Browse Source

Disable the use of anchors when parsing yaml

This can be used as a DDoS attack

Closes-Bug: 1785657
Change-Id: Icf460fea113e9279715cae87df3ef88a77575e04
(cherry picked from commit eac23d9e774f658f9d4743c99aa2743eb104c3f9)
changes/58/736158/1
Eyal 7 months ago
committed by Renat Akhmerov
parent
commit
f0824730fc
6 changed files with 146 additions and 13 deletions
  1. +3
    -3
      mistral/event_engine/default_event_engine.py
  2. +2
    -2
      mistral/lang/parser.py
  3. +4
    -4
      mistral/services/workflows.py
  4. +5
    -4
      mistral/tests/unit/lang/v2/base.py
  5. +70
    -0
      mistral/tests/unit/utils/test_safeLoader.py
  6. +62
    -0
      mistral/utils/safe_yaml.py

+ 3
- 3
mistral/event_engine/default_event_engine.py View File

@@ -23,7 +23,6 @@ from oslo_log import log as logging
from oslo_service import threadgroup
from oslo_utils import fnmatch
import six
import yaml

from mistral import context as auth_ctx
from mistral.db.v2 import api as db_api
@@ -33,6 +32,7 @@ from mistral import expressions
from mistral import messaging as mistral_messaging
from mistral.rpc import clients as rpc
from mistral.services import security
from mistral.utils import safe_yaml


LOG = logging.getLogger(__name__)
@@ -83,8 +83,8 @@ class NotificationsConverter(object):
config = cf.read()

try:
definition_cfg = yaml.safe_load(config)
except yaml.YAMLError as err:
definition_cfg = safe_yaml.load(config)
except safe_yaml.YAMLError as err:
if hasattr(err, 'problem_mark'):
mark = err.problem_mark
errmsg = (


+ 2
- 2
mistral/lang/parser.py View File

@@ -15,7 +15,6 @@

import cachetools
import threading
import yaml
from yaml import error

import six
@@ -27,6 +26,7 @@ from mistral.lang.v2 import actions as actions_v2
from mistral.lang.v2 import tasks as tasks_v2
from mistral.lang.v2 import workbook as wb_v2
from mistral.lang.v2 import workflows as wf_v2
from mistral.utils import safe_yaml

V2_0 = '2.0'

@@ -50,7 +50,7 @@ def parse_yaml(text):
"""

try:
return yaml.safe_load(text) or {}
return safe_yaml.load(text) or {}
except error.YAMLError as e:
raise exc.DSLParsingException(
"Definition could not be parsed: %s\n" % e


+ 4
- 4
mistral/services/workflows.py View File

@@ -12,12 +12,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.

import yaml

from mistral.db.v2 import api as db_api
from mistral import exceptions as exc
from mistral.lang import parser as spec_parser
from mistral import services
from mistral.utils import safe_yaml
from mistral.workflow import states
from mistral_lib import utils
from oslo_log import log as logging
@@ -95,7 +95,7 @@ def _append_all_workflows(definition, is_system, scope, namespace,
wf_list_spec, db_wfs):
wfs = wf_list_spec.get_workflows()

wfs_yaml = yaml.load(definition) if len(wfs) != 1 else None
wfs_yaml = safe_yaml.load(definition) if len(wfs) != 1 else None

for wf_spec in wfs:
if len(wfs) != 1:
@@ -135,7 +135,7 @@ def update_workflows(definition, scope='private', identifier=None,

db_wfs = []

wfs_yaml = yaml.load(definition) if len(wfs) != 1 else None
wfs_yaml = safe_yaml.load(definition) if len(wfs) != 1 else None

with db_api.transaction():
for wf_spec in wfs:
@@ -205,7 +205,7 @@ def _update_workflow(wf_spec, definition, scope, identifier=None,


def _cut_wf_definition_from_all(wfs_yaml, wf_name):
return yaml.dump({
return safe_yaml.dump({
'version': wfs_yaml['version'],
wf_name: wfs_yaml[wf_name]
})

+ 5
- 4
mistral/tests/unit/lang/v2/base.py View File

@@ -14,11 +14,11 @@

import copy

import yaml

from mistral import exceptions as exc
from mistral.lang import parser as spec_parser
from mistral.tests.unit import base
from mistral.utils import safe_yaml
from mistral_lib import utils


