feat(core): ensure combo resolution doesn't go into infinite loop #1416

erossignon · erossignon · commit 86321b6e1ff3 · 2025-09-02T14:57:48.000+02:00
diff --git a/packages/core/src/consumed-thing.ts b/packages/core/src/consumed-thing.ts
@@ -445,20 +445,29 @@ export default class ConsumedThing extends Thing implements IConsumedThing {
     }
 
     getSecuritySchemes(security: Array<string>): Array<SecurityScheme> {
+        const visited = new Set<string>();
+
         const scs: Array<SecurityScheme> = [];
-        for (const s of security) {
-            const ws = this.securityDefinitions[s + ""]; // String vs. string (fix wot-typescript-definitions?)
-            // also push nosec in case of proxy
-            if (ws != null) {
-                if (ws.scheme === "combo") {
-                    const combo = ws as ComboSecurityScheme;
-                    const schemes = this.getSecuritySchemes(combo.allOf as string[]);
-                    scs.push(...schemes);
-                } else {
-                    scs.push(ws);
+        const visitSchemes = (security: Array<string>) => {
+            for (const s of security) {
+                if (visited.has(s)) {
+                    continue;
+                }
+                visited.add(s);
+
+                const ws = this.securityDefinitions[s + ""]; // String vs. string (fix wot-typescript-definitions?)
+                // also push nosec in case of proxy
+                if (ws != null) {
+                    if (ws.scheme === "combo") {
+                        const combo = ws as ComboSecurityScheme;
+                        visitSchemes(combo.allOf as string[]);
+                    } else {
+                        scs.push(ws);
+                    }
                 }
             }
-        }
+        };
+        visitSchemes(security);
         return scs;
     }
 
diff --git a/packages/core/test/ClientTest.ts b/packages/core/test/ClientTest.ts
@@ -806,7 +806,7 @@ class WoTClientTest {
         expect(WoTClientTest.servient.hasClientFor(tcf2.scheme)).to.be.not.true;
     }
 
-    @test "ensure combo security "(done: Mocha.Done) {
+    @test "ensure combo security"(done: Mocha.Done) {
         try {
             const ct = new ConsumedThing(WoTClientTest.servient);
             ct.securityDefinitions = {
@@ -873,4 +873,28 @@ class WoTClientTest {
             done(err);
         }
     }
+
+    @test "ensure no infinite loop with recursive combo security"(done: Mocha.Done) {
+        try {
+            const ct = new ConsumedThing(WoTClientTest.servient);
+            ct.securityDefinitions = {
+                // a badly designed combo that goes into infinite loop
+                combo_sc: {
+                    scheme: "combo",
+                    allOf: ["combo_sc", "combo_sc"],
+                },
+            };
+            ct.security = "basic";
+            const pc = new TestProtocolClient();
+            const form: Form = {
+                href: "https://example.com/",
+                security: ["combo_sc"],
+            };
+            ct.ensureClientSecurity(pc, form);
+            expect(pc.securitySchemes.length).equals(0);
+            done();
+        } catch (err) {
+            done(err);
+        }
+    }
 }
