Posted to notifications@groovy.apache.org by "kingkk (Jira)" <ji...@apache.org> on 2021/03/21 07:02:00 UTC

[jira] [Created] (GROOVY-9992) Redos in groovy.sql.Sql

kingkk created GROOVY-9992:
------------------------------

             Summary: Redos in groovy.sql.Sql
                 Key: GROOVY-9992
                 URL: https://issues.apache.org/jira/browse/GROOVY-9992
             Project: Groovy
          Issue Type: Bug
          Components: SQL processing
            Reporter: kingkk


When executing a prepared SQL statement, adding too many spaces in front of the SQL will cause ReDoS. The following is an example.
{code:java}
import groovy.sql.Sql

class SqlTest {
    static void main(String[] args) {
        def url = 'jdbc:mysql://127.0.0.1:3306/test'
        def user = 'user'
        def password = '123456'
        def driver = 'com.mysql.cj.jdbc.Driver'
        def conn = Sql.newInstance(url, user, password, driver)

        def sql = ""
        for (int i = 0; i < 400; i++) {
            sql += " "
        }
        sql += "select * from users where id=?"

        def startTime = System.currentTimeMillis()
        conn.execute(sql, 1)
        println("exec sql: " + (System.currentTimeMillis() - startTime))
        conn.close()
    }
}
{code}
The groovy and mysql-connector versions used are as follows:
{code:xml}
<dependency>
    <groupId>org.codehaus.groovy</groupId>
    <artifactId>groovy-all</artifactId>
    <version>3.0.7</version>
</dependency>
<dependency>
    <groupId>org.codehaus.groovy</groupId>
    <artifactId>groovy-sql</artifactId>
    <version>3.0.7</version>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>8.0.23</version>
</dependency>
{code}
The output after executing this is as follows:
{code}
exec sql: 11731
{code}
This shows that the conn.execute() operation took about 11 seconds to complete, and CPU utilization was high during this period. Changing 400 in the for loop to 1000 will take longer and eventually lead to exhaustion of the machine's resources.


The reason for this vuln is that groovy.sql.Sql$CreatePreparedStatementCommand.appearsLikeStoredProc uses an improper regular expression for matching.
{code:java}
private boolean appearsLikeStoredProc(String sql) {
    return sql.matches("\\s*[{]?\\s*[?]?\\s*[=]?\\s*[cC][aA][lL][lL].*");
}
{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
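As an added illustration (not code from the report or from the Groovy project), the same check in Python: the regex quoted above beside an unambiguous rewrite and a regex-free scan, plus a small timing loop that shows how the cost of the original grows with leading whitespace. The rewritten regex and the scan are hypothetical equivalents chosen for this example, not the project's fix.

```python
import re
import time

# Regex quoted in the report: four adjacent \s* groups separated only by
# optional single characters, so N leading blanks can be split among them
# in O(N^3) ways before every attempt fails at [cC].
ORIGINAL = re.compile(r"\s*[{]?\s*[?]?\s*[=]?\s*[cC][aA][lL][lL].*")

# Hypothetical rewrite (an assumption here, not the project's fix): each optional
# token owns the whitespace after it, so only the first \s* can absorb leading
# blanks and a failing match backtracks in O(N). It accepts the same strings.
UNAMBIGUOUS = re.compile(r"\s*(?:\{\s*)?(?:\?\s*)?(?:=\s*)?[cC][aA][lL][lL].*")

def appears_like_stored_proc_original(sql: str) -> bool:
    """Java String.matches() is anchored at both ends; fullmatch mirrors it."""
    return ORIGINAL.fullmatch(sql) is not None

def appears_like_stored_proc_safe(sql: str) -> bool:
    return UNAMBIGUOUS.fullmatch(sql) is not None

def appears_like_stored_proc_scan(sql: str) -> bool:
    """Regex-free equivalent: one left-to-right pass, linear in len(sql)."""
    i, n = 0, len(sql)
    for token in "{?=":                      # each optional, each at most once
        while i < n and sql[i].isspace():
            i += 1
        if i < n and sql[i] == token:
            i += 1
    while i < n and sql[i].isspace():
        i += 1
    if sql[i:i + 4].lower() != "call":
        return False
    return "\n" not in sql[i + 4:]          # '.*' does not cross a newline

def time_check(check, n_spaces: int) -> float:
    """Seconds to classify n_spaces blanks followed by a constructed non-CALL query."""
    sql = " " * n_spaces + "select * from users where id=?"
    start = time.perf_counter()
    check(sql)
    return time.perf_counter() - start

if __name__ == "__main__":
    # Doubling the blanks multiplies the original's time by roughly 8 (cubic);
    # the rewrite stays flat. Sizes are kept small so the demo finishes quickly.
    for n in (40, 80, 160):
        print(f"{n:4d} blanks: original {time_check(appears_like_stored_proc_original, n):.4f}s"
              f"  rewrite {time_check(appears_like_stored_proc_safe, n):.6f}s")
```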