveAliasValue(ctx, value)
   if (!isMap(source))
     throw new Error('Merge sources must be maps or map aliases')
   const srcMap = source.toJSON(null, ctx, Map)
@@ -75,3 +75,7 @@ function mergeValue(
   }
   return map
 }
+
+function resolveAliasValue(ctx: ToJSContext | undefined, value: unknown) {
+  return ctx && isAlias(value) ? value.resolve(ctx.doc, ctx) : value
+}

tests/doc/anchors.ts

@@ -3,13 +3,14 @@ import { Document, parse, parseDocument } from 'yaml'
 
 test('basic', () => {
   const src = `- &a 1\n- *a\n`
-  const doc = parseDocument<YAMLSeq>(src)
+  const doc = parseDocument<YAMLSeq, false>(src)
   expect(doc.errors).toHaveLength(0)
   expect(doc.contents?.items).toMatchObject([
     { anchor: 'a', value: 1 },
     { source: 'a' }
   ])
   expect(String(doc)).toBe(src)
+  expect(doc.get(1).resolve(doc)).toBe(doc.get(0, true))
 })
 
 test('re-defined anchor', () => {
@@ -27,7 +28,7 @@ test('re-defined anchor', () => {
 
 test('circular reference', () => {
   const src = '&a [ 1, *a ]\n'
-  const doc = parseDocument(src)
+  const doc = parseDocument<YAMLSeq, false>(src)
   expect(doc.errors).toHaveLength(0)
   expect(doc.warnings).toHaveLength(0)
   expect(doc.contents).toMatchObject({
@@ -37,6 +38,7 @@ test('circular reference', () => {
   const res = doc.toJS()
   expect(res[1]).toBe(res)
   expect(String(doc)).toBe(src)
+  expect(doc.get(1).resolve(doc)).toBe(doc.contents)
 })
 
 describe('anchor on tagged collection', () => {
@@ -146,6 +148,25 @@ describe('errors', () => {
     const doc = parseDocument('- &\n')
     expect(doc.errors).toMatchObject([{ code: 'BAD_ALIAS' }])
   })
+
+  test('resolution with maxAliasCount:0', () => {
+    const src = `- &a 1\n- *a\n`
+    const doc = parseDocument<YAMLSeq, false>(src)
+    expect(doc.errors).toHaveLength(0)
+    expect(() => doc.get(1).resolve(doc, { maxAliasCount: 0 })).toThrow(
+      ReferenceError
+    )
+  })
+
+  test('circular reference', () => {
+    const src = '&A { <<: *A, B: b }\n'
+    const doc = parseDocument(src, { merge: true })
+    expect(doc.errors).toHaveLength(0)
+    expect(doc.warnings).toHaveLength(0)
+    expect(() => doc.toJS()).toThrow('Maximum call stack size exceeded')
+    expect(() => doc.toJS({ maxAliasCount: 0 })).toThrow(ReferenceError)
+    expect(String(doc)).toBe(src)
+  })
 })
 
 describe('warnings', () => {
@@ -455,15 +476,6 @@ y:
       )
     })
 
-    test('circular reference', () => {
-      const src = '&A { <<: *A, B: b }\n'
-      const doc = parseDocument(src, { merge: true })
-      expect(doc.errors).toHaveLength(0)
-      expect(doc.warnings).toHaveLength(0)
-      expect(() => doc.toJS()).toThrow('Maximum call stack size exceeded')
-      expect(String(doc)).toBe(src)
-    })
-
     test('missing whitespace', () => {
       expect(() => parse('&a{}')).toThrow(
         'Tags and anchors must be separated from the next token by white space'

tests/doc/parse.ts

@@ -530,14 +530,18 @@ describe('Resource exhaustion attacks', () => {
         'e: [*d]'
       ]
 
-      test(`depth 0: maxAliasCount 1 passes`, () => {
-        expect(() => YAML.parse(rows[0], { maxAliasCount: 1 })).not.toThrow()
-      })
+      for (const maxAliasCount of [0, 1]) {
+        test(`depth 0: maxAliasCount ${maxAliasCount} passes`, () => {
+          expect(() => YAML.parse(rows[0], { maxAliasCount })).not.toThrow()
+        })
 
-      test(`depth 1: maxAliasCount 1 fails on first alias`, () => {
-        const src = `${rows[0]}\nb: *a`
-        expect(() => YAML.parse(src, { maxAliasCount: 1 })).toThrow()
-      })
+        test(`depth 1: maxAliasCount ${maxAliasCount} fails on first alias`, () => {
+          const src = `${rows[0]}\nb: *a`
+          expect(() => YAML.parse(src, { maxAliasCount })).toThrow(
+            ReferenceError
+          )
+        })
+      }
 
       const limits = [10, 50, 150, 300]
       for (let i = 0; i < 4; ++i) {
@@ -546,7 +550,7 @@ describe('Resource exhaustion attacks', () => {
         test(`depth ${i + 1}: maxAliasCount ${limits[i] - 1} fails`, () => {
           expect(() =>
             YAML.parse(src, { maxAliasCount: limits[i] - 1 })
-          ).toThrow()
+          ).toThrow(ReferenceError)
         })
 
         test(`depth ${i + 1}: maxAliasCount ${limits[i]} passes`, () => {