Vulnerability related exception produced when using protobuf 3.25.6 #4215

Open
tmortagne opened this issue Jan 28, 2025 · 2 comments
@tmortagne
When using closure compiler with protobuf 3.25.6, I get the following exception:

Caused by: java.lang.UnsupportedOperationException: As of 2022/09/29 (release 21.7) makeExtensionsImmutable should not be called from protobuf gencode. If you are seeing this message, your gencode is vulnerable to a denial of service attack. You should regenerate your code using protobuf 25.6 or later. Use the latest version that meets your needs. However, if you understand the risks and wish to continue with vulnerable gencode, you can set the system property `-Dcom.google.protobuf.use_unsafe_pre22_gencode` on the command line. See security vulnerability: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
	at com.google.protobuf.GeneratedMessage.warnPre22Gencode(GeneratedMessage.java:327)
	at com.google.protobuf.GeneratedMessageV3.makeExtensionsImmutable(GeneratedMessageV3.java:531)
	at com.google.javascript.jscomp.serialization.TypedAst.<init>(TypedAst.java:150)
	at com.google.javascript.jscomp.serialization.TypedAst.<init>(TypedAst.java:13)
	at com.google.javascript.jscomp.serialization.TypedAst$1.parsePartialFrom(TypedAst.java:2748)
	at com.google.javascript.jscomp.serialization.TypedAst$1.parsePartialFrom(TypedAst.java:2742)
	at com.google.javascript.jscomp.serialization.TypedAst$Builder.mergeFrom(TypedAst.java:1675)
	at com.google.javascript.jscomp.serialization.TypedAst$Builder.mergeFrom(TypedAst.java:1408)
	at com.google.protobuf.CodedInputStream$StreamDecoder.readMessage(CodedInputStream.java:2331)
	at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserializeTypedAsts(TypedAstDeserializer.java:414)
	at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserialize(TypedAstDeserializer.java:182)
	at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserializeRuntimeLibraries(TypedAstDeserializer.java:140)
	at com.google.javascript.jscomp.Compiler.initRuntimeLibraryTypedAsts(Compiler.java:690)
	at com.google.javascript.jscomp.serialization.ConvertTypesToColors.process(ConvertTypesToColors.java:116)
	at com.google.javascript.jscomp.DefaultPassConfig.lambda$new$81(DefaultPassConfig.java:2805)
	at com.google.javascript.jscomp.PhaseOptimizer$NamedPass.process(PhaseOptimizer.java:240)
	at com.google.javascript.jscomp.PhaseOptimizer.process(PhaseOptimizer.java:179)
	at com.google.javascript.jscomp.Compiler.performTranspilationAndOptimizations(Compiler.java:2966)
	at com.google.javascript.jscomp.Compiler.lambda$stage2Passes$7(Compiler.java:1025)
	at com.google.javascript.jscomp.CompilerExecutor.lambda$runInCompilerThread$0(CompilerExecutor.java:100)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	... 1 common frames omitted
@mhausner
Contributor

Can you add more info here? How are you using protobuf 3.25.6?

We don't think a DOS attack is a real issue here.

We will update the protobuf version.

@tmortagne
Author

tmortagne commented Jan 29, 2025

Can you add more info here? How are you using protobuf 3.25.6?

Not really my area of expertise but my understanding is that this specific error was triggered by https://github.com/xwiki/xwiki-platform/blob/1a426e4115ea8828fe01bcc84857b2a7190f9c15/xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/web/sx/JsExtension.java#L81-L120. And I think we also have the problem at build time with the com.github.blutorange:closure-compiler-maven-plugin (to minify javascript here too, as far as I know).

We don't think a DOS attack is a real issue here.

I don't think so either in our case, but unfortunately, protobuf decided to deal with this with an exception by default.

There is obviously the workaround indicated in the error, but I wanted to let you know what the current default behavior is when using the compiler with this version of protobuf.
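For readers hitting the same exception, the following is an added example (it is not code from this issue, from Closure Compiler or from XWiki) showing the workaround the exception message describes, applied to an in-process compile such as the one JsExtension does. The property name `com.google.protobuf.use_unsafe_pre22_gencode` is copied from the exception text; the environment variable `ALLOW_PRE22_GENCODE` and the class and method names are this example's own. It assumes closure-compiler and a protobuf-java 3.25.x jar on the classpath, and it assumes protobuf reads the property by presence (the message gives no value), so it sets it to `true` to satisfy either a presence check or a boolean check. Because protobuf evaluates the property on its side, it has to be set before any protobuf or TypedAst class is loaded; for a build that goes through closure-compiler-maven-plugin the equivalent is passing `-Dcom.google.protobuf.use_unsafe_pre22_gencode` to the JVM (for example via `MAVEN_OPTS`) rather than calling `System.setProperty`.

```java
// Added example, not part of the issue or of the Closure Compiler / XWiki code.
// Demonstrates the opt-in named in the exception: setting the protobuf system
// property lets pre-22 gencode (the compiler's TypedAst classes) deserialize
// again. Doing so re-enables behaviour protobuf considers vulnerable to a
// denial of service; the real fix is a compiler release whose gencode was
// regenerated with protobuf 25.6 or later.
import com.google.javascript.jscomp.CompilationLevel;
import com.google.javascript.jscomp.Compiler;
import com.google.javascript.jscomp.CompilerOptions;
import com.google.javascript.jscomp.Result;
import com.google.javascript.jscomp.SourceFile;
import java.util.List;

public final class MinifyWithPre22Gencode {

  // Property name taken verbatim from the exception text.
  private static final String OPT_IN = "com.google.protobuf.use_unsafe_pre22_gencode";

  static {
    // Only opt in when an operator explicitly asked for it (ALLOW_PRE22_GENCODE is
    // this example's own variable name), so the default stays "fail loudly".
    // This static block runs before any protobuf class below is touched, which is
    // required because protobuf reads the property on its side.
    if ("1".equals(System.getenv("ALLOW_PRE22_GENCODE")) && System.getProperty(OPT_IN) == null) {
      System.setProperty(OPT_IN, "true");
    }
  }

  /** Minifies one JavaScript source with SIMPLE_OPTIMIZATIONS and returns the output. */
  public static String minify(String name, String js) {
    Compiler compiler = new Compiler();
    CompilerOptions options = new CompilerOptions();
    CompilationLevel.SIMPLE_OPTIMIZATIONS.setOptionsForCompilationLevel(options);
    Result result = compiler.compile(
        List.of(SourceFile.fromCode("externs.js", "")),
        List.of(SourceFile.fromCode(name, js)),
        options);
    if (!result.success) {
      throw new IllegalStateException("Closure Compiler reported errors: " + compiler.getErrors());
    }
    return compiler.toSource();
  }

  public static void main(String[] args) {
    // Constructed sample input.
    String sample = "function add(a, b) { return a + b; } console.log(add(1, 2));";
    try {
      System.out.println(minify("sample.js", sample));
    } catch (RuntimeException e) {
      // The compiler runs passes on its own thread and rethrows failures wrapped,
      // so walk the cause chain to find the protobuf exception from the issue.
      Throwable root = e;
      while (root.getCause() != null) {
        root = root.getCause();
      }
      if (root instanceof UnsupportedOperationException
          && root.getMessage() != null
          && root.getMessage().contains("makeExtensionsImmutable")) {
        System.err.println("protobuf refused pre-22 gencode; set ALLOW_PRE22_GENCODE=1 to opt in,"
            + " or upgrade to a closure-compiler build with regenerated gencode.");
      }
      throw e;
    }
  }
}
```

Run it once without the variable to confirm the exception is reproduced on your classpath, then with `ALLOW_PRE22_GENCODE=1` to confirm the opt-in takes effect; keep the opt-in scoped to the build or process that needs it rather than setting it globally, since it disables the check for every protobuf message type loaded in that JVM.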
