summary

DomainNameUtil issues java.lang.StackOverflowError on very large error (@Email validation)

Description

When validating a large domain name (for example using the @Email annotation), the validator issues a java.lang.StackOverflowError.

It happens here with a very large domain name and JVM default options, but when Xss is tweaked to run in a container for example, it can happen with smaller domain name (https://developers.redhat.com/blog/2017/04/04/openjdk-and-containers/).

Here is a test case:

Environment

None

Activity

Show:

Guillaume Smet

March 4, 2021, 10:09 AM

Yeah, I think we can't do a lot better than changing the order of operations.

I also made the groups non capturing to reduce memory usage.

Thanks for the report.

Jérôme Joslet

March 4, 2021, 7:17 AM

The Stack is too large to be displayed entirely, Java does not get it entirely. There is nothing interesting in the stack trace.

The error is located here:

Using the pattern EMAIL_DOMAIN_PATTERN

But if you still want the stack trace, here is the full printed one:

Guillaume Smet

March 3, 2021, 12:00 PM

Any chance we could have the interesting parts of the stacktrace in the issue description? Thanks.

Jérôme Joslet

February 25, 2021, 10:03 AM

Edited

A partial solution is to perform the length check in the isValidDomainAddress before the pattern validation.

Please note that this code can be vulnerable to ReDoS https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

Fixed

Assignee

Guillaume Smet

Reporter

Jérôme Joslet

Labels

None

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

None

Pull Request

https://github.com/hibernate/hibernate-validator/pull/1159

backportDecision

None

backportReEvaluate

None

Fix versions

6.2-next

7.0-next

Priority

Major

Configure