Infinite recursion on malformed input (parseTypeSystemDefinition)
Simple input `String r` crashes the parser with infinite recursion.
```go
package parser

import (
	"testing"

	"github.com/graphql-go/graphql/language/source"
)

// Reproducer: parsing the two-token input `String r` never returns; the
// recursion in parseTypeSystemDefinition grows the goroutine stack until the
// runtime aborts with "fatal error: stack overflow".
func TestInfiniteRecursion(t *testing.T) {
	body := `String r`
	src := source.NewSource(&source.Source{
		Body: []byte(body),
	})
	_, err := Parse(ParseParams{
		Source: src,
		Options: ParseOptions{
			NoSource: true,
		},
	})
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
}
```
```
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc020178350 stack=[0xc020178000, 0xc040178000]
fatal error: stack overflow
runtime stack:
runtime.throw({0x581369?, 0x67d3c0?})
/usr/lib/go/src/runtime/panic.go:992 +0x71
runtime.newstack()
/usr/lib/go/src/runtime/stack.go:1101 +0x5cc
runtime.morestack()
/usr/lib/go/src/runtime/asm_amd64.s:547 +0x8b
goroutine 50 [running]:
runtime.mapaccess2_faststr(0x55ce00?, 0xc0000aa510?, {0xc0001630b8, 0x6})
/usr/lib/go/src/runtime/map_faststr.go:108 +0x3ee fp=0xc020178360 sp=0xc020178358 pc=0x41254e
github.com/graphql-go/graphql/language/parser.parseTypeSystemDefinition(0xc00015a8c0)
/tmp/graphql/language/parser/parser.go:867 +0x146 fp=0xc02017ca88 sp=0xc02017c9d0 pc=0x533006
github.com/graphql-go/graphql/language/parser.parseTypeSystemDefinition(0xc00015a8c0)
/tmp/graphql/language/parser/parser.go:867 +0x146 fp=0xc02017ca88 sp=0xc02017c9d0 pc=0x533006
...additional frames elided...
created by testing.(*T).Run
/usr/lib/go/src/testing/testing.go:1486 +0x35f
```
Just FYI, this test case was found with the new Go 1.18 fuzzer (`*testing.F`).
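To make the bug class behind the trace concrete, here is an added example; it is not code from graphql-go or from the reporter, and its grammar, token set and function names are assumptions that do not match graphql-go's `parser.go`. It is a toy definition parser with two dispatchers: `parseDefinitionVulnerable`, which, on a token it does not recognise, re-enters itself without consuming input (capped with a constructed depth limit so the demo returns an error instead of overflowing the stack), and the hardened `parseDefinition`, which reports unrecognised input as a syntax error and additionally refuses to report success unless it advanced the token position.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed toy grammar: a document is a sequence of "<keyword> <name>" pairs
// separated by whitespace. Not graphql-go's grammar or tokenizer.
type parser struct {
	toks []string
	pos  int
}

func newParser(src string) *parser { return &parser{toks: strings.Fields(src)} }

func (p *parser) peek() (string, bool) {
	if p.pos >= len(p.toks) {
		return "", false
	}
	return p.toks[p.pos], true
}

func (p *parser) next() (string, bool) {
	tok, ok := p.peek()
	if ok {
		p.pos++
	}
	return tok, ok
}

// Assumed keyword set; the real list lives in graphql-go's lexer.
var definitionKeywords = map[string]bool{
	"schema": true, "scalar": true, "type": true, "interface": true,
	"union": true, "enum": true, "input": true, "directive": true,
}

// parseKeywordDefinition consumes "<keyword> <name>".
func parseKeywordDefinition(p *parser) (string, error) {
	kw, _ := p.next()
	name, ok := p.next()
	if !ok {
		return "", fmt.Errorf("syntax error: %q is missing a name", kw)
	}
	return kw + " " + name, nil
}

var errRunaway = errors.New("runaway recursion: no input consumed between calls")

const maxDemoDepth = 10_000 // constructed cap so the demo returns instead of overflowing

// parseDefinitionVulnerable: when the current token is not a keyword it calls
// itself again with p.pos unchanged, so every frame sees the same token and the
// stack grows until the runtime aborts (here: until the cap trips).
func parseDefinitionVulnerable(p *parser, depth int) (string, error) {
	if depth > maxDemoDepth {
		return "", errRunaway
	}
	tok, ok := p.peek()
	if !ok {
		return "", errors.New("syntax error: unexpected end of input")
	}
	if definitionKeywords[tok] {
		return parseKeywordDefinition(p)
	}
	return parseDefinitionVulnerable(p, depth+1) // BUG: nothing consumed
}

// parseDefinition is the hardened form: unrecognised input is a syntax error,
// and, as defence in depth, success requires that the position advanced.
func parseDefinition(p *parser) (string, error) {
	start := p.pos
	tok, ok := p.peek()
	if !ok {
		return "", errors.New("syntax error: unexpected end of input")
	}
	if !definitionKeywords[tok] {
		return "", fmt.Errorf("syntax error at token %d: unexpected %q, expected a definition keyword", p.pos, tok)
	}
	def, err := parseKeywordDefinition(p)
	if err != nil {
		return "", err
	}
	if p.pos == start {
		return "", errRunaway
	}
	return def, nil
}

// parseDocument parses every definition in src with the hardened dispatcher.
func parseDocument(src string) ([]string, error) {
	p := newParser(src)
	var defs []string
	for {
		if _, ok := p.peek(); !ok {
			return defs, nil
		}
		def, err := parseDefinition(p)
		if err != nil {
			return nil, err
		}
		defs = append(defs, def)
	}
}

func main() {
	defs, err := parseDocument("String r")
	fmt.Println("hardened:", defs, err)
	_, err = parseDefinitionVulnerable(newParser("String r"), 0)
	fmt.Println("vulnerable:", err)
}
```

The point generalises beyond this toy: any recursive-descent function that can reach a recursive call without having consumed at least one token is a stack-exhaustion DoS on attacker-controlled input, and a fuzzer of the kind mentioned above finds such paths quickly. The `p.pos == start` check is cheap insurance against the same mistake reappearing in a later refactor.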
This was assigned CVE-2022-37315.
@alex-lange @chris-ramon Would you mind taking a look when you have a chance?
If needed, let me know where I can help. Looks like the above PR may be the needed fix. (Due to the assigned CVE, my team is getting alerts to patch.)
@chris-ramon @sogko Are any maintainers available to take a look at this? This CVE is now 2 months old.
We can't afford to continue using dependencies with active CVEs. I'd much prefer to avoid dropping this dependency. If there's anything the community can do to help, please shout.
I apologize for dropping zero-day DoS without consideration...
nancy fails on this vulnerability now. Any chance to merge the fix?