Skip to content

Concurrency issue in HtmlSanitizer #519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
JornWildt opened this issue Nov 9, 2022 · 9 comments
Closed

Concurrency issue in HtmlSanitizer #519

JornWildt opened this issue Nov 9, 2022 · 9 comments
Labels
bug
Milestone
0.12

Comments

@JornWildt
Copy link

I found this error in the Cofoundry error log - it seems like there is a concurrency issue in HtmlSanitizer.

Message: Operations that change non-concurrent collections must have exclusive access. A concurrent update was performed on this collection and corrupted its state. The collection's state is no longer correct.

   at System.Collections.Generic.HashSet`1.Contains(T item)
   at Ganss.XSS.HtmlSanitizer.IsAllowedAttribute(IAttr attribute)
   at Ganss.XSS.HtmlSanitizer.<DoSanitize>b__127_1(IAttr a)
   at System.Linq.Enumerable.WhereEnumerableIterator`1.ToList()
   at Ganss.XSS.HtmlSanitizer.DoSanitize(IHtmlDocument dom, IParentNode context, String baseUrl)
   at Ganss.XSS.HtmlSanitizer.SanitizeDom(String html, String baseUrl)
   at Ganss.XSS.HtmlSanitizer.Sanitize(String html, String baseUrl, IMarkupFormatter outputFormatter)
   at Cofoundry.Core.Web.Internal.HtmlSanitizer.Sanitize(String source, IHtmlSanitizationRuleSet ruleSet)
   at Cofoundry.Core.Web.Internal.HtmlSanitizer.Sanitize(IHtmlContent source)
   at Cofoundry.Domain.HtmlSanitizerHelper.Sanitize(IHtmlContent source)
   at AspNetCore._PageBlockTypes_RichTextWithMedia_RichTextWithMedia.ExecuteAsync() in /PageBlockTypes/RichTextWithMedia/RichTextWithMedia.cshtml:line 8
   at Microsoft.AspNetCore.Mvc.Razor.RazorView.RenderPageCoreAsync(IRazorPage page, ViewContext context)
   at Microsoft.AspNetCore.Mvc.Razor.RazorView.RenderPageAsync(IRazorPage page, ViewContext context, Boolean invokeViewStarts)
   at Microsoft.AspNetCore.Mvc.Razor.RazorView.RenderAsync(ViewContext context)
   at Cofoundry.Web.RazorViewRenderer.RenderViewAsync(ViewContext viewContext, ViewEngineResult viewResult, Object model)
   at Cofoundry.Web.PageBlockRenderer.RenderBlockAsync(ViewContext viewContext, IEditablePageViewModel pageViewModel, IEntityVersionPageBlockRenderDetails blockViewModel)
   at Cofoundry.Web.PageTemplateRegionTagBuilder.RenderBlocksToHtml(PageRegionRenderDetails pageRegion, Dictionary`2 regionAttributes, VisualEditorState visualEditorState)
   at Cofoundry.Web.PageTemplateRegionTagBuilder.RenderRegion(PageRegionRenderDetails pageRegion)
   at Cofoundry.Web.PageTemplateRegionTagBuilder.InvokeAsync()
@HeyJoel
Copy link
Member

HeyJoel commented Nov 10, 2022

First up can I check a couple of things:

  • Are you definately awaiting any async calls in your views/templates?
  • Is this an intermittent issue, or does it happen on every render?
  • Did anything change prior to the issue occuring e.g. version update
  • What version of Cofoundry / .NET are you running?

@JornWildt
Copy link
Author

Are you definately awaiting any async calls in your views/templates?

Sorry, can't answer that - that is rather difficult to verify.

Is this an intermittent issue, or does it happen on every render?

Certainly an intermittent issue - the log indicates that there were three simultaneous requests to the website.

Did anything change prior to the issue occuring e.g. version update

No.

What version of Cofoundry / .NET are you running?

Cofoundry: 0.9.1 (Nuget package number). Target framework is netcoreapp3.1.

@JornWildt
Copy link
Author

Looking into "mganss", there error is here: https://github.com/mganss/HtmlSanitizer/blob/master/src/HtmlSanitizer/HtmlSanitizer.cs#L638

        private bool IsAllowedAttribute(IAttr attribute)
        {
            return AllowedAttributes.Contains(attribute.Name)
                // test html5 data- attributes
                || (AllowDataAttributes && attribute.Name != null && attribute.Name.StartsWith("data-", StringComparison.OrdinalIgnoreCase));
        }

Here AllowedAttributes is a standard HashSet - which is not thread safe, so two concurrent requests can run into the reported problem.

Probably not something Cofoundry can do anything about - besides adding some locking statements.

@HeyJoel
Copy link
Member

HeyJoel commented Nov 10, 2022

I don't see why there would be a concurrency issue with the HashSet unless it was being altered while the check was being made, and on a cursory look over the code I can't see how that might happen, given we create the mganss sanitizer and the ruleset on demand and have everything registered as transient. That's why I was thinking about un-awaited async calls in your views, as I wouldn't expect anything in a request to run concurrently anyway.

Are you altering the sanitizer rulesets at all?

There must be something somewhere, but I'm not seeing it as yet, I will probably have to do a deeper dive into the code.

@JornWildt
Copy link
Author

I don't see why there would be a concurrency issue with the HashSet unless it was being altered while the check was being made

Now, I haven't experienced it myself with HashSet - but with Dictionary you cannot even have two concurrent readers! It is most likely the same with HashSet. So don't look for concurrent read/write - all you need is two concurrent reads on the same collection - and that is not difficult to imagine.

@JornWildt
Copy link
Author

For the code here (any code in fact) to be thread safe, you need to use the concurrent versions of the collections. You have to be quite unlucky to experience issues - but it does happen.

@HeyJoel
Copy link
Member

HeyJoel commented Nov 11, 2022

The docs for Dictionary indicate that you can have two concurrent readers, but not if there are concurrent writes. The docs don't mention anything for HashSet, but my assumption would be the same - I'm not expecting the HashSet to be modified after it's been constructed, but looking at the error message that mentions "a concurrent update was performed...", it seems it must be.

I'll need to do a deeper dive when i have some time, but can you let me know if you are you altering/customizing the sanitizer rulesets at all?

@JornWildt
Copy link
Author

Okay, I must have been mistaken somehow. Pretty sure that we had issues with reading a standard dictionary, but cannot reproduce it.

I have not, consciously, done anything to modify the sanitizer rulesets.

@HeyJoel HeyJoel added the bug label Nov 22, 2022
@HeyJoel HeyJoel added this to the 0.12 milestone Nov 22, 2022
@HeyJoel HeyJoel modified the milestones: 0.13, 0.12 Mar 27, 2024
HeyJoel added a commit that referenced this issue Apr 3, 2024
@HeyJoel
Changing HtmlSanitizationRuleSet to use read-only collections to enco…
94cf0e7 
…urage immutability and help to avoid issues like #519.
@HeyJoel
Copy link
Member

HeyJoel commented Apr 3, 2024

As part of the v0.12 release there are improvements in both the mganss html sanaitizer and the Cofoundry implementation to improve the immutability of sanitizer configuration, which should illiminate the kinds of issues you are seeing.

I wasn't able to replicate the issue though so feel free to reopen the issue if you're still having problems after the update. I will close this for now; the changed will be released with v0.12.

@HeyJoel HeyJoel closed this as completed Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
0.12
Development

No branches or pull requests
2 participants
@JornWildt @HeyJoel