feat: add YAML anchors and aliases support to ClusterConfig

- Add resolveYAMLAnchors() function to process YAML anchors and aliases
- Include security protections against YAML bombs and excessive nesting
- Add comprehensive test coverage for functionality and security

Fixes #8270

Author: guessi

pkg/eks/api.go

@@ -212,18 +212,122 @@ func newAWSProvider(spec *api.ProviderConfig, configurationLoader AWSConfigurati
 	return provider, nil
 }
 
+// resolveYAMLAnchors processes YAML anchors and aliases, returning clean YAML
+// that can be safely parsed by strict unmarshaling. It removes the "aliases"
+// field commonly used for anchor definitions as it's not part of ClusterConfig schema.
+func resolveYAMLAnchors(data []byte) ([]byte, error) {
+	// Security: Limit input size to prevent memory exhaustion attacks
+	const maxInputSize = 1024 * 1024 // 1MB limit
+	if len(data) > maxInputSize {
+		return nil, fmt.Errorf("YAML input too large: %d bytes exceeds limit of %d bytes", len(data), maxInputSize)
+	}
+
+	// Security: Check for excessive nesting depth to prevent stack overflow
+	const maxNestingDepth = 5
+	if nestingDepth := countNestingDepth(data); nestingDepth > maxNestingDepth {
+		return nil, fmt.Errorf("YAML nesting too deep: %d levels exceeds limit of %d", nestingDepth, maxNestingDepth)
+	}
+
+	// Resolve YAML anchors and aliases by unmarshaling to interface{} first.
+	// This step processes any YAML anchors (&anchor) and aliases (*alias) in the input,
+	// expanding them to their full values.
+	var resolved interface{}
+	if err := yaml.Unmarshal(data, &resolved); err != nil {
+		return nil, err
+	}
+
+	// Marshal back to get resolved YAML without anchors/aliases
+	resolvedData, err := yaml.Marshal(resolved)
+	if err != nil {
+		return nil, err
+	}
+
+	// Security: Check for excessive expansion (YAML bomb protection)
+	const maxExpansionRatio = 5
+	if len(resolvedData) > len(data)*maxExpansionRatio {
+		return nil, fmt.Errorf("YAML expansion too large: %d bytes expanded from %d bytes (ratio: %d, limit: %d)",
+			len(resolvedData), len(data), len(resolvedData)/len(data), maxExpansionRatio)
+	}
+
+	// Remove any top-level fields that are not part of ClusterConfig schema.
+	// The "aliases" field is commonly used to define YAML anchors but is not
+	// a valid ClusterConfig field, so we filter it out after anchor resolution.
+	var temp map[string]interface{}
+	if err := yaml.Unmarshal(resolvedData, &temp); err != nil {
+		return nil, err
+	}
+
+	// Security: Remove any non-standard top-level fields that could bypass validation
+	allowedTopLevelFields := map[string]bool{
+		"apiVersion":              true,
+		"kind":                    true,
+		"metadata":                true,
+		"managedNodeGroups":       true,
+		"nodeGroups":              true,
+		"fargateProfiles":         true,
+		"vpc":                     true,
+		"iam":                     true,
+		"addons":                  true,
+		"privateCluster":          true,
+		"cloudWatch":              true,
+		"secretsEncryption":       true,
+		"kubernetesNetworkConfig": true,
+		"accessConfig":            true,
+	}
+
+	for field := range temp {
+		if !allowedTopLevelFields[field] {
+			delete(temp, field)
+		}
+	}
+
+	// Marshal back to clean YAML
+	return yaml.Marshal(temp)
+}
+
+// countNestingDepth estimates YAML nesting depth by counting indentation
+func countNestingDepth(data []byte) int {
+	lines := strings.Split(string(data), "\n")
+	maxDepth := 0
+	for _, line := range lines {
+		if strings.TrimSpace(line) == "" || strings.HasPrefix(strings.TrimSpace(line), "#") {
+			continue
+		}
+		depth := 0
+		for _, char := range line {
+			if char == ' ' {
+				depth++
+			} else if char == '\t' {
+				depth += 2 // Count tabs as 2 spaces
+			} else {
+				break
+			}
+		}
+		if depth/2 > maxDepth { // Assuming 2-space indentation
+			maxDepth = depth / 2
+		}
+	}
+	return maxDepth
+}
+
 // ParseConfig parses data into a ClusterConfig
 func ParseConfig(data []byte) (*api.ClusterConfig, error) {
+	// Resolve YAML anchors and aliases before parsing
+	cleanData, err := resolveYAMLAnchors(data)
+	if err != nil {
+		return nil, err
+	}
+
 	// strict mode is not available in runtime.Decode, so we use the parser
 	// directly; we don't store the resulting object, this is just the means
 	// of detecting any unknown keys
 	// NOTE: we must use sigs.k8s.io/yaml, as it behaves differently from
 	// github.com/ghodss/yaml, which didn't handle nested structs well
-	if err := yaml.UnmarshalStrict(data, &api.ClusterConfig{}); err != nil {
+	if err := yaml.UnmarshalStrict(cleanData, &api.ClusterConfig{}); err != nil {
 		return nil, err
 	}
 
