Description
Preconditions and environment
- Magento version: 2.4.6-p9 & 2.4.5-p11
- GraphQL needs to be accessible
Steps to reproduce
Send a GraphQL request to /graphql with an invalid store code in the Store header, i.e. Store: thisdoesnotexist
Expected result
An error is returned that the requested store was not found.
Actual result
One of two things happens, depending on the server configuration:
- The server returns a 500 error and a PHP Fatal Error is logged, for example:
PHP Fatal error: Allowed memory size of 2147483648 bytes exhausted (tried to allocate 20480 bytes) in vendor/magento/module-store/Model/StoreRepository.php on line 75, or;
- The (web)server runs out of memory and is OOM killed by the OS
Additional information
Because it's an infinite loop it's a bit harder to debug, however it looks like the loop is caused by the localized NoSuchEntityException exception being thrown here: vendor/magento/module-store/Model/StoreRepository.php line 75
When it's trying to translate the string, it checks whether the Inline renderer can be used, which uses the scope config, which uses the getStore method, which throws the same NoSuchEntityException again, repeating over and over.
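As an added illustration (not Magento's code), a simplified PHP model of the re-entrant lookup described above, with a re-entrancy guard that falls back to an untranslated message so an unknown store surfaces as a single exception instead of unbounded recursion. Class names, the sample store list and the depth cap are hypothetical.

```php
<?php
// Hypothetical model of the loop: an unknown store code raises a localized exception;
// rendering that message consults inline-translation config, which resolves the store again.
final class StoreNotFoundException extends RuntimeException {}

final class StoreResolver
{
    private const MAX_DEPTH = 50;                          // demo only: stop before memory runs out
    private array $stores = ['default' => 1, 'de' => 2];  // constructed sample store codes
    private int $depth = 0;
    private bool $resolvingFailure = false;                // re-entrancy guard

    public function __construct(private bool $guarded) {}

    public function getStore(string $code): int
    {
        if (isset($this->stores[$code])) {
            return $this->stores[$code];
        }
        if ($this->guarded && $this->resolvingFailure) {
            // Already building the "not found" message: do not try to translate it again.
            throw new StoreNotFoundException("Store '$code' not found");
        }
        if (++$this->depth > self::MAX_DEPTH) {
            throw new LogicException('recursion depth exceeded (unguarded: would exhaust memory)');
        }
        $this->resolvingFailure = true;
        try {
            throw new StoreNotFoundException($this->translate("Store '%1' not found", $code));
        } finally {
            $this->resolvingFailure = false;
            $this->depth--;
        }
    }

    private function translate(string $template, string $code): string
    {
        // Models "can inline translation be used?" -> scope config -> current store lookup,
        // which for the invalid code re-enters getStore() with the same code.
        $this->getStore($code);
        return str_replace('%1', $code, $template);
    }
}

foreach ([false, true] as $guarded) {
    try {
        (new StoreResolver($guarded))->getStore('thisdoesnotexist');
    } catch (Throwable $e) {
        printf("guarded=%s: %s: %s\n", var_export($guarded, true), $e::class, $e->getMessage());
    }
}
```

The unguarded run stops only because of the demo's depth cap; the guarded run raises one StoreNotFoundException with the untranslated message.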
I haven't been able to reproduce this on 2.4.7-p4.
I've rated this S0 because if GraphQL is publicly available, it could lead to potential DDoS issues.
Release note
No response
Triage and priority
- Severity: S0 - Affects critical data or functionality and leaves users without workaround.
- Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
- Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
- Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
- Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.