Win a copy of Head First Android this week in the Android forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Liutauras Vilda
Sheriffs:
  • Jeanne Boyarsky
  • Rob Spoor
  • Bear Bibeault
Saloon Keepers:
  • Jesse Silverman
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
Bartenders:
  • Piet Souris
  • Al Hobbs
  • salvin francis

AppDos Vulnerability with BufferedReader.readLine()

 
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi when my application is going through an security scanner I am getting AppDos Vulnerability error...

Could anyone help me out on this issue?Thanks in advance...My Code Goes here.

public static void parse(BufferedReader reader, PrintWriter writer) throws Exception
{
String line = null;
while((line = reader.readLine())!= null)
{

// Remove JavaScript
if (isPartOfString("somecode", line))
{
while ((!isPartOfString("somecode", line)) && ((line = reader.readLine())!= null));
continue;
}

// Remove comments
if (isPartOfString("somecode", line))
{
while ((!isPartOfString("somecode", line)) && ((line = reader.readLine())!= null));
continue;
}

//Replace images
if (isPartOfString("somecode", line) || isPartOfString("somecode", line))
{
continue;
}
else
{
String replacementStr;
if (isPartOfString("somestring", line))
{
replacementStr = "somestring";

if (isPartOfString("somestring", line))
{
replacementStr = "somestring";
}
if (isPartOfString(somestring, line))
{
replacementStr = somestring;
}
line = replaceImgTag(line, replacementStr);

}
else
{
if (isPartOfString(somestring, line))
{
replacementStr = somestring;
if (isPartOfString(somestring, line))
{
replacementStr = somestring;
}
line = replaceImgTag(line, replacementStr);
}
else
{
if (isPartOfString(somestring, line))
{
line = somestring;
}
}
}
}
line = line.trim();

if (line.length() > 0)
{
writer.println(line);
}
}
writer.flush();
reader.close();
}
 
Marshal
Posts: 26912
82
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
When I googled for the keywords "AppDos Vulnerability" I got this thread and some other links. This link probably explains the message you're getting.
 
thiru maram
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Could you clear me here..

What is the difference with that buffer which has the same size of the line which i am reading from the buffer.
1) What I meant to say is both are one and the same.

2) I could not able to anticipate the max_buffer_size in my case.
 
Saloon Keeper
Posts: 24555
168
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
A buffered reader for a string (line) would do something like this, by default:


So there are actually 2 potential offences here. First, a really long inputstream without a line terminator in it will cause output to get bigger and bigger and bigger until memory is exhausted. Secondly, since the actual storage used by output is a fixed size, periodically the string manager will run out of room and have to re-allocate a new character buffer within the String, so that's extra processing overhead.

To avoid this, their recommended practice is basically to implement your own version of the readLine method, but to put a check in at the point I marked (XXXX) that says once a certain number of characters have been processed, something is wrong. Throw an exception or truncate the string.

Note that I have simplified what actually happens here, so don't try to use this code verbatim!
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic