SnakeYaml loader options to allow configuration of CodePointLimit for YAML input files (#2407)

Co-authored-by: Stegen Smith <[email protected]>

Author: mslocrian

plugin/src/main/java/io/jenkins/plugins/casc/ConfigurationContext.java

@@ -17,13 +17,16 @@ public class ConfigurationContext implements ConfiguratorRegistry {
 
     public static final String CASC_YAML_MAX_ALIASES_ENV = "CASC_YAML_MAX_ALIASES";
     public static final String CASC_YAML_MAX_ALIASES_PROPERTY = "casc.yaml.max.aliases";
+    public static final String CASC_YAML_CODE_POINT_LIMIT_ENV = "CASC_YAML_CODE_POINT_LIMIT";
+    public static final String CASC_YAML_CODE_POINT_LIMIT_PROPERTY = "casc.yaml.code_point_limit";
     public static final String CASC_MERGE_STRATEGY_ENV = "CASC_MERGE_STRATEGY";
     public static final String CASC_MERGE_STRATEGY_PROPERTY = "casc.merge.strategy";
     private Deprecation deprecation = Deprecation.reject;
     private Restriction restriction = Restriction.reject;
     private Unknown unknown = Unknown.reject;
     private String mergeStrategy;
     private final transient int yamlMaxAliasesForCollections;
+    private final transient int yamlCodePointLimit;
 
     /**
      * the model-introspection model to be applied by configuration-as-code.
@@ -45,6 +48,8 @@ public ConfigurationContext(ConfiguratorRegistry registry) {
         this.registry = registry;
         String prop = getPropertyOrEnv(CASC_YAML_MAX_ALIASES_ENV, CASC_YAML_MAX_ALIASES_PROPERTY);
         yamlMaxAliasesForCollections = NumberUtils.toInt(prop, 50);
+        prop = getPropertyOrEnv(CASC_YAML_CODE_POINT_LIMIT_ENV, CASC_YAML_CODE_POINT_LIMIT_PROPERTY);
+        yamlCodePointLimit = NumberUtils.toInt(prop, 3) * 1024 * 1024;
         secretSourceResolver = new SecretSourceResolver(this);
         mergeStrategy = getPropertyOrEnv(CASC_MERGE_STRATEGY_ENV, CASC_MERGE_STRATEGY_PROPERTY);
     }
@@ -111,6 +116,10 @@ public int getYamlMaxAliasesForCollections() {
         return yamlMaxAliasesForCollections;
     }
 
+    public int getYamlCodePointLimit() {
+        return yamlCodePointLimit;
+    }
+
     // --- delegate methods for ConfigurationContext
 
     @Override

plugin/src/main/java/io/jenkins/plugins/casc/yaml/YamlUtils.java

@@ -56,6 +56,7 @@ public static Node merge(List<YamlSource> sources, ConfigurationContext context)
 
     public static Node read(YamlSource source, Reader reader, ConfigurationContext context) throws IOException {
         LoaderOptions loaderOptions = new LoaderOptions();
+        loaderOptions.setCodePointLimit(context.getYamlCodePointLimit());
         loaderOptions.setMaxAliasesForCollections(context.getYamlMaxAliasesForCollections());
         Composer composer = new Composer(
                 new ParserImpl(new StreamReaderWithSource(source, reader), loaderOptions),
@@ -112,6 +113,7 @@ public static Mapping loadFrom(List<YamlSource> sources, ConfigurationContext co
     private static Mapping loadFrom(Node node, ConfigurationContext context) {
         final LoaderOptions loaderOptions = new LoaderOptions();
         loaderOptions.setMaxAliasesForCollections(context.getYamlMaxAliasesForCollections());
+        loaderOptions.setCodePointLimit(context.getYamlCodePointLimit());
         final ModelConstructor constructor = new ModelConstructor(loaderOptions);
         constructor.setComposer(
                 new Composer(

test-harness/src/test/java/io/jenkins/plugins/casc/YamlCodePointLimitTest.java

@@ -0,0 +1,45 @@
+package io.jenkins.plugins.casc;
+
+import static org.junit.Assert.assertEquals;
+
+import io.jenkins.plugins.casc.misc.EnvVarsRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.contrib.java.lang.system.RestoreSystemProperties;
+import org.junit.rules.RuleChain;
+import org.jvnet.hudson.test.JenkinsRule;
+
+public class YamlCodePointLimitTest {
+
+    private JenkinsRule j;
+
+    private EnvVarsRule env;
+
+    @Rule
+    public RuleChain rc = RuleChain.outerRule(env = new EnvVarsRule())
+            .around(new RestoreSystemProperties())
+            .around(j = new JenkinsRule());
+
+    @Test
+    public void testCodePointLimitSetFifty() throws ConfiguratorException {
+        System.setProperty(ConfigurationContext.CASC_YAML_CODE_POINT_LIMIT_PROPERTY, "50");
+        ConfiguratorRegistry registry = ConfiguratorRegistry.get();
+        ConfigurationContext context = new ConfigurationContext(registry);
+        assertEquals(50 * 1024 * 1024, context.getYamlCodePointLimit());
+    }
+
+    @Test
+    public void invalidCodePointLimitSetToDefault() throws ConfiguratorException {
+        System.setProperty(ConfigurationContext.CASC_YAML_CODE_POINT_LIMIT_PROPERTY, "HELLO");
+        ConfiguratorRegistry registry = ConfiguratorRegistry.get();
+        ConfigurationContext context = new ConfigurationContext(registry);
+        assertEquals(3 * 1024 * 1024, context.getYamlCodePointLimit());
+    }
+
+    @Test
+    public void defaultCodePointLimit() throws ConfiguratorException {
+        ConfiguratorRegistry registry = ConfiguratorRegistry.get();
+        ConfigurationContext context = new ConfigurationContext(registry);
+        assertEquals(3 * 1024 * 1024, context.getYamlCodePointLimit());
+    }
+}