Protect readLine() against DoS

Pixee-Bot-Java · Sep 19, 2024 · 2d61aaa · 2d61aaa
1 parent 38a3f87
commit 2d61aaa
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 6 deletions.
diff --git a/app/src/main/java/com/nextcloud/android/sso/InputStreamBinder.java b/app/src/main/java/com/nextcloud/android/sso/InputStreamBinder.java
@@ -28,6 +28,7 @@
 import com.owncloud.android.lib.common.OwnCloudClientManagerFactory;
 import com.owncloud.android.lib.common.utils.Log_OC;
 import com.owncloud.android.utils.EncryptionUtils;
+import io.github.pixee.security.BoundedLineReader;
 
 import org.apache.commons.httpclient.HttpConnection;
 import org.apache.commons.httpclient.HttpMethodBase;
@@ -489,10 +490,10 @@ private static String inputStreamToString(InputStream inputStream) {
         try {
             StringBuilder total = new StringBuilder();
             BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
-            String line = reader.readLine();
+            String line = BoundedLineReader.readLine(reader, 5_000_000);
             while (line != null) {
                 total.append(line).append('\n');
-                line = reader.readLine();
+                line = BoundedLineReader.readLine(reader, 5_000_000);
             }
             return total.toString();
         } catch (Exception e) {

diff --git a/app/src/main/java/com/owncloud/android/ui/asynctasks/LoadingVersionNumberTask.java b/app/src/main/java/com/owncloud/android/ui/asynctasks/LoadingVersionNumberTask.java
@@ -10,6 +10,7 @@
 import android.os.AsyncTask;
 
 import com.owncloud.android.lib.common.utils.Log_OC;
+import io.github.pixee.security.BoundedLineReader;
 
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -35,7 +36,7 @@ protected Integer doInBackground(String... args) {
             URL url = new URL(args[0]);
             final Charset charset = Charset.defaultCharset();
             try (BufferedReader in = new BufferedReader(new InputStreamReader(url.openStream(), charset))) {
-                return Integer.parseInt(in.readLine());
+                return Integer.parseInt(BoundedLineReader.readLine(in, 5_000_000));
 
             } catch (IOException e) {
                 Log_OC.e(TAG, "Error loading version number", e);

diff --git a/app/src/main/java/com/owncloud/android/ui/helpers/FileOperationsHelper.java b/app/src/main/java/com/owncloud/android/ui/helpers/FileOperationsHelper.java
@@ -72,6 +72,7 @@
 import com.owncloud.android.utils.PermissionUtil;
 import com.owncloud.android.utils.UriUtils;
 import com.owncloud.android.utils.theme.ViewThemeUtils;
+import io.github.pixee.security.BoundedLineReader;
 
 import org.greenrobot.eventbus.EventBus;
 
@@ -141,7 +142,7 @@ private String getUrlFromFile(String storagePath, Pattern pattern) {
             br = new BufferedReader(fr);
 
             String line;
-            while ((line = br.readLine()) != null) {
+            while ((line = BoundedLineReader.readLine(br, 5_000_000)) != null) {
                 Matcher m = pattern.matcher(line);
                 if (m.find()) {
                     url = m.group(1);

diff --git a/app/src/main/java/com/owncloud/android/utils/DisplayUtils.java b/app/src/main/java/com/owncloud/android/utils/DisplayUtils.java
@@ -80,6 +80,7 @@
 import com.owncloud.android.utils.svg.SvgDecoder;
 import com.owncloud.android.utils.svg.SvgDrawableTranscoder;
 import com.owncloud.android.utils.theme.ViewThemeUtils;
+import io.github.pixee.security.BoundedLineReader;
 
 import org.greenrobot.eventbus.EventBus;
 
@@ -620,7 +621,7 @@ public static String getData(InputStream inputStream) {
         String line;
         StringBuilder text = new StringBuilder();
         try {
-            while ((line = buffreader.readLine()) != null) {
+            while ((line = BoundedLineReader.readLine(buffreader, 5_000_000)) != null) {
                 text.append(line);
                 text.append('\n');
             }

diff --git a/app/src/main/java/com/owncloud/android/utils/EncryptionUtils.java b/app/src/main/java/com/owncloud/android/utils/EncryptionUtils.java
@@ -52,6 +52,7 @@
 import com.owncloud.android.lib.resources.status.SendClientDiagnosticRemoteOperation;
 import com.owncloud.android.operations.UploadException;
 import com.owncloud.android.utils.theme.CapabilityUtils;
+import io.github.pixee.security.BoundedLineReader;
 
 import org.apache.commons.httpclient.HttpStatus;
 
@@ -1200,7 +1201,7 @@ public static ArrayList<String> getRandomWords(int count, Context context) throw
 
         List<String> lines = new ArrayList<>();
         String line;
-        while ((line = bufferedReader.readLine()) != null) {
+        while ((line = BoundedLineReader.readLine(bufferedReader, 5_000_000)) != null) {
             lines.add(line);
         }