@pixeebot pixeebot bot commented Aug 6, 2025

This change hardens all BufferedReader#readLine() operations against memory exhaustion.

There is no way to call readLine() safely since it is, by its nature, a read that must be terminated by the stream provider. Furthermore, a stream of data provided by an untrusted source could lead to a denial of service attack, as attackers can provide an infinite stream of bytes until the process runs out of memory.

Fixing it is straightforward using an API which limits the number of expected characters to some sane limit. This is what our changes look like:

+ import io.github.pixee.security.BoundedLineReader;
  ...
  BufferedReader reader = getReader();
- String line = reader.readLine(); // unlimited read, can lead to DoS
+ String line = BoundedLineReader.readLine(reader, 5_000_000); // limited to 5MB
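Review bot: the inline comment on the `+ String line = BoundedLineReader.readLine(reader, 5_000_000); // limited to 5MB` line mislabels the bound: the second argument is a character count, and a Java `char` is 16 bits, so a 5,000,000-character line can occupy roughly 10 MB of heap rather than 5 MB; change the comment to something like `// limited to 5,000,000 chars` or pick a limit that matches the longest line this application legitimately expects. The description should also say what the bounded call does when a line exceeds the limit (whether it throws or truncates), since every call site that previously handled only `IOException` needs to know how that case surfaces.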
More reading

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:java/limit-readline
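An added example, not pixeebot's code and not the `java-security-toolkit` API, showing the kind of bound the description is asking for: a hypothetical `readLineBounded` helper that reads one line from a `PushbackReader` and refuses to buffer more than a caller-chosen number of characters, run against a constructed input containing one normal line and one oversized line.

```java
import java.io.IOException;
import java.io.PushbackReader;
import java.io.StringReader;

// Added example, not part of the PR or the pixee toolkit: a hand-rolled bounded
// readLine() that fails fast instead of buffering an attacker-controlled line.
public final class BoundedReadLineDemo {

    /** Thrown when a single line exceeds the caller's maximum length. */
    public static final class LineTooLongException extends IOException {
        LineTooLongException(int limit) {
            super("line exceeds maximum length of " + limit + " chars");
        }
    }

    /**
     * Reads one line terminated by \n, \r or \r\n (the same terminators as
     * BufferedReader#readLine) and returns null at end of stream. Unlike
     * readLine(), it throws as soon as more than maxChars characters have been
     * buffered, so heap use per call is bounded by maxChars no matter how much
     * data the stream provider keeps sending.
     */
    public static String readLineBounded(PushbackReader in, int maxChars) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1) {
            if (c == '\n') return sb.toString();
            if (c == '\r') {
                int next = in.read();                 // swallow the \n of a \r\n pair
                if (next != -1 && next != '\n') in.unread(next);
                return sb.toString();
            }
            if (sb.length() >= maxChars) throw new LineTooLongException(maxChars);
            sb.append((char) c);
        }
        return sb.length() == 0 ? null : sb.toString(); // EOF: unterminated tail, or null
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: one ordinary request line, then a line far past the limit.
        String constructed = "GET /health HTTP/1.1\r\n" + "A".repeat(200) + "\n";
        PushbackReader in = new PushbackReader(new StringReader(constructed));
        System.out.println("first line: " + readLineBounded(in, 64));
        try {
            readLineBounded(in, 64);
            System.out.println("unexpected: oversized line accepted");
        } catch (LineTooLongException e) {
            System.out.println("rejected: " + e.getMessage()); // refused once >64 chars buffered
        }
    }
}
```

Requires Java 11 or later for `String.repeat`; the limit you pass should reflect the longest line the protocol or file format legitimately allows, not a single global constant.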

<version>3.3.1</version>
</dependency>
</dependencies>
<dependency>
@pixeebot (Author) commented:
This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

@secure-code-warrior-for-github

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "denial of service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

@guardrails

guardrails bot commented Aug 6, 2025

⚠️ We detected 12 security issues in this pull request:

Vulnerable Libraries (12)

| Severity | Package | Upgrade to |
|---|---|---|
| Critical | pkg:maven/net.minidev/[email protected] (t) | 1.3.2, 2.4.1, 2.3.1 |
| Medium | pkg:maven/org.bouncycastle/[email protected] (t) | 1.0.2.1, 1.66 |
| High | pkg:maven/ch.qos.logback/[email protected] (t) | 1.3.12, 1.4.12, 1.2.13 |
| Medium | pkg:maven/com.google.protobuf/[email protected] (t) | 3.21.7, 3.20.3, 3.19.6, 3.16.3 |
| Medium | pkg:maven/org.codehaus.groovy/[email protected] (t) | 2.4.21, 2.5.14, 3.0.7 |
| Medium | pkg:maven/org.springframework/[email protected] (t) | 5.3.38, 6.0.23, 6.1.12 |
| N/A | pkg:maven/org.apache.tomcat.embed/[email protected] (t) | 11.0.0-M17, 10.1.19, 9.0.86, 8.5.99 |
| Critical | pkg:maven/org.apache.xmlbeans/[email protected] (t) | 3.0.0 |
| Medium | pkg:maven/org.springframework/[email protected] (t) | 6.1.14 |
| High | pkg:maven/org.springframework/[email protected] (t) | 5.1.1, 5.0.10, 4.3.20 |
| High | pkg:maven/org.springframework/[email protected] (t) | 6.1.13 |
| High | pkg:maven/org.springframework/[email protected] (t) | 5.2.22.RELEASE, 5.3.20 |

More info on how to fix Vulnerable Libraries in Java.


👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

@secure-code-warrior-for-github

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Libraries"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try a challenge in Secure Code Warrior

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License

Added: io.github.pixee/java-security-toolkit@1.2.143100100100100

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: Critical

Alert: org.apache.xmlbeans/[email protected] has a Critical CVE.

CVE: GHSA-mw3r-pfmg-xp92 Improper Restriction of Recursive Entity References in Apache XMLBeans (CRITICAL)

Affected versions: < 3.0.0

Patched version: 3.0.0

From: pom.xml → maven/org.apache.poi/[email protected] → maven/org.apache.xmlbeans/[email protected]

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.apache.xmlbeans/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@pixeebot
Author

pixeebot bot commented Aug 14, 2025

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!
