Sagar Miglani created SLING-11776:
-------------------------------------
Summary: Sling ResourceMerger may cause high cpu utilization
Key: SLING-11776
URL: https://issues.apache.org/jira/browse/SLING-11776
Project: Sling
Issue Type: Bug
Components: Extensions
Affects Versions: Resource Merger 1.4.0
Reporter: Sagar Miglani
If a bogus path like the following is used, the resource merger can consume a
large amount of CPU and may lead to a Denial of Service:
{code:xml}
/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override
{code}
*Steps to reproduce*
# Spawn an AEM author instance and login
# Open [http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override] OR use {{curl -u <user>:<pass> http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override}}
In [MergingResourceProvider|https://github.com/apache/sling-org-apache-sling-resourcemerger/blob/master/src/main/java/org/apache/sling/resourcemerger/impl/MergingResourceProvider.java#L164-L174], we calculate the relative path, which is simply the actual path with the merge root path removed from its front. This relative path is then used to find the resources under it.
e.g.: if the path is {{/mnt/override/mnt/override/mnt/override/bin}} then the relative path will be {{/mnt/override/mnt/override}}.
Because this relative path again starts with {{/mnt/override}}, [MergingResourceProvider|https://github.com/apache/sling-org-apache-sling-resourcemerger/blob/master/src/main/java/org/apache/sling/resourcemerger/impl/MergingResourceProvider.java] will be picked again and the same calls will be executed.
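To make the re-entry described above concrete, here is a small Python model of the relative-path step and of the check a provider can apply before recursing. This is an added illustration, not code from the Sling resource merger: it assumes a single merge root of {{/mnt/override}}, keeps the trailing segment when stripping the prefix, and bounds the walk with a hypothetical {{limit}} so that a self-referencing path is detected and rejected instead of being resolved over and over.

```python
# Simplified model of MergingResourceProvider's relative-path computation
# (added example; not the Sling project's code). The merge root below is the
# one used in the issue's examples.
MERGE_ROOT = "/mnt/override"


def relative_path(path, merge_root=MERGE_ROOT):
    """Strip the merge root from the front of path.

    Returns the remainder (starting with '/') when path lies under the merge
    root, or None when it does not. Keeps the trailing segment, so
    '/mnt/override/apps/foo' becomes '/apps/foo'.
    """
    if path == merge_root:
        return "/"
    if path.startswith(merge_root + "/"):
        return path[len(merge_root):]
    return None


def reenters_merge_root(path, merge_root=MERGE_ROOT):
    """True when the relative path itself starts with the merge root again,
    i.e. when the provider would be selected a second time for the same
    request. This is the condition the issue describes."""
    rel = relative_path(path, merge_root)
    return rel is not None and (rel == merge_root or rel.startswith(merge_root + "/"))


def nesting_depth(path, merge_root=MERGE_ROOT, limit=64):
    """Count how many times the path re-enters the merge root.

    The hypothetical 'limit' (an assumption of this model) guarantees the
    loop terminates even on a deliberately long path; a real provider would
    refuse the request rather than keep stripping prefixes.
    """
    depth = 0
    current = path
    while depth < limit:
        rel = relative_path(current, merge_root)
        if rel is None:
            break
        depth += 1
        current = rel
    return depth


def check_path(path, merge_root=MERGE_ROOT):
    """Guard to run before resolving under the merge root.

    Returns (accepted, reason). A path whose relative part re-enters the
    merge root is rejected up front, so the provider never recurses into
    itself.
    """
    if reenters_merge_root(path, merge_root):
        return False, "relative path re-enters merge root"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary merged path, one self-referencing.
    for p in ("/mnt/override/apps/foo", "/mnt/override/mnt/override/mnt/override/bin"):
        print(p, "->", relative_path(p), "depth", nesting_depth(p), check_path(p))
```

The guard is cheap because it inspects only the string prefix; the nesting count is useful on the detection side, for example to log requests whose depth exceeds one, since a legitimate merged path never needs to re-enter the merge root.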
--
This message was sent by Atlassian Jira
(v8.20.10#820010)