corazawaf / libinjection-go

libinjection-go is a Go port of libinjection (https://github.com/client9/libinjection)
BSD 3-Clause "New" or "Revised" License

Stack overflow in XSS code #16

Closed MirkoDziadzka closed 5 months ago

MirkoDziadzka commented 1 year ago

libinjection-go does have the same problem as its C counterpart, see https://github.com/libinjection/libinjection/issues/33

How to reproduce

Using

$ go version
go version go1.17.3 darwin/amd64

and adding the following test and running it with go test

package libinjection

import (
	"testing"
)

func TestMemory(t *testing.T) {
	size := 10_000_000
	input := make([]byte, size) // 10 MB consisting only of '/' bytes
	for i := range input {
		input[i] = '/'
	}

	IsXSS(string(input)) // should return normally instead of exhausting the goroutine stack
}

Expected result

test is passing

Actual result

$ go test
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc020d8a380 stack=[0xc020d8a000, 0xc040d8a000]
fatal error: stack overflow

runtime stack:
runtime.throw({0x1131c7e, 0x122fa80})
    /usr/local/Cellar/go/1.17.3/libexec/src/runtime/panic.go:1198 +0x71
runtime.newstack()
    /usr/local/Cellar/go/1.17.3/libexec/src/runtime/stack.go:1088 +0x5ac
runtime.morestack()
    /usr/local/Cellar/go/1.17.3/libexec/src/runtime/asm_amd64.s:461 +0x8b

goroutine 6 [running]:
github.com/corazawaf/libinjection-go.(*h5State).stateSelfClosingStartTag(0xc000062140)
    /Users/mirko/Projects/libinjection-go/html5.go:205 +0x130 fp=0xc020d8a390 sp=0xc020d8a388 pc=0x10e9990
github.com/corazawaf/libinjection-go.(*h5State).stateBeforeAttributeName(0x0)
    /Users/mirko/Projects/libinjection-go/html5.go:504 +0x14a fp=0xc020d8a3b0 sp=0xc020d8a390 pc=0x10eaeca
github.com/corazawaf/libinjection-go.(*h5State).stateSelfClosingStartTag(0x0)
    /Users/mirko/Projects/libinjection-go/html5.go:219 +0xfd fp=0xc020d8a3d0 sp=0xc020d8a3b0 pc=0x10e995d
github.com/corazawaf/libinjection-go.(*h5State).stateBeforeAttributeName(0x0)
    /Users/mirko/Projects/libinjection-go/html5.go:504 +0x14a fp=0xc020d8a3f0 sp=0xc020d8a3d0 pc=0x10eaeca
github.com/corazawaf/libinjection-go.(*h5State).stateSelfClosingStartTag(0x0)
...
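As an added example (not code from this issue or from libinjection-go; all names are hypothetical), the pattern behind the trace: the HTML5 self-closing-start-tag state reconsumes any byte other than '>' in before-attribute-name, so a run of '/' makes the two states hand control back and forth once per byte. Written so that each state returns its successor and a loop drives them, the same input runs in constant stack depth.

```go
package main

import "fmt"

// Hypothetical mini-tokenizer (not libinjection-go's code): states return the
// next state instead of calling it, and a loop drives them, so the stack stays flat.
type state func(*scanner) state

type scanner struct {
	input []byte
	pos   int
	tags  int // self-closing tags emitted; stands in for the token callback
}

func stateBeforeAttributeName(s *scanner) state {
	s.pos++
	if s.input[s.pos-1] == '/' {
		return stateSelfClosingStartTag
	}
	return stateBeforeAttributeName // attribute names omitted for brevity
}

// Self-closing-start-tag: '>' emits the tag; any other byte is reconsumed,
// without advancing, in before-attribute-name. On a run of '/' the two states
// thus alternate once per byte: as mutual calls, the recursion in the trace.
func stateSelfClosingStartTag(s *scanner) state {
	if s.input[s.pos] == '>' {
		s.pos++
		s.tags++
		return stateBeforeAttributeName // the real tokenizer goes to data state
	}
	return stateBeforeAttributeName
}

// Tokenize returns the self-closing tags emitted and the state transitions made.
func Tokenize(input []byte) (tags, steps int) {
	s := &scanner{input: input}
	for st := state(stateBeforeAttributeName); s.pos < len(s.input); st = st(s) {
		steps++
	}
	return s.tags, steps
}

func main() {
	input := make([]byte, 10_000_000) // the issue's reproducer input
	for i := range input {
		input[i] = '/'
	}
	fmt.Println(Tokenize(input)) // prints: 0 19999999
}
```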