
AppDos Vulnerability with BufferedReader.readLine()

thiru maram
Greenhorn
Hi, when my application goes through a security scanner I am getting an AppDos Vulnerability error.

Could anyone help me out with this issue? Thanks in advance. My code goes here.

import java.io.BufferedReader;
import java.io.PrintWriter;

// The helpers isPartOfString(String, String) and replaceImgTag(String, String) are not
// shown in the post, and the "somecode"/"somestring" literals stand in for the real markers.
public static void parse(BufferedReader reader, PrintWriter writer) throws Exception
{
    String line = null;
    // Every line is pulled in whole by readLine(): the scanner's AppDos finding is about
    // what happens when a line has no terminator and keeps growing.
    while ((line = reader.readLine()) != null)
    {
        // Remove JavaScript
        if (isPartOfString("somecode", line))
        {
            while ((!isPartOfString("somecode", line)) && ((line = reader.readLine()) != null));
            continue;
        }

        // Remove comments
        if (isPartOfString("somecode", line))
        {
            while ((!isPartOfString("somecode", line)) && ((line = reader.readLine()) != null));
            continue;
        }

        // Replace images
        if (isPartOfString("somecode", line) || isPartOfString("somecode", line))
        {
            continue;
        }
        else
        {
            String replacementStr;
            if (isPartOfString("somestring", line))
            {
                replacementStr = "somestring";

                if (isPartOfString("somestring", line))
                {
                    replacementStr = "somestring";
                }
                if (isPartOfString("somestring", line))
                {
                    replacementStr = "somestring";
                }
                line = replaceImgTag(line, replacementStr);
            }
            else
            {
                if (isPartOfString("somestring", line))
                {
                    replacementStr = "somestring";
                    if (isPartOfString("somestring", line))
                    {
                        replacementStr = "somestring";
                    }
                    line = replaceImgTag(line, replacementStr);
                }
                else
                {
                    if (isPartOfString("somestring", line))
                    {
                        line = "somestring";
                    }
                }
            }
        }
        line = line.trim();

        if (line.length() > 0)
        {
            writer.println(line);
        }
    }
    writer.flush();
    reader.close();
}
Paul Clapham
Sheriff
When I googled for the keywords "AppDos Vulnerability" I got this thread and some other links. This link probably explains the message you're getting.
thiru maram
Greenhorn
Could you clarify this for me?

What is the difference with that buffer, which has the same size as the line I am reading from the buffer?
1) What I meant to say is that both are one and the same.

2) I am not able to anticipate the max_buffer_size in my case.
Tim Holloway
Saloon Keeper
A buffered reader for a string (line) would do something like this, by default:


So there are actually 2 potential offences here. First, a really long inputstream without a line terminator in it will cause output to get bigger and bigger and bigger until memory is exhausted. Secondly, since the actual storage used by output is a fixed size, periodically the string manager will run out of room and have to re-allocate a new character buffer within the String, so that's extra processing overhead.

To avoid this, their recommended practice is basically to implement your own version of the readLine method, but to put a check in at the point I marked (XXXX) that says once a certain number of characters have been processed, something is wrong. Throw an exception or truncate the string.

Note that I have simplified what actually happens here, so don't try to use this code verbatim!
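A bounded substitute for readLine() that does what Tim describes, as an added example: it is not code from this thread, not the snippet Tim refers to, and not the poster's project code. It reads characters itself, ends a line at '\n', '\r' or "\r\n" exactly as BufferedReader.readLine() does, returns null at end of stream, and throws once a single line exceeds maxChars instead of buffering it. It is meant as a drop-in for the three reader.readLine() calls in the parse() method above. The class and method names, the 8192-character limit, and the 50,000-character input are assumptions made for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;

public class BoundedLineReader {

    /** Thrown when one line exceeds the configured maximum length. Name is assumed. */
    public static class LineTooLongException extends IOException {
        public LineTooLongException(int max) {
            super("line exceeds " + max + " characters");
        }
    }

    /**
     * Reads one line with the same contract as BufferedReader.readLine(): the line ends
     * at '\n', '\r' or "\r\n", the terminator is not returned, and null means end of
     * stream. Unlike readLine(), it refuses to hold more than maxChars characters of a
     * single line, so input with no terminator cannot grow memory without bound.
     */
    public static String readLineBounded(BufferedReader in, int maxChars) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1) {
            if (c == '\n') {
                return sb.toString();
            }
            if (c == '\r') {
                // Treat "\r\n" as a single terminator; push back anything else.
                in.mark(1);
                int next = in.read();
                if (next != '\n' && next != -1) {
                    in.reset();
                }
                return sb.toString();
            }
            // This is the check Tim describes: stop before the buffer grows past the cap.
            if (sb.length() >= maxChars) {
                throw new LineTooLongException(maxChars);
            }
            sb.append((char) c);
        }
        // End of stream: return the unterminated last line, or null if nothing was read.
        return sb.length() == 0 ? null : sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed input for the demo: one ordinary line, then a 50,000-character
        // line with no terminator, standing in for what a hostile client could stream.
        StringBuilder hostile = new StringBuilder("first line\r\n");
        for (int i = 0; i < 50_000; i++) {
            hostile.append('A');
        }
        BufferedReader in = new BufferedReader(new StringReader(hostile.toString()));

        final int maxLine = 8192;  // assumed limit; pick one above your longest legitimate line
        System.out.println(readLineBounded(in, maxLine));
        try {
            readLineBounded(in, maxLine);
            System.out.println("second line accepted");
        } catch (LineTooLongException e) {
            // After rejecting, stop processing this stream; the reader is mid-line and
            // there is no safe way to resynchronise on attacker-controlled input.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In parse(), each `reader.readLine()` becomes `readLineBounded(reader, maxLine)` and the caller handles LineTooLongException by abandoning the request. The limit does not have to predict any real line length, which answers the second question above: it only has to be finite and comfortably above the longest line the input legitimately produces. Rejecting is preferable to truncating here, because a truncated line would silently drop text that the script, comment and image filters in parse() rely on seeing.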