Dear GitHub: no YAML anchors, please

@yossarian interesting, are eagerly "copying" parsers like the ones mentioned here susceptible to some variant of a billion laughs attack?
GitHub - dubniczky/Yaml-Bomb: Yaml bomb files and exploitable programming languages

@yossarian @migratory Huh, thanks to this pointer I filed https://github.com/dubniczky/Yaml-Bomb/pull/1 to fix its test for the JS `yaml` library, as it can deal fine with a billion laughs attack like this but was just bailing out early due to detecting the bomb.
Fix JS yaml test to work when DoS detection is disabled by eemeli · Pull Request #1 · dubniczky/Yaml-Bomb

Here's a small fix for the JS yaml package's test, to avoid the default alias detection that's causing the early error in its calls. The library itself is completely fine when dealing w...
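
What eager alias copying costs a loader, as an added example that is not from the thread, the linked repository or the `yaml` library: it computes how many nodes a copying loader would materialise from a document's anchors and aliases without expanding them, and stops at a budget. The one-sequence-per-line syntax, the names `parseRestricted` and `expandedNodeCount`, the sample and the budget value are assumptions made for illustration.

```javascript
// Constructed sample: each level is a sequence of two aliases to the level before it.
const SAMPLE = [
  'a: &a [x, x]',
  'b: &b [*a, *a]',
  'c: &c [*b, *b]',
  'd: [*c, *c]',
].join('\n');

// Parse the restricted form `key: [&anchor] [item, ...]` (assumption: one flow
// sequence per line, items are plain scalars or *aliases; not a YAML parser).
function parseRestricted(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const m = /^(\w+):\s*(?:&(\w+)\s+)?\[(.*)\]\s*$/.exec(line);
    if (!m) throw new Error(`unsupported line: ${line}`);
    const items = m[3].split(',').map((s) => s.trim()).filter(Boolean);
    return { key: m[1], anchor: m[2] || null, items };
  });
}

// Node count after eager alias copying, computed without copying anything:
// each anchor's expanded size is stored once and reused for every alias to it.
function expandedNodeCount(text, budget = 10000n) {
  const sizes = new Map(); // anchor name -> expanded node count (BigInt)
  let total = 1n; // the top-level mapping
  for (const { anchor, items } of parseRestricted(text)) {
    let size = 1n; // the sequence node itself
    for (const item of items) {
      if (item.startsWith('*')) {
        const target = sizes.get(item.slice(1));
        if (target === undefined) throw new Error(`undefined alias ${item}`);
        size += target; // a copying loader duplicates the whole subtree here
      } else {
        size += 1n; // plain scalar
      }
    }
    if (anchor) sizes.set(anchor, size);
    total += size + 1n; // value plus its key scalar
    if (total > budget) return { ok: false, total }; // reject before loading
  }
  return { ok: true, total };
}
```

With two aliases per level the expanded size roughly doubles at every level while the text grows by one line, which is why a loader needs either shared references or a limit of this kind.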
