Vulnerability related exception produced when using protobuf 3.25.6 · Issue #4215 · google/closure-compiler
Description
When using closure compiler with protobuf 3.25.6, I get the following exception:
```
Caused by: java.lang.UnsupportedOperationException: As of 2022/09/29 (release 21.7) makeExtensionsImmutable should not be called from protobuf gencode. If you are seeing this message, your gencode is vulnerable to a denial of service attack. You should regenerate your code using protobuf 25.6 or later. Use the latest version that meets your needs. However, if you understand the risks and wish to continue with vulnerable gencode, you can set the system property `-Dcom.google.protobuf.use_unsafe_pre22_gencode` on the command line. See security vulnerability: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
    at com.google.protobuf.GeneratedMessage.warnPre22Gencode(GeneratedMessage.java:327)
    at com.google.protobuf.GeneratedMessageV3.makeExtensionsImmutable(GeneratedMessageV3.java:531)
    at com.google.javascript.jscomp.serialization.TypedAst.<init>(TypedAst.java:150)
    at com.google.javascript.jscomp.serialization.TypedAst.<init>(TypedAst.java:13)
    at com.google.javascript.jscomp.serialization.TypedAst$1.parsePartialFrom(TypedAst.java:2748)
    at com.google.javascript.jscomp.serialization.TypedAst$1.parsePartialFrom(TypedAst.java:2742)
    at com.google.javascript.jscomp.serialization.TypedAst$Builder.mergeFrom(TypedAst.java:1675)
    at com.google.javascript.jscomp.serialization.TypedAst$Builder.mergeFrom(TypedAst.java:1408)
    at com.google.protobuf.CodedInputStream$StreamDecoder.readMessage(CodedInputStream.java:2331)
    at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserializeTypedAsts(TypedAstDeserializer.java:414)
    at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserialize(TypedAstDeserializer.java:182)
    at com.google.javascript.jscomp.serialization.TypedAstDeserializer.deserializeRuntimeLibraries(TypedAstDeserializer.java:140)
    at com.google.javascript.jscomp.Compiler.initRuntimeLibraryTypedAsts(Compiler.java:690)
    at com.google.javascript.jscomp.serialization.ConvertTypesToColors.process(ConvertTypesToColors.java:116)
    at com.google.javascript.jscomp.DefaultPassConfig.lambda$new$81(DefaultPassConfig.java:2805)
    at com.google.javascript.jscomp.PhaseOptimizer$NamedPass.process(PhaseOptimizer.java:240)
    at com.google.javascript.jscomp.PhaseOptimizer.process(PhaseOptimizer.java:179)
    at com.google.javascript.jscomp.Compiler.performTranspilationAndOptimizations(Compiler.java:2966)
    at com.google.javascript.jscomp.Compiler.lambda$stage2Passes$7(Compiler.java:1025)
    at com.google.javascript.jscomp.CompilerExecutor.lambda$runInCompilerThread$0(CompilerExecutor.java:100)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    ... 1 common frames omitted
```
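An added example, not part of the issue or of either project's code: a heuristic scan that lists classes in a jar which still reference `makeExtensionsImmutable`, the call the exception above rejects (here it came from `com.google.javascript.jscomp.serialization.TypedAst`). The function names and the sample jar contents are assumptions made for illustration.

```python
import io
import zipfile

# Method name the runtime refuses to run when called from generated code
# (taken from the stack trace above).
MARKER = b"makeExtensionsImmutable"
# The protobuf runtime defines the method itself, so its own classes are skipped.
# Caveat: a shaded (relocated) copy of the runtime will still be reported.
RUNTIME_PREFIX = "com/google/protobuf/"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def find_stale_gencode(jar):
    """Return sorted class entries in a jar that reference the marker method.

    `jar` is a path or a binary file object. Heuristic: method names are
    stored as plain UTF-8 constants in a class file, so a byte search finds
    references without parsing the constant pool.
    """
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.endswith(".class") or name.startswith(RUNTIME_PREFIX):
                continue
            data = zf.read(info)
            if data.startswith(CLASS_MAGIC) and MARKER in data:
                hits.append(name)
    return sorted(hits)


def build_sample_jar():
    """Constructed sample: fake class bodies, just enough bytes for the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/OldMessage.class", CLASS_MAGIC + b"\x00" + MARKER)
        zf.writestr("com/example/NewMessage.class", CLASS_MAGIC + b"\x00parseFrom")
        zf.writestr("com/google/protobuf/GeneratedMessageV3.class", CLASS_MAGIC + MARKER)
        zf.writestr("notes.txt", MARKER)  # not a class file, must be ignored
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or [build_sample_jar()]:
        for entry in find_stale_gencode(path):
            print(f"{path}: {entry}")
```

Run it over each jar on the build classpath; any class it reports was generated by an older protoc and needs regenerating, as the exception message says.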