fix: prevent infinite loops in collection deserialization by skipping unexpected tokens (#5)

glucaci · web-flow · commit d1bab84cc8eb · 2026-01-05T17:19:45.000+01:00
diff --git a/src/Yamlify.SourceGenerator/YamlSourceGenerator.cs b/src/Yamlify.SourceGenerator/YamlSourceGenerator.cs
@@ -566,6 +566,8 @@ private static void GenerateReadMethod(StringBuilder sb, TypeToGenerate type, IR
         
         sb.AppendLine("            if (reader.TokenType != YamlTokenType.MappingStart)");
         sb.AppendLine("            {");
+        sb.AppendLine("                // Skip unexpected token to prevent infinite loops when reading collections");
+        sb.AppendLine("                reader.Skip();");
         sb.AppendLine("                return default;");
         sb.AppendLine("            }");
         sb.AppendLine();
@@ -2819,6 +2821,8 @@ private static void GenerateRootCollectionRead(StringBuilder sb, ITypeSymbol col
         
         sb.AppendLine("            if (reader.TokenType != YamlTokenType.SequenceStart)");
         sb.AppendLine("            {");
+        sb.AppendLine("                // Skip unexpected token to prevent infinite loops when reading collections");
+        sb.AppendLine("                reader.Skip();");
         sb.AppendLine("                return default;");
         sb.AppendLine("            }");
         sb.AppendLine();
@@ -2860,6 +2864,8 @@ private static void GenerateRootDictionaryRead(StringBuilder sb, ITypeSymbol dic
         
         sb.AppendLine("            if (reader.TokenType != YamlTokenType.MappingStart)");
         sb.AppendLine("            {");
+        sb.AppendLine("                // Skip unexpected token to prevent infinite loops when reading collections");
+        sb.AppendLine("                reader.Skip();");
         sb.AppendLine("                return default;");
         sb.AppendLine("            }");
         sb.AppendLine();
diff --git a/src/Yamlify/Reader/Utf8YamlReader.cs b/src/Yamlify/Reader/Utf8YamlReader.cs
@@ -587,6 +587,13 @@ public void Skip()
                 // Keep reading until we exit the current depth
             }
         }
+        else if (_tokenType is YamlTokenType.Scalar)
+        {
+            // For scalar values (including nulls like ~, null, Null, NULL), just advance to the next token
+            Read();
+        }
+        // For other tokens (end markers, etc.), do nothing - they're structural tokens
+        // that don't need to be skipped
     }
 }
 
diff --git a/test/Yamlify.Tests/Serialization/InfiniteLoopRegressionTests.cs b/test/Yamlify.Tests/Serialization/InfiniteLoopRegressionTests.cs

Original file line number	Diff line number	Diff line change
`@@ -587,6 +587,13 @@ public void Skip()`
`587`	`587`	`// Keep reading until we exit the current depth`
`588`	`588`	`}`
`589`	`589`	`}`
	`590`	`+ else if (_tokenType is YamlTokenType.Scalar)`
	`591`	`+ {`
	`592`	`+ // For scalar values (including nulls like ~, null, Null, NULL), just advance to the next token`
	`593`	`+ Read();`
	`594`	`+ }`
	`595`	`+ // For other tokens (end markers, etc.), do nothing - they're structural tokens`
	`596`	`+ // that don't need to be skipped`
`590`	`597`	`}`
`591`	`598`	`}`
`592`	`599`