Complex body verification leads to rapid expansion of Hibernate memory
Description
I found OOM when I tested my service by FUZZ. The OOM is because processedPathsPerBean(ofAbstractValidationContext) rapid expansion when verifying a complex body.I think this is a bug, Hibernate Validator should have the ability to prevent this DDOS attack。
The body of the request:
The code causing the problem:
org.hibernate.validator.internal.engine.validationcontext.AbstractValidationContext
Memory analysis:
Environment
Activity
Hi,
Thanks for the reply. I think if we cloud set the Set size, we can set the appropriate set size and prevent the DDOS attack.
Thanks!
Yeah, so we could reduce the default Set size a bit but I don't think we will have a definitive solution to this issue as we need to keep the list of validated paths so at some point you can always push a ton of objects and go OOM.
Also note that this context is short lived so it won't grow forever.
That being said, I agree the situation could probably be improved memory wise and we could try to reduce the memory consumption.
If you have some time to prepare a simple Maven reproducer for this issue, I would love to check if I can improve the situation. Always easier when you have a reproducer to test your hypothesis.
Thanks!
Add Memory analysis:
Hi,
Thanks for the report. I don't see the memory analysis though?
FYI, keeping the list of processed paths is necessary to avoid infinite recursions. I'm a bit surprised you could hit a OOM with just 10k objects though so if you could add more information, that would be great.
Thanks!
Assignee
Reporter
Labels
Feedback Requested
Feedback Requested By
backPortable
Suitable for new contributors
Pull Request
backportDecision
backportReEvaluate
Components
Affects versions
Priority
