[ https://issues.apache.org/jira/browse/CMIS-1120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nour Al KOTOB updated CMIS-1120:
--------------------------------
    Description:
when we call
{noformat}
org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(){noformat}
with a statement containing an unescaped single quote like:
{code:java}
"SELECT cmis:objectId FROM cmis:folder WHERE dc:title = '';'"{code}
or even just
{code:java}
"'';"{code}
We run into an OOM exception with such stack trace:
{code:java}
java.lang.OutOfMemoryError: Java heap space
    at java.base/java.util.Arrays.copyOf(Arrays.java:3689)
    at java.base/java.util.ArrayList.grow(ArrayList.java:238)
    at java.base/java.util.ArrayList.grow(ArrayList.java:243)
    at java.base/java.util.ArrayList.add(ArrayList.java:486)
    at java.base/java.util.ArrayList.add(ArrayList.java:499)
    at org.antlr.runtime.BufferedTokenStream.fetch(BufferedTokenStream.java:146)
    at org.antlr.runtime.BufferedTokenStream.sync(BufferedTokenStream.java:137)
    at org.antlr.runtime.CommonTokenStream.skipOffTokenChannels(CommonTokenStream.java:116)
    at org.antlr.runtime.CommonTokenStream.LT(CommonTokenStream.java:102)
    at org.antlr.runtime.BufferedTokenStream.LA(BufferedTokenStream.java:174)
    at org.antlr.runtime.BaseRecognizer.mismatchIsUnwantedToken(BaseRecognizer.java:127)
    at org.antlr.runtime.BaseRecognizer.recoverFromMismatchedToken(BaseRecognizer.java:593)
    at org.antlr.runtime.BaseRecognizer.match(BaseRecognizer.java:115)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser_CmisBaseGrammar.query(CmisQlStrictParser_CmisBaseGrammar.java:197)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.query(CmisQlStrictParser.java:273)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.root(CmisQlStrictParser.java:215)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilStrict.parseStatement(QueryUtilStrict.java:61)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(QueryUtilBase.java:72){code}

  was:
when we call
{noformat}
org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(){noformat}
with a statement containing an unescaped single quote like:
{code:java}
"SELECT cmis:objectId FROM cmis:folder WHERE dc:title = '';'"{code}
or even just
{code:java}
"'';" // "''a" works fine {code}
We run into an OOM exception with such stack trace:
{code:java}
java.lang.OutOfMemoryError: Java heap space
    at java.base/java.util.Arrays.copyOf(Arrays.java:3689)
    at java.base/java.util.ArrayList.grow(ArrayList.java:238)
    at java.base/java.util.ArrayList.grow(ArrayList.java:243)
    at java.base/java.util.ArrayList.add(ArrayList.java:486)
    at java.base/java.util.ArrayList.add(ArrayList.java:499)
    at org.antlr.runtime.BufferedTokenStream.fetch(BufferedTokenStream.java:146)
    at org.antlr.runtime.BufferedTokenStream.sync(BufferedTokenStream.java:137)
    at org.antlr.runtime.CommonTokenStream.skipOffTokenChannels(CommonTokenStream.java:116)
    at org.antlr.runtime.CommonTokenStream.LT(CommonTokenStream.java:102)
    at org.antlr.runtime.BufferedTokenStream.LA(BufferedTokenStream.java:174)
    at org.antlr.runtime.BaseRecognizer.mismatchIsUnwantedToken(BaseRecognizer.java:127)
    at org.antlr.runtime.BaseRecognizer.recoverFromMismatchedToken(BaseRecognizer.java:593)
    at org.antlr.runtime.BaseRecognizer.match(BaseRecognizer.java:115)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser_CmisBaseGrammar.query(CmisQlStrictParser_CmisBaseGrammar.java:197)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.query(CmisQlStrictParser.java:273)
    at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.root(CmisQlStrictParser.java:215)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilStrict.parseStatement(QueryUtilStrict.java:61)
    at org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(QueryUtilBase.java:72){code}


> unescaped single quotes lead to an OOM exception
> ------------------------------------------------
>
>                 Key: CMIS-1120
>                 URL: https://issues.apache.org/jira/browse/CMIS-1120
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-server
>    Affects Versions: OpenCMIS 1.1.0
>            Reporter: Nour Al KOTOB
>            Priority: Major
>
> when we call
> {noformat}
> org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(){noformat}
> with a statement containing an unescaped single quote like:
> {code:java}
> "SELECT cmis:objectId FROM cmis:folder WHERE dc:title = '';'"{code}
> or even just
> {code:java}
> "'';"{code}
> We run into an OOM exception with such stack trace:
> {code:java}
> java.lang.OutOfMemoryError: Java heap space
>     at java.base/java.util.Arrays.copyOf(Arrays.java:3689)
>     at java.base/java.util.ArrayList.grow(ArrayList.java:238)
>     at java.base/java.util.ArrayList.grow(ArrayList.java:243)
>     at java.base/java.util.ArrayList.add(ArrayList.java:486)
>     at java.base/java.util.ArrayList.add(ArrayList.java:499)
>     at org.antlr.runtime.BufferedTokenStream.fetch(BufferedTokenStream.java:146)
>     at org.antlr.runtime.BufferedTokenStream.sync(BufferedTokenStream.java:137)
>     at org.antlr.runtime.CommonTokenStream.skipOffTokenChannels(CommonTokenStream.java:116)
>     at org.antlr.runtime.CommonTokenStream.LT(CommonTokenStream.java:102)
>     at org.antlr.runtime.BufferedTokenStream.LA(BufferedTokenStream.java:174)
>     at org.antlr.runtime.BaseRecognizer.mismatchIsUnwantedToken(BaseRecognizer.java:127)
>     at org.antlr.runtime.BaseRecognizer.recoverFromMismatchedToken(BaseRecognizer.java:593)
>     at org.antlr.runtime.BaseRecognizer.match(BaseRecognizer.java:115)
>     at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser_CmisBaseGrammar.query(CmisQlStrictParser_CmisBaseGrammar.java:197)
>     at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.query(CmisQlStrictParser.java:273)
>     at org.apache.chemistry.opencmis.server.support.query.CmisQlStrictParser.root(CmisQlStrictParser.java:215)
>     at org.apache.chemistry.opencmis.server.support.query.QueryUtilStrict.parseStatement(QueryUtilStrict.java:61)
>     at org.apache.chemistry.opencmis.server.support.query.QueryUtilBase.processStatement(QueryUtilBase.java:72){code}
>

--
This message was sent by Atlassian Jira (v8.20.1#820001)