Protect readLine() against DoS
This change hardens all BufferedReader#readLine() operations against memory exhaustion.
There is no way to call readLine() safely since it is, by its nature, a read that must be terminated by the stream provider. Furthermore, a stream of data provided by an untrusted source could lead to a denial of service attack, as attackers can provide an infinite stream of bytes until the process runs out of memory.
Fixing it is straightforward using an API which limits the amount of expected characters to some sane limit. This is what our changes look like:
+ import io.github.pixee.security.BoundedLineReader;
...
BufferedReader reader = getReader();
- String line = reader.readLine(); // unlimited read, can lead to DoS
+ String line = BoundedLineReader.readLine(reader, 5_000_000); // limited to 5MB
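Review bot: The inline comment "limited to 5MB" does not match the argument, which is a character count (the description itself says the API "limits the amount of expected characters"); with multi-byte encodings the byte footprint of 5_000_000 characters can be larger, so either phrase the comment in characters (`// limited to 5,000,000 characters`) or pick the limit in terms of the memory budget you actually mean. The description should also state what `BoundedLineReader.readLine(reader, 5_000_000)` does when a line exceeds the limit (throws, or returns a truncated line), since every caller of the former `reader.readLine()` now has to handle that case.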
Powered by: pixeebot (codemod ID: pixee:java/limit-readline)
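A minimal bounded line read, added here to illustrate the technique the PR describes; it is not pixee's BoundedLineReader and not Stirling-PDF code, and the class name, method name and the choice of IOException for the over-limit case are assumptions (Java 11+ for String.repeat). It caps the buffer at maxChars characters, so an endless or oversized line from an untrusted stream fails fast instead of exhausting the heap.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

// Illustrative bounded line reader (assumed names; not the library's own code).
public final class BoundedReadExample {

    /**
     * Reads one line from {@code in}, returning {@code null} at end of stream,
     * mirroring the BufferedReader.readLine() contract. Throws IOException as soon
     * as the line would exceed {@code maxChars} characters, so memory use is capped
     * regardless of what the stream provider sends.
     */
    public static String readLineBounded(Reader in, int maxChars) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1) {
            if (c == '\n') {
                return sb.toString();
            }
            if (c == '\r') {
                if (in.markSupported()) { // peek for the '\n' of a "\r\n" pair
                    in.mark(1);
                    if (in.read() != '\n') {
                        in.reset();
                    }
                }
                return sb.toString();
            }
            if (sb.length() >= maxChars) {
                // Reject before appending: the buffer never holds more than maxChars.
                throw new IOException("line exceeds " + maxChars + " characters");
            }
            sb.append((char) c);
        }
        // EOF: return what was read, or null if nothing was read at all.
        return sb.length() == 0 ? null : sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: one short line followed by an oversized one.
        String oversized = "x".repeat(10_000);
        Reader in = new StringReader("hello\r\n" + oversized + "\n");
        System.out.println("first line: " + readLineBounded(in, 1_000));
        try {
            readLineBounded(in, 1_000);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```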
Hi zcarroll4,
We are updating Stirling-PDF's license to MPL 2.0 (Mozilla Public License Version 2.0) to continue fostering our open-source commitment while introducing more flexible usage of the project.
What We Need From You:
In order to transition to the MPL 2.0 license, we need the explicit consent of all our contributors.
- If you're comfortable relicensing your contributions for this specific PR under MPL 2.0, please respond with:
  I, zcarroll4, grant permission to relicense my contributions from this PR to Stirling-PDF under the Mozilla Public License 2.0.
- If you'd prefer to give blanket permission for all of your contributions to Stirling-PDF (be it through pull requests, commits, or any other form of contribution) rather than on a PR-by-PR basis, please respond with:
  I, zcarroll4, grant permission to relicense all my contributions to Stirling-PDF under the Mozilla Public License 2.0.
What does this do and why?
As your old code was contributed under a different license, it legally cannot move to a new license without your permission, and since we don't want to lose your code we wanted to reach out. Remember, this project is remaining open-source!
Deadline:
If we don't receive a response, or if you decline, unfortunately we will have to remove your contributions from Stirling-PDF before the license change, which is scheduled in the coming months.
Thank You!
Your contributions are invaluable, and we hope to continue having them in Stirling-PDF under the new license. Feel free to ask if you have any questions or concerns about this change.
Best,
Frooodle
Stirling-PDF Maintainer
@Frooodle I, zcarroll4, grant permission to relicense all my contributions to Stirling-PDF under the Mozilla Public License 2.0.