Comments (5)
hoodie
commented on September 26, 2024
1
I think if this hasn't happened yet this lib should be subject to some fuzzing. I found an infinite loop in here once
from yaml-rust.
chyh1990
commented on September 26, 2024
1
Thanks to Rust's memory safe property, and this lib is written in pure Rust, it should be impossible to have memory problems like leaks and remote code executions.
It seems that no one have reported bugs panicking or blocking their program since last year, so I think this library can be marked as stable and production ready.
from yaml-rust.
dpc
commented on September 26, 2024
@dtolnay Maybe it should be mentioned on https://github.com/dtolnay/serde-yaml and in the docs, especially if it's a remote code execution.
from yaml-rust.
dtolnay
commented on September 26, 2024
This crate is 100% safe code outside of its dependency on linked-hash-map so I'm going to go with no remote code execution, or rather this would be more of a question for the linked-hash-map folks.
You're right serde_yaml should have propagated the same disclaimer -- fixed in dtolnay/serde-yaml@3ab6fd4.
from yaml-rust.
hoodie
commented on September 26, 2024
for completeness sake I'd like to add that leaks are not prevented by Rust, just data races, dangling pointers or things like use after free.
from yaml-rust.
Related Issues (20)
- Add support for YAML 1.1 HOT 1
- Support alternate line endings
- Bug in anchor handling? HOT 2
- Panic uninitialised linked hash map HOT 2
- can not part ref HOT 1
- Doesn't seem possible to iteratate over results HOT 3
- misleading? HOT 1
- is it wasm compatible? HOT 1
- Dupliacte keys are not detected as invalid YAML
- Add API to emit YAML strings (i.e. `need_quotes` and `escape_str`)
- tabs are not allowed as the first character of a block scalar
- `Parser` parses empty scalar as '~' HOT 1
- Support no-std with alloc crate
- Integration with google oss-fuzz fuzzing service
- Maintainers HOT 8
- unsafe-libyaml looks... unsafe? HOT 1
- Dynamically choosing a YAML document path? HOT 1
- `True` and `False` boolean literals seem to be parsed as strings HOT 2
- Is this crate maintained? HOT 4
- Read This First ~ Switch to the actively maintained yaml-rust2 fork
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from yaml-rust.