DSpace (LEGACY) / DS-4427

Infinite loops possible when embedding all resources in REST responses



    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0
    • Fix Version/s: 7.0
    • Component/s: REST API v7


      In REST API v7 responses, when resources are embedded, it is possible to create an infinite loop of requests for resources. Some scenarios where this might occur:

      • A Group resource embeds its subgroups, and the subgroups embed the groups they belong to. The same would also occur for EPerson resources that embed Groups, where those Groups embed their EPersons (which again embed their Groups).
      • A Collection (or any DSO) resource embeds its ResourcePolicies, and those ResourcePolicies embed the DSO they refer to (which again embeds its ResourcePolicies).


      Currently, a simple workaround for this problem is being developed as part of the projections ticket (DS-3533) in this PR: https://github.com/DSpace/DSpace/pull/2625. The idea in that PR is to:

      1. Disable all embedded resources by default. (However, it is possible for a request to choose to re-enable those embedded resources via projections.)
      2. Disallow (via Java code) some Links from ever being embedded. For example, the EPersonGroupLinkRepository disallows any request to embed those resources by returning `false` for `isEmbeddableRelation()`. (This ensures no requests or projections can embed those resources.)

      As pointed out in Slack today by Andrea Bollini (4Science), this simple workaround works fine, but point #2 above requires us to keep close watch on any links/embeds that might accidentally result in an infinite loop.

      An alternative, more automated solution to this problem might be to only allow a full resource to be embedded once in a request. The second time that resource is encountered in the same request, only its ID would be embedded.

      This would ensure infinite loops are no longer possible in any requests. However, it would require clients to "understand" that the full resource and the "only ID" resource are in fact the same resource.

      This ticket is currently a simple placeholder for more discussion. More analysis/discussion is needed to determine the best route forward.
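
      The "embed once per request" alternative described above, sketched as an added example; this is not code from the ticket, the PR or DSpace. The `Resource` class, the `render` method, the sample ids and the `_embedded` key are assumptions made for illustration.

```java
import java.util.*;

public class EmbedOnce {
    // Hypothetical resource model: an id plus named links to other resources.
    static final class Resource {
        final String id;
        final Map<String, List<Resource>> links = new LinkedHashMap<>();
        Resource(String id) { this.id = id; }
        void link(String rel, Resource target) {
            links.computeIfAbsent(rel, k -> new ArrayList<>()).add(target);
        }
    }

    // Renders a resource and everything it links to. 'seen' holds the ids that
    // have already been embedded in full while building this one response.
    static Map<String, Object> render(Resource r, Set<String> seen) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("id", r.id);
        if (!seen.add(r.id)) {
            // Second encounter in the same request: emit the ID only and do
            // not follow its links, so a cycle cannot recurse forever.
            return out;
        }
        Map<String, Object> embedded = new LinkedHashMap<>();
        for (Map.Entry<String, List<Resource>> e : r.links.entrySet()) {
            List<Object> items = new ArrayList<>();
            for (Resource target : e.getValue()) {
                items.add(render(target, seen));
            }
            embedded.put(e.getKey(), items);
        }
        if (!embedded.isEmpty()) {
            out.put("_embedded", embedded); // key name is an assumption
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: a Group and an EPerson that embed each other,
        // as in the first scenario listed in the ticket.
        Resource group = new Resource("group-1");
        Resource person = new Resource("eperson-1");
        group.link("epersons", person);
        person.link("groups", group);
        // A fresh set per request keeps the "once" rule scoped to one response.
        System.out.println(render(group, new HashSet<>()));
    }
}
```

      The rendered tree is bounded by the number of distinct resources reachable from the root, and a client has to match each ID-only entry against the full copy that appears earlier in the same response.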






              cwilper Chris Wilper
              tdonohue Tim Donohue