Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version: XSS Protection API 2.4.0
Description
The method org.apache.sling.xss.impl.XSSFilterImpl.AntiSamyPolicy#read() opens a ResourceResolver in a try-with-resources block, looks up the policy Resource, adapts it to an InputStream and returns that InputStream; leaving the block closes the ResourceResolver (and with it the underlying JCR session).
This works as long as the returned InputStream is not a JcrExternalizableInputStream, which is what the adaption yields when the binary lives in an external blob store (e.g. Azure).
A JcrExternalizableInputStream only holds a reference to the JCR Property and fetches the binary lazily on the first read(). By the time the caller reads from the stream, the session that owns the Property has already been closed, so the read fails.
A typical stack-trace looks like the one below:
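The following is an added illustration of the lifetime problem, not code from the Sling XSS module: readLazily() mirrors the pattern the issue describes (stream returned out of the try-with-resources block), readEagerly() shows the straightforward remedy of draining the binary into memory while the resolver is still open. PolicyReader, readLazily, readEagerly and the "xss" subservice name are hypothetical; the Sling API calls (getServiceResourceResolver, getResource, adaptTo, close) are real.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.Map;

import org.apache.commons.io.IOUtils;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

/**
 * Hypothetical example (not the project's code) contrasting a stream that
 * escapes the ResourceResolver's lifetime with one that is read while the
 * resolver, and therefore the JCR session, is still alive.
 */
public class PolicyReader {

    private static final String POLICY_PATH = "/libs/sling/xss/config.xml";

    // Hypothetical subservice name; the real service user mapping is deployment-specific.
    private static final Map<String, Object> AUTH_INFO =
            Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, "xss");

    private final ResourceResolverFactory factory;

    public PolicyReader(ResourceResolverFactory factory) {
        this.factory = factory;
    }

    /**
     * Buggy pattern: the InputStream is returned out of the try block, so the
     * resolver (and its JCR session) is closed before anyone reads from it.
     * For an in-repository binary this happens to work; for a binary in an
     * external blob store the adaption yields a JcrExternalizableInputStream
     * that dereferences the Property lazily and then fails with
     * "This session has been closed".
     */
    public InputStream readLazily() throws LoginException {
        try (ResourceResolver resolver = factory.getServiceResourceResolver(AUTH_INFO)) {
            Resource policy = resolver.getResource(POLICY_PATH);
            return policy == null ? null : policy.adaptTo(InputStream.class);
        } // resolver.close() runs here, before the first read()
    }

    /**
     * Remedy: consume the stream fully inside the try block and hand the
     * caller a detached copy. The policy file is small, so buffering it in
     * memory is acceptable; for large binaries you would instead keep the
     * resolver open for as long as the stream is in use.
     */
    public InputStream readEagerly() throws LoginException, IOException {
        try (ResourceResolver resolver = factory.getServiceResourceResolver(AUTH_INFO)) {
            Resource policy = resolver.getResource(POLICY_PATH);
            if (policy == null) {
                return null;
            }
            try (InputStream in = policy.adaptTo(InputStream.class)) {
                if (in == null) {
                    return null;
                }
                // Forces JcrExternalizableInputStream to fetch the binary now,
                // while the session behind the Property is still open.
                byte[] bytes = IOUtils.toByteArray(in);
                return new ByteArrayInputStream(bytes);
            }
        }
    }
}
```

The important check when reviewing code like this is whether any object derived from a Resource (streams, Node/Property handles, ValueMaps backed by JCR) outlives the ResourceResolver that produced it; the fact that it works against a local blob store says nothing about how it behaves when the binary is externalized.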
[main] ERROR org.apache.sling.xss.impl.XSSFilterImpl - Unable to load policy from /libs/sling/xss/config.xml
java.io.IOException: This session has been closed.
	at org.apache.sling.jcr.resource.internal.helper.jcr.JcrExternalizableInputStream.getInputStream(JcrExternalizableInputStream.java:70)
	at org.apache.sling.jcr.resource.internal.helper.jcr.JcrExternalizableInputStream.read(JcrExternalizableInputStream.java:57)
	at java.base/java.io.InputStream.read(InputStream.java:271)
	at java.base/java.io.InputStream.read(InputStream.java:205)
	at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1485)
	at org.apache.commons.io.IOUtils.copy(IOUtils.java:1105)
	at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1458)
	at org.apache.commons.io.IOUtils.copy(IOUtils.java:1083)
	at org.apache.sling.xss.impl.PolicyHandler.<init>(PolicyHandler.java:43)
	at org.apache.sling.xss.impl.XSSFilterImpl.setActivePolicy(XSSFilterImpl.java:331)
	at org.apache.sling.xss.impl.XSSFilterImpl.updatePolicy(XSSFilterImpl.java:293)
	at org.apache.sling.xss.impl.XSSFilterImpl.activate(XSSFilterImpl.java:269)
	[... snipped the caller ...]
Caused by: javax.jcr.RepositoryException: This session has been closed.
	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.checkAlive(SessionDelegate.java:323)
	at org.apache.jackrabbit.oak.jcr.delegate.ItemDelegate.checkAlive(ItemDelegate.java:83)
	at org.apache.jackrabbit.oak.jcr.session.operation.ItemOperation.checkPreconditions(ItemOperation.java:34)
	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.prePerform(SessionDelegate.java:614)
	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:204)
	at org.apache.jackrabbit.oak.jcr.session.ItemImpl.perform(ItemImpl.java:112)
	at org.apache.jackrabbit.oak.jcr.session.PropertyImpl.getValue(PropertyImpl.java:248)
	at org.apache.jackrabbit.oak.jcr.session.PropertyImpl.getBinary(PropertyImpl.java:287)
	at org.apache.sling.jcr.resource.internal.helper.jcr.JcrExternalizableInputStream.getInputStream(JcrExternalizableInputStream.java:68)
	... 93 more