Jan Dubois
2ef934281e
Fix panic and OOM in repeatString for large repeat counts (#2644)
The existing check (count > 10 million) does not account for string
length. A 68-byte string repeated 35 trillion times passes the count
check but panics in strings.Repeat with "makeslice: len out of range".
Smaller counts (e.g. 10 million * 6-byte string = 60 MB) cause OOM on
memory-constrained environments like OSS-Fuzz (2560 MB limit).
Replace the count-only check with a result size check: the product of
string length and repeat count must not exceed 10 MiB. Use division
(len > limit/count) instead of multiplication (len*count > limit) to
avoid integer overflow — a large count can wrap the product to a
negative value, bypassing the guard entirely.
Fixes at least four OSS-Fuzz bugs found via Lima's FuzzEvaluateExpression:
https://issues.oss-fuzz.com/issues/418818862 (makeslice overflow)
https://issues.oss-fuzz.com/issues/422001683 (timeout from huge alloc)
https://issues.oss-fuzz.com/issues/383195001 (OOM, 3 GB allocation)
https://issues.oss-fuzz.com/issues/385180606 (OOM, 97 TB allocation)
Signed-off-by: Jan Dubois <jan@jandubois.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 18:22:46 +10:00
Mike Farah
2824d66a65
Multiply uses a readonly context #2558
2026-01-31 16:47:58 +11:00
Mike Farah
4bbffa9022
Fixed merge globbing wildcards in keys #2564
2026-01-31 15:44:50 +11:00
Mike Farah
20b5129120
Updating golanglint
2025-05-03 16:34:21 +10:00
Mike Farah
342efb23ff
Fixed panic on multiplying string by very large number #2211
2024-12-07 16:53:40 +11:00
Mike Farah
2201381235
Fixed multiply string by negative number panic #2211
2024-12-07 16:28:59 +11:00
Matt Benson
3b85cef340
support string X int multiplication as jq (#1988)
2024-03-22 20:44:49 +11:00
Mike Farah
3c3f1180d9
Cleaning up log message formats
2024-02-16 09:44:22 +11:00
Mike Farah
13d1bbb45f
Generic ast (#1829)
Remove dependency on yaml.Node for internal AST representation. Yaml decoder is now just another decoder.
2023-10-18 12:11:53 +11:00
Mike Farah
d7da0cca3c
Fixed value operator bug #1515
2023-01-12 15:11:45 +11:00
Mike Farah
9af55d555b
Fixed handling of merging null #1501
2023-01-10 13:48:57 +11:00
Hayama
9b47a29864
hotfix: fix panic multiply assign (#1257)
2022-06-25 12:08:52 +10:00
Mike Farah
72cdde78f6
Fixing issues found by codeql
2022-05-06 13:46:14 +10:00
Mike Farah
71706af3d4
String op can now run on custom types
2022-02-22 14:50:45 +11:00
Mike Farah
26356ff4be
Added github action fix for parsing xml, updated linter
2022-02-07 11:55:55 +11:00
Mike Farah
6e33132de9
Added support for *=
2022-01-22 16:40:17 +11:00
Mike Farah
a6c79f3410
Multiply, subtract with custom types
2022-01-22 16:12:59 +11:00
Mike Farah
8c94a96ee0
New merge flag (n) to only merge in new fields (#1038)
2022-01-15 15:48:34 +11:00
Matthieu MOREL
59752fb36d
enable more linters (#1043)
* enable revive linter
* enable gochecknoinits linter
* enable unconvert linter
* enable unparam linter
* enable asciicheck linter
* enable depguard linter
* enable nakedret linter
* enable megacheck linter
* enable nolintlint linter
* enable predeclared linter
* Update go.yml
* Update go.yml
2021-12-21 09:30:08 +11:00
Mike Farah
8c5d1e0252
gci linter
2021-11-26 20:24:21 +11:00
Matthieu MOREL
15d7c9e118
enable misspell linter
2021-11-25 22:01:30 +11:00
Mike Farah
b44fecdfa5
Added key operator
2021-11-24 09:57:35 +11:00
Mike Farah
33871bf007
Fixed header preprocessing!
2021-11-14 10:59:50 +11:00
Mike Farah
ed4d888bfa
Speed up multiply
2021-10-11 14:46:46 +11:00
Mike Farah
eea2c97cd8
Can process hex numbers
2021-09-02 15:26:44 +10:00
Mike Farah
4ba96d902b
Fixed document header/footer comment handling when merging
2021-08-17 09:54:12 +10:00
Mike Farah
eeac03a437
Fixed merging arrays with merge anchors #899
2021-07-22 20:58:58 +10:00
Mike Farah
d1b6a6fdd9
Fixed merge bug https://github.com/mikefarah/yq/issues/880
2021-07-07 14:29:24 +10:00
Mike Farah
25e0a824c5
Fixed alternative operator when LHS has empty matches
2021-04-13 10:53:46 +10:00
Mike Farah
21a9e506cb
Fixed merge comments
2021-03-19 12:54:03 +11:00
Mike Farah
81136ad57e
Arrays no longer deeply merge by default, like jq
2021-02-18 11:16:54 +11:00
Mike Farah
c4c8e5e7b0
Preserve comments on map keys
2021-02-11 10:58:40 +11:00
Mike Farah
c6efd5519b
Pass context through operators
Allows more sophisticated functionality
2021-02-11 10:58:40 +11:00
Mike Farah
6c14a80991
Fixed cross-function combinatorial bug
2021-02-11 10:58:40 +11:00
Mike Farah
76bd1896e9
wip
2021-02-11 10:58:40 +11:00
Mike Farah
c63801a8a5
thoughts
2021-02-11 10:58:40 +11:00
Mike Farah
f7cfdc29e1
cross function fix wip
2021-02-11 10:58:40 +11:00
Mike Farah
1a03031297
Don't use pointer for recursive prefs (avoid nil)
2021-02-11 10:58:40 +11:00
Mike Farah
2c7db0071a
Don't use pointer for multiply prefs (avoid nil)
2021-02-11 10:58:40 +11:00
Mike Farah
91c72d2d9e
Added merge if empty
2021-02-11 10:58:40 +11:00
Mike Farah
e86f83fb69
Renaming pathtree to expression
2021-02-11 10:58:40 +11:00
Mike Farah
b749973fe0
UnwrapDoc now private
2021-02-11 10:58:40 +11:00
Mike Farah
7518dac99c
Fixed creation of candidateNode in operators to include file metadata
2021-02-11 10:58:40 +11:00
Mike Farah
286590b01e
fixing exposed functions and interfaces
2021-02-11 10:58:40 +11:00
Mike Farah
2e81384eed
Can assign-update comments
2021-02-11 10:58:40 +11:00
Mike Farah
88663a6ce3
Added recurse keys operator
2020-12-28 11:24:42 +11:00
Mike Farah
f305e8fa12
Fixed delete full path
2020-12-22 11:45:51 +11:00
Mike Farah
c9dbf04da3
Added pipe and length docs, fix pipe precedence
2020-12-01 17:58:07 +11:00
Mike Farah
3a030651a3
Added append equals, merge append. Fixed creating numeric arrays
2020-11-28 11:24:16 +11:00
Mike Farah
3cecb4e383
wip
2020-11-28 10:41:09 +11:00