Extension of java.io.BufferedReader to enforce bounds
Switch branches/tags
Nothing to show
Clone or download
Latest commit d3107c9 Aug 4, 2013

README

The class grew out of a code review for a project that was using the readLine() function of java.io.BufferedReader to read a user-controlled file.  The security issue here is that, even if the number of lines to be read is limited, an attacker can still cause an OutOfMemoryError exception by providing a large file with no newline characters.  The readLine function will just keep going until it runs out of memory, creating a denial of service.

My team did some research into this issue, but the only thing we found was an old bug report that had been closed with the status of "Will Not Fix."  The suggested workaround was buggy and inconvenient, so I wrote the BoundedBufferedReader class to extend BufferedReader and add the capability to limit both line length and the number of lines read.  This class can be used in much the same way as the original BufferedReader class.

Included Files:
* BoundedBufferedReader.java is the main class
* ExampleUsage.java processes the test case file using the BoundedBufferedReader.  Usage: "java ExampleUsage [maxLines] [maxLineLength]"
>> Both of these can be compiled with a simple "javac *.java")

* TestCase.txt is the test case file, which includes lines of various lengths, multiple types of newline chars, and some NULL chars.

* TestCase_output_Ref.text -- output of "java ExampleUsage"
* TestCase_output_Ref_20_20.text -- output of "java ExampleUsage 20 20"
* TestCase_output_Ref_1000_10.text -- output of "java ExampleUsage 1000 10"