sandynz commented on code in PR #30505:
URL: https://github.com/apache/shardingsphere/pull/30505#discussion_r1527019770


##########
infra/util/src/main/java/org/apache/shardingsphere/infra/util/yaml/constructor/ShardingSphereYamlConstructor.java:
##########
@@ -49,6 +49,7 @@ public ShardingSphereYamlConstructor(final Class<?> 
rootClass) {
     
     private static LoaderOptions createLoaderOptions() {
         LoaderOptions result = new LoaderOptions();
+        result.setMaxAliasesForCollections(Integer.MAX_VALUE);
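Review bot: in `createLoaderOptions()`, `result.setMaxAliasesForCollections(Integer.MAX_VALUE)` effectively switches off the guard SnakeYAML's `LoaderOptions` provides against documents that alias a collection anchor an unbounded number of times (the billion-laughs / alias-expansion pattern), so the loader would accept input whose expanded size bears no relation to its byte size. Suggest a finite cap sized for real configurations, for example `result.setMaxAliasesForCollections(1000);`, together with a unit test that loads a document at the cap and asserts that one over the cap is rejected with `YAMLException`, so the bound is not silently raised again later.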

Review Comment:
   And could we set the `maxAliasesForCollections` value to a limited value, e.g. `1000`? Since:
   1) It's enough for now.
   2) Using `Integer.MAX_VALUE` might have a vulnerability, see:
   - https://github.com/spring-projects/spring-boot/issues/23096
   - https://en.wikipedia.org/wiki/Billion_laughs_attack
   



##########
infra/util/src/main/java/org/apache/shardingsphere/infra/util/yaml/constructor/ShardingSphereYamlConstructor.java:
##########
@@ -49,6 +49,7 @@ public ShardingSphereYamlConstructor(final Class<?> 
rootClass) {
     
     private static LoaderOptions createLoaderOptions() {
         LoaderOptions result = new LoaderOptions();
+        result.setMaxAliasesForCollections(Integer.MAX_VALUE);

Review Comment:
   Could we add a unit test for `YamlEngine.unmarshal`? When `maxAliasesForCollections` is not overwritten, it'll throw an exception.
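
The following is an added example illustrating both review points above (a bounded `maxAliasesForCollections` and a unit test that checks the bound); it is not code from the ShardingSphere PR or project. It assumes SnakeYAML 2.x (`SafeConstructor(LoaderOptions)`) and JUnit 5 on the classpath. The class name `BoundedAliasYamlTest`, the constant `MAX_COLLECTION_ALIASES`, and the helpers `createBoundedLoader` and `documentWithCollectionAliases` are my own; the test drives a plain `Yaml` instance rather than `YamlEngine.unmarshal`, whose signature is not shown on this page.

```java
// Added example, not part of the PR: a SnakeYAML loader that keeps the
// alias-count guard enabled (cap of 1000, the value proposed in review)
// plus a JUnit 5 test proving the cap is enforced.
// Assumes SnakeYAML 2.x and JUnit 5 (hypothetical test class, not the project's).
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.List;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

class BoundedAliasYamlTest {

    /** Upper bound on aliases that point at non-scalar (collection) nodes. */
    static final int MAX_COLLECTION_ALIASES = 1000;

    /**
     * Builds a loader with a finite alias cap. Setting Integer.MAX_VALUE here would
     * disable SnakeYAML's protection against alias-expansion documents entirely.
     */
    static Yaml createBoundedLoader() {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(MAX_COLLECTION_ALIASES);
        return new Yaml(new SafeConstructor(options));
    }

    /**
     * Constructed test input: one anchored sequence referenced by aliasCount aliases.
     * Only aliases to collections count toward the limit; scalar aliases do not.
     */
    static String documentWithCollectionAliases(int aliasCount) {
        StringBuilder yaml = new StringBuilder("base: &b [1, 2]\nrefs:\n");
        for (int i = 0; i < aliasCount; i++) {
            yaml.append("  - *b\n");
        }
        return yaml.toString();
    }

    @Test
    void loadsDocumentWithinTheLimit() {
        // Exactly MAX_COLLECTION_ALIASES aliases is still accepted (the check is "greater than").
        Map<String, Object> doc = createBoundedLoader()
            .load(documentWithCollectionAliases(MAX_COLLECTION_ALIASES));
        assertEquals(MAX_COLLECTION_ALIASES, ((List<?>) doc.get("refs")).size());
    }

    @Test
    void rejectsDocumentExceedingTheLimit() {
        // One alias over the cap: SnakeYAML's Composer aborts before building the graph.
        Yaml yaml = createBoundedLoader();
        YAMLException ex = assertThrows(YAMLException.class,
            () -> yaml.load(documentWithCollectionAliases(MAX_COLLECTION_ALIASES + 1)));
        assertTrue(ex.getMessage().contains("aliases"));
    }
}
```

The second test is the regression guard the review asks for: if someone later raises the cap back to `Integer.MAX_VALUE`, the over-limit document loads instead of throwing and the test fails. The input is deliberately linear in size (one alias per line) so the test stays cheap; it exercises the counter, not the expansion cost.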



##########
infra/util/src/main/java/org/apache/shardingsphere/infra/util/yaml/constructor/ShardingSphereYamlConstructor.java:
##########
@@ -49,6 +49,7 @@ public ShardingSphereYamlConstructor(final Class<?> 
rootClass) {
     
     private static LoaderOptions createLoaderOptions() {
         LoaderOptions result = new LoaderOptions();
+        result.setMaxAliasesForCollections(Integer.MAX_VALUE);

Review Comment:
   And could we disable anchors and aliases in snakeyaml?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
