| Field | Value |
|---|---|
| Title | grass 0.13.4 Asymmetric Resource Consumption |
| Description | Grass is a pure-Rust Sass-to-CSS compiler. `grass` implements Sass's nested parent-selector (`&`) and combinator (`+`, `~`, `>`) semantics. When evaluating rulesets that combine several parent-selector references inside child blocks joined by adjacent-sibling (`+`) or general-sibling (`~`) combinators, the resolver in `grass_compiler::selector::extend` and `grass_compiler::evaluate::visitor` recursively materializes the cross product of every (parent × child) combination. For adversarial nesting patterns this materialization is super-linear in the number of `&` and combinator tokens, and the per-step `Vec` allocation overhead is significant. An 85-byte SCSS source is enough to make grass allocate roughly 2.5 GiB of memory and spend about 8 seconds of CPU on a single compilation, far from the linear-in-input-size behaviour the submission expects of a Sass compiler. The compiler does eventually return `Ok(_)`, but the memory and CPU cost makes any service that compiles untrusted SCSS trivially DoS-able with payloads under 100 bytes. |
| Source | https://github.com/connorskees/grass/issues/117 |
| User | Zyz3366 (UID 97230) |
| Submitted | 2026-06-03 04:42 AM (1 month ago) |
| Moderation | 2026-07-03 08:40 PM (1 month later) |
| Status | Accepted |
| VulDB Entry | 376164 [connorskees grass up to 0.13.4 visitor denial of service] |
| Points | 20 |
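The description above explains the blow-up only in words. The following is an added example, not grass's own code and not the submitter's payload: a small Rust model of the `&` substitution rule (every `&` in a nested selector is replaced by every selector of the parent list, so k occurrences over n parents give n^k selectors, and each nesting level of `& + &` squares the list), plus a cheap pre-compile estimator that a service compiling untrusted SCSS can run as a gate before invoking the compiler. `SELECTOR_BUDGET`, the function names and the sample inputs are assumptions made for illustration; the tokenizer deliberately ignores comments, strings and at-rules, which is acceptable for a rejection gate but not for a real parser.

```rust
// Added example (not grass's code): a model of Sass `&` list substitution and a
// cheap pre-compile budget check for untrusted SCSS. Names, the 100_000 budget
// and the sample inputs are constructed for illustration.

/// Upper bound on resolved selectors one input may produce
/// (assumed value; tune to the service's memory budget).
pub const SELECTOR_BUDGET: u128 = 100_000;

/// Materialize one nested selector template against its parent list, the way
/// Sass substitutes every `&` with every parent selector: k occurrences of `&`
/// over n parents yield n^k selectors (the cross product the description refers to).
pub fn expand(parents: &[&str], template: &str) -> Vec<String> {
    let pieces: Vec<&str> = template.split('&').collect();
    let k = pieces.len() - 1;
    if k == 0 {
        // No `&`: implicit descendant nesting, one selector per parent.
        return parents.iter().map(|p| format!("{} {}", p, template.trim())).collect();
    }
    if parents.is_empty() {
        return Vec::new();
    }
    let mut out = Vec::new();
    let mut idx = vec![0usize; k]; // odometer: one parent index per `&` slot
    loop {
        let mut s = String::new();
        for (i, piece) in pieces.iter().enumerate() {
            s.push_str(piece);
            if i < k {
                s.push_str(parents[idx[i]]);
            }
        }
        out.push(s);
        let mut i = 0;
        loop {
            if i == k {
                return out;
            }
            idx[i] += 1;
            if idx[i] < parents.len() {
                break;
            }
            idx[i] = 0;
            i += 1;
        }
    }
}

fn saturating_pow(base: u128, exp: usize) -> u128 {
    (0..exp).fold(1u128, |acc, _| acc.saturating_mul(base))
}

/// Number of selectors a block resolves to, given the size of its parent list.
/// Each comma-separated alternative contributes parent^(#&), or parent if it has no `&`.
fn resolved_count(parent: u128, selector: &str) -> u128 {
    selector
        .split(',')
        .map(|alt| match alt.matches('&').count() {
            0 => parent,
            k => saturating_pow(parent, k),
        })
        .fold(0u128, |a, b| a.saturating_add(b))
}

/// Walk the brace structure of an SCSS source and return the largest resolved
/// selector list any block would produce, without materializing anything.
/// Simplification (assumed acceptable for a gate): comments, strings and
/// at-rules are not special-cased; `;` ends a declaration, `{` opens a block.
pub fn estimate_max_selectors(scss: &str) -> u128 {
    let mut stack: Vec<u128> = vec![1]; // root behaves like a single implicit parent
    let mut buf = String::new();
    let mut worst: u128 = 1;
    for c in scss.chars() {
        match c {
            '{' => {
                let parent = *stack.last().unwrap();
                let count = resolved_count(parent, buf.trim());
                worst = worst.max(count);
                stack.push(count);
                buf.clear();
            }
            '}' => {
                if stack.len() > 1 {
                    stack.pop();
                }
                buf.clear();
            }
            ';' => buf.clear(),
            _ => buf.push(c),
        }
    }
    worst
}

/// Gate to run before handing untrusted SCSS to the compiler.
pub fn is_within_budget(scss: &str) -> bool {
    estimate_max_selectors(scss) <= SELECTOR_BUDGET
}

fn main() {
    // Constructed inputs: each nesting level of `&+&` squares the parent list.
    let shallow = "a,b{&+&{&+&{&+&{&+&{color:red}}}}}";
    let deep = "a,b{&+&{&+&{&+&{&+&{&+&{color:red}}}}}}";
    println!("{:?}", expand(&["a", "b"], "& + &"));
    for src in [shallow, deep] {
        println!(
            "{} bytes -> {} selectors, within budget: {}",
            src.len(),
            estimate_max_selectors(src),
            is_within_budget(src)
        );
    }
}
```

The estimate is cheap because it never builds a selector: it only tracks list sizes per nesting level with saturating arithmetic, so the gate itself cannot be made to blow up. Note that the selector count is a consequence of the `&` substitution rule rather than of grass specifically; what the submission reports is the cost of materializing that count eagerly, which is why bounding it before compilation (or running the compiler under a memory and CPU limit) is the practical defence for a service accepting untrusted SCSS.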