-	obj, err := runtime.Decode(scheme.Codecs.UniversalDeserializer(), data)
+	obj, err := runtime.Decode(scheme.Codecs.UniversalDeserializer(), cleanData)
 	if err != nil {
 		return nil, err
 	}

pkg/eks/api_anchors_test.go

@@ -0,0 +1,116 @@
+package eks
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+)
+
+func TestYAMLAnchorsAndAliases(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "YAML Anchors and Aliases Suite")
+}
+
+var _ = Describe("ParseConfig with YAML anchors and aliases", func() {
+	BeforeEach(func() {
+		err := api.Register()
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("should parse ClusterConfig with YAML anchors and aliases", func() {
+		yamlWithAnchors := `---
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+aliases:
+  genericAttachPolicyARNs: &genericAttachPolicyARNs
+  - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
+  - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+
+  genericNodeGroupSettings: &genericNodeGroupSettings
+    minSize: 2
+    maxSize: 5
+    desiredCapacity: 2
+    volumeSize: 30
+    volumeType: gp3
+    instanceTypes:
+    - "t3a.small"
+    - "t3.small"
+
+metadata:
+  name: eks-demo
+  region: us-east-1
+
+managedNodeGroups:
+  - name: generic-1
+    <<: *genericNodeGroupSettings
+    iam:
+      attachPolicyARNs: *genericAttachPolicyARNs
+
+  - name: generic-2
+    <<: *genericNodeGroupSettings
+    iam:
+      attachPolicyARNs: *genericAttachPolicyARNs`
+
+		cfg, err := ParseConfig([]byte(yamlWithAnchors))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(cfg).NotTo(BeNil())
+		Expect(cfg.Metadata.Name).To(Equal("eks-demo"))
+		Expect(cfg.Metadata.Region).To(Equal("us-east-1"))
+		Expect(cfg.ManagedNodeGroups).To(HaveLen(2))
+
+		// Verify first node group
+		ng1 := cfg.ManagedNodeGroups[0]
+		Expect(ng1.Name).To(Equal("generic-1"))
+		Expect(*ng1.MinSize).To(Equal(2))
+		Expect(*ng1.MaxSize).To(Equal(5))
+		Expect(*ng1.DesiredCapacity).To(Equal(2))
+		Expect(*ng1.VolumeSize).To(Equal(30))
+		Expect(*ng1.VolumeType).To(Equal("gp3"))
+		Expect(ng1.InstanceTypes).To(Equal([]string{"t3a.small", "t3.small"}))
+		Expect(ng1.IAM.AttachPolicyARNs).To(Equal([]string{
+			"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+			"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+		}))
+
+		// Verify second node group has same settings
+		ng2 := cfg.ManagedNodeGroups[1]
+		Expect(ng2.Name).To(Equal("generic-2"))
+		Expect(*ng2.MinSize).To(Equal(2))
+		Expect(*ng2.MaxSize).To(Equal(5))
+		Expect(*ng2.DesiredCapacity).To(Equal(2))
+		Expect(*ng2.VolumeSize).To(Equal(30))
+		Expect(*ng2.VolumeType).To(Equal("gp3"))
+		Expect(ng2.InstanceTypes).To(Equal([]string{"t3a.small", "t3.small"}))
+		Expect(ng2.IAM.AttachPolicyARNs).To(Equal([]string{
+			"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+			"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+		}))
+	})
+
+	It("should reject YAML input that is too large", func() {
+		// Create a YAML that exceeds the 1MB limit
+		largeYAML := "apiVersion: eksctl.io/v1alpha5\nkind: ClusterConfig\nmetadata:\n  name: " + strings.Repeat("a", 1025*1024)
+		_, err := ParseConfig([]byte(largeYAML))
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("YAML input too large"))
+	})
+
+	It("should reject YAML with excessive nesting depth", func() {
+		// Create deeply nested YAML that exceeds the 5 level limit
+		deepYAML := "apiVersion: eksctl.io/v1alpha5\nkind: ClusterConfig\nmetadata:\n  name: test\n"
+		for i := 0; i < 7; i++ {
+			deepYAML += strings.Repeat("  ", i) + "level" + fmt.Sprintf("%d:\n", i)
+		}
+		deepYAML += strings.Repeat("  ", 7) + "value: deep"
+
+		_, err := ParseConfig([]byte(deepYAML))
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("YAML nesting too deep"))
+	})
+})