Tree::resolve() leaves some references in place in certain cases #400
Comments
Thanks for reporting. References are notably unsafe; implementing an iterative resolve opens an attack vector to nasty attacks such as https://en.wikipedia.org/wiki/Billion_laughs_attack. I am envisioning adding a parameter specifying the max number of resolve levels (defaulting to 1, i.e. equivalent to the current behavior). With this, the user will be responsible for picking the appropriate risk level.
Consider the following document:
Tree::resolve() will result in:
Which is correct save for the unintended remaining '&a' reference. This happens whenever referenced nodes contain further references. As the reference instantiation process creates copies of the entire referenced sub-tree, including any references, there are now references that are not part of the list of anchors and references created at the start of resolve() and which is used to remove them at the end of resolve() - leaving out the 'newly created' references.
Workaround: call resolve() again (this will collect the additional 'newly created' references and delete them).
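A sketch of the behaviour reported in this issue and of the bounded multi-level resolve proposed in the maintainer's comment, added here as an illustration and not rapidyaml code. `Node`, `resolve_pass`, `resolve`, `max_levels`, `max_nodes` and `nested_anchors` are hypothetical names on a toy tree, and the node budget is an assumed extra guard that the thread does not mention.

```cpp
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Toy model, not rapidyaml's types: a node is a scalar, a sequence or an alias.
struct Node {
    std::string ref, val;        // ref non-empty: unresolved alias to that anchor; val: scalar
    std::vector<Node> children;  // sequence items
};
using Anchors = std::map<std::string, Node>;

// Counts all nodes in a subtree, or only the unresolved aliases when refs_only is set.
std::size_t count_nodes(const Node& n, bool refs_only) {
    std::size_t c = (!refs_only || !n.ref.empty()) ? 1 : 0;
    for (const Node& k : n.children) c += count_nodes(k, refs_only);
    return c;
}

// One pass: each alias present at pass start becomes a copy of its anchor's subtree.
// The copy is not descended into, so aliases nested inside it survive the pass.
void resolve_pass(Node& n, const Anchors& anchors, std::size_t& budget) {
    if (n.ref.empty()) {
        for (Node& k : n.children) resolve_pass(k, anchors, budget);
        return;
    }
    const Node& target = anchors.at(n.ref);
    std::size_t cost = count_nodes(target, false);
    if (cost > budget) throw std::length_error("alias expansion exceeds node budget");
    budget -= cost;
    n = target;  // deep copy, nested aliases included
}

// Runs at most max_levels passes and returns the number of aliases left unresolved.
std::size_t resolve(Node& root, const Anchors& anchors, unsigned max_levels, std::size_t max_nodes) {
    std::size_t budget = max_nodes;
    for (unsigned i = 0; i < max_levels && count_nodes(root, true) > 0; ++i)
        resolve_pass(root, anchors, budget);
    return count_nodes(root, true);
}
// Constructed sample: L0 is a scalar, each L<i> is a sequence of two aliases to L<i-1>.
Anchors nested_anchors(unsigned depth) {
    Anchors a{{"L0", Node{"", "x", {}}}};
    for (unsigned i = 1; i <= depth; ++i) {
        Node alias{"L" + std::to_string(i - 1), "", {}};
        a["L" + std::to_string(i)] = Node{"", "", {alias, alias}};
    }
    return a;
}
```

With `max_levels` set to 1 a nonzero return value tells the caller that copied aliases remain; a larger value resolves them, and the budget stops the doubling growth that deep nesting produces.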