Sling / SLING-11776

Sling ResourceMerger may cause high cpu utilization


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Resource Merger 1.4.0
    • Fix Version/s: Resource Merger 1.4.2
    • Component/s: Extensions
    • Labels: None

    Description

      If a bogus path like the following is used, resource merger can consume a high amount of CPU, which may lead to Denial of Service:

      /mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override
      

      Steps to reproduce

      1. Spawn an AEM author instance and log in
      2. Open
        http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override
        OR use
        curl -u <user>:<pass> http://localhost:4502/aem/start.html//mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override/mnt/override

      In MergingResourceProvider, we are calculating the relative path, which is just removing the merge root path from the actual path.
      And this relative path is used for finding the resources under it.
      e.g. if path is /mnt/override/mnt/override/mnt/override/bin then relative path will be /mnt/override/mnt/override
      And because this relative path again starts with /mnt/override, MergingResourceProvider will be picked again and the same calls will be executed.
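
      The re-entry described above can be measured per request path, which gives a simple way to spot such requests in access logs. The following is an added example, not code from Sling or from the attached patches; the function names, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re

MERGE_ROOT = "/mnt/override"  # merge root named in the report

def relative_path(path, root=MERGE_ROOT):
    """Strip one leading merge root; None when path is not under root."""
    if path == root:
        return ""
    if path.startswith(root + "/"):
        return path[len(root):]
    return None

def reentry_depth(path, root=MERGE_ROOT):
    """How many times the stripped path lands under the merge root again."""
    depth = 0
    rel = relative_path(path, root)
    while rel is not None and relative_path(rel, root) is not None:
        depth += 1
        rel = relative_path(rel, root)
    return depth

# Assumed log shape: common/combined format with a quoted request line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def flag_requests(lines, root=MERGE_ROOT, max_depth=0):
    """Return (depth, url_path) for requests nesting the root beyond max_depth."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url_path = m.group(1).split("?", 1)[0]
        start = url_path.find(root)  # the root may follow a servlet path
        if start < 0:
            continue
        depth = reentry_depth(url_path[start:], root)
        if depth > max_depth:
            hits.append((depth, url_path))
    return hits

NESTED = "/aem/start.html/" + MERGE_ROOT * 14  # URL shape from the report
SAMPLE_LOG = [  # constructed log lines, not real traffic
    '127.0.0.1 - editor [01/Jan/2023:10:00:00 +0000] "GET /mnt/override/libs/foo/bar.json HTTP/1.1" 200 512',
    '127.0.0.1 - editor [01/Jan/2023:10:00:05 +0000] "GET %s HTTP/1.1" 200 1024' % NESTED,
]

if __name__ == "__main__":
    for depth, url in flag_requests(SAMPLE_LOG):
        print("re-entry depth %d: %s" % (depth, url))
```

      A legitimate override path has a re-entry depth of 0, so any non-zero value is worth alerting on or rejecting at a front-end filter.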

      Attachments

        1. SLING-11776_test.patch
          6 kB
          Sagar Miglani
        2. SLING-11776_with_logs.patch
          2 kB
          Sagar Miglani
        3. SLING-11776.patch
          1.0 kB
          Sagar Miglani


          People

            Assignee: Carsten Ziegeler (cziegeler)
            Reporter: Sagar Miglani (sagarmiglani)