OpenComputers


Critical Bug: OpenComputers 1.8.5 Causes Server Hang with Delayed API Response

31415-n opened this issue · 1 comment

commented

Description:

I have encountered a critical issue with the OpenComputers mod that results in both server and single-player environments hanging for an extended period when a delayed API response is received. The problem occurs regardless of the API endpoint used, as long as the response time is prolonged.

Steps to Reproduce:

  1. Execute the following Lua code in OpenComputers:

lua:

   while true do 
       local a, b, c = component.internet.request("http://localhost/script.php", "", {["User-Agent"] = "test", ["Content-Type"] = "application/octet-stream"}, "POST"),
       ""
       while true do 
           c = a.read(math.huge)
           if c then 
               b = b .. c 
           else 
               break 
           end 
       end
       if b then 
           return b 
       end
       return false 
   end

Note: You can use any URL instead of http://localhost/script.php as long as it simulates a delayed response.

  2. On the server side, use the following PHP script (server.php):

php:

   <?php
   sleep(60);
   return "TEST";
   ?>

Expected Result:

The API call should return the response after 60 seconds without affecting the performance of the server or the single-player game.

Actual Result:

The entire server hangs for 60 seconds while waiting for the response from the API. During this time, no other processes can run, effectively freezing the server and subsequently causing a server crash.

Additional Notes:

It appears that OpenComputers prioritizes the API call over other server processes, leading to a significant freeze. This behavior can severely impact gameplay, especially on multiplayer servers and in single-player mode, and it needs to be addressed urgently.

Environment:

  • Mod: OpenComputers 1.8.5
  • Minecraft version: [1.7.10 and 1.12.2]
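As an added illustration (not code from this issue or from OpenComputers), the Python below models the failure mode the report describes and the usual mitigation. A local HTTP server stands in for the sleep(60) script, with a much shorter delay so the demo finishes quickly; a simulated tick loop first performs the request inline on the tick thread, then hands it to a worker thread with a hard timeout and only polls the result from each tick. The tick loop, the delay and the timeout values are constructed for the demo.

```python
"""Simulated server tick loop: a blocking HTTP request versus a bounded, off-thread one.

Added illustration, not OpenComputers code. The local server plays the role of the
issue's sleep(60) script with a shorter delay.
"""
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

TICK_SECONDS = 0.05  # one simulated tick (Minecraft's server loop aims at 20 per second)


class SlowHandler(http.server.BaseHTTPRequestHandler):
    """Answers every request with "TEST" after the server's configured delay."""

    def do_GET(self):
        time.sleep(self.server.delay)
        body = b"TEST"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class SlowServer(http.server.ThreadingHTTPServer):
    """Threaded server; silences the broken-pipe error raised when a client gave up early."""

    def __init__(self, delay):
        super().__init__(("127.0.0.1", 0), SlowHandler)
        self.delay = delay

    def handle_error(self, request, client_address):
        pass


def start_slow_server(delay):
    """Start a slow responder on a free loopback port; return (server, url)."""
    srv = SlowServer(delay)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def run_ticks(n_ticks, on_tick):
    """Drive n_ticks ticks and return the longest time a single tick spent in on_tick."""
    worst = 0.0
    for tick in range(n_ticks):
        started = time.monotonic()
        on_tick(tick)
        worst = max(worst, time.monotonic() - started)
        time.sleep(TICK_SECONDS)  # the rest of the tick's normal work
    return worst


def blocking_loop(url, n_ticks=16):
    """The reported behaviour: the request runs inline on tick 0, so that tick lasts
    as long as the remote host takes to answer and nothing else is serviced."""
    got = {}

    def on_tick(tick):
        if tick == 0:
            got["body"] = urllib.request.urlopen(url).read()

    return run_ticks(n_ticks, on_tick), got.get("body")


def async_loop(url, timeout, n_ticks=16):
    """Mitigation: submit the request to a worker with a hard timeout and only poll the
    Future from the tick loop, so a slow or hostile host can never stall a tick."""
    pool = ThreadPoolExecutor(max_workers=2)
    state = {"future": None, "body": None, "error": None}

    def fetch():
        return urllib.request.urlopen(url, timeout=timeout).read()

    def on_tick(tick):
        if tick == 0:
            state["future"] = pool.submit(fetch)
        elif state["future"].done() and state["body"] is None and state["error"] is None:
            try:
                state["body"] = state["future"].result()
            except (TimeoutError, socket.timeout, urllib.error.URLError):
                state["error"] = "timeout"  # the worker gave up; the loop never waited

    worst = run_ticks(n_ticks, on_tick)
    pool.shutdown(wait=True)
    return worst, state["body"], state["error"]


if __name__ == "__main__":
    srv, url = start_slow_server(delay=0.5)
    print("blocking: worst tick %.2fs" % blocking_loop(url)[0])
    print("async:    worst tick %.2fs, body=%r" % async_loop(url, timeout=2.0)[:2])
    print("async with short timeout: %r" % (async_loop(url, timeout=0.2)[2],))
    srv.shutdown()
```

With a 0.5 s responder the blocking loop reports a worst tick of at least 0.5 s, the same stall the issue reports scaled down from 60 s, while both off-thread variants keep every tick in the millisecond range; the short-timeout run additionally shows the request being abandoned rather than held open for as long as the remote host chooses.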
commented

I'd like to encourage you to disclose security issues with working proofs of concept privately next time; for the last few hours, anyone reading OpenComputers's issue tracker could perform a denial-of-service attack on any server using it, without any option of patch or mitigation for server operators.

The "Security" tab on a repository can be used for the entire process; for those repositories which have it enabled, anyway.