Skip to content

Protect readLine() against DoS #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Protect readLine() against DoS #11

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions event-sourcing/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,10 @@
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
<dependency>
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
Expand Down
3 changes: 2 additions & 1 deletion event-sourcing/src/main/java/com/iluwatar/event/sourcing/processor/JsonFileJournal.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import com.iluwatar.event.sourcing.event.DomainEvent;
import com.iluwatar.event.sourcing.event.MoneyDepositEvent;
import com.iluwatar.event.sourcing.event.MoneyTransferEvent;
import io.github.pixee.security.BoundedLineReader;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
Comment on lines 30 to 36
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The BoundedLineReader import and its usage in this context might not be necessary. If the purpose is to limit the size of each line read, it would be better to handle this within the application logic rather than relying on an external library, which could introduce unnecessary dependencies and potential security risks.

Recommended Solution:
Consider using standard Java I/O libraries to read lines and handle any size limitations within the application logic. This will reduce dependencies and potential security vulnerabilities.

Expand Down Expand Up @@ -62,7 +63,7 @@ public JsonFileJournal() {
try (var input = new BufferedReader(
new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8))) {
String line;
while ((line = input.readLine()) != null) {
while ((line = BoundedLineReader.readLine(input, 5_000_000)) != null) {
events.add(line);
}
} catch (IOException e) {
Expand Down
4 changes: 4 additions & 0 deletions module/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,10 @@
<artifactId>junit-jupiter-engine</artifactId>
<scope>test</scope>
</dependency>
<dependency>
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
Expand Down
349 changes: 175 additions & 174 deletions module/src/test/java/com/iluwatar/module/FileLoggerModuleTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,174 +1,175 @@
/*
* This project is licensed under the MIT license. Module model-view-viewmodel is using ZK framework licensed under LGPL (see lgpl-3.0.txt).
*
* The MIT License
* Copyright © 2014-2022 Ilkka Seppälä
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package com.iluwatar.module;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;

import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import lombok.extern.slf4j.Slf4j;
import org.junit.jupiter.api.Test;

/**
* The Module pattern can be considered a Creational pattern and a Structural pattern. It manages
* the creation and organization of other elements, and groups them as the structural pattern does.
* An object that applies this pattern can provide the equivalent of a namespace, providing the
* initialization and finalization process of a static class or a class with static members with
* cleaner, more concise syntax and semantics.
* <p>
* The below example demonstrates a JUnit test for testing two different modules: File Logger and
* Console Logger
*/
@Slf4j
public final class FileLoggerModuleTest {

private static final String OUTPUT_FILE = "output.txt";
private static final String ERROR_FILE = "error.txt";

private static final String MESSAGE = "MESSAGE";
private static final String ERROR = "ERROR";


/**
* This test verify that 'MESSAGE' is perfectly printed in output file
*
* @throws IOException if program is not able to find log files (output.txt and error.txt)
*/
@Test
void testFileMessage() throws IOException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Print 'Message' in file */
fileLoggerModule.printString(MESSAGE);

/* Test if 'Message' is printed in file */
assertEquals(readFirstLine(OUTPUT_FILE), MESSAGE);

/* Unprepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* This test verify that nothing is printed in output file
*
* @throws IOException if program is not able to find log files (output.txt and error.txt)
*/
@Test
void testNoFileMessage() throws IOException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Test if nothing is printed in file */
assertNull(readFirstLine(OUTPUT_FILE));

/* Unprepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* This test verify that 'ERROR' is perfectly printed in error file
*
* @throws FileNotFoundException if program is not able to find log files (output.txt and
* error.txt)
*/
@Test
void testFileErrorMessage() throws FileNotFoundException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Print 'Error' in file */
fileLoggerModule.printErrorString(ERROR);

/* Test if 'Message' is printed in file */
assertEquals(ERROR, readFirstLine(ERROR_FILE));

/* Un-prepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* This test verify that nothing is printed in error file
*
* @throws FileNotFoundException if program is not able to find log files (output.txt and
* error.txt)
*/
@Test
void testNoFileErrorMessage() throws FileNotFoundException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Test if nothing is printed in file */
assertNull(readFirstLine(ERROR_FILE));

/* Unprepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* Utility method to read first line of a file
*
* @param file as file name to be read
* @return a string value as first line in file
*/
private static String readFirstLine(final String file) {

