[ https://issues.apache.org/jira/browse/XERCESJ-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17761872#comment-17761872 ]
shuailingliang commented on XERCESJ-1759:
-----------------------------------------

The service with a heap size of 250M is just an example I gave; the actual business runs with a larger configuration than this. Parsing an XML file of similar size, shallow depth, but with the same number of elements takes up about the same amount of memory, but an XML file of the same size without closing tags can construct more elements, thus taking up more memory. And as you said, this also increases the risk of stack overflow. We want to prevent this problem by limiting the element depth; the JDK has a similar implementation, and I hope Xerces can also provide it.

!image-2023-09-05-01-37-14-363.png!

> Parsing xml cannot limit the maximum element depth, resulting in excessive
> memory usage and DOS.
> ------------------------------------------------------------------------------------------------
>
>                 Key: XERCESJ-1759
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1759
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: JAXP (javax.xml.parsers), JAXP (javax.xml.validation)
>    Affects Versions: 2.12.2
>            Reporter: shuailingliang
>            Priority: Major
>              Labels: security
>         Attachments: image-2023-09-05-01-37-14-363.png
>
>
> When parsing an XML file similar to the following by calling the
> javax.xml.parsers.DocumentBuilder#parse(java.io.File) method, the elements
> are nested layer by layer and there is no element closing tag. Since the
> depth of elements cannot be verified, the array in
> org.apache.xerces.impl.XMLDocumentFragmentScannerImpl#fElementStack will
> continue to increase the number of QName objects, resulting in excessive
> memory use and DOS problems.
>
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> <A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A
> a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A
> a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1">…
>
> After testing, we found that a file of 12.93M will cause an OOM exception in
> a service with a maximum heap memory of 250M.
>
> We checked the JDK information and found that we can limit the nesting depth
> of XML elements by setting the system property jdk.xml.maxElementDepth. We
> hope Xerces can solve this problem.
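A defender-side mitigation for the behaviour described in this thread, added here as an example and not code from the Xerces project or from the issue's reporter: a SAX handler that counts element depth and aborts the parse as soon as a configured limit is exceeded, so the parser's element stack stops growing long before the heap is exhausted. It works with any JAXP SAX parser, Xerces included, without relying on the jdk.xml.maxElementDepth property; the depth limit of 100 and the constructed input of 1000 unclosed `<A>` tags are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** SAX handler that rejects documents whose element nesting exceeds maxDepth. */
final class DepthLimitingHandler extends DefaultHandler {
    private final int maxDepth;
    private int depth = 0;
    private int peakDepth = 0;

    DepthLimitingHandler(int maxDepth) { this.maxDepth = maxDepth; }

    @Override
    public void startElement(String uri, String localName, String qName, Attributes atts)
            throws SAXException {
        depth++;
        peakDepth = Math.max(peakDepth, depth);
        if (depth > maxDepth) {
            // Abort here: the parser has not yet pushed further QName entries for deeper elements.
            throw new SAXException("element depth " + depth + " exceeds limit of " + maxDepth);
        }
    }

    @Override
    public void endElement(String uri, String localName, String qName) { depth--; }

    int peakDepth() { return peakDepth; }
}

public class DepthLimitDemo {
    public static void main(String[] args) throws Exception {
        // Constructed input (assumption): 1000 opening <A a="1"> tags and no closing tags,
        // the same shape as the document in the issue, kept small enough to run anywhere.
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
        for (int i = 0; i < 1000; i++) sb.append("<A a=\"1\">");
        InputStream in = new ByteArrayInputStream(sb.toString().getBytes(StandardCharsets.UTF_8));

        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = factory.newSAXParser();
        DepthLimitingHandler handler = new DepthLimitingHandler(100);  // assumed limit
        try {
            parser.parse(in, handler);
        } catch (SAXException e) {
            // Expected: the parse stops at depth 101, not at end of input or on OutOfMemoryError.
            System.out.println("rejected: " + e.getMessage() + " (peak depth " + handler.peakDepth() + ")");
        }
    }
}
```

Pick the limit from what the application's schemas actually need; the same handler can be chained in front of a DOM build (for example via a SAX-to-DOM pipeline) when a DocumentBuilder is required.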