@@ -75,9 +75,10 @@ class WorkflowSpecValidationTestCase(base.BaseTest):
dsl_yaml = base.get_resource(self._resource_path + '/' + dsl_file)

if changes:
dsl_dict = yaml.safe_load(dsl_yaml)
dsl_dict = safe_yaml.safe_load(dsl_yaml)
utils.merge_dicts(dsl_dict, changes)
dsl_yaml = yaml.safe_dump(dsl_dict, default_flow_style=False)
dsl_yaml = safe_yaml.safe_dump(dsl_dict,
default_flow_style=False)
else:
dsl_dict = copy.deepcopy(self._dsl_blank)

@@ -87,7 +88,7 @@ class WorkflowSpecValidationTestCase(base.BaseTest):
if changes:
utils.merge_dicts(dsl_dict, changes)

dsl_yaml = yaml.safe_dump(dsl_dict, default_flow_style=False)
dsl_yaml = safe_yaml.safe_dump(dsl_dict, default_flow_style=False)

if not expect_error:
return self._spec_parser(dsl_yaml)


+ 70
- 0
mistral/tests/unit/utils/test_safeLoader.py View File

@@ -0,0 +1,70 @@
# Copyright 2019 - Nokia Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from unittest import TestCase

from mistral.utils import safe_yaml


class TestSafeLoader(TestCase):
def test_safe_load(self):
yaml_text = """
version: '2.0'

wf1:
type: direct

input:
- a: &a ["lol","lol","lol","lol","lol"]
- b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
- c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
- d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
- e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
- f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
- g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
- h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
- i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]


tasks:
hello:
action: std.echo output="Hello"
wait-before: 1
publish:
result: <% task(hello).result %>
"""

result = {
'version': '2.0',
'wf1':
{'type': 'direct',
'input': [
{'a': '&a ["lol","lol","lol","lol","lol"]'},
{'b': '&b [*a,*a,*a,*a,*a,*a,*a,*a,*a]'},
{'c': '&c [*b,*b,*b,*b,*b,*b,*b,*b,*b]'},
{'d': '&d [*c,*c,*c,*c,*c,*c,*c,*c,*c]'},
{'e': '&e [*d,*d,*d,*d,*d,*d,*d,*d,*d]'},
{'f': '&f [*e,*e,*e,*e,*e,*e,*e,*e,*e]'},
{'g': '&g [*f,*f,*f,*f,*f,*f,*f,*f,*f]'},
{'h': '&h [*g,*g,*g,*g,*g,*g,*g,*g,*g]'},
{'i': '&i [*h,*h,*h,*h,*h,*h,*h,*h,*h]'}],
'tasks':
{'hello': {
'action': 'std.echo output="Hello"',
'wait-before': 1, 'publish':
{'result': '<% task(hello).result %>'}
}}
}
}
self.assertEqual(result, safe_yaml.load(yaml_text))

+ 62
- 0
mistral/utils/safe_yaml.py View File

@@ -0,0 +1,62 @@
# Copyright 2019 - Nokia Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import yaml
from yaml import * # noqa

yaml.SafeDumper.ignore_aliases = lambda *args: True


class SafeLoader(yaml.SafeLoader):
"""Treat '@', '&', '*' as plain string.

Anchors are not used in mistral workflow. It's better to
disable them completely. Anchors can be used as an exploit to a
Denial of service attack through expansion (Billion Laughs)
see https://en.wikipedia.org/wiki/Billion_laughs_attack.
Also this module uses the safe loader by default which is always
a better loader.

When using yaml module to load a yaml file or a string use this
module instead of yaml.

Example:
import mistral.utils.safe_yaml as safe_yaml
...
...

safe_yaml.load(...)

"""

def fetch_alias(self):
return self.fetch_plain()

def fetch_anchor(self):
return self.fetch_plain()

def check_plain(self):
# Modified: allow '@'
if self.peek() == '@':
return True
else:
return super(SafeLoader, self).check_plain()


def load(stream):
return yaml.load(stream, SafeLoader)


def safe_load(stream):
return load(stream)

Loading…
Cancel
Save