Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigate Billion Laughs vulnerability #1038

Merged
merged 1 commit into from
May 18, 2021
Merged

Mitigate Billion Laughs vulnerability #1038

merged 1 commit into from
May 18, 2021

Conversation

angelozerr
Copy link
Contributor

@angelozerr angelozerr commented May 18, 2021
edited
Loading

@angelozerr
Copy link
Contributor Author

This PR should fix the redhat-developer/vscode-xml#476 issue but I need

  • to write tests
  • try to report the error (because as it's a fatal error it breaks the validation without reporting the error, why?)

@fbricon fbricon added the bug Something isn't working label May 18, 2021
@fbricon
Copy link
Contributor

fbricon commented May 18, 2021

I can see the error
Screenshot 2021-05-18 at 11 53 07

@fbricon fbricon changed the title Billion Laughs causes extension to consume all cpu and die Mitigate Billion Laughs vulnerability May 18, 2021
@angelozerr
Copy link
Contributor Author

I can see the error

My issue was with Eclipse IDE. Now it works I select the entity which causes the problem.

@angelozerr angelozerr marked this pull request as ready for review May 18, 2021 12:36
@datho7561
Copy link
Contributor

You can still freeze the language server if you do the following:

  1. Open the document
  2. Comment out the definition of &lol; in the DOCTYPE
  3. Uncomment the definition of &lol;
  4. If you attempt to revalidate, it the language server will be unresponsive, with no error messages on the output

@rgrunber
Copy link
Contributor

I'm seeing similar behaviour. The patch works when resolving entities is enabled. When one disables it, the CPU still goes to 100% for the process.

Suspending the thread that seems to be spinning generally yields :

Daemon Thread [ForkJoinPool.commonPool-worker-3] (Suspended)	
	XMLEntityManager.startEntity(String, boolean) line: not available	
	XMLNSDocumentScannerImpl(XMLDocumentFragmentScannerImpl).scanEntityReference() line: not available	
	XMLNSDocumentScannerImpl$NSContentDispatcher(XMLDocumentFragmentScannerImpl$FragmentContentDispatcher).dispatch(boolean) line: not available	
	XMLNSDocumentScannerImpl(XMLDocumentFragmentScannerImpl).scanDocument(boolean) line: not available	
	LSPXMLParserConfiguration(XML11Configuration).parse(boolean) line: not available	
	LSPXMLParserConfiguration(XML11Configuration).parse(XMLInputSource) line: not available	
	LSPSAXParser(XMLParser).parse(XMLInputSource) line: not available	
	LSPSAXParser(AbstractSAXParser).parse(InputSource) line: not available	
	XMLValidator.parseXML(String, String, SAXParser) line: 293	
	XMLValidator.doDiagnostics(DOMDocument, XMLEntityResolver, List<Diagnostic>, XMLValidationSettings, ContentModelManager, CancelChecker) line: 123	
	ContentModelDiagnosticsParticipant.doDiagnostics(DOMDocument, List<Diagnostic>, XMLValidationSettings, CancelChecker) line: 50	
	XMLDiagnostics.doExtensionsDiagnostics(DOMDocument, List<Diagnostic>, XMLValidationSettings, CancelChecker) line: 64	
	XMLDiagnostics.doDiagnostics(DOMDocument, XMLValidationSettings, CancelChecker) line: 46	
	XMLLanguageService.doDiagnostics(DOMDocument, XMLValidationSettings, CancelChecker) line: 162	
	XMLLanguageService.publishDiagnostics(DOMDocument, Consumer<PublishDiagnosticsParams>, Consumer<TextDocument>, XMLValidationSettings, CancelChecker) line: 171	
	XMLTextDocumentService.validate(DOMDocument) line: 521	
	XMLTextDocumentService.lambda$triggerValidationFor$26(DOMDocument) line: 514	
	0x0000000800c9eab0.accept(Object) line: not available	
	CompletableFuture$UniAccept<T>.tryFire(int) line: 714	
	CompletableFuture$UniAccept<T>(CompletableFuture$Completion).exec() line: 479	
	CompletableFuture$UniAccept<T>(ForkJoinTask<V>).doExec() line: 295	
	ForkJoinPool$WorkQueue.topLevelExec(ForkJoinTask<?>, WorkQueue, int) line: 1016	
	ForkJoinPool.scan(ForkJoinPool$WorkQueue, int) line: 1665	
	ForkJoinPool.runWorker(ForkJoinPool$WorkQueue) line: 1598	
	ForkJoinWorkerThread.run() line: 183

I was also able to reproduce this a few times without this patch, even when I could clearly see that entity resolution was being passed in as false.

@angelozerr
Copy link
Contributor Author

I'm seeing similar behaviour. The patch works when resolving entities is enabled. When one disables it, the CPU still goes to 100% for the process.

Good catch! It should work now.

@datho7561 could you tell me if it is working with your usecase plase.

@angelozerr angelozerr mentioned this pull request May 18, 2021
Closed
datho7561
datho7561 approved these changes May 18, 2021
View reviewed changes
...inx/src/main/java/org/eclipse/lemminx/extensions/contentmodel/participants/DTDErrorCode.java
@@ -20,6 +20,7 @@
import org.apache.xerces.xni.XMLLocator;
import org.eclipse.lemminx.commons.BadLocationException;
import org.eclipse.lemminx.dom.DOMDocument;
import org.eclipse.lemminx.dom.DOMDocumentType;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This class is not used

@datho7561 datho7561 merged commit 8c4f23f into eclipse:master May 18, 2021
@datho7561 datho7561 added this to the 0.16.2 milestone May 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fbricon fbricon fbricon left review comments

@datho7561 datho7561 datho7561 approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
0.16.2
Development

Successfully merging this pull request may close these issues.

Billion Laughs causes extension to consume all cpu and die
4 participants
@angelozerr @fbricon @datho7561 @rgrunber