Warning about DoS attacks at parsing CUE #158

Open
cueckoo opened this issue Jul 3, 2021 · 4 comments
Comments

@cueckoo
Collaborator

cueckoo commented Jul 3, 2021

Originally opened by @tredoe in cuelang/cue#158

Could CUE be vulnerable to a DoS attack like the "Billion Laughs" one discovered recently in go-yaml?

kubernetes/kubernetes#83253

@cueckoo
Collaborator Author

cueckoo commented Jul 3, 2021

Original reply by @rogpeppe in cuelang/cue#158 (comment)

Yes, it's definitely vulnerable to that kind of expansion attack.

@cueckoo
Collaborator Author

cueckoo commented Jul 3, 2021

Original reply by @rogpeppe in cuelang/cue#158 (comment)

Note that this isn't an issue when parsing CUE, only when exporting values from it.

@cueckoo
Collaborator Author

cueckoo commented Jul 3, 2021

Original reply by @myitcv in cuelang/cue#158 (comment)

Per cue help filetypes there is a solution here:

The following tags can be used in qualifiers to further
influence input or output. For input these act as
restrictions, validating the input. For output these act
as filters, showing only the requested data and picking
defaults as requested.

    Tag         Description
    data        Require concrete input and output that does
                not require any evaluation.
    graph       Like data, but allow references.
    schema      Export data and definitions.

e.g.

# Data is always allowed
exec cue eval cue+data: data.cue
exec cue eval cue+graph: data.cue
exec cue eval cue+schema: data.cue

# References are not allowed in data mode
! exec cue eval cue+data: reference.cue
stderr 'references not allowed in data mode'
exec cue eval cue+graph: reference.cue
exec cue eval cue+schema: reference.cue

# Expressions are not allowed in data or graph modes
! exec cue eval cue+data: expression.cue
stderr 'expressions not allowed in data mode'
! exec cue eval cue+graph: expression.cue
stderr 'expressions not allowed in graph mode'
exec cue eval cue+schema: expression.cue

# Definitions are not allowed in data or graph modes
! exec cue eval cue+data: definitions.cue
stderr 'definitions not allowed in data mode'
! exec cue eval cue+graph: definitions.cue
stderr 'definitions not allowed in graph mode'
exec cue eval cue+schema: definitions.cue


-- data.cue --
l: [1, 2, 3, 4, 5]
-- expression.cue --
for _, v in [1, 2, 3, 4, 5] {
	"\(v)": v
}
-- definitions.cue --
#Def: {
	name: string
}
-- reference.cue --
l: [1, 2, 3, 4, 5]
l2: l

That said, I think these docs could be better surfaced because I missed this until it was pointed out by @mpvl!
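To make the two points in the thread concrete (parsing is cheap, expansion happens on export, and the `cue+data:` qualifier from `cue help filetypes` rejects the file before any evaluation), here is an added shell example. It is not code from the CUE project or from anyone in this thread. It generates a "billion laughs"-style CUE file in which each level references the previous one a fixed number of times, computes how many leaf copies a full expansion would contain, and, only if a `cue` binary is on PATH, runs the export and the data-mode check. The function names `gen_laughs`, `leaf_count` and `run_demo` are this example's own, and whether a given CUE release actually materialises the expansion on export depends on its structure sharing (#804), so treat the export step as an illustration rather than a guaranteed blow-up.

```shell
#!/bin/sh
# Added example (not code from the CUE project or from this thread).
# Builds a "billion laughs"-style CUE file: level l<i> references level
# l<i-1> FANOUT times, so the source stays at DEPTH+1 lines while a naive
# export materialises FANOUT^DEPTH copies of the leaf. Parsing the file is
# cheap either way; per the thread, only export/eval of the referenced
# values expands, and whether a given CUE release really does so depends
# on its structure sharing (cue-lang/cue#804).

# gen_laughs DEPTH FANOUT: print the CUE source on stdout.
gen_laughs() {
    depth=$1
    fanout=$2
    echo 'l0: {lol: "lol"}'
    i=1
    while [ "$i" -le "$depth" ]; do
        line="l$i: {"
        j=0
        while [ "$j" -lt "$fanout" ]; do
            if [ "$j" -gt 0 ]; then
                line="$line, "
            fi
            line="${line}f$j: l$((i - 1))"
            j=$((j + 1))
        done
        echo "$line}"
        i=$((i + 1))
    done
}

# leaf_count DEPTH FANOUT: number of leaf copies a full expansion yields
# (FANOUT to the power DEPTH).
leaf_count() {
    n=1
    k=0
    while [ "$k" -lt "$1" ]; do
        n=$((n * $2))
        k=$((k + 1))
    done
    echo "$n"
}

# run_demo: writes a small instance (4^4 = 256 leaves, safe to expand) and,
# if the cue binary is on PATH, shows the two behaviours from the thread:
#   - plain export follows the references and expands them;
#   - the cue+data: qualifier rejects the file outright, so untrusted
#     input can be accepted as data before any evaluation happens.
run_demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/laughs.XXXXXX")
    f="$d/laughs.cue"          # cue picks the file type from the extension
    gen_laughs 4 4 > "$f"
    echo "source lines: $(grep -c '^l' "$f"), leaves on export: $(leaf_count 4 4)"
    if ! command -v cue >/dev/null 2>&1; then
        echo "cue not installed; skipping live demo"
        rm -rf "$d"
        return 0
    fi
    # Export of the deepest level: the output is far larger than the input.
    cue export -e l4 "$f" | wc -c
    # Data mode: references are not allowed, so the file is rejected.
    if cue eval "cue+data:" "$f" >/dev/null 2>&1; then
        echo "unexpected: data mode accepted a file with references"
        rm -rf "$d"
        return 1
    fi
    echo "cue+data: rejected the references, as the filetypes help describes"
    rm -rf "$d"
}

# Usage: run_demo. Scaling to gen_laughs 9 10 gives a 10-line file whose
# full export would carry a billion leaves; do not export that one.
```

The practical takeaway is the order of operations: decide what the input is allowed to be (data, graph, or schema) before handing it to the evaluator, because the size of the parsed file tells you nothing about the size of its exported value.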

@myitcv
Member

myitcv commented May 19, 2022

For reference (linking to a previous answer by @mpvl) please see the section "Structure Sharing" on how this type of attack can be handled by CUE: #804

ptMcGit pushed a commit to ptMcGit/cue that referenced this issue Jan 22, 2023
@myitcv myitcv added the zGarden label Jun 15, 2023
@mvdan mvdan removed the zGarden label Feb 8, 2024