
AppDos Vulnerability with BufferedReader.readLine()

 
thiru maram
Greenhorn
Hi, when my application is going through a security scanner I am getting an AppDos Vulnerability error...

Could anyone help me out on this issue? Thanks in advance... My code goes here.

public static void parse(BufferedReader reader, PrintWriter writer) throws Exception
{
    String line = null;
    while ((line = reader.readLine()) != null)
    {
        // Remove JavaScript
        if (isPartOfString("somecode", line))
        {
            // empty loop body: skip lines until the closing marker (or end of stream)
            while ((!isPartOfString("somecode", line)) && ((line = reader.readLine()) != null));
            continue;
        }

        // Remove comments
        if (isPartOfString("somecode", line))
        {
            // empty loop body: skip lines until the closing marker (or end of stream)
            while ((!isPartOfString("somecode", line)) && ((line = reader.readLine()) != null));
            continue;
        }

        // Replace images
        if (isPartOfString("somecode", line) || isPartOfString("somecode", line))
        {
            continue;
        }
        else
        {
            String replacementStr;
            if (isPartOfString("somestring", line))
            {
                replacementStr = "somestring";

                if (isPartOfString("somestring", line))
                {
                    replacementStr = "somestring";
                }
                if (isPartOfString(somestring, line))
                {
                    replacementStr = somestring;
                }
                line = replaceImgTag(line, replacementStr);
            }
            else
            {
                if (isPartOfString(somestring, line))
                {
                    replacementStr = somestring;
                    if (isPartOfString(somestring, line))
                    {
                        replacementStr = somestring;
                    }
                    line = replaceImgTag(line, replacementStr);
                }
                else
                {
                    if (isPartOfString(somestring, line))
                    {
                        line = somestring;
                    }
                }
            }
        }
        line = line.trim();

        if (line.length() > 0)
        {
            writer.println(line);
        }
    }
    writer.flush();
    reader.close();
}
 
Paul Clapham
Sheriff
When I googled for the keywords "AppDos Vulnerability" I got this thread and some other links. This link probably explains the message you're getting.
 
thiru maram
Greenhorn
Could you clear this up for me?

What is the difference with that buffer, which has the same size as the line which I am reading from the buffer?
1) What I meant to say is that both are one and the same.

2) I am not able to anticipate the max_buffer_size in my case.
 
Tim Holloway
Saloon Keeper
A buffered reader for a string (line) would do something like this, by default:


So there are actually two potential offences here. First, a really long input stream without a line terminator in it will cause output to get bigger and bigger and bigger until memory is exhausted. Secondly, since the actual storage used by output is a fixed size, periodically the string manager will run out of room and have to re-allocate a new character buffer within the String, so that's extra processing overhead.

To avoid this, their recommended practice is basically to implement your own version of the readLine method, but to put a check in at the point I marked (XXXX) that says once a certain number of characters have been processed, something is wrong. Throw an exception or truncate the string.

Note that I have simplified what actually happens here, so don't try to use this code verbatim!
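As an added example (not code from the thread, and not Tim's or thiru's own), here is one way to implement the bounded readLine that Tim describes: the reader stops accumulating characters once a caller-chosen limit is reached and either throws or truncates, which are the two options his post names. The class name BoundedLineReader, the OverflowPolicy enum and the 64-character limit in main() are hypothetical choices for illustration; the input in main() is constructed. It needs Java 11 or later for String.repeat.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/**
 * Line reader with a hard cap on line length (hypothetical helper, not from the thread).
 * BufferedReader.readLine() keeps growing its buffer until a terminator arrives, so a
 * stream with no terminator grows it until the heap is exhausted. This reader stops at
 * maxLineLength and either fails fast or truncates, the check Tim marks as XXXX.
 */
public final class BoundedLineReader {
    public enum OverflowPolicy { THROW, TRUNCATE }

    private final BufferedReader in;   // buffering keeps the per-character read() cheap
    private final int maxLineLength;
    private final OverflowPolicy policy;
    private int pushback = -1;         // one character of lookahead, used for "\r\n"

    public BoundedLineReader(Reader in, int maxLineLength, OverflowPolicy policy) {
        if (maxLineLength <= 0) {
            throw new IllegalArgumentException("maxLineLength must be positive");
        }
        this.in = (in instanceof BufferedReader) ? (BufferedReader) in : new BufferedReader(in);
        this.maxLineLength = maxLineLength;
        this.policy = policy;
    }

    /** Returns the next line without its terminator, or null at end of stream. */
    public String readLine() throws IOException {
        int c = (pushback != -1) ? pushback : in.read();
        pushback = -1;
        if (c == -1) {
            return null;
        }
        StringBuilder line = new StringBuilder();
        while (c != -1 && c != '\n' && c != '\r') {
            if (line.length() >= maxLineLength) {
                // Bound the work done before a terminator shows up.
                if (policy == OverflowPolicy.THROW) {
                    throw new IOException("line exceeds " + maxLineLength + " characters");
                }
                // TRUNCATE: keep what we have and drain the rest of the line without storing it.
            } else {
                line.append((char) c);
            }
            c = in.read();
        }
        if (c == '\r') {
            int next = in.read();           // swallow the '\n' of a "\r\n" pair
            if (next != '\n' && next != -1) {
                pushback = next;            // a lone '\r' ends the line; keep the following char
            }
        }
        return line.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: two short lines, one line far over the limit, one unterminated line.
        String oversized = "x".repeat(10_000);
        String input = "first line\r\nsecond line\n" + oversized + "\nlast";

        BoundedLineReader truncating =
                new BoundedLineReader(new StringReader(input), 64, OverflowPolicy.TRUNCATE);
        String line;
        while ((line = truncating.readLine()) != null) {
            System.out.println("TRUNCATE -> " + line.length() + " chars: "
                    + (line.length() > 20 ? line.substring(0, 20) + "..." : line));
        }

        BoundedLineReader failing =
                new BoundedLineReader(new StringReader(input), 64, OverflowPolicy.THROW);
        try {
            while ((line = failing.readLine()) != null) {
                System.out.println("THROW    -> " + line);
            }
        } catch (IOException e) {
            System.out.println("THROW    -> rejected: " + e.getMessage());
        }
    }
}
```

In TRUNCATE mode the oversized line comes back as exactly 64 characters and the reader continues with "last"; in THROW mode the first two lines are returned and the third is rejected before more than 64 characters of it are ever held in memory. A parse method like the one in the first post can take a BoundedLineReader in place of the BufferedReader and keep the rest of its logic unchanged; the limit should be chosen from the largest line the application legitimately expects rather than from the scanner's default.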
 