Stackoverflow exception when using a Membership extender with jwt auth #393

Closed
tusmester opened this Issue Jun 20, 2018 · 1 comment

tusmester commented Jun 20, 2018

In a certain environment the Membership extender mechanism can cause an infinite recursion loop and throw a stackoverflow exception. This kills the IIS process, which is a serious issue.

Stack trace

[External Code]
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SnSecurityContext.GetGroups() Line 384 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.GetGroups(SenseNet.ContentRepository.Storage.Security.IUser differentUser) Line 1289 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.GetIdentitiesByMembershipPrivate(int contentId, int ownerId, SenseNet.ContentRepository.Storage.Security.IUser user) Line 1264 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.GetIdentitiesByMembership(SenseNet.ContentRepository.Storage.NodeHead head) Line 1191 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.GetPermittedLevel(SenseNet.ContentRepository.Storage.NodeHead nodeHead) Line 720 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Node.GetUserAccessLevel(SenseNet.ContentRepository.Storage.NodeHead head) Line 2058 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Node.LoadNode(SenseNet.ContentRepository.Storage.NodeHead head, SenseNet.ContentRepository.Storage.VersionNumber version) Line 1959 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Node.LoadNode(int nodeId, SenseNet.ContentRepository.Storage.VersionNumber version) Line 1930 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Node.LoadNode(int nodeId) Line 1915 C#
SenseNet.Services.dll!SenseNet.Portal.Virtualization.PortalContext.LoadContextNode(SenseNet.ContentRepository.Storage.NodeHead head, string versionRequest) Line 1191 C#
SenseNet.Services.dll!SenseNet.Portal.Virtualization.PortalContext.ContextNode.get() Line 1165 C#
SharedUrl.dll!SharedUrl.SharedUrlMembershipExtender.GetExtension(SenseNet.ContentRepository.Storage.Security.IUser user) Line 25 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.MembershipExtenderBase.ExtendPrivate(SenseNet.ContentRepository.Storage.Security.IUser user) Line 54 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.MembershipExtenderBase.Extend(SenseNet.ContentRepository.Storage.Security.IUser user) Line 50 C#
SenseNet.ContentRepository.dll!SenseNet.ContentRepository.User.MembershipExtension.get() Line 842 C#
SenseNet.ContentRepository.dll!SenseNet.ContentRepository.User.GetDynamicGroups(int entityId) Line 1138 C#
[External Code]
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SnSecurityContext.HasPermission(int contentId, SenseNet.Security.PermissionTypeBase[] permissions) Line 168 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.HasPermissionPrivate(SenseNet.ContentRepository.Storage.Security.SnSecurityContext ctx, int contentId, SenseNet.ContentRepository.Storage.Security.PermissionType[] permissionTypes) Line 271 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.HasPermission.AnonymousMethod__0() Line 265 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Retrier.Retry<bool>(int count, int waitMilliseconds, System.Type caughtExceptionType, System.Func<bool> callback) Line 42 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.HasPermission(int nodeId, SenseNet.ContentRepository.Storage.Security.PermissionType[] permissionTypes) Line 265 C#
SenseNet.Storage.dll!SenseNet.ContentRepository.Storage.Security.SecurityHandler.HasPermission(SenseNet.ContentRepository.Storage.NodeHead nodeHead, SenseNet.ContentRepository.Storage.Security.PermissionType[] permissionTypes) Line 248 C#
SenseNet.Services.dll!SenseNet.Portal.AppModel.HttpAction.CheckPermission() Line 56 C#
SenseNet.Services.dll!SenseNet.Portal.AppModel.RemapHttpAction.CheckPermission() Line 199 C#
SenseNet.Services.dll!SenseNet.Portal.Virtualization.AuthorizationModule.AuthorizeRequest(System.Web.HttpContext context) Line 53 C#
SenseNet.Services.dll!SenseNet.Portal.Virtualization.AuthorizationModule.OnAuthorizeRequest(object sender, System.EventArgs e) Line 21 C#
[External Code]

The first section (between the two External code lines) repeats itself from the User.GetDynamicGroups call to the SnSecurityContext.GetGroups call infinitely. The problem is that the SnSecurityContext.GetGroups call ends up calling the User.GetDynamicGroups method indirectly (through the security context) that calls the GetGroups again.

@tusmester tusmester added the bug label Jun 20, 2018

@kavics kavics self-assigned this Jun 22, 2018

kavics commented Jun 22, 2018

I reproduced the bug in a unit test. I would like to know the code of the SharedUrlMembershipExtender for writing a better solution.

@tusmester tusmester added this to the Sprint 161 milestone Jul 20, 2018

@tusmester tusmester closed this Jul 20, 2018
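
The cycle in the stack trace above, reduced to a self-contained model with a re-entrancy guard. This is an added example, not sensenet's code and not the fix applied for this issue; `ModelSecurity`, `LoadNode`, `GetExtension` and the group ids are hypothetical stand-ins for the frames named in the trace.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of the call chain in the stack trace; not sensenet types.
static class ModelSecurity
{
    // True while a membership extender is running on the current thread.
    [ThreadStatic] private static bool _extending;

    public static int GetGroupsCalls;   // demonstration counter only

    // Stands in for SnSecurityContext.GetGroups -> User.GetDynamicGroups.
    public static List<int> GetGroups(int userId, Func<int, int[]> extender)
    {
        GetGroupsCalls++;
        var groups = new List<int> { 1 };   // constructed static membership
        if (_extending)
            return groups;   // re-entered from inside the extender: do not extend again
        _extending = true;
        try { groups.AddRange(extender(userId)); }
        finally { _extending = false; }     // always reset, even if the extender throws
        return groups;
    }

    // Stands in for Node.LoadNode -> GetUserAccessLevel -> ... -> GetGroups.
    public static int LoadNode(int userId, Func<int, int[]> extender)
    {
        return GetGroups(userId, extender).Count;   // permission check needs the groups
    }
}

static class Program
{
    // Stands in for SharedUrlMembershipExtender.GetExtension: it loads a node,
    // which triggers a permission check, which asks for the user's groups again.
    static int[] GetExtension(int userId)
    {
        ModelSecurity.LoadNode(userId, GetExtension);
        return new[] { 42 };   // constructed dynamic group id
    }

    static void Main()
    {
        var groups = ModelSecurity.GetGroups(7, GetExtension);
        Console.WriteLine(string.Join(",", groups) + " calls=" + ModelSecurity.GetGroupsCalls);
    }
}
```

The guard has to prevent the recursion rather than catch it, because a `StackOverflowException` cannot be handled with `try`/`catch` in .NET and terminates the process. While the guard is set, the inner permission check is evaluated with static membership only, and a `[ThreadStatic]` flag assumes the whole chain runs synchronously on one thread, as it does in the trace.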
