DomainNameUtil issues java.lang.StackOverflowError on very large error (@Email validation)

Description

When validating a large domain name (for example using the @Email annotation), the validator issues a java.lang.StackOverflowError.

It happens here with a very large domain name and JVM default options, but when Xss is tweaked to run in a container for example, it can happen with smaller domain name (https://developers.redhat.com/blog/2017/04/04/openjdk-and-containers/).

Here is a test case:

Environment

None

Activity

Show:
Guillaume Smet
March 4, 2021, 10:09 AM

Yeah, I think we can't do a lot better than changing the order of operations.

I also made the groups non capturing to reduce memory usage.

Thanks for the report.

Jérôme Joslet
March 4, 2021, 7:17 AM

The Stack is too large to be displayed entirely, Java does not get it entirely. There is nothing interesting in the stack trace.

The error is located here:

Using the pattern EMAIL_DOMAIN_PATTERN

But if you still want the stack trace, here is the full printed one:

Guillaume Smet
March 3, 2021, 12:00 PM

Any chance we could have the interesting parts of the stacktrace in the issue description? Thanks.

Jérôme Joslet
February 25, 2021, 10:03 AM
Edited

A partial solution is to perform the length check in the isValidDomainAddress before the pattern validation.

Please note that this code can be vulnerable to ReDoS https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

Fixed

Assignee

Guillaume Smet

Reporter

Jérôme Joslet

Labels

None

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

None

backportDecision

None

backportReEvaluate

None

Fix versions

Priority

Major