Deeply nested ASTs should be de-serialized correctly

Description

In https://sonarsource.atlassian.net/browse/JS-160, we are now creating a Java ESTree API. In the process, we read a protobuf serialized message.

It seems that we reach a recursion limit when deserializing a potentially large AST.

java.lang.IllegalStateException: com.google.protobuf.InvalidProtocolBufferException: Protocol message had too many levels of nesting. May be malicious. Use CodedInputStream.setRecursionLimit() to increase the depth limit.
    at org.sonar.plugins.javascript.bridge.FormDataUtils.parseFormData(FormDataUtils.java:74)

This can be observed in django-crm (analyzed on gill).

This also happens in the ITs of Armor (onion subset).

We should understand if the limit should be increased and prevent the error from stopping the analysis.

Note that it should not appear in production anymore, as we implemented https://sonarsource.atlassian.net/browse/JS-166, serializing the AST only when ARMOR is enabled.
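
An added example, not part of the ticket and not SonarJS code: how the recursion limit named in the exception behaves in protobuf-java, and how a parse failure can be contained so it does not stop a run. It assumes the recursive well-known type `Value` as a stand-in for the AST message; the class name, method names and the limit of 500 are hypothetical choices for illustration.

```java
import com.google.protobuf.CodedInputStream;
import com.google.protobuf.ListValue;
import com.google.protobuf.Value;
import java.io.IOException;
import java.util.Optional;

public class RecursionLimitDemo {

  // Constructed input: `depth` nested lists around one leaf, standing in for a deep AST.
  static byte[] nested(int depth) {
    Value v = Value.newBuilder().setStringValue("leaf").build();
    for (int i = 0; i < depth; i++) {
      v = Value.newBuilder().setListValue(ListValue.newBuilder().addValues(v)).build();
    }
    return v.toByteArray();
  }

  // Parse with an explicit, bounded limit. A failure is reported to the caller
  // as an empty result so that one file cannot stop the whole run.
  static Optional<Value> parse(byte[] bytes, int recursionLimit) {
    CodedInputStream in = CodedInputStream.newInstance(bytes);
    in.setRecursionLimit(recursionLimit);
    try {
      return Optional.of(Value.parseFrom(in));
    } catch (IOException e) { // InvalidProtocolBufferException is an IOException
      System.err.println("skipping message: " + e.getMessage());
      return Optional.empty();
    }
  }

  public static void main(String[] args) {
    // Each list adds two message levels (ListValue + Value): 80 lists = 160 levels.
    byte[] deep = nested(80);
    // 100 is protobuf-java's default limit, so this parse is rejected.
    System.out.println("limit 100: parsed=" + parse(deep, 100).isPresent());
    // A higher but still bounded limit accepts the same bytes.
    System.out.println("limit 500: parsed=" + parse(deep, 500).isPresent());
  }
}
```

The limit exists because message parsing is recursive, so any raised value should stay bounded and sized to the thread's stack: a `StackOverflowError` is not an `IOException` and would escape the `catch` above.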

Activity

Quentin Jaquier July 17, 2024 at 7:42 AM

Raising the priority: this ticket impacts more than 500 files in the onion benchmark.

Quentin Jaquier July 15, 2024 at 2:46 PM

Fixing this issue should recover two issues in the ITs:

[Issue[rule=armor:JSEngineRule, fileId=onion-subset:src/distr_53/sample99/main/index.js, line=24], Issue[rule=armor:JSEngineRule, fileId=onion-subset:src/distr_90/sample99/main/index.js, line=4],

Quentin Jaquier June 17, 2024 at 10:07 AM

Before investigating further, we made sure not to crash the analysis when this happens. See https://github.com/SonarSource/SonarJS/pull/4740.

Fixed

Created June 13, 2024 at 3:58 PM
Updated October 16, 2024 at 12:53 PM
Resolved July 31, 2024 at 7:41 AM