Billion Laughs causes extension to consume all cpu and die

[zkrising]

I guess this is expected behaviour but I was running tests that involve throwing billion laughs at an xml parser and this extension - upon seeing billion laughs - halted vscode and consumed as much cpu as possible.

Is there a way around this without disabling the extension/getting the extension to ignore the file? My vscode just slowly crashes if I even see the file.

[angelozerr]

Is it possible to share your XML, DTD, XSD, files which causes problem and share your tests you are executing in order to we can reproduce your problem. Thanks.

[zkrising]

No worries -

<?xml version="1.0"?>
<!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

This is the billion laughs attack as per wikipedia - should crash your pc if its noticed by vscode with this extension enabled.

[fbricon]

@angelozerr @evidolob YAML is similarly affected, see kubernetes/kubernetes#83253 and one mitigation strategy (limiting recursive entities): go-yaml/yaml@bb4e33b

[angelozerr]

This is the billion laughs attack as per wikipedia - should crash your pc if its noticed by vscode with this extension enabled.

Thanks for your sample!

It seems that you have enabled the resolve of XML entities https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#resolve-external-entities If you disable it, you should ignore the problem, no?

YAML is similarly affected, see kubernetes/kubernetes#83253 and one mitigation strategy (limiting recursive entities)

resolve of XML entities is managed by Xerces,I don't know ifit's possible to set a limit for recursive entities.

[zkrising]

This is the billion laughs attack as per wikipedia - should crash your pc if its noticed by vscode with this extension enabled.

Thanks for your sample!

It seems that you have enabled the resolve of XML entities https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#resolve-external-entities If you disable it, you should ignore the problem, no?

YAML is similarly affected, see kubernetes/kubernetes#83253 and one mitigation strategy (limiting recursive entities)

resolve of XML entities is managed by Xerces,I don't know ifit's possible to set a limit for recursive entities.

Hi, Thanks for the quick response! Changing that setting does fix the problem, but does mean you can't take advantage of doctype declarations.

I looked at the commit that fixes this, looks like a good way to mitigate this problem. Thanks again for fixing this so quickly!

[angelozerr]

@zkldi my current PR eclipse-lemminx/lemminx#1038 should fix your issue and you will benefit with doctype declaration again.

You should see now an error: