Describe the bug
Visual Studio CPU telemetry has caught an issue in the wild where DevSkimFixMessageTarget is entering an infinite loop due to overlapped reads and writes to a HashSet. This is described in this article: https://frugalcafe.beehiiv.com/p/selfinflicted-dos-attack-dictionary-corruption. The lambda passed as the updateValueFactory parameter to AddOrUpdate can run on multiple threads at the same time, causing corruption of the HashSet.
At the time we caught this, the lambda in CodeFixMappingEventAsync was consuming 3 CPU cores for over 6 minutes, but would never have broken out of the loop.
Replace the HashSet with an immutable structure such as ImmutableHashSet.
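The two patterns side by side, as an added example that is not DevSkim's own code: the names FixMappingDemo, RecordUnsafe, RecordSafe and the file key are constructed. The unsafe variant shows the mutating updateValueFactory described above; the safe variant uses a pure factory over ImmutableHashSet, which is what the fix proposes.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Threading.Tasks;

// Constructed example: many threads record fix ids under the same file key.
static class FixMappingDemo
{
    // Unsafe pattern: the updateValueFactory mutates the HashSet it was handed.
    // ConcurrentDictionary may invoke the factory on several threads at once for
    // the same key, so those threads call HashSet.Add concurrently on one instance.
    // HashSet is not thread-safe; concurrent writes can corrupt its internal
    // bucket/entry chains, and a later lookup or enumeration can then spin forever.
    static readonly ConcurrentDictionary<string, HashSet<int>> unsafeMap = new();

    static void RecordUnsafe(string file, int fixId) =>
        unsafeMap.AddOrUpdate(file,
            _ => new HashSet<int> { fixId },
            (_, existing) => { existing.Add(fixId); return existing; });

    // Safe pattern: the factory is pure. ImmutableHashSet.Add returns a new set and
    // never modifies the old one. If two threads race, AddOrUpdate's internal
    // compare-and-swap keeps one result and re-runs the factory for the other
    // against the winner's set, so no update is lost and nothing is corrupted.
    static readonly ConcurrentDictionary<string, ImmutableHashSet<int>> safeMap = new();

    static void RecordSafe(string file, int fixId) =>
        safeMap.AddOrUpdate(file,
            _ => ImmutableHashSet.Create(fixId),
            (_, existing) => existing.Add(fixId));

    static void Main()
    {
        const int count = 100_000;
        // Only the safe variant is exercised; the unsafe one is kept for comparison
        // because running it under contention may hang the process rather than throw.
        Parallel.For(0, count, i => RecordSafe("Program.cs", i));
        Console.WriteLine(safeMap["Program.cs"].Count == count
            ? "safe: all updates retained"
            : "safe: updates lost");
    }
}
```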
To Reproduce
There is no repro, this was caught by automatic CPU tracing, akin to Watson crash reporting.
Expected behavior
Don't overlap read/writes to a HashSet
Versions (please complete the following information):
OS: I don't have the OS handy, but I don't believe it's an influence in the issue.
Devskim Version: I don't have the exact version; I can gather it if absolutely needed, but I can see the current version of the code still has the bug.