Infinite recursion on malformed input (parseTypeSystemDefinition) #637

Closed
WGH- opened this issue Jul 19, 2022 · 6 comments · Fixed by #642, solidwall/graphql-go#1, tailor-inc/graphql#3 or kubeops/ui-server#164

WGH- commented Jul 19, 2022

Simple input `String r` crashes the parser with infinite recursion.

```go
package parser

import (
	"testing"

	"github.com/graphql-go/graphql/language/source"
)

// Reproducer: Parse never returns for this input; the goroutine stack overflows.
func TestInfiniteRecursion(t *testing.T) {
	body := `String r`
	source := source.NewSource(&source.Source{
		Body: []byte(body),
	})
	_, err := Parse(
		ParseParams{
			Source: source,
			Options: ParseOptions{
				NoSource: true,
			},
		},
	)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
}
```

```
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc020178350 stack=[0xc020178000, 0xc040178000]
fatal error: stack overflow

runtime stack:
runtime.throw({0x581369?, 0x67d3c0?})
	/usr/lib/go/src/runtime/panic.go:992 +0x71
runtime.newstack()
	/usr/lib/go/src/runtime/stack.go:1101 +0x5cc
runtime.morestack()
	/usr/lib/go/src/runtime/asm_amd64.s:547 +0x8b

goroutine 50 [running]:
runtime.mapaccess2_faststr(0x55ce00?, 0xc0000aa510?, {0xc0001630b8, 0x6})
	/usr/lib/go/src/runtime/map_faststr.go:108 +0x3ee fp=0xc020178360 sp=0xc020178358 pc=0x41254e
github.com/graphql-go/graphql/language/parser.parseTypeSystemDefinition(0xc00015a8c0)
	/tmp/graphql/language/parser/parser.go:867 +0x146 fp=0xc02017ca88 sp=0xc02017c9d0 pc=0x533006
github.com/graphql-go/graphql/language/parser.parseTypeSystemDefinition(0xc00015a8c0)
	/tmp/graphql/language/parser/parser.go:867 +0x146 fp=0xc02017ca88 sp=0xc02017c9d0 pc=0x533006
...additional frames elided...
created by testing.(*T).Run
	/usr/lib/go/src/testing/testing.go:1486 +0x35f
```

WGH- commented Jul 19, 2022

Just FYI, this test case was found with the new Go 1.18 fuzzer (*testing.F).
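
The trace above shows `parseTypeSystemDefinition` re-entering itself after a map lookup until the runtime aborts the whole process. The following is an added example, not graphql-go's code or its fix: a toy parser whose hypothetical dispatch table has the same self-dispatching shape, with a depth limit that turns the crash into an ordinary parse error. `ParseToy`, `dispatch`, `defFn`, `maxDepth` and `errTooDeep` are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const maxDepth = 64 // recover() cannot catch a Go stack overflow; bound depth instead
var errTooDeep = errors.New("parser: recursion limit exceeded")

type defFn func(toks []string, depth int) (string, error)

// dispatch is a hypothetical keyword table. Its "String" entry re-enters
// parseDefinition without consuming a token, the shape seen in the trace.
var dispatch map[string]defFn

func init() { // filled here to avoid an initialization cycle
	dispatch = map[string]defFn{
		"type":   parseNamed,
		"String": parseDefinition,
	}
}

func parseNamed(toks []string, _ int) (string, error) {
	if len(toks) < 2 {
		return "", errors.New("parser: expected a name")
	}
	return "type " + toks[1], nil
}

func parseDefinition(toks []string, depth int) (string, error) {
	if depth > maxDepth {
		return "", errTooDeep // fail this request, keep the process alive
	}
	if len(toks) == 0 {
		return "", errors.New("parser: unexpected end of input")
	}
	fn, ok := dispatch[toks[0]]
	if !ok {
		return "", fmt.Errorf("parser: unexpected %q", toks[0])
	}
	return fn(toks, depth+1) // "String" hands back the same, unconsumed tokens
}

func ParseToy(src string) (string, error) {
	return parseDefinition(strings.Fields(src), 0)
}

func main() { fmt.Println(ParseToy("String r")) }
```

The limit only contains the failure; the underlying defect in such a table is an entry that recurses without consuming input.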

@WGH- WGH- changed the title Infinite recursion on malformed input Infinite recursion on malformed input (parseTypeSystemDefinition) Jul 19, 2022
Invizory added a commit to Invizory/graphql-go that referenced this issue Jul 29, 2022

Invizory commented Aug 2, 2022

This was assigned CVE-2022-37315.

@JohnStarich

@alex-lange @chris-ramon Would you mind taking a look when you have a chance?

If needed, let me know where I can help. Looks like the above PR may be the needed fix. (Due to the assigned CVE, my team is getting alerts to patch.)

@JohnStarich

@chris-ramon @sogko Are any maintainers available to take a look at this? This CVE is now 2 months old.

We can't afford to continue using dependencies with active CVEs. I'd much prefer to avoid dropping this dependency. If there's anything the community can do to help, please shout.


WGH- commented Oct 13, 2022

I apologize for dropping zero-day DoS without consideration...


Pashugan commented Nov 21, 2022

nancy fails on this vulnerability now. Any chance to merge the fix?

tamalsaha added a commit to kubeops/ui-server that referenced this issue Nov 30, 2022
Fixes graphql-go/graphql#637

Signed-off-by: Tamal Saha <tamal@appscode.com>
keegancsmith added a commit to sourcegraph/sourcegraph that referenced this issue Jan 18, 2023
I found this when scanning sourcegraph/gitserver:4.4.0-rc.1.

This is the same fork and commit used by the kubeops project.
kubeops/ui-server@59bb7a6

Snyk report is at
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGRAPHQLGOGRAPHQLLANGUAGEPARSER-2964941
and the upstream issue is at
graphql-go/graphql#637

Test Plan: CI
BolajiOlajide pushed a commit to sourcegraph/sourcegraph that referenced this issue Jan 18, 2023
snej pushed a commit to couchbasedeps/graphql-go that referenced this issue Mar 8, 2023