Posted to dev@chemistry.apache.org by "Nour Al KOTOB (Jira)" <ji...@apache.org> on 2022/01/06 20:12:00 UTC

[jira] [Updated] (CMIS-1120) unescaped single quotes lead to an OOM exception

     [ https://issues.apache.org/jira/browse/CMIS-1120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nour Al KOTOB updated CMIS-1120:
--------------------------------
    Description: 
When we call 
{noformat}
org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(){noformat}
 with a statement containing an unescaped single quote like:
{code:java}
"SELECT cmis:objectId FROM cmis:folder WHERE dc:title = '';'"{code}
or even just
{code:java}
"'';'" {code}
We run into an OOM exception with the following stack trace:
{code:java}
java.lang.OutOfMemoryError: Java heap space
    at java.base/java.util.Arrays.copyOf(Arrays.java:3689)
    at java.base/java.util.ArrayList.grow(ArrayList.java:238)
    at java.base/java.util.ArrayList.grow(ArrayList.java:243)
    at java.base/java.util.ArrayList.add(ArrayList.java:486)
    at java.base/java.util.ArrayList.add(ArrayList.java:499)
    at org.antlr.runtime.BufferedTokenStream.fetch(BufferedTokenStream.java:146)
    at org.antlr.runtime.BufferedTokenStream.sync(BufferedTokenStream.java:137)
    at org.antlr.runtime.CommonTokenStream.skipOffTokenChannels(CommonTokenStream.java:116)
    at org.antlr.runtime.CommonTokenStream.LT(CommonTokenStream.java:102)
    at org.antlr.runtime.BufferedTokenStream.LA(BufferedTokenStream.java:174)
    at org.antlr.runtime.BaseRecognizer.mismatchIsUnwantedToken(BaseRecognizer.java:127)
    at org.antlr.runtime.BaseRecognizer.recoverFromMismatchedToken(BaseRecognizer.java:593)
    at org.antlr.runtime.BaseRecognizer.match(BaseRecognizer.java:115)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser_CmisBaseGrammar.query(CmisQlStrictParser_CmisBaseGrammar.java:197)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.query(CmisQlStrictParser.java:273)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.root(CmisQlStrictParser.java:215)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilStrict.parseStatement(QueryUtilStrict.java:61)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(QueryUtilBase.java:72){code}
 

  was:
when calling `org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement()` with a statement containing an unescaped single quote like:
{code:java}
"SELECT cmis:objectId FROM cmis:folder WHERE dc:title = '';'"{code}
or even just
{code:java}
"'';'" {code}
We run into an OOM exception with such stack trace:
{code:java}
java.lang.OutOfMemoryError: Java heap space
    at java.base/java.util.Arrays.copyOf(Arrays.java:3689)
    at java.base/java.util.ArrayList.grow(ArrayList.java:238)
    at java.base/java.util.ArrayList.grow(ArrayList.java:243)
    at java.base/java.util.ArrayList.add(ArrayList.java:486)
    at java.base/java.util.ArrayList.add(ArrayList.java:499)
    at org.antlr.runtime.BufferedTokenStream.fetch(BufferedTokenStream.java:146)
    at org.antlr.runtime.BufferedTokenStream.sync(BufferedTokenStream.java:137)
    at org.antlr.runtime.CommonTokenStream.skipOffTokenChannels(CommonTokenStream.java:116)
    at org.antlr.runtime.CommonTokenStream.LT(CommonTokenStream.java:102)
    at org.antlr.runtime.BufferedTokenStream.LA(BufferedTokenStream.java:174)
    at org.antlr.runtime.BaseRecognizer.mismatchIsUnwantedToken(BaseRecognizer.java:127)
    at org.antlr.runtime.BaseRecognizer.recoverFromMismatchedToken(BaseRecognizer.java:593)
    at org.antlr.runtime.BaseRecognizer.match(BaseRecognizer.java:115)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser_CmisBaseGrammar.query(CmisQlStrictParser_CmisBaseGrammar.java:197)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.query(CmisQlStrictParser.java:273)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.root(CmisQlStrictParser.java:215)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilStrict.parseStatement(QueryUtilStrict.java:61)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(QueryUtilBase.java:72){code}
 


> unescaped single quotes lead to an OOM exception
> ------------------------------------------------
>
>                 Key: CMIS-1120
>                 URL: https://issues.apache.org/jira/browse/CMIS-1120
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-server
>    Affects Versions: OpenCMIS 1.1.0
>            Reporter: Nour Al KOTOB
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
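
The failure described in this report, as an added example that is not part of the original message or of OpenCMIS: a caller-side check that refuses a statement ending inside a single-quoted literal before it is handed to the parser. The class and method names are hypothetical, and the backslash-escape rule is an assumption about how CMIS query string literals are escaped.

```java
// Added example, not OpenCMIS code: class and method names are hypothetical.
public class CmisStatementGuard {

    /**
     * Returns true when the statement ends inside a single-quoted literal.
     * Assumption: inside a literal a backslash escapes the next character;
     * outside a literal it has no special meaning.
     */
    static boolean hasUnterminatedStringLiteral(String statement) {
        boolean inLiteral = false;
        for (int i = 0; i < statement.length(); i++) {
            char c = statement.charAt(i);
            if (inLiteral && c == '\\') {
                i++;                      // skip the escaped character
            } else if (c == '\'') {
                inLiteral = !inLiteral;   // opening or closing quote
            }
        }
        // A trailing backslash inside a literal also leaves inLiteral set.
        return inLiteral;
    }

    /** Rejects flagged statements; call this before passing them to the parser. */
    static String requireParsable(String statement) {
        if (statement == null || hasUnterminatedStringLiteral(statement)) {
            throw new IllegalArgumentException("unterminated string literal in CMIS query");
        }
        return statement;
    }

    public static void main(String[] args) {
        String[] samples = {
            // The two statements quoted in the report.
            "SELECT cmis:objectId FROM cmis:folder WHERE dc:title = '';'",
            "'';'",
            // Constructed well-formed statement with an escaped quote.
            "SELECT cmis:objectId FROM cmis:folder WHERE dc:title = 'it\\'s'",
        };
        for (String s : samples) {
            try {
                requireParsable(s);
                System.out.println("accept: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("reject: " + s);
            }
        }
    }
}
```

Both statements from the report are rejected and the constructed one is accepted. The check leaves the parser unchanged, so it only covers inputs of this shape.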