Fix infinite loop in role hierarchy resolving

karelmaxa · karelmaxa · commit d3eaef66fcb4 · 2019-07-11T15:43:26.000+02:00
Issue: gh-7035
diff --git a/core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImpl.java b/core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImpl.java
@@ -215,33 +215,19 @@ private void buildRolesReachableInOneOrMoreStepsMap() {
 		// iterate over all higher roles from rolesReachableInOneStepMap
 
 		for (GrantedAuthority role : this.rolesReachableInOneStepMap.keySet()) {
-			Set<GrantedAuthority> rolesToVisitSet = new HashSet<>();
-
-			if (this.rolesReachableInOneStepMap.containsKey(role)) {
-				rolesToVisitSet.addAll(this.rolesReachableInOneStepMap.get(role));
-			}
-
+			Set<GrantedAuthority> rolesToVisitSet = new HashSet<>(this.rolesReachableInOneStepMap.get(role));
 			Set<GrantedAuthority> visitedRolesSet = new HashSet<>();
 
 			while (!rolesToVisitSet.isEmpty()) {
 				// take a role from the rolesToVisit set
 				GrantedAuthority aRole = rolesToVisitSet.iterator().next();
 				rolesToVisitSet.remove(aRole);
-				visitedRolesSet.add(aRole);
-				if (this.rolesReachableInOneStepMap.containsKey(aRole)) {
-					Set<GrantedAuthority> newReachableRoles = this.rolesReachableInOneStepMap
-							.get(aRole);
-
-					// definition of a cycle: you can reach the role you are starting from
-					if (rolesToVisitSet.contains(role)
-							|| visitedRolesSet.contains(role)) {
-						throw new CycleInRoleHierarchyException();
-					}
-					else {
-						// no cycle
-						rolesToVisitSet.addAll(newReachableRoles);
-					}
+				if (!visitedRolesSet.add(aRole) || !this.rolesReachableInOneStepMap.containsKey(aRole)) {
+					continue; // Already visited role or role with missing hierarchy
+				} else if (role.equals(aRole)) {
+					throw new CycleInRoleHierarchyException();
 				}
+				rolesToVisitSet.addAll(this.rolesReachableInOneStepMap.get(aRole));
 			}
 			this.rolesReachableInOneOrMoreStepsMap.put(role, visitedRolesSet);
 
diff --git a/core/src/test/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImplTests.java b/core/src/test/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImplTests.java
@@ -168,6 +168,12 @@ public void testCyclesInRoleHierarchy() {
 		}
 		catch (CycleInRoleHierarchyException e) {
 		}
+
+		try {
+			roleHierarchyImpl.setHierarchy("ROLE_C > ROLE_B\nROLE_B > ROLE_A\nROLE_A > ROLE_B");
+			fail("Cycle in role hierarchy was not detected!");
+		} catch (CycleInRoleHierarchyException e) {
+		}
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -168,6 +168,12 @@ public void testCyclesInRoleHierarchy() {`
`168`	`168`	`}`
`169`	`169`	`catch (CycleInRoleHierarchyException e) {`
`170`	`170`	`}`
	`171`	`+`
	`172`	`+ try {`
	`173`	`+ roleHierarchyImpl.setHierarchy("ROLE_C > ROLE_B\nROLE_B > ROLE_A\nROLE_A > ROLE_B");`
	`174`	`+ fail("Cycle in role hierarchy was not detected!");`
	`175`	`+ } catch (CycleInRoleHierarchyException e) {`
	`176`	`+ }`
`171`	`177`	`}`
`172`	`178`
`173`	`179`	`@Test`