String firstLine = null;
try (var bufferedReader = new BufferedReader(new FileReader(file))) {

while (bufferedReader.ready()) {

/* Read the line */
firstLine = bufferedReader.readLine();
}

LOGGER.info("ModuleTest::readFirstLine() : firstLine : " + firstLine);

} catch (final IOException e) {
LOGGER.error("ModuleTest::readFirstLine()", e);
}

return firstLine;
}
}
/*
* This project is licensed under the MIT license. Module model-view-viewmodel is using ZK framework licensed under LGPL (see lgpl-3.0.txt).
*
* The MIT License
* Copyright © 2014-2022 Ilkka Seppälä
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package com.iluwatar.module;

import io.github.pixee.security.BoundedLineReader;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;

import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import lombok.extern.slf4j.Slf4j;
import org.junit.jupiter.api.Test;

/**
* The Module pattern can be considered a Creational pattern and a Structural pattern. It manages
* the creation and organization of other elements, and groups them as the structural pattern does.
* An object that applies this pattern can provide the equivalent of a namespace, providing the
* initialization and finalization process of a static class or a class with static members with
* cleaner, more concise syntax and semantics.
* <p>
* The below example demonstrates a JUnit test for testing two different modules: File Logger and
* Console Logger
*/
@Slf4j
public final class FileLoggerModuleTest {

private static final String OUTPUT_FILE = "output.txt";
private static final String ERROR_FILE = "error.txt";

private static final String MESSAGE = "MESSAGE";
private static final String ERROR = "ERROR";


/**
* This test verify that 'MESSAGE' is perfectly printed in output file
*
* @throws IOException if program is not able to find log files (output.txt and error.txt)
*/
@Test
void testFileMessage() throws IOException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Print 'Message' in file */
fileLoggerModule.printString(MESSAGE);

/* Test if 'Message' is printed in file */
assertEquals(readFirstLine(OUTPUT_FILE), MESSAGE);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The readFirstLine method reads the entire file to get the first line, which is inefficient. This can be optimized by reading only the first line and then closing the file.

Recommended Solution:
Refactor the readFirstLine method to read only the first line and then close the file immediately.

private static String readFirstLine(final String file) {
try (var bufferedReader = new BufferedReader(new FileReader(file))) {
return BoundedLineReader.readLine(bufferedReader, 5_000_000);
} catch (final IOException e) {
LOGGER.error("ModuleTest::readFirstLine()", e);
return null;
}
}


/* Unprepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* This test verify that nothing is printed in output file
*
* @throws IOException if program is not able to find log files (output.txt and error.txt)
*/
@Test
void testNoFileMessage() throws IOException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Test if nothing is printed in file */
assertNull(readFirstLine(OUTPUT_FILE));

/* Unprepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* This test verify that 'ERROR' is perfectly printed in error file
*
* @throws FileNotFoundException if program is not able to find log files (output.txt and
* error.txt)
*/
@Test
void testFileErrorMessage() throws FileNotFoundException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Print 'Error' in file */
fileLoggerModule.printErrorString(ERROR);

/* Test if 'Message' is printed in file */
assertEquals(ERROR, readFirstLine(ERROR_FILE));

/* Un-prepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* This test verify that nothing is printed in error file
*
* @throws FileNotFoundException if program is not able to find log files (output.txt and
* error.txt)
*/
@Test
void testNoFileErrorMessage() throws FileNotFoundException {

/* Get singleton instance of File Logger Module */
final var fileLoggerModule = FileLoggerModule.getSingleton();

/* Prepare the essential sub modules, to perform the sequence of jobs */
fileLoggerModule.prepare();

/* Test if nothing is printed in file */
assertNull(readFirstLine(ERROR_FILE));

/* Unprepare to cleanup the modules */
fileLoggerModule.unprepare();
}

/**
* Utility method to read first line of a file
*
* @param file as file name to be read
* @return a string value as first line in file
*/
private static String readFirstLine(final String file) {

String firstLine = null;
try (var bufferedReader = new BufferedReader(new FileReader(file))) {

while (bufferedReader.ready()) {

/* Read the line */
firstLine = BoundedLineReader.readLine(bufferedReader, 5_000_000);
}

LOGGER.info("ModuleTest::readFirstLine() : firstLine : " + firstLine);

} catch (final IOException e) {
LOGGER.error("ModuleTest::readFirstLine()", e);
}

return firstLine;
}
}
Loading
Loading