Serde_yml bug which causes a panic

Hi all, I have encountered a bug with serde_yml crate, but it appears their repo has issues turned off, only pull requests. I have created a project which demonstrates the panic if anyone wants to take a look. I'll take recommendations, but for now putting it here for visibility. The gist of it is, this panics:

You can find full project at: a repo I created

// Imports and the `Test` struct were not in the original snippet; they are
// assumed (serde derives, tokio::fs for the `.await`ed file calls).
use serde::{Deserialize, Serialize};
use tokio::fs;

#[derive(Serialize, Deserialize, Debug)]
pub struct Test {
    pub content: String,
}

pub async fn demo_panic() -> Result<(), Box<dyn std::error::Error>> {
    use serde_yml::Value;

    let t = Test {
        // NOTE: the amount of spaces at the end matters
        content: "\n    a {\n        ".into(),
    };

    // create the file with the failing string
    // ensure to deserialize using serde_yml
    fs::write("./generated-test.yaml", serde_yml::to_string(&t)?).await?;
    let bad_file = fs::read("./generated-test.yaml").await?;
    println!("attempt to deserialize Test");

    // PANICS //
    let _: Result<Test, _> = serde_yml::from_slice(&bad_file);
    println!("attempt to deserialize serde_yml::Value");

    // PANICS //
    let _: Result<Value, _> = serde_yml::from_slice(&bad_file);
    Ok(())
}

Using the archived serde_yaml crate instead works. Playground. Running the same snippet with serde_yml on my local machine gives the following panic:

thread 'main' panicked at /home/masterusr/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libyml-0.0.5/src/scanner.rs:2798:17:
String join would overflow memory bounds

If I replace the escaped \ns in the yaml file with real line breaks, the code compiles fine. This looks like a bug in the serde_yml crate to me and I believe you should open an issue with them... or not, given that they disabled their issues on GitHub. Edit: re-reading your post I see that you already looked at that option.
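A deserializer that panics on well-formed input is a denial-of-service vector for any service that parses untrusted YAML, so the defensive step is to keep such a panic from unwinding through the whole thread. The following is an added example, not code from the thread or from serde_yml: it wraps a parser call in `catch_unwind` so a panic is reported as an `Err`. The `stand_in_parser` and its trigger condition are constructed to mimic the reported failure and are not libyml's code; it only works under the default `panic = "unwind"` strategy.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Run `parse` over untrusted input and turn any panic it raises into an
/// `Err`, so a bug in the parser cannot take down the calling thread.
/// With `panic = "abort"` nothing can be caught, so check your profile.
pub fn parse_guarded<T, E, F>(input: &[u8], parse: F) -> Result<T, String>
where
    F: FnOnce(&[u8]) -> Result<T, E>,
    E: std::fmt::Display,
{
    match catch_unwind(AssertUnwindSafe(|| parse(input))) {
        Ok(Ok(value)) => Ok(value),
        Ok(Err(e)) => Err(format!("parse error: {e}")),
        Err(payload) => {
            // Panic payloads are normally a &str or a String.
            let msg = payload
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| payload.downcast_ref::<String>().cloned())
                .unwrap_or_else(|| "non-string panic payload".to_string());
            Err(format!("deserializer panicked: {msg}"))
        }
    }
}

/// Constructed stand-in for the buggy scanner (NOT libyml): it panics when a
/// quoted scalar has an escaped "\n" followed only by spaces up to the closing
/// quote, which is the shape of the trigger in the thread.
pub fn stand_in_parser(input: &[u8]) -> Result<String, std::str::Utf8Error> {
    let doc = std::str::from_utf8(input)?;
    if let Some(pos) = doc.rfind("\\n") {
        let rest = &doc[pos + 2..];
        if let Some(q) = rest.find('"') {
            let gap = &rest[..q];
            if !gap.is_empty() && gap.chars().all(|c| c == ' ') {
                panic!("String join would overflow memory bounds");
            }
        }
    }
    Ok(doc.to_string())
}

fn main() {
    // Constructed document: what serde_yml::to_string(&t) emits for the snippet.
    let bad = b"content: \"\\n    a {\\n        \"\n";
    println!("{:?}", parse_guarded(bad, stand_in_parser));
}
```

The default panic hook still prints the panic message to stderr; install a quieter hook with `std::panic::set_hook` if that noise matters in production logs.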

Thanks for taking a look! I figured out that the repo supports bug reports. Filed it here: Panic on valid input · Issue #9845 · rust-lang/crates.io · GitHub

Thought I'd close the loop.

The repository you filed that bug report in is for the crates.io website itself, not for projects listed on crates.io. The developers there have no involvement with serde-yml.


The repo of the crate itself does not support bug reports. This should be a red flag for using it.


serde_yml is a borderline malicious pile of AI-generated garbage, btw.


Can you please provide a bit more detail on why this is malicious? I'm using it on some projects and would like to understand more.


And a number of other posts in that thread.
Also the fact that serde_yml repo has issues disabled entirely at this point.


Thanks for the feedback on the serde_yml repo. I'll have to rip the thing out of my code now. That discussion is alarming. I wish I would've known this before using it.

I did not realize that I created an issue for something totally different. I was trying to figure out how to file a bug report. I forgot to update the thread.

Again, thanks for the feedback on this @conqp. I really need to find a good replacement, and that may be the serde_yaml crate for now.