Abstract:
YAML is widely used for configuration files, infrastructure as code, documentation, and the configuration of DevOps tools. Its features and the corresponding specifications are extensive and complex. Various parsers are available for different programming languages; each has an individual feature set and unique properties, and supports one or more YAML versions. For these reasons, developing secure parsers is both difficult and important. We therefore analyzed twelve parsers systematically using automated tests in four categories: Functionality, Duplicate Keys, Denial-of-Service, and Integer Overflow. Our results show that every analyzed parser behaves differently across the tests, and problematic or critical behavior is revealed for all of them.
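To make the four test categories concrete, the following is an added illustration, not code from the paper or from any of the parsers it studies. It implements a deliberately tiny YAML subset parser (`StrictMiniYaml`, a constructed name) that refuses duplicate keys, bounds integers to the signed 64-bit range, and charges every alias expansion against a node budget so that a billion-laughs style document is rejected before it is materialised; a small harness (`run_probes`) then feeds one constructed probe document per category to the parser and records whether it accepted or refused each one. The probe documents, the node budget of 10,000 and the int64 policy are assumptions chosen for the example; a real parser would be substituted for the toy one by wrapping its load function so that its own exceptions map to `YamlProbeError`.

```python
import copy
import re

INT64_MIN, INT64_MAX = -2**63, 2**63 - 1


class YamlProbeError(ValueError):
    """Raised when the parser refuses a document (the outcome the probes record)."""


class StrictMiniYaml:
    """Constructed example parser for a tiny YAML subset (not a real library):
    one block mapping of 'key: value' lines; a value is a plain scalar, an integer,
    '&anchor value', '*alias', or a one-level flow sequence such as [80, *alias].
    Nested flow sequences and block sequences are not supported."""

    def __init__(self, max_nodes=10_000, int64_only=True):
        self.max_nodes = max_nodes      # hard cap on nodes materialised per document
        self.int64_only = int64_only    # reject integers outside the signed 64-bit range

    def parse(self, text):
        self.anchors, self.nodes = {}, 0
        mapping = {}
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = re.sub(r'(^|\s)#.*$', '', raw).strip()      # drop comments
            if not line:
                continue
            key, sep, value = line.partition(':')
            if not sep:
                raise YamlProbeError(f"line {lineno}: expected 'key: value'")
            key = key.strip()
            if key in mapping:                                  # Duplicate Keys category
                raise YamlProbeError(f"line {lineno}: duplicate key {key!r}")
            mapping[key] = self._value(value.strip(), lineno)
        return mapping

    def _value(self, value, lineno):
        anchor = None
        m = re.fullmatch(r'&(\w+)\s*(.*)', value)
        if m:
            anchor, value = m.group(1), m.group(2)
        if value.startswith('*'):
            node = self._alias(value[1:], lineno)
        elif value.startswith('['):
            if not value.endswith(']'):
                raise YamlProbeError(f"line {lineno}: unterminated flow sequence")
            inner = value[1:-1].strip()
            items = [s.strip() for s in inner.split(',')] if inner else []
            node = [self._value(item, lineno) for item in items]
            self._charge(1, lineno)
        else:
            node = self._scalar(value, lineno)
            self._charge(1, lineno)
        if anchor:
            self.anchors[anchor] = node
        return node

    def _alias(self, name, lineno):
        if name not in self.anchors:
            raise YamlProbeError(f"line {lineno}: unknown alias *{name}")
        target = self.anchors[name]
        # Denial-of-Service category: pay for the expansion *before* copying it.
        self._charge(self._size(target), lineno)
        return copy.deepcopy(target)

    def _scalar(self, value, lineno):
        if re.fullmatch(r'[-+]?\d+', value):                    # Integer Overflow category
            number = int(value)
            if self.int64_only and not INT64_MIN <= number <= INT64_MAX:
                raise YamlProbeError(f"line {lineno}: integer {value} exceeds int64")
            return number
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            return value[1:-1]
        return value

    def _charge(self, count, lineno):
        self.nodes += count
        if self.nodes > self.max_nodes:
            raise YamlProbeError(f"line {lineno}: node budget {self.max_nodes} exceeded")

    def _size(self, node):
        return 1 + sum(self._size(n) for n in node) if isinstance(node, list) else 1


def billion_laughs(levels=6, fanout=10):
    """Constructed alias-expansion document (the classic 'billion laughs' shape)."""
    names = 'abcdefghij'[:levels]
    lines = [f"{names[0]}: &{names[0]} [{', '.join(['lol'] * fanout)}]"]
    for prev, cur in zip(names, names[1:]):
        lines.append(f"{cur}: &{cur} [{', '.join(['*' + prev] * fanout)}]")
    return '\n'.join(lines) + '\n'


# One constructed probe document per category from the abstract.
PROBES = {
    "functionality": "name: demo\nports: [80, 443]\nlisten: &l 0.0.0.0\nbind: *l\n",
    "duplicate_keys": "name: alpha\nname: beta\n",
    "integer_overflow": f"limit: {INT64_MAX + 1}\n",
    "denial_of_service": billion_laughs(),
}


def run_probes(parser):
    """Run each probe and record whether the parser accepted or refused it."""
    outcomes = {}
    for category, doc in PROBES.items():
        try:
            parser.parse(doc)
            outcomes[category] = "accepted"
        except YamlProbeError as err:
            outcomes[category] = f"rejected ({err})"
    return outcomes


if __name__ == "__main__":
    for category, outcome in run_probes(StrictMiniYaml()).items():
        print(f"{category:18} {outcome}")
```

The point of charging the alias before copying is that the cost of a document is decided by the size of what an alias references, not by the size of the text; with ten-way fan-out the fourth level already exceeds a 10,000-node budget, so the parser refuses it after reading four short lines. Running the same harness against a lenient parser instance (`StrictMiniYaml(int64_only=False)`) records the integer probe as accepted, which is exactly the kind of per-parser behavioural difference the abstract describes.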