[ https://issues.apache.org/jira/browse/CONFIGURATION-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576197#comment-17576197 ]
Gilles Sadowski commented on CONFIGURATION-819:
-----------------------------------------------
bq. What do others think?
So this is the error:
{noformat}
Java Exception: org.yaml.snakeyaml.error.YAMLException: invalid string value has occurred
{noformat}
TL;DR; but it seems that the caller says "Here is a YAML string" and the YAML
implementation replies "No, it's not". How is it different, in principle, from
"Here is a non-null reference", and the JVM replying with NPE if it is, in
fact, null?

I don't agree with the patch, because the cause of the error is *not* an I/O
issue; it is a programming error (on the part of the caller).

The original exception _is-a_ {{RuntimeException}} as it should (as per J.
Bloch's "Effective Java"...): There is no reason to wrap it in a checked exception.
> Uncaught snakeyaml.error.YAMLException in YAMLConfiguration.write
> -----------------------------------------------------------------
>
> Key: CONFIGURATION-819
> URL: https://issues.apache.org/jira/browse/CONFIGURATION-819
> Project: Commons Configuration
> Issue Type: Bug
> Reporter: Weber Jo
> Priority: Major
> Attachments: 48192.patch,
> clusterfuzz-testcase-YAMLConfigurationWriteFuzzer-5634459279425536,
> clusterfuzz-testcase-minimized-YAMLConfigurationWriteFuzzer-5634459279425536,
> stacktrace.txt
>
>
> When executing YAMLConfiguration.write with malformed input, there is the
> possibility to receive a snakeyaml.error.YAMLException which does not get
> caught and leads to a crash.
> This was found through OSS-Fuzz ([Crash
> #48192|https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48192]).
> I attached the stacktrace and the crashing inputs.
> Furthermore, I attached a possible fix that suppresses the given crashing
> inputs.
> It passes all unit tests, but I am not sure if it fits your code standards or if
> you want to catch the exception earlier (as in YAMLConfiguration.dump)