Skip to content

Vulnerability related exception produced when using protobuf 3.25.6 #4215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tmortagne opened this issue Jan 28, 2025 · 4 comments
Closed

Vulnerability related exception produced when using protobuf 3.25.6 #4215

tmortagne opened this issue Jan 28, 2025 · 4 comments
Assignees
@lauraharker

Comments

@tmortagne
Copy link

When using closure compiler with protobuf 3.25.6, I get the following exception:

 - Caused by: java.lang.UnsupportedOperationException: As of 2022/09/29 (release 21.7) makeExtensionsImmutable should not be called from protobuf gencode. If you are seeing this message, your gencode is vulnerable to a denial of service attack. You should regenerate your code using protobuf 25.6 or later. Use the latest version that meets your needs. However, if you understand the risks and wish to continue with vulnerable gencode, you can set the system property `-Dcom.google.protobuf.use_unsafe_pre22_gencode` on the command line. See security vulnerability: https://github.com./protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 
 - 	at com.google.protobuf.GeneratedMessage.warnPre22Gencode(GeneratedMessage.java:327) 
 - 	at com.google.protobuf.GeneratedMessageV3.makeExtensionsImmutable(GeneratedMessageV3.java:531) 
 - 	at com.google.javascript.jscomp.serialization.TypedAst.<init>(TypedAst.java:150) 
 - 	at com.google.javascript.jscomp.serialization.TypedAst.<init>(TypedAst.java:13) 
 - 	at com.google.javascript.jscomp.serialization.TypedAst$1.parsePartialFrom(TypedAst.java:2748) 
 - 	at com.google.javascript.jscomp.serialization.TypedAst$1.parsePartialFrom(TypedAst.java:2742) 
 - 	at com.google.javascript.jscomp.serialization.TypedAst$Builder.mergeFrom(TypedAst.java:1675) 
 - 	at com.google.javascript.jscomp.serialization.TypedAst$Builder.mergeFrom(TypedAst.java:1408) 
 - 	at com.google.protobuf.CodedInputStream$StreamDecoder.readMessage(CodedInputStream.java:2331) 
 - 	at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserializeTypedAsts(TypedAstDeserializer.java:414) 
 - 	at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserialize(TypedAstDeserializer.java:182) 
 - 	at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserializeRuntimeLibraries(TypedAstDeserializer.java:140) 
 - 	at com.google.javascript.jscomp.Compiler.initRuntimeLibraryTypedAsts(Compiler.java:690) 
 - 	at com.google.javascript.jscomp.serialization.ConvertTypesToColors.process(ConvertTypesToColors.java:116) 
 - 	at com.google.javascript.jscomp.DefaultPassConfig.lambda$new$81(DefaultPassConfig.java:2805) 
 - 	at com.google.javascript.jscomp.PhaseOptimizer$NamedPass.process(PhaseOptimizer.java:240) 
 - 	at com.google.javascript.jscomp.PhaseOptimizer.process(PhaseOptimizer.java:179) 
 - 	at com.google.javascript.jscomp.Compiler.performTranspilationAndOptimizations(Compiler.java:2966) 
 - 	at com.google.javascript.jscomp.Compiler.lambda$stage2Passes$7(Compiler.java:1025) 
 - 	at com.google.javascript.jscomp.CompilerExecutor.lambda$runInCompilerThread$0(CompilerExecutor.java:100) 
 - 	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) 
 - 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) 
 - 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) 
 - 	... 1 common frames omitted
@mhausner
Copy link
Contributor

Can you add more info here? How are you using protobuf 3.25.6?

We don't think a DOS attack is a real issue here.

We will update the protobuf version.

@tmortagne
Copy link
Author

tmortagne commented Jan 29, 2025
edited
Loading

Can you add more info here? How are you using protobuf 3.25.6?

Not really my area of expertise but my understanding is that this specific error was triggered by https://github.com./xwiki/xwiki-platform/blob/1a426e4115ea8828fe01bcc84857b2a7190f9c15/xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/web/sx/JsExtension.java#L81-L120. And I think we also have the problem at build time with the com.github.blutorange:closure-compiler-maven-plugin (to minify javascript here too, as far as I know).

We don't think a DOS attack is a real issue here.

I don't think so either in our case, but unfortunately, protobuf decided to deal with this with an exception by default.

There is obviously the workaround indicated in the error but wanted to let you know what is the current default behavior when using the compiler with this version of protobuf.

@lauraharker lauraharker mentioned this issue Feb 18, 2025
Open
@tmortagne
Copy link
Author

tmortagne commented Apr 7, 2025
edited
Loading

I imagine this issue was fixed by b99e83b (at least according to what is indicated in the error).

@lauraharker
Copy link
Contributor

Thanks for pointing that out! Closing this, please reopen if you see it again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lauraharker lauraharker

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tmortagne @concavelenz @lauraharker @mhausner