I'm using springboot+freemarker.
Customer can modify the freemarker template.
If you add <#assign x><#list 1..9999999999999 as n>${n}</#list></#assign>${x}
The backend will throw out of memory error.
Is there any solution that can define the memory of the template.
Asked
Active
Viewed 286 times
1
3 Answers
0
FreeMarker currently has no support/solution for it:
It's trivial to create templates that run practically forever (with a loop), or exhaust memory (by concatenating to a string in a loop). FreeMarker can't enforce CPU or memory usage limits, so this is something that has no solution on the FreeMarker-level.
You shouldn't blindly let customer handle freemarker templates
Ori Marko
- 56,308
- 23
- 131
- 233
0
Also consider the security implications. FreeMarker templates can call the public methods of the objects you put into the data-model. See https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
If your user can't be trusted (and held accountable), you can't allow them to specify FreeMarker templates.
ddekany
- 29,656
- 4
- 57
- 64
-1
You can increase the memory used for your application (not specifically for the template), using Xmx option.
For example:
java -Xmx20G -jar app.jar
would start app.jar with 20Gb of memory.
Unfortunately there is little chance that your template will work, as it tries to create a string with 10000 billion elements (1e13 elements), which would take at least 10 terabytes of memory. I'm not even sure that Java can deal with strings this size.
obourgain
- 8,856
- 6
- 42
- 57