I found an OOM when I tested my service by fuzzing. The OOM is because processedPathsPerBean (of AbstractValidationContext) expands rapidly when verifying a complex body. I think this is a bug; Hibernate Validator should have the ability to prevent this DDoS attack.
The body of the request:
The code causing the problem:
org.hibernate.validator.internal.engine.validationcontext.AbstractValidationContext
Memory analysis:
Hi,
Thanks for the report. I don't see the memory analysis though?
FYI, keeping the list of processed paths is necessary to avoid infinite recursions. I'm a bit surprised you could hit an OOM with just 10k objects though, so if you could add more information, that would be great.
Thanks!
Add Memory analysis:
Yeah, so we could reduce the default Set size a bit but I don't think we will have a definitive solution to this issue as we need to keep the list of validated paths so at some point you can always push a ton of objects and go OOM.
Also note that this context is short lived so it won't grow forever.
That being said, I agree the situation could probably be improved memory-wise and we could try to reduce the memory consumption.
If you have some time to prepare a simple Maven reproducer for this issue, I would love to check if I can improve the situation. Always easier when you have a reproducer to test your hypothesis.
Thanks!
Hi,
Thanks for the reply. I think if we could set the Set size, we could set an appropriate set size and prevent the DDoS attack.
Thanks!
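As an added illustration of the mitigation side of this thread (this is not code from the reporter or from the Hibernate Validator project): the processed-paths set only grows as the validator cascades into nested objects, so the practical defence is to bound how many elements a request may carry before cascading starts. The example below puts a `@Size` limit on the cascaded collection and enables fail-fast mode. It assumes the `jakarta.validation` namespace (Hibernate Validator 7+; use `javax.validation` for 6.x) and relies on Hibernate Validator validating the constraints declared on the bean itself before it descends into `@Valid` members, so that the `@Size` violation stops validation before the large list is traversed. The `Request` and `Item` classes and the 10,000-element input are constructed here purely for the demonstration.

```java
import jakarta.validation.ConstraintViolation;
import jakarta.validation.Valid;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;
import org.hibernate.validator.HibernateValidator;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class BoundedCascadeExample {

    // Hypothetical nested element; each one would otherwise be a cascaded bean.
    public static class Item {
        @NotNull
        public String name;

        public Item(String name) {
            this.name = name;
        }
    }

    // Hypothetical request body. The @Size bound is checked on the Request
    // bean before the validator cascades into the individual items.
    public static class Request {
        @Size(max = 100)
        @Valid
        public List<Item> items = new ArrayList<>();
    }

    // Builds a validator in fail-fast mode: validation stops at the first
    // violation, so an over-sized collection is rejected before cascading.
    public static Validator boundedValidator() {
        return Validation.byProvider(HibernateValidator.class)
                .configure()
                .failFast(true)
                .buildValidatorFactory()
                .getValidator();
    }

    // Returns the number of violations found for a request that carries
    // far more nested objects than the declared bound.
    public static int violationsForOversizedRequest(int elementCount) {
        Request request = new Request();
        for (int i = 0; i < elementCount; i++) {
            request.items.add(new Item("item-" + i));
        }
        Set<ConstraintViolation<Request>> violations =
                boundedValidator().validate(request);
        return violations.size();
    }

    public static void main(String[] args) {
        // Constructed input mirroring the "10k objects" mentioned in the thread.
        int count = violationsForOversizedRequest(10_000);
        // With fail-fast enabled exactly one violation (the @Size bound) is
        // reported, and the 10,000 items are never cascaded into.
        System.out.println("violations: " + count);
    }
}
```

Without `failFast(true)` the `@Size` violation would still be reported, but the validator would go on to cascade into every element of the list, which is precisely the path that fills `processedPathsPerBean`; combining the bound with fail-fast is what keeps the per-request validation context small.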