| عنوان | grass 0.13.4 Asymmetric Resource Consumption |
|---|
| الوصف | Grass is a pure-Rust Sass-to-CSS compiler.
`grass` implements Sass's nested parent-selector (`&`) and combinator (`+`, `~`, `>`) semantics. When evaluating rulesets that combine multiple parent-selector references inside child blocks separated by adjacent-sibling
or general-sibling combinators, the resolver in `grass_compiler::selector::extend` and `grass_compiler::evaluate::visitor` recursively materializes the cross-product of every (parent × child) combinator combination.
For adversarial nesting patterns this materialization is super-linear in the number of `&` and combinator tokens, and the per-step Vec allocation overhead is non-trivial. An 85-byte SCSS source is sufficient to drive
grass to allocate ~2.5 GiB of memory and spend ~8 seconds of CPU on a single compilation, against a Sass spec where compile time should be linear in input size.
The compiler does eventually return `Ok(_)`, but the memory and CPU footprint makes any service that compiles untrusted SCSS trivially DoS-able with sub-100-byte payloads. |
|---|
| المصدر | ⚠️ https://github.com/connorskees/grass/issues/117 |
|---|
| المستخدم | Zyz3366 (UID 97230) |
|---|
| ارسال | 03/06/2026 04:42 AM (1 شهر منذ) |
|---|
| الاعتدال | 03/07/2026 08:40 PM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 376164 [connorskees grass حتى 0.13.4 visitor الحرمان من الخدمة] |
|---|
| النقاط | 20 |
|---|