[jira] [Commented] (SLING-8775) java.lang.StackOverflowError in XSSAPI.getValidHref

Radu Cotescu (Jira) Mon, 21 Oct 2019 04:40:54 -0700


    [ 
https://issues.apache.org/jira/browse/SLING-8775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16955981#comment-16955981
 ]


Radu Cotescu commented on SLING-8775:
-------------------------------------

[~asanso], do you have some inputs that could be used for testing? :)

> java.lang.StackOverflowError in XSSAPI.getValidHref
> ---------------------------------------------------
>
>                 Key: SLING-8775
>                 URL: https://issues.apache.org/jira/browse/SLING-8775
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>            Reporter: Antonio Sanso
>            Priority: Major
>
> The regex pattern in  XSSAPI.getValidHref may cause StackOverflowError .
> try 'xssAPI.getValidHref(String)' API throwing StackOverflowError. Input 
> string param that has a length of '1700' or more. 
> {code}
> Caused by: java.lang.StackOverflowError
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at 
> java.base/java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3951)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at 
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
>       at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
>       at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
>       at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
>       at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
>       at 
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (SLING-8775) java.lang.StackOverflowError in XSSAPI.getValidHref

Reply via email to