Closed
Labels
model: About the data model
Description
With the latest release versions of SnakeYaml, the YML parser used by ORT, it is no longer possible to parse ORT files larger than 3 MB in size.
The symptom is an exception similar to this:
com.fasterxml.jackson.databind.JsonMappingException: The incoming YAML document exceeds the limit: 3145728 code points.
Caused by: com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException: The incoming YAML document exceeds the limit: 3145728 code points.
 at [Source: (BufferedInputStream); line: 83202, column: 17]
	at com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:409)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:308)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:176)
	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:313)
	... 89 more
Caused by: org.yaml.snakeyaml.error.YAMLException: The incoming YAML document exceeds the limit: 3145728 code points.
	at org.yaml.snakeyaml.scanner.ScannerImpl.fetchMoreTokens(ScannerImpl.java:335)
	at org.yaml.snakeyaml.scanner.ScannerImpl.checkToken(ScannerImpl.java:256)
	at org.yaml.snakeyaml.parser.ParserImpl$ParseBlockMappingValue.produce(ParserImpl.java:680)
	at org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:171)
	at org.yaml.snakeyaml.parser.ParserImpl.getEvent(ParserImpl.java:181)
	at com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:403)
	... 93 more
The problem seems to be introduced as part of the fix for CVE-2022-25857.
There is currently no other workaround except fixing the snakeyaml version to 1.30.
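The limit in the exception above is a configurable loader option in later library releases. The following is an added example, not code from the issue or from ORT: it assumes SnakeYAML 1.32 or later and jackson-dataformat-yaml 2.14 or later, and the class name, `RAISED_LIMIT` value and sample document are constructed for illustration. It raises the limit to an explicit bound for trusted files instead of removing the protection by pinning an older parser.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import org.yaml.snakeyaml.LoaderOptions;

public class CodePointLimitDemo {
    // Assumed ceiling for trusted result files; choose the smallest value
    // that fits real inputs so oversized documents are still rejected.
    static final int RAISED_LIMIT = 64 * 1024 * 1024;

    // Build a Jackson YAML mapper whose underlying SnakeYAML loader
    // accepts at most codePointLimit code points per document.
    static ObjectMapper yamlMapper(int codePointLimit) {
        LoaderOptions options = new LoaderOptions();
        options.setCodePointLimit(codePointLimit);
        YAMLFactory factory = YAMLFactory.builder().loaderOptions(options).build();
        return new ObjectMapper(factory);
    }

    // Constructed sample input: a YAML list that grows past minCodePoints.
    static String largeYaml(int minCodePoints) {
        StringBuilder sb = new StringBuilder("packages:\n");
        for (int i = 0; sb.length() < minCodePoints; i++) {
            sb.append("- id: \"Maven:com.example:artifact-").append(i).append(":1.0.0\"\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String yaml = largeYaml(4 * 1024 * 1024);

        // Same limit as in the reported exception (3145728 code points).
        try {
            yamlMapper(3 * 1024 * 1024).readTree(yaml);
            System.out.println("3 MiB limit: parsed");
        } catch (Exception e) {
            System.out.println("3 MiB limit: " + e.getMessage());
        }

        // Explicitly raised but still bounded limit.
        JsonNode root = yamlMapper(RAISED_LIMIT).readTree(yaml);
        System.out.println("raised limit: parsed " + root.get("packages").size() + " entries");
    }
}
```

The limit counts code points rather than bytes, so a UTF-8 file with multi-byte characters can be larger than 3 MB on disk and still parse.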