Protect readLine() against DoS
#7
Conversation
![pixeebot[bot]](https://avatars.githubusercontent.com/in/193111?s=60&v=4){kind=small}
| @@ -179,7 +179,11 @@ | |||
| <artifactId>commons-text</artifactId> | |||
| <version>${commons-text.version}</version> | |||
| </dependency> | |||
| </dependencies> | |||
| <dependency> | |||
There was a problem hiding this comment.
This library holds security tools for protecting Java API calls.
License: MIT ✅ | Open source ✅ | More facts
| @@ -171,7 +173,12 @@ | |||
| <artifactId>spock-core</artifactId> | |||
| <version>${spock.version}</version> | |||
| </dependency> | |||
| </dependencies> | |||
| <dependency> | |||
There was a problem hiding this comment.
This library holds security tools for protecting Java API calls.
License: MIT ✅ | Open source ✅ | More facts
|
I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it? If this change was not helpful, or you have suggestions for improvements, please let me know! |
|
Unless you expect (and want to handle) reading lines greater than 5MB, this change should be safe. You could also change the second argument to a set more aggressive or conservative limit. If there are other concerns about this change, I'd love to hear about them! |
This change hardens all
BufferedReader#readLine()operations against memory exhaustion.There is no way to call
readLine()safely since it is, by its nature, a read that must be terminated by the stream provider. Furthermore, a stream of data provided by an untrusted source could lead to a denial of service attack, as attackers can provide an infinite stream of bytes until the process runs out of memory.Fixing it is straightforward using an API which limits the amount of expected characters to some sane limit. This is what our changes look like:
More reading
🧚🤖 Powered by Pixeebot
Feedback | Community | Docs | Codemod ID: pixee:java/limit-readline