Complex body verification leads to rapid expansion of Hibernate memory

Description

I found OOM when I tested my service by FUZZ. The OOM is because processedPathsPerBean(ofAbstractValidationContext) rapid expansion when verifying a complex body.I think this is a bug, Hibernate Validator should have the ability to prevent this DDOS attack。

The body of the request:

The code causing the problem

org.hibernate.validator.internal.engine.validationcontext.AbstractValidationContext


Memory analysis:

Environment

None

Activity

Show:
muyangdexiaoselang
January 14, 2021, 7:54 AM
Edited

Hi,

Thanks for the reply. I think if we cloud set the Set size, we can set the appropriate set size and prevent the DDOS attack.

Thanks!

Guillaume Smet
January 5, 2021, 10:10 AM

Yeah, so we could reduce the default Set size a bit but I don't think we will have a definitive solution to this issue as we need to keep the list of validated paths so at some point you can always push a ton of objects and go OOM.

Also note that this context is short lived so it won't grow forever.

That being said, I agree the situation could probably be improved memory wise and we could try to reduce the memory consumption.

If you have some time to prepare a simple Maven reproducer for this issue, I would love to check if I can improve the situation. Always easier when you have a reproducer to test your hypothesis.

Thanks!

muyangdexiaoselang
January 5, 2021, 6:34 AM

Add Memory analysis:

Guillaume Smet
January 4, 2021, 9:57 AM

Hi,

Thanks for the report. I don't see the memory analysis though?

FYI, keeping the list of processed paths is necessary to avoid infinite recursions. I'm a bit surprised you could hit a OOM with just 10k objects though so if you could add more information, that would be great.

Thanks!

Assignee

Unassigned

Reporter

muyangdexiaoselang

Labels

None

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

None

Pull Request

None

backportDecision

None

backportReEvaluate

None

Components

Affects versions

Priority

Major