[ https://issues.apache.org/jira/browse/SLING-11776?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Radu Cotescu closed SLING-11776.
--------------------------------

> Sling ResourceMerger may cause high cpu utilization
> ---------------------------------------------------
>
>                 Key: SLING-11776
>                 URL: https://issues.apache.org/jira/browse/SLING-11776
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: Resource Merger 1.4.0
>            Reporter: Sagar Miglani
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Resource Merger 1.4.2
>
>         Attachments: SLING-11776.patch, SLING-11776_test.patch, SLING-11776_with_logs.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> If a bogus path like the following is used, resource merger can consume a high amount of CPU and may lead to Denial of Service:
> {code:xml}
> /mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override
> {code}
> *Steps to reproduce*
> # Spawn an AEM author instance and log in
> # Open [http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override] OR use
> curl -u <user>:<pass> [http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override]
>
> In [MergingResourceProvider|https://github.com/apache/sling-org-apache-sling-resourcemerger/blob/master/src/main/java/org/apache/sling/resourcemerger/impl/MergingResourceProvider.java#L164-L174], we are calculating the relative path, which is just removing the merge root path from the actual path.
> And this relative path is used for finding the resources under it.
> e.g.: if path is {{/mnt/override/mnt/override/mnt/override/bin}} then relative path will be {{/mnt/override/mnt/override}}
> And because this relative path again starts with {{/mnt/override}}, again [MergingResourceProvider|https://github.com/apache/sling-org-apache-sling-resourcemerger/blob/master/src/main/java/org/apache/sling/resourcemerger/impl/MergingResourceProvider.java] will be picked and the same calls will be executed.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
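
The re-entry described in the report can be modelled and screened for with a small path check. This is an added example, not Sling's MergingResourceProvider code and not the fix shipped in Resource Merger 1.4.2. The class `MergeRootGuard`, its methods and the slash-collapsing step are hypothetical, and the sample paths are constructed.

```java
import java.util.List;

// Added illustration: a simplified model, not Sling's own implementation.
public class MergeRootGuard {

    // Merge root taken from the report; other deployments may mount others.
    static final String MERGE_ROOT = "/mnt/override";

    /** Strips one leading merge root; returns null if path is not under it. */
    static String relativePath(String path, String mergeRoot) {
        if (path.equals(mergeRoot)) {
            return "";
        }
        if (path.startsWith(mergeRoot + "/")) {
            return path.substring(mergeRoot.length());
        }
        return null;
    }

    /** Counts how many times the merge root can be stripped in succession. */
    static int nestingDepth(String path, String mergeRoot) {
        int depth = 0;
        String current = path;
        String rel;
        while ((rel = relativePath(current, mergeRoot)) != null) {
            depth++;
            current = rel;
        }
        return depth;
    }

    /** Guard: true when the relative path lands under the merge root again. */
    static boolean reentersMergeRoot(String path, String mergeRoot) {
        // Assumption: duplicate slashes are collapsed before matching.
        String normalized = path.replaceAll("/{2,}", "/");
        return nestingDepth(normalized, mergeRoot) > 1;
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        List<String> samples = List.of(
            "/mnt/override/apps/site/components/page",
            "/mnt/override/mnt/override/mnt/override/bin",
            "/content/site/en");
        for (String p : samples) {
            System.out.printf("%-45s depth=%d reject=%b%n",
                p, nestingDepth(p, MERGE_ROOT), reentersMergeRoot(p, MERGE_ROOT));
        }
    }
}
```

A depth above 1 means the stripped path would be handed back to the same provider, so a filter or log rule can key on `reentersMergeRoot` for instances still running Resource Merger 1.4.0.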