Skip to content

bluelotussoftware/BoundedBufferedReader

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

The class grew out of a code review for a project that was using the readLine() function of java.io.BufferedReader to read a user-controlled file.  
The security issue here is that, even if the number of lines to be read is limited, an attacker can still cause an OutOfMemoryError exception by providing 
a large file with no newline characters.  The readLine function will just keep going until it runs out of memory, creating a denial of service.

My team did some research into this issue, but the only thing we found was an old bug report that had been closed with the status of "Will Not Fix."  
The suggested workaround was buggy and inconvenient, so I wrote the BoundedBufferedReader class to extend BufferedReader and add the capability to 
limit both line length and the number of lines read.  This class can be used in much the same way as the original BufferedReader class.

Included Files:
* BoundedBufferedReader.java is the main class
* ExampleUsage.java processes the test case file using the BoundedBufferedReader.  Usage: "java ExampleUsage [maxLines] [maxLineLength]"
>> Both of these can be compiled with a simple "javac *.java")

* TestCase.txt is the test case file, which includes lines of various lengths, multiple types of newline chars, and some NULL chars.

* TestCase_output_Ref.text -- output of "java ExampleUsage"
* TestCase_output_Ref_20_20.text -- output of "java ExampleUsage 20 20"
* TestCase_output_Ref_1000_10.text -- output of "java ExampleUsage 1000 10"

About

Extension of java.io.BufferedReader to enforce bounds

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Java 100.0%