Protect readLine() against DoS

liquibase-standard/pom.xml

@@ -179,7 +179,11 @@
             <artifactId>commons-text</artifactId>
             <version>${commons-text.version}</version>
         </dependency>
-    </dependencies>
+  <dependency>
+   <groupId>io.github.pixee</groupId>
+   <artifactId>java-security-toolkit</artifactId>
+  </dependency>
+ </dependencies>
 
     <build>
         <resources>

liquibase-standard/src/main/java/liquibase/parser/AbstractFormattedChangeLogParser.java

@@ -1,5 +1,6 @@
 package liquibase.parser;
 
+import io.github.pixee.security.BoundedLineReader;
 import liquibase.Labels;
 import liquibase.Scope;
 import liquibase.change.AbstractSQLChange;
@@ -236,10 +237,10 @@ public boolean supports(String changeLogFile, ResourceAccessor resourceAccessor)
                 }
                 reader = new BufferedReader(StreamUtil.readStreamWithReader(fileStream, null));
 
-                String firstLine = reader.readLine();
+                String firstLine = BoundedLineReader.readLine(reader, 5_000_000);
 
                 while (firstLine != null && firstLine.trim().isEmpty() && reader.ready()) {
-                    firstLine = reader.readLine();
+                    firstLine = BoundedLineReader.readLine(reader, 5_000_000);
                 }
 
                 //
@@ -293,7 +294,7 @@ public DatabaseChangeLog parse(String physicalChangeLogLocation, ChangeLogParame
 
             int count = 0;
             String line;
-            while ((line = reader.readLine()) != null) {
+            while ((line = BoundedLineReader.readLine(reader, 5_000_000)) != null) {
                 count++;
                 Matcher commentMatcher = COMMENT_PATTERN.matcher(line);
                 Matcher propertyPatternMatcher = PROPERTY_PATTERN.matcher(line);
@@ -314,7 +315,7 @@ public DatabaseChangeLog parse(String physicalChangeLogLocation, ChangeLogParame
                 Matcher altIgnoreLinesOneDashMatcher = ALT_IGNORE_LINES_ONE_CHARACTER_PATTERN.matcher(line);
                 if (ignoreLinesMatcher.matches()) {
                     if ("start".equals(ignoreLinesMatcher.group(1))) {
-                        while ((line = reader.readLine()) != null) {
+                        while ((line = BoundedLineReader.readLine(reader, 5_000_000)) != null) {
                             altIgnoreLinesOneDashMatcher = ALT_IGNORE_LINES_ONE_CHARACTER_PATTERN.matcher(line);
                             count++;
                             ignoreLinesMatcher = IGNORE_LINES_PATTERN.matcher(line);
@@ -332,7 +333,7 @@ public DatabaseChangeLog parse(String physicalChangeLogLocation, ChangeLogParame
                     } else {
                         try {
                             long ignoreCount = Long.parseLong(ignoreLinesMatcher.group(1));
-                            while (ignoreCount > 0 && reader.readLine() != null) {
+                            while (ignoreCount > 0 && BoundedLineReader.readLine(reader, 5_000_000) != null) {
                                 ignoreCount--;
                                 count++;
                             }
@@ -828,7 +829,7 @@ private StringBuilder extractMultiLineRollBack(BufferedReader reader) throws IOE
 
         String line;
         if (reader != null) {
-            while ((line = reader.readLine()) != null) {
+            while ((line = BoundedLineReader.readLine(reader, 5_000_000)) != null) {
                 if (ROLLBACK_MULTI_LINE_END_PATTERN.matcher(line).matches()) {
                     String[] lastLineSplit = line.split(String.format("%s\\s*$", getEndMultiLineCommentSequence()));
                     if (lastLineSplit.length > 0 && !StringUtil.isWhitespace(lastLineSplit[0])) {

liquibase-standard/src/main/java/liquibase/ui/ConsoleUIService.java

@@ -1,5 +1,6 @@
 package liquibase.ui;
 
+import io.github.pixee.security.BoundedLineReader;
 import liquibase.AbstractExtensibleObject;
 import liquibase.GlobalConfiguration;
 import liquibase.Scope;
@@ -235,7 +236,7 @@ public String readLine() {
                     return "";
                 }
                 try {
-                    return new BufferedReader(new InputStreamReader(System.in)).readLine();
+                    return BoundedLineReader.readLine(new BufferedReader(new InputStreamReader(System.in)), 5_000_000);
                 } catch (IOException ioe) {
                     //
                     // Throw an exception if we can't read

liquibase-standard/src/test/java/liquibase/NoJavaSpecificCodeTest.java

@@ -1,5 +1,6 @@
 package liquibase;
 
+import io.github.pixee.security.BoundedLineReader;
 import org.junit.Test;
 
 import java.io.BufferedReader;
@@ -25,7 +26,7 @@ private void checkJavaClasses(File directory) throws Exception {
             if (file.getName().endsWith(".java")) {
                 try (BufferedReader reader = new BufferedReader(new FileReader(file))) {
                     String line;
-                    while ((line = reader.readLine()) != null) {
+                    while ((line = BoundedLineReader.readLine(reader, 5_000_000)) != null) {
                         if (line.contains("java.sql")) {
                             fail(file.getCanonicalPath() + " contains java.sql");
                         }

liquibase-standard/src/test/java/liquibase/verify/AbstractVerifyTest.java

@@ -1,5 +1,6 @@
 package liquibase.verify;
 
+import io.github.pixee.security.BoundedLineReader;
 import liquibase.util.StringUtil;
 import org.junit.ComparisonFailure;
 import org.junit.Rule;
@@ -91,7 +92,7 @@ private String readExistingValue() throws IOException {
                 BufferedReader reader = new BufferedReader(new FileReader(stateFile));
 
                 String line;
-                while ((line = reader.readLine()) != null) {
+                while ((line = BoundedLineReader.readLine(reader, 5_000_000)) != null) {
                     content.append(line).append("\n");
                 }
                 reader.close();

pom.xml

@@ -90,7 +90,9 @@
         <itCoverageAgent></itCoverageAgent>
         <sonar.coverage.jacoco.xmlReportPaths>target/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
         <surefire.failIfNoTests>true</surefire.failIfNoTests>
-    </properties>
+
+  <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+ </properties>
 
     <!-- comment -->
     <distributionManagement>
@@ -171,7 +173,12 @@
                 <artifactId>spock-core</artifactId>
                 <version>${spock.version}</version>
             </dependency>
-        </dependencies>
+   <dependency>
+    <groupId>io.github.pixee</groupId>
+    <artifactId>java-security-toolkit</artifactId>
+    <version>${versions.java-security-toolkit}</version>
+   </dependency>
+  </dependencies>
     </dependencyManagement>
     <dependencies>