Posted to dev@sling.apache.org by "Sagar Miglani (Jira)" <ji...@apache.org> on 2023/02/16 09:08:00 UTC
[jira] [Updated] (SLING-11776) Sling ResourceMerger may cause high cpu utilization
[ https://issues.apache.org/jira/browse/SLING-11776?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sagar Miglani updated SLING-11776:
----------------------------------
Attachment: SLING-11776.patch
> Sling ResourceMerger may cause high cpu utilization
> ---------------------------------------------------
>
> Key: SLING-11776
> URL: https://issues.apache.org/jira/browse/SLING-11776
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Affects Versions: Resource Merger 1.4.0
> Reporter: Sagar Miglani
> Priority: Major
> Attachments: SLING-11776.patch
>
>
> If a bogus path like the following is used, resource merger can consume a high amount of CPU and may lead to Denial of Service:
> {code:xml}
> /mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override
> {code}
> *Steps to reproduce*
> # Spawn an AEM author instance and log in
> # Open
> [http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override]
> OR use
> curl -u <user>:<pass> [http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override]
> In [MergingResourceProvider|https://github.com/apache/sling-org-apache-sling-resourcemerger/blob/master/src/main/java/org/apache/sling/resourcemerger/impl/MergingResourceProvider.java#L164-L174], we are calculating the relative path, which is just removing the merge root path from the actual path.
> And this relative path is used for finding the resources under it.
> e.g. if path is {{/mnt/override/mnt/override/mnt/override/bin}} then relative path will be {{/mnt/override/mnt/override}}
> And because this relative path again starts with {{/mnt/override}}, [MergingResourceProvider|https://github.com/apache/sling-org-apache-sling-resourcemerger/blob/master/src/main/java/org/apache/sling/resourcemerger/impl/MergingResourceProvider.java] will be picked again and the same calls will be executed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
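
The re-entry described in the report (the relative path left after stripping the merge root again starts with a merge root) can be checked for before a path reaches resource resolution. The Java below is an added example, not code from Apache Sling or from SLING-11776.patch; the class and method names are hypothetical, and the merge root list is an assumption that contains only the `/mnt/override` root named in the report.

```java
import java.util.List;

/** Added illustration; not part of Apache Sling or of SLING-11776.patch. */
public class NestedMergeRootCheck {

    /** Returns the merge root that the path lies under, or null if there is none. */
    static String matchingRoot(String path, List<String> roots) {
        for (String root : roots) {
            if (path.equals(root) || path.startsWith(root + "/")) {
                return root;
            }
        }
        return null;
    }

    /**
     * Counts how often stripping the merge root leaves a relative path that is
     * itself under a merge root, i.e. how many times the merging provider would
     * be selected again for the same request. 0 means the path is not nested.
     */
    static int reentryDepth(String path, List<String> roots) {
        int depth = 0;
        String current = path;
        String root = matchingRoot(current, roots);
        while (root != null) {
            current = current.substring(root.length()); // relative path, as in the report
            root = matchingRoot(current, roots);
            if (root != null) {
                depth++;
            }
        }
        return depth;
    }

    public static void main(String[] args) {
        List<String> roots = List.of("/mnt/override"); // assumption: root taken from the report
        String[] samples = {                           // constructed sample paths
            "/content/site/en",
            "/mnt/override/apps/component",
            "/mnt/override/mnt/override/mnt/override/bin",
        };
        for (String p : samples) {
            int d = reentryDepth(p, roots);
            System.out.printf("%-45s re-entry depth=%d %s%n", p, d, d > 0 ? "REJECT" : "ok");
        }
    }
}
```

A request filter or log-review job could reject or flag any path whose depth is greater than zero, since a legitimate merged path names the merge root only once.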