From cd7c41308ef982e17cb8ea280e19bf025837a113 Mon Sep 17 00:00:00 2001
From: Yorke Rhodes
Date: Wed, 8 Jan 2025 13:50:15 -0500
Subject: [PATCH] fix: yaml resource exhaustion (#5127)
### Description
Fixes
```
ReferenceError: Excessive alias count indicates a resource exhaustion attack
```
See https://stackoverflow.com/questions/63075256/why-does-the-npm-yaml-library-have-a-max-alias-number
### Backward compatibility
Yes
### Testing
Manual
---
 .changeset/shaggy-dolphins-wink.md | 5 +++++
 typescript/cli/src/utils/files.ts | 14 ++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/shaggy-dolphins-wink.md
diff --git a/.changeset/shaggy-dolphins-wink.md b/.changeset/shaggy-dolphins-wink.md
new file mode 100644
index 0000000000..b79c38f33a
--- /dev/null
+++ b/.changeset/shaggy-dolphins-wink.md
@@ -0,0 +1,5 @@
+---
+"@hyperlane-xyz/cli": patch
+---
+
+Fix yaml resource exhaustion
diff --git a/typescript/cli/src/utils/files.ts b/typescript/cli/src/utils/files.ts
index 50f56d1b77..b067963d8c 100644
--- a/typescript/cli/src/utils/files.ts
+++ b/typescript/cli/src/utils/files.ts
@@ -4,9 +4,12 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import {
+  DocumentOptions,
   LineCounter,
+  ParseOptions,
+  SchemaOptions,
+  ToJSOptions,
   parse,
-  parse as yamlParse,
   stringify as yamlStringify,
 } from 'yaml';
 
@@ -14,6 +17,13 @@ import { objMerge } from '@hyperlane-xyz/utils';
 
 import { log } from '../logger.js';
 
+const yamlParse = (
+  content: string,
+  options?: ParseOptions & DocumentOptions & SchemaOptions & ToJSOptions,
+) =>
+  // See stackoverflow.com/questions/63075256/why-does-the-npm-yaml-library-have-a-max-alias-number
+  parse(content, { maxAliasCount: -1, ...options });
+
 export const MAX_READ_LINE_OUTPUT = 250;
 
 export type FileFormat = 'yaml' | 'json';
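Review bot: `maxAliasCount: -1` in the new `yamlParse` helper switches the yaml library's alias-count check off entirely instead of raising it, so the guard that the quoted "resource exhaustion attack" error comes from no longer applies to anything parsed through this helper; if, as its name suggests, it is the path used for YAML files read from disk, a small document with nested anchors can then expand without bound. A large but finite limit keeps that protection while admitting the legitimate documents that tripped the default, for example (values chosen for illustration) `const MAX_YAML_ALIAS_COUNT = 10_000; // raised above yaml's default; -1 would disable the expansion guard` and `parse(content, { maxAliasCount: MAX_YAML_ALIAS_COUNT, ...options })`, and since `options` is spread last a caller can still override it per call. The helper would also benefit from a short doc comment stating that trade-off, because the stackoverflow link explains the symptom but not why the limit is changed. The same point applies to the later hunk that moves `logYamlIfUnderMaxLines` onto `yamlParse`, though the risk there is lower because the input is a string the function itself just produced with `yamlStringify`; that function begins before its hunk.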
@@ -250,7 +260,7 @@ export function logYamlIfUnderMaxLines(
 ): void {
   const asYamlString = yamlStringify(obj, null, margin);
   const lineCounter = new LineCounter();
-  parse(asYamlString, { lineCounter });
+  yamlParse(asYamlString, { lineCounter });
   log(lineCounter.lineStarts.length < maxLines ? asYamlString : '');
 